This is a set of entity categories in use by SWAMID. Entity categories for SAML is defined by REFEDS in the RFC8409 specification.
For an example on how to consume and process this information in an Identity Provider look at the page Example of a standard attribute filter for Shibboleth IdP v3.4.0 and above. ADFS Toolkit support the use of entity categories.
REFEDS Research and Scholarship
entity-category URI | |
|---|---|
| eduGAIN enabled | Yes |
Definition
Candidates for the Research and Scholarship (R&S) Category are Service Providers that are operated for the purpose of supporting research and scholarship interaction, collaboration or management, at least in part. For more information please see REFEDS Entity Category Research and Scholarship.
R&S is used both within SWAMID and in the eduGAIN interfederation to make services available to users of the higher education institutions in Sweden and around the world. The R&S makes it possible to automatically release mostly harmless attributes to Service Providers within the higher educational sector.
The expected IdP behaviour is to release to the Service Provider a set of R&S Category Attributes (eptid, eppn, email, displayName, surname, given name and scoped affiliation plus the SWAMID addons eduPersonUniqueID and eduPersonAssurance). Service Providers signals their use of R&S via an entity category tag in metadata. There is furthermore an identity provider entity support category that should be registered for all Identity Providers that supports the R&S entity category and this can be used for filter purpose in a discovery service.
Example of services that uses the entity category includes (but are not limited to) collaborative tools and services such as wikis, blogs, project and grant management tools that require some personal information about users to work effectively. This Entity Category should not be used for access to licensed content such as e-journals.
For REFEDS Research and Scholarship there is no formal requirement that the service shall publish a public Privacy Policy. However it's recommended that all services that are registered in SWAMID have a Privacy Policy to inform end users about how personal data are processed. SWAMID have published a Service Provider Privacy Policy Template for GÉANT Data Protection Code of Conduct that can be used except for the last section.
Expected attribute release from an Identity Provider
| Attribute(s) | SAML2 Attribute Identifier | Comment |
|---|---|---|
| eduPersonTargetedID | urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | Should only be released by the Identity Provider if eduPersonPrincipalName is re-assignable to another user. |
| eduPersonPrincipalName | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | |
| urn:oid:0.9.2342.19200300.100.1.3 | Can be more than one address released but Identity Providers are recommended to release only one. | |
| displayName and/or givenName and sn | urn:oid:2.16.840.1.113730.3.1.241 | A user's name can be released in different ways and it's expected that the Service Provider can handle this. |
| eduPersonAssurance | urn:oid:1.3.6.1.4.1.5923.1.1.1.11 | Local addon within SWAMID. Services shall only expect this attribute to be available from Identity Providers within SWAMID. |
| eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 |
Process for applying for tagging a service with entity category REFEDS Research and Scholarship
For a service to be tagged with REFEDS Research and Scholarship (R&S) it must contact the federation that it has registered with. If the service is registered within the SWAMID federation the service operator sends an e-mail to operations@swamid.se with a formal request that contains the information below. Upon receiving the request SWAMID operations will respond within two weeks.
The request must contain the following administrative information:
- Purpose and scope of the service.
- Documentation which proves that the service has fulfilled all the requirements for R&S if it's not defined by purpose and scope of the service.
Unless the following is already published in current service metadata, the request must contain:
- Well functional SAML2 metadata for the service with an entityid in URL-form.
- Display name for the Service in Swedish and English for use in Identity Providers login pages and Discovery Services.
- Short description of the Service in Swedish and English for use in Identity Providers login pages and Discovery Services.
- Mail address to the technical and/or support contact for the service.
- Organisation name of the organisation delivering the service
- URL to the organisation delivering the service.
The request is highly recommended to also have the following information for metadata publication:
- URL beginning with https to the service logotype for use in Identity Providers login pages and Discovery Services.
- URL to a web page with the service privacy policy in English and maybe Swedish.
- URL to a informational web page that describes the service in English and probably in Swedish.
