Versions Compared

Old Version 32

changes.mady.by.user Pål Axelsson

Saved on

compared with

New Version 119

changes.mady.by.user Pål Axelsson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Warning
titlePage is under update

This page is under update and the expected result will be changed due to GDPR!

Entity categories is are used for data release minimization and scalable attribute release from an Identity Provider within SWAMID to a Service Provider in SWAMID and/or eduGAIN.

...

.

If an owner of a Service and the Identity Provider Home Organisation has a bilateral agreement the attribute release can be extended with additional attributes based on the agreement.

Please note that the old entity categories SWAMD Research and Education and SWAMID SFS 1993:1153 is deprecated and will removed from all services metadata at the end of 2022.

Best Practice attribute release based on entity categories

x - Users are expected to have a value and that should be released, if no value is present do not release an empty valueAttribute is released if it's available in the Home Organisation Identity Provider.
o - Release Attribute is released only if the user has a value on the attribute.requested and required in the metadata for the service and if it's available in the Home Organisation Identity Provider.

SAML2 Attribute IdentifierFriendly Name
AttributAttribute release identifier
Without enitity category

Data protection Code of Conduct (REFEDS CoCo v2 and GÉANT CoCo v1)

REFEDS Personalized Access Entity CategoryREFEDS Pseudonymous Access Entity CategoryREFEDS Anonymous Access Entity CategoryREFEDS Research and Scholarship Entity Category (R&S
SWAMID R&ESWAMID SFS-1993-1153
)

European Student Identifier Entity Category





Note
title
Release only required attributes
Restriction

Attribute released

Release attribute

"only if requested and required" in metadata1

Warning
titleWill be deprecated

This entity category is under process to be deprecated and will in the future be replaced with REFEDS R&S or GÉANT CoCo.

Warning
titleWill be deprecated

This entity category is under process to be deprecated and will in the future be replaced with GÉANT CoCo.

Beroenden  SWAMID R&E is used in pair with one of the entity categories SWAMID EU-Adequate-Protection, SWAMID NREN-Service and SWAMID HEI-ServiceRelease only for only for users with a Swedish personal identity number (sv. personnummer), a Swedish co-ordination number (sv. samordningsnummer) or a organisational student interim identity number (sv. interimspersonnummer)

.

Note that norEduPersonNIN and personalIdentityNumber has additional restrictions2.







urn:oasis:names:tc:SAML:attribute:pairwise-idpairwise-id
o
x


urn:oasis:names:tc:SAML:attribute:subject-idsubject-id
ox
transientIdSAML2 NameIDxxxxxeduPersonTargetedID




urn:oid:1.3.6.1.4.1.5923.1.1.1.10eduPersonTargetedID
x

o


(x
2
3)
eduPersonPrincipalName

urn:oid:1.3.6.1.4.1.5923.1.1.1.6
 
eduPersonPrincipalName
x

o


x
x eduPersonUniqueID3

urn:oid:1.3.6.1.4.1.5923.1.1.1.
13
16
 xxx eduPersonOrcid
eduPersonOrcid
o4




urn:oid:1.3.6.1.4.1.
5923
2428.
1
90.1.
1.16
5
 norEduPersonNIN
norEduPersonNIN
o
  
2




urn:oid:1.
3
2.
6
752.
1
29.4.
1.2428.90.1.5 o4 opersonalIdentityNumber
13personalIdentityNumber
o2




urn:oid:1.
2
3.
752
6.
29
1.4
.13 o4  mail
.1.25178.1.2.3 schacDateOfBirth
o




urn:oid:0.9.2342.19200300.100.1.3
 
mail
xdisplayName

ox

x
 

urn:oid:2.16.840.1.113730.3.1
.241 xxx 
.13mailLocalAddress
o5




urn:oid:2.5.4.42givenName
o6x6

x6
cn (commonName)

urn:oid:2.5.4.
3 x x 
4sn (aka surname)
o6x6

x6
givenName

urn:oid:2
.5.4.42 xxx 
.16.840.1.113730.3.1.241displayName
o6x6

x6
urn:oid:1.3.6.1.4.1.2428.90.1.10norEduPersonLegalName
o6
sn (surname)





urn:oid:2.5.4.
4 xxx eduPersonAssurance
3cn (aka commonName)
o6




urn:oid:1.3.6.1.4.1.5923.1.1.1.11eduPersonAssurance
 

ox
 eduPersonScopedAffiliation
x
x
7
urn:oid:1.3.6.1.4.1.5923.1.1.1.9
 
eduPersonScopedAffiliation
ox
 eduPersonAffiliation
xx
 
x
urn:oid:1.3.6.1.4.1.5923.1.1.1.1
 x   
eduPersonAffiliation
o
o (organizationName)





urn:oid:2.5.4.10
 x x 
o (aka organizationName)
o
norEduOrgAcronym





urn:oid:1.3.6.1.4.1.2428.90.1.6
 
norEduOrgAcronym
x x c (countryName)friendlyCountryName

o




urn:oid:2.5.4.6
 x x 
c (aka countryName)
o




schacHomeOrganization
urn:oid:0.9.2342.19200300.100.1.43
 x x 
co (aka friendlyCountryName)
o




urn:oid:1.3.6.1.4.1.25178.1.2.9
 
schacHomeOrganization
ox
 schacHomeOrganizationType
xx
 


urn:oid:1.3.6.1.4.1.25178.1.2.10
 
schacHomeOrganizationType
x   

...


o




 urn:oid:1.3.6.1.4.1.25178.1.2.14

schacPersonalUniqueCode





x8


  1. The entity category the REFEDS and GÉANT Code of Conduct entity categories does not have a specific attribute bundle. Instead of an attribute bundle it uses attribute request in metadata for specific required attributes

...

