Entity categories are used for data release minimization and scalable attribute release from an Identity Provider within SWAMID to a Service Provider in SWAMID and/or eduGAIN.
If the owner of a service and the Identity Provider's home organisation have a bilateral agreement, the attribute release can be extended with additional attributes based on that agreement.
Best Practice attribute release based on entity categories
x - Attribute is released if it is available in the Home Organisation Identity Provider.
o - Attribute is released only if requested and required in the metadata for the service and if it is available in the Home Organisation Identity Provider.
Restriction: attribute released "only if requested and required" in metadata [1]. Note that norEduPersonNIN and personalIdentityNumber have additional restrictions [2].
Deprecated: SWAMID R&E and SWAMID SFS-1993-1153 are deprecated; no new EntityID will be permitted to use these categories from 2020-09-01.
Restriction for SWAMID SFS-1993-1153: attributes are released only for users with a Swedish personal identity number (sv. personnummer), a Swedish co-ordination number (sv. samordningsnummer) or an organisational student interim identity number (sv. interimspersonnummer).
SAML2 Attribute Identifier | Friendly Name | Without entity category | REFEDS CoCo v2 and GÉANT CoCo v1 | REFEDS Personalized Access Entity Category | REFEDS R&S | SWAMID R&E | SWAMID SFS-1993-1153 |
---|---|---|---|---|---|---|---|
urn:oasis:names:tc:SAML:attribute:pairwise-id | pairwise-id | ||||||
urn:oasis:names:tc:SAML:attribute:subject-id | subject-id | x | |||||
urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | eduPersonTargetedID | o | x [3] | ||||
urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | eduPersonPrincipalName | o | x | x | |||
urn:oid:1.3.6.1.4.1.5923.1.1.1.16 | eduPersonOrcid | o | |||||
urn:oid:1.3.6.1.4.1.2428.90.1.5 | norEduPersonNIN | o [2] | x | ||||
urn:oid:1.2.752.29.4.13 | personalIdentityNumber | o [2] | |||||
urn:oid:1.3.6.1.4.1.25178.1.2.3 | schacDateOfBirth | o | |||||
urn:oid:0.9.2342.19200300.100.1.3 | mail | o | x | x | x | |||
urn:oid:2.16.840.1.113730.3.1.241 | displayName | o | x | x | x | ||
urn:oid:2.5.4.3 | cn (aka commonName) | o | x | ||||
urn:oid:2.5.4.42 | givenName | o | x | x | x | ||
urn:oid:2.5.4.4 | sn (aka surname) | o | x | x | x | ||
urn:oid:1.3.6.1.4.1.5923.1.1.1.11 | eduPersonAssurance | o | x | x | x | x | |
urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | eduPersonScopedAffiliation | o | x | x | x | ||
urn:oid:1.3.6.1.4.1.5923.1.1.1.1 | eduPersonAffiliation | o | |||||
urn:oid:2.5.4.10 | o (aka organizationName) | o | x | ||||
urn:oid:1.3.6.1.4.1.2428.90.1.6 | norEduOrgAcronym | o | x | ||||
urn:oid:2.5.4.6 | c (aka countryName) | o | x | ||||
urn:oid:0.9.2342.19200300.100.1.43 | co (aka friendlyCountryName) | o | x | ||||
urn:oid:1.3.6.1.4.1.25178.1.2.9 | schacHomeOrganization | o | x | x | |||
urn:oid:1.3.6.1.4.1.25178.1.2.10 | schacHomeOrganizationType | o |
1. The entity category GÉANT Code of Conduct does not have a specific attribute bundle. Instead of an attribute bundle it uses attribute requests in metadata for specific required attributes.
2. norEduPersonNIN and personalIdentityNumber shall only be released when required by entities registered within SWAMID (registrationAuthority="http://www.swamid.se/").
   - personalIdentityNumber must only contain Swedish Personal Numbers or Swedish Co-ordination Numbers.
   - norEduPersonNIN can, besides Swedish Personal Numbers and Swedish Co-ordination Numbers, also contain Interim Personal Numbers from the student documentation system Ladok and the Swedish national study enrolment system.
3. eduPersonTargetedID should only be released with the entity category REFEDS Research & Scholarship if eduPersonPrincipalName is reassignable. All Identity Providers in SWAMID are required by the SWAMID Assurance Profiles to issue long-term unique eduPersonPrincipalName values, and therefore eduPersonTargetedID should not normally be released.
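As an added example (not SWAMID's own code), the following Python helper turns the release rules above into a decision function: the x/o legend, the registrationAuthority restriction on norEduPersonNIN and personalIdentityNumber, and the eduPersonTargetedID rule. The bundle contents for REFEDS R&S and Personalized Access are assumed from the REFEDS specifications, and the service provider metadata values are constructed.

```python
# Added example: attribute-release decision helper for the SWAMID rules above.
# Not SWAMID's code. Bundle contents are assumed from the REFEDS R&S and
# Personalized Access specifications; SP metadata used in tests is constructed.
from dataclasses import dataclass, field

SWAMID_RA = "http://www.swamid.se/"
RS = "http://refeds.org/category/research-and-scholarship"
PERSONALIZED = "https://refeds.org/category/personalized"

# "x" attributes: released whenever the SP carries the category and the
# home organisation IdP has a value (assumed bundles, see lead-in).
BUNDLES = {
    RS: {"eduPersonPrincipalName", "mail", "displayName", "givenName", "sn",
         "eduPersonScopedAffiliation"},
    PERSONALIZED: {"subject-id", "mail", "displayName", "givenName", "sn",
                   "eduPersonScopedAffiliation", "eduPersonAssurance",
                   "schacHomeOrganization"},
}
# Footnote 2: only to SPs registered in SWAMID, and only when required.
SWAMID_ONLY = {"norEduPersonNIN", "personalIdentityNumber"}


@dataclass
class ServiceProvider:
    entity_id: str
    registration_authority: str            # mdrpi:RegistrationInfo value
    entity_categories: set = field(default_factory=set)
    required_attributes: set = field(default_factory=set)  # isRequired="true"


def release(sp: ServiceProvider, available: set,
            eppn_reassignable: bool = False) -> set:
    """Return the attributes the IdP may release to sp.

    available: friendly names of attributes the IdP holds for the user;
    nothing is released that the IdP does not have.
    """
    released = set()
    for name in available:
        in_bundle = any(name in BUNDLES.get(cat, set())
                        for cat in sp.entity_categories)
        required = name in sp.required_attributes        # the "o" rule
        if not (in_bundle or required):
            continue
        if name in SWAMID_ONLY and (
                sp.registration_authority != SWAMID_RA or not required):
            continue                                     # footnote 2
        if name == "eduPersonTargetedID" and not eppn_reassignable:
            continue                                     # footnote 3
        released.add(name)
    return released
```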
URI for all entity categories used within SWAMID
Entity category | Unique identifier | Status |
---|---|---|
GÉANT Data Protection Code of Conduct Entity Category | http://www.geant.net/uri/dataprotection-code-of-conduct/v1 | |
REFEDS Data Protection Code of Conduct Entity Category | https://refeds.org/category/code-of-conduct/v2 | |
REFEDS Personalized Access Entity Category | https://refeds.org/category/personalized | |
REFEDS Research and Scholarship (R&S) | http://refeds.org/category/research-and-scholarship | |
SWAMID R&E | http://www.swamid.se/category/research-and-education | Deprecated |
SWAMID SFS-1993-1153 | http://www.swamid.se/category/sfs-1993-1153 | Deprecated |
SWAMID EU-Adequate-Protection | http://www.swamid.se/category/eu-adequate-protection | Deprecated |
SWAMID NREN-Service | http://www.swamid.se/category/nren-service | Deprecated |
SWAMID HEI-Service | http://www.swamid.se/category/hei-service | Deprecated |
URI for all assurance profiles used within SWAMID
Assurance profile | Unique identifier | Status |
---|---|---|
SWAMID AL1 | http://www.swamid.se/policy/assurance/al1 | |
SWAMID AL2 | http://www.swamid.se/policy/assurance/al2 | |
SWAMID AL3 | http://www.swamid.se/policy/assurance/al3 | |
SWAMID AL2-MFA-HI | https://www.swamid.se/policy/authentication/swamid-al2-mfa-hi | Deprecated |
REFEDS Assurance Framework | https://refeds.org/assurance/* | |
REFEDS Security Incident Response Trust Framework for Federated Identity (SIRTFI) version 1 | https://refeds.org/sirtfi | |
REFEDS Security Incident Response Trust Framework for Federated Identity (SIRTFI) version 2 | https://refeds.org/sirtfi2 | |