- URL to a web page with the service privacy policy in English and probably Swedish, a privacy policy example template: SWAMID Service Provider Privacy Policy Template. Please remove the section about GÉANT Dataprotection Code of Conduct if you use the Privacy Policy Tamplate.
Besides the formal requirements and recommendations of REFEDS R&S it is highly recommended that the service also adheres to the REFEDS Security Incident Response Trust Framework for Federated Identity (Sirtfi).
GÉANT Dataprotection Code of Conduct
entity-category URI | |
|---|---|
| eduGAIN enabled | Yes |
Definition
The GÉANT Data protection Code of Conduct (CoCo) defines an approach at a European level to meet the requirements of the European Union Data Protection Directive for releasing mostly harmless personal attributes to a Service Provider (SP) from an Identity Provider (IdP). For more information please see GEANT Data Protection Code of Conduct.
CoCo is used both within SWAMID and in the eduGAIN interfederation to make services available to users of the higher education institutions in Sweden and around Europe. The CoCo makes it possible to automatically release mostly harmless attributes to Service Providers which fulfil the EU Data Protection legislation. The expected Identity Provider behaviour is to release the Service Provider required attributes if the IdP is able to. Required attributes means attributes the service must have to be able to work for the user. However it's possible to require more than one attribute of a specific type, i.e. name and identifier attributes, to increase the possibility to get the needed set of attributes. The required attributes for a specific service is defined in the the service metadata and must be described in the mandatory Service Provider Privacy Policy. There is furthermore an identity provider entity support category that should be registered for all Identity Provider that supports the CoCo entity category that can be used for filter purpose in a discovery service.
CoCo and GDPR
An updated version of the GÉANT Data protection Code of Conduct (CoCo) based on the new European Union Data Protection Regulation is underway and the current version will be used until it arrives. The new updated CoCo should be a Code of Conduct as described in GDPR and therefore the update takes longer than expected. The current version of CoCo is in the same spirit as GDPR, i.e. the Charter of Fundamental Rights of the European Union.
Expected attribute availability from an Identity Provider for attributes required by indication in metadata
| Attribute(s) | SAML2 Attribute Identifier | Comment |
|---|---|---|
| eduPersonTargetedID | urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | |
| eduPersonPrincipalName | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | |
| eduPersonOrcid | urn:oid:1.3.6.1.4.1.5923.1.1.1.16 | |
| norEduPersonNIN | urn:oid:1.3.6.1.4.1.2428.90.1.5 | This attribute is for students systems that needs to be synchronised with the the student documentations system directly or indirectly. Within SWAMID norEduPersonNIN can besides Swedish Personal Numbers and Swedish Co-ordination Numbers also contain Interim Personal Numbers from the student documentation system Ladok and the Swedish national study enrolment system. SWAMID Identity Providers only release this attribute to services registered in SWAMID. |
| personalIdentityNumber | urn:oid:1.2.752.29.4.13 | Within SWAMID personalIdentityNumber only contain Swedish Personal Numbers or Swedish Co-ordination Numbers. SWAMID Identity Providers only release this attribute to services registered in SWAMID. |
| schacDateOfBirth | urn:oid:1.3.6.1.4.1.25178.1.2.3 | |
| urn:oid:0.9.2342.19200300.100.1.3 | Can be more than one address released but Identity Providers are recommended to release only one. | |
| displayName | urn:oid:2.16.840.1.113730.3.1.241 | |
| givenName | urn:oid:2.5.4.42 | |
| sn (surname) | urn:oid:2.5.4.4 | |
| cn (commonName) | urn:oid:2.5.4.3 | Due to that cn is use for different things in different in different identity management systems it's highly recommended to use the attribute displayName instead. |
| eduPersonAssurance | urn:oid:1.3.6.1.4.1.5923.1.1.1.11 | Services shall only expect this attribute to be available from Identity Providers within SWAMID. |
| eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | |
| eduPersonAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.1 | Due to eduPersonAffiliations non domain scoped nature it's highly recommended to use the attribute eduPersonScopedAffiliation instead. |
| o (organizationName) | urn:oid:2.5.4.10 | This attribute is also be available as an metadata attribute. |
| norEduOrgAcronym | urn:oid:1.3.6.1.4.1.2428.90.1.6 | |
| c (countryName) | urn:oid:2.5.4.6 | |
| co (friendlyCountryName) | urn:oid:0.9.2342.19200300.100.1.43 | |
| schacHomeOrganization | urn:oid:1.3.6.1.4.1.25178.1.2.9 | |
| schacHomeOrganizationType | urn:oid:1.3.6.1.4.1.25178.1.2.10 |
Process for applying for tagging a service with entity category GÉANT Dataprotection Code of Conduct
For a service to be tagged with GÉANT Dataprotection Code of Conduct it must contact the federation that it has registered with. If the service is registered within the SWAMID federation the service operator sends an e-mail to operations@swamid.se with a formal request that contains the information below. Upon receiving the request SWAMID operations will respond within two weeks.