2 eduPersonTargetedID should only be released in with the entity category REFEDS Research & Scholarship if eduPersonPrincipalName is reassignable.

...

  1. .

...

...

  1. norEduPersonNIN and personalIdentityNumber shall only be released when required by entities registered with in SWAMID (registrationAuthority="http://www.swamid.se/").

...

    • personalIdentityNumber must only contain Swedish Personal Numbers or Swedish Co-ordination Numbers.
    • norEduPersonNIN can besides  Swedish Personal Numbers

...

    • and Swedish Co-ordination Numbers also contain Interim Personal Numbers from the student documentation system Ladok and the Swedish national study enrolment system.
  2. eduPersonTargetedID should only be released with the entity category REFEDS Research & Scholarship if eduPersonPrincipalName is reassignable. All Identity Providers in SWAMID must by the SWAMID Assurance Profiles be longterm unique and therefore it should not be released.
  3. eduPersonOrcid should only be released if and only if the IdP organization has retrived the ORCID iD via the ORCID Collect & Connect service. ORCID iDs are persistent digital identifiers for individual researchers. Their primary purpose is to unambiguously and definitively link them with their scholarly work products. ORCID iDs are assigned,managed and maintained by the ORCID organization.
  4. mailLocalAddress is used for services that may need access to more than one mail address for the user, for example mail aliases and secondary mail addresses. A use case for this is when a person is invited by another mail address than the one in released in the mail attribute.
  5. Name attribute are expected to be released as following:
    • givenName is the legal first name of the person. If the person has more than one legal first name it's possible to only release the default name (sw. tilltalsnamn) or the person can choose which one of the legal first names they want to be released.
    • sn (aka surname) is the legal last name (or family name) of the person.
    • displayName shall always be the combination of givenName and sn.
    • norEduPersonLegalName must always be the full legal name from the population registry or official travel documents defined in ICAO 9306 (passports or European national identity cards), otherwise it must not be released.
    • cn (aka commonName) must be the persons full name, not the attribute value from Active Directory.
  6. Within SWAMID the REFEDS Research and Scholarship Entity Category is extended to also include eduPersonAssurance.
  7. This entity category should only trigger release of the European Student Identifier (ESI) value as specified by https://wiki.geant.org/display/SM/European+Student+Identifier

URI for all entity categories used within SWAMID

Entity categoryUnique identifier
GÉANT CoCo

GÉANT Data Protection Code of Conduct Entity Categoryhttp://www.geant.net/uri/dataprotection-code-of-conduct/v1
REFEDS Data Protection Code of Conduct Entity Categoryhttps://refeds.org/category/code-of-conduct/v2
REFEDS Personalized Access Entity Categoryhttps://refeds.org/category/personalized
REFEDS Pseudonymous Access Entity Categoryhttps://refeds.org/category/pseudonymous
REFEDS Anonymous Access Entity Categoryhttps://refeds.org/category/anonymous
REFEDS Research and Scholarship Entity Category (R&S)http://refeds.org/category/research-and-scholarship
European Student Identifier  Entity Category (ESI)https://myacademicid.org/entity-categories/esi
SWAMID R&Ehttp://www.swamid.se/category/research-and-educationDeprecated and decommisoned
SWAMID SFS-1993-1153http://www.swamid.se/category/sfs-1993-1153Deprecated and decommisoned
SWAMID EU-Adequate-Protectionhttp://www.swamid.se/category/eu-adequate-protectionDeprecated and decommisoned
SWAMID NREN-Servicehttp://www.swamid.se/category/nren-serviceDeprecated and decommisoned
SWAMID HEI-Servicehttp://www.swamid.se/category/hei-service

...

Deprecated and decommisoned


URI for all assurance profiles used within SWAMID

EntitetskategoriUnik identifierare
SWAMID AL1http://www.swamid.se/policy/assurance/al1
SWAMID AL2http://www.swamid.se/policy/assurance/al2
SWAMID AL3http://www.swamid.se/policy/assurance/al3
SWAMID AL2-MFA-HIhttps://www.swamid.se/policy/authentication/swamid-al2-mfa-hiDeprecated and decommisoned
REFEDS Assurance Frameworkhttps://refeds.org/assurance/*
REFEDS Security Incident Response Trust Framework for Federated Identity (SIRTFI) version 1https://refeds.org/sirtfi
REFEDS Security Incident Response Trust Framework for Federated Identity (SIRTFI) version 2https://refeds.org/sirtfi2