...


| | Anonymous Access | Pseudonymous Access | Personalized Access | Research and Scholarship (R&S) |
|---|---|---|---|---|
| Organisation | eduPersonScopedAffiliation, schacHomeOrganization | eduPersonScopedAffiliation, schacHomeOrganization | eduPersonScopedAffiliation, schacHomeOrganization | eduPersonScopedAffiliation (optional) |
| User identifier | | samlPairwiseID | samlSubjectID | eduPersonPrincipalName (if non-reassigned); eduPersonPrincipalName + eduPersonTargetedID (not used within SWAMID) |
| Assurance | | eduPersonAssurance | eduPersonAssurance | eduPersonAssurance (only within SWAMID) |
| Person name | | | displayName, givenName, sn | displayName or givenName + sn |
| Email address | | | mail | mail |

...

The expected Identity Provider behaviour is to release a predefined set of attributes to the Service Provider. Service Providers signal their need for the Anonymous Access Entity Category via an entity category tag in their metadata. There is furthermore an Identity Provider entity support category that should be registered for all Identity Providers that support the Anonymous Access Entity Category.

...

Expected attribute release from an Identity Provider

| Attribute(s) | SAML2 Attribute Identifier | Comment |
|---|---|---|
| eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | |
| schacHomeOrganization | urn:oid:1.3.6.1.4.1.25178.1.2.9 | |

...


Process for applying to tag a service with the REFEDS Anonymous Access Entity Category

For a service to be tagged with the REFEDS Anonymous Access Entity Category, it must contact the federation it is registered with. If the service is registered within the SWAMID federation, the service operator updates the service metadata in the SWAMID Metadata Tool.

Besides the metadata update, the request must contain the following administrative information:

  • Purpose and scope of the service.

The entity category has the following metadata requirements:

  • Well-functioning SAML2 metadata for the service with an entityID in URL form, as described in the SWAMID SAML WebSSO Technology Profile.
  • Display name for the service in English and preferably also in Swedish, for use in Identity Providers' login pages and Discovery Services.
  • URL to an informational web page that describes the service in English and preferably also in Swedish.
  • At least one of the administrative, technical and support contacts for the service; it is also recommended that a security contact is given.

It is highly recommended that the request also includes the following information for metadata publication:

  • An https URL to the service logotype for use in Identity Providers' login pages and Discovery Services.

Besides the formal requirements and recommendations of the REFEDS Anonymous Access Entity Category, it is highly recommended that the service also adheres to the REFEDS Security Incident Response Trust Framework for Federated Identity (Sirtfi).

REFEDS Pseudonymous Access Entity Category

...

For the REFEDS Pseudonymous Access Entity Category there is a formal requirement that the service shall publish a public Privacy Policy. SWAMID has published a Service Provider Privacy Policy Template for the GÉANT Data Protection Code of Conduct that can be used, apart from its requirement to mention the GÉANT Data Protection Code of Conduct.

Expected attribute release from an Identity Provider

| Attribute(s) | SAML2 Attribute Identifier | Comment |
|---|---|---|
| samlPairwiseID | urn:oasis:names:tc:SAML:attribute:pairwise-id | |
| eduPersonAssurance | urn:oid:1.3.6.1.4.1.5923.1.1.1.11 | |
| eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | |
| schacHomeOrganization | urn:oid:1.3.6.1.4.1.25178.1.2.9 | |

...

For the REFEDS Personalized Access Entity Category there is a formal requirement that the service shall publish a public Privacy Policy. SWAMID has published a Service Provider Privacy Policy Template for the GÉANT Data Protection Code of Conduct that can be used, apart from its requirement to mention the GÉANT Data Protection Code of Conduct.

Expected attribute release from an Identity Provider

| Attribute(s) | SAML2 Attribute Identifier | Comment |
|---|---|---|
| samlSubjectID | urn:oasis:names:tc:SAML:attribute:subject-id | |
| mail | urn:oid:0.9.2342.19200300.100.1.3 | More than one address can be released, but Identity Providers are recommended to release only one. |
| displayName | urn:oid:2.16.840.1.113730.3.1.241 | |
| givenName | urn:oid:2.5.4.42 | |
| sn | urn:oid:2.5.4.4 | |
| eduPersonAssurance | urn:oid:1.3.6.1.4.1.5923.1.1.1.11 | |
| eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | |
| schacHomeOrganization | urn:oid:1.3.6.1.4.1.25178.1.2.9 | |

...

For REFEDS Research and Scholarship there is no formal requirement that the service shall publish a public Privacy Policy. However, all services registered in SWAMID must have a Privacy Policy that informs end users about how personal data is processed. SWAMID has published a Service Provider Privacy Policy Template for the GÉANT Data Protection Code of Conduct that can be used, apart from its requirement to mention the GÉANT Data Protection Code of Conduct.

Expected attribute release from an Identity Provider

| Attribute(s) | SAML2 Attribute Identifier | Comment |
|---|---|---|
| eduPersonTargetedID | urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | Should only be released by the Identity Provider if eduPersonPrincipalName is re-assignable to another user. Within SWAMID, reassignment of eduPersonPrincipalName is not allowed, and therefore this attribute will not be released by Identity Providers within SWAMID. |
| eduPersonPrincipalName | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | |
| mail | urn:oid:0.9.2342.19200300.100.1.3 | More than one address can be released, but Identity Providers are recommended to release only one. |
| displayName and/or givenName and sn | urn:oid:2.16.840.1.113730.3.1.241, urn:oid:2.5.4.42, urn:oid:2.5.4.4 | A user's name can be released in different ways, and the Service Provider is expected to handle this. |
| eduPersonAssurance | urn:oid:1.3.6.1.4.1.5923.1.1.1.11 | Local add-on within SWAMID. Services shall only expect this attribute to be available from Identity Providers within SWAMID. |
| eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | |
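As an added illustration of the bundles in the tables above (example code written for this page, not SWAMID's or any IdP product's code): a small Python evaluator that reads the entity-category tags from a Service Provider's metadata and computes the attribute set an Identity Provider should release, applying the SWAMID-specific rules (eduPersonAssurance for R&S only to services registered in SWAMID, no eduPersonTargetedID because eduPersonPrincipalName is not reassigned, a single mail address). The entity-category URIs are the public REFEDS and MACE identifiers, which this page does not spell out; the metadata fragment and the user record are constructed samples.

```python
# Added example (not SWAMID's or any IdP product's code). Entity-category URIs are the public
# REFEDS/MACE identifiers; the SP metadata fragment and the user record are constructed samples.
import xml.etree.ElementTree as ET

NS = {"mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CATEGORY_ATTR = "http://macedir.org/entity-category"
ANON, PSEUDO, PERSON = ("https://refeds.org/category/" + c for c in ("anonymous", "pseudonymous", "personalized"))
RS = "http://refeds.org/category/research-and-scholarship"
ORG = {"eduPersonScopedAffiliation", "schacHomeOrganization"}
BUNDLES = {  # per-category attribute bundles from the tables above
    ANON: ORG,
    PSEUDO: ORG | {"samlPairwiseID", "eduPersonAssurance"},
    PERSON: ORG | {"samlSubjectID", "eduPersonAssurance", "mail", "displayName", "givenName", "sn"},
    RS: {"eduPersonPrincipalName", "mail", "displayName", "givenName", "sn", "eduPersonScopedAffiliation"}}
SWAMID_ONLY = {RS: {"eduPersonAssurance"}}  # local add-on: only to services registered in SWAMID

def sp_entity_categories(metadata_xml):
    """Entity-category URIs the SP has tagged itself with in its metadata (mdattr:EntityAttributes)."""
    cats = set()
    for attr in ET.fromstring(metadata_xml).iterfind(".//mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == CATEGORY_ATTR:
            cats.update(v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text)
    return cats

def attributes_to_release(user, categories, sp_in_swamid, eppn_reassignable=False):
    """Release only attributes in a bundle the SP asked for, with the SWAMID-specific rules applied."""
    wanted = set()
    for cat in categories:
        if cat not in BUNDLES:
            continue  # unknown or unsupported category: it adds nothing to the release
        wanted |= BUNDLES[cat] | (SWAMID_ONLY.get(cat, set()) if sp_in_swamid else set())
        if cat == RS and eppn_reassignable:  # never the case for SWAMID IdPs (ePPN is not reassigned)
            wanted.add("eduPersonTargetedID")
    released = {k: v for k, v in user.items() if k in wanted}
    if isinstance(released.get("mail"), list):
        released["mail"] = released["mail"][:1]  # recommendation: release a single address
    return released

SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" entityID="https://sp.example.org/shibboleth">
  <md:Extensions><mdattr:EntityAttributes><saml:Attribute Name="http://macedir.org/entity-category">
    <saml:AttributeValue>https://refeds.org/category/pseudonymous</saml:AttributeValue>
  </saml:Attribute></mdattr:EntityAttributes></md:Extensions></md:EntityDescriptor>"""
SAMPLE_USER = {  # constructed; holds more than any single bundle allows, so the minimisation is visible
    "samlPairwiseID": "pairwise-placeholder", "samlSubjectID": "subject-placeholder",
    "eduPersonPrincipalName": "alice@example.edu", "eduPersonTargetedID": "targeted-placeholder",
    "mail": ["alice@example.edu", "alice.smith@example.edu"], "displayName": "Alice Smith",
    "givenName": "Alice", "sn": "Smith", "eduPersonAssurance": ["assurance-placeholder"], "norEduPersonNIN": "nin-placeholder",
    "eduPersonScopedAffiliation": "member@example.edu", "schacHomeOrganization": "example.edu"}
```

Running `attributes_to_release(SAMPLE_USER, sp_entity_categories(SAMPLE_SP_METADATA), sp_in_swamid=True)` yields only the four Pseudonymous Access attributes; norEduPersonNIN and the name attributes stay at the Identity Provider.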

...

| Attribute(s) | SAML2 Attribute Identifier | Comment |
|---|---|---|
| samlPairwiseID | urn:oasis:names:tc:SAML:attribute:pairwise-id | |
| eduPersonTargetedID | urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | This attribute is deprecated! |
| samlSubjectID | urn:oasis:names:tc:SAML:attribute:subject-id | |
| eduPersonPrincipalName | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | |
| eduPersonOrcid | urn:oid:1.3.6.1.4.1.5923.1.1.1.16 | |
| norEduPersonNIN | urn:oid:1.3.6.1.4.1.2428.90.1.5 | This attribute is for student systems that need to be synchronised, directly or indirectly, with the student documentation system. Within SWAMID, norEduPersonNIN can contain, besides Swedish Personal Numbers and Swedish Co-ordination Numbers, Interim Personal Numbers from the student documentation system Ladok and the Swedish national study enrolment system. SWAMID Identity Providers only release this attribute to services registered in SWAMID. |
| personalIdentityNumber | urn:oid:1.2.752.29.4.13 | Within SWAMID, personalIdentityNumber only contains Swedish Personal Numbers or Swedish Co-ordination Numbers. SWAMID Identity Providers only release this attribute to services registered in SWAMID. |
| schacDateOfBirth | urn:oid:1.3.6.1.4.1.25178.1.2.3 | |
| displayName | urn:oid:2.16.840.1.113730.3.1.241 | |
| givenName | urn:oid:2.5.4.42 | |
| sn (aka surname) | urn:oid:2.5.4.4 | |
| norEduPersonLegalName | urn:oid:1.3.6.1.4.1.2428.90.1.10 | The full legal name from the population registry or from official travel documents defined in ICAO 9306, i.e. passports and European national identity cards. |
| cn (aka commonName) | urn:oid:2.5.4.3 | Because cn is used for different things in different identity management systems, it is highly recommended to use the attribute displayName instead. |
| mail | urn:oid:0.9.2342.19200300.100.1.3 | More than one address can be released, but Identity Providers are recommended to release only one. |
| mailLocalAddress | urn:oid:2.16.840.1.113730.3.1.13 | For services that need all active mail aliases for the user, for example to process mail invite flows correctly when the given mail address is not the user's primary address. mailLocalAddress is used as a multi-valued attribute containing all active mail aliases for the user. |
| eduPersonAssurance | urn:oid:1.3.6.1.4.1.5923.1.1.1.11 | Services shall only expect this attribute to be available from Identity Providers within SWAMID. |
| eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | |
| eduPersonAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.1 | Because eduPersonAffiliation is not domain-scoped, it is highly recommended to use the attribute eduPersonScopedAffiliation instead. |
| o (aka organizationName) | urn:oid:2.5.4.10 | This attribute is also available as a metadata attribute. |
| norEduOrgAcronym | urn:oid:1.3.6.1.4.1.2428.90.1.6 | |
| c (aka countryName) | urn:oid:2.5.4.6 | |
| co (aka friendlyCountryName) | urn:oid:0.9.2342.19200300.100.1.43 | |
| schacHomeOrganization | urn:oid:1.3.6.1.4.1.25178.1.2.9 | |
| schacHomeOrganizationType | urn:oid:1.3.6.1.4.1.25178.1.2.10 | |

...

The expected Identity Provider behaviour for universities and university colleges is to release the European Student Identifier to the Service Provider. Service Providers signal their need for the European Student Identifier via an entity category tag in their metadata. There is furthermore an Identity Provider entity support category that should be registered for all Identity Providers that support the European Student Identifier Entity Category.

Expected attribute release from an Identity Provider

| Attribute(s) | SAML2 Attribute Identifier | Comment |
|---|---|---|
| schacPersonalUniqueCode | urn:oid:1.3.6.1.4.1.25178.1.2.14 | This attribute is multi-valued, but the expected behaviour is that the Identity Provider releases only the ESI value to the service unless other values are released by bilateral agreement. |

...