The request must contain the following administrative information:
- Purpose and scope of the service.
- A list of the required attributes that the service needs to function (the list is also required in the privacy policy of the service). It is possible to require more than one attribute of a specific type, i.e. name and identifier attributes, to increase the possibility to get the needed set of attributes.
- Documentation which proves that the service has fulfilled all the requirements for CoCo and lawfullness of processing as described in GDPR Article 6 if it's not defined by purpose and scope of the service.
Unless the following is already published in current service metadata, the request must contain, preferable in xml for direct inclusion in the service metadata:
- Well functional SAML2 metadata for the service with an entityid in URL-form.
- Display name for the Service in Swedish and English for use in Identity Providers' login pages and Discovery Services.
- Short description of the Service in Swedish and English for use in Identity Providers' login pages and Discovery Services.
- Required attributes of the Service
- Mail address to the technical and/or support contact for the service.
- Organisation name of the organisation delivering the service
- URL to the organisation delivering the service.
- URL to a publicly accessible web page (not a pdf document) with the service privacy policy in English and maybe Swedish, a privacy policy example template: SWAMID Service Provider Privacy Policy Template. The privacy policy must at least contain:
- the name, address and jurisdiction of the Service Provider;
- the purpose or purposes of the processing of the Attributes;
- a description of the Attributes being processed;
- the third party recipients or categories of third party recipient to whom he Attributes might be disclosed, and proposed transfers of Attributes to countries outside of the European Economic Area;
- the existence of the rights to access, rectify and delete the Attributes held about the End User;
- the retention period of the Attributes; and
- a reference to this Code of Conduct including the formal reference URL http://www.geant.net/uri/dataprotection-code-of-conduct/v1.
The request is highly recommended to also have the following information for metadata publication:
- URL beginning with https to the service logotype for use in Identity Providers login pages and Discovery Services.
- URL to a informational web page that describes the service in English and preferable also in Swedish.
Besides the formal requirements and recommendations of GÉANT Dataprotection Code of Conduct it is highly recommended that the service also adheres to the REFEDS Security Incident Response Trust Framework for Federated Identity (Sirtfi). SIRTFI will be mandatory in the next version of this code of conduct.
Release without any recognised Entity Categories
Most Identity Providers within SWAMID release no attributes to a service when it is not marked with any entity category.
------------------------------------------------------------------------------
Deprecated SWAMID entity categories
SWAMID has deprecated old entity categories. All entity category based attribute released will be based on entity categories described above.
Deprecation process:
- From 2019-10-23 all new services need to register with both the old SWAMID entity categories and the entity categories described above.
- From 2020-09-01 all new services will only be registered with the entity categories described above, not the old SWAMID ones.
- From 2020-09-01 to 2021-12-31 all current services will be moved from the old SWAMID entity categories to the entity categories described above. The services are resposible for changing the entity categories.
- 2021-12-31 all services that still has the old entity categories will have these entity categories removed from SWAMID metadata.