This is a set of entity-categories (http://macedir.org) in use by SWAMID.
For a suggestion on how to consume and process this information in an Identity Provider look at the page Example of a standard attribute filter for Shibboleth IdP.
REFEDS Research and Scholarship
entity-category URI | |
---|---|
eduGAIN enabled | Yes |
Definition
Candidates for the Research and Scholarship (R&S) Category are Service Providers that are operated for the purpose of supporting research and scholarship interaction, collaboration or management, at least in part. For more information please see REFEDS Entity Category Research and Scholarship.
R&S is used both within SWAMID and in the eduGAIN interfederation to make services available to users of the higher education institutions in Sweden and around the world. The R&S makes it possible to automatically release the mostly harmless attributes to Service Providers within the higher educational sector.
The expected IdP behaviour is to release to the Service Provider the set of R&S Category Attributes (eptid, eppn, email, displayName, surname, given name and scoped affiliation, plus the SWAMID additions eduPersonUniqueID and eduPersonAssurance). Service Providers signal their use of R&S via an entity category tag in metadata. There is furthermore an identity provider entity support category that should be registered for all Identity Providers that support the R&S Category; it can be used for filtering purposes in a discovery service.
Examples of services that use the entity category include (but are not limited to) collaborative tools and services such as wikis, blogs, and project and grant management tools that require some personal information about users to work effectively. This Entity Category should not be used for access to licensed content such as e-journals.
Expected attribute release from an Identity Provider
Attribute(s) | SAML2 Attribute Identifier | Comment |
---|---|---|
eduPersonTargetedID | urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | Only released if eduPersonPrincipalName is reassignable in the Identity Provider. |
eduPersonPrincipalName | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | |
eduPersonUniqueID | urn:oid:1.3.6.1.4.1.5923.1.1.1.13 | eduPersonUniqueID is a long term unique identifier that will not be reused by the Identity Provider. It may be the same value as eduPersonPrincipalName if that attribute is non-reassignable. Services shall only expect this attribute to be available from Identity Providers within SWAMID. |
mail | urn:oid:0.9.2342.19200300.100.1.3 | More than one address can be released, but Identity Providers are recommended to release only one. |
displayName and/or givenName and sn | urn:oid:2.16.840.1.113730.3.1.241 | A user's name can be released in different ways and it's expected that the Service Provider can handle this. |
eduPersonAssurance | urn:oid:1.3.6.1.4.1.5923.1.1.1.11 | Services shall only expect this attribute to be available from Identity Providers within SWAMID. |
eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | |
Process for applying for tagging a service with entity category REFEDS Research and Scholarship
For a service to be tagged with REFEDS Research and Scholarship (R&S) it must contact the federation that it has registered with. If the service is registered within the SWAMID federation the service operator sends an e-mail to operations@swamid.se with a formal request that contains the information below. Upon receiving a request SWAMID operations will respond within two weeks.
The request must contain the following administrative information:
- Purpose and scope of the service.
- Documentation which proves that the service has fulfilled all the requirements for R&S if not defined by purpose and scope of the service.
The request must contain the following information for metadata publication:
- Well-functioning SAML2 metadata for the service with an entityID in URL form.
- Display name for the Service in Swedish and English for use in Identity Providers login pages and Discovery Services.
- Short description of the Service in Swedish and English for use in Identity Providers login pages and Discovery Services.
- Mail address to the technical and/or support contact for the service.
- Organisation name of the organisation delivering the service
- URL to the organisation delivering the service.
The request is highly recommended to also contain the following information for metadata publication:
- URL beginning with https to the service logotype for use in Identity Providers login pages and Discovery Services.
- URL to a web page with the service privacy policy in English; another in Swedish is recommended.
- URL to an informational web page that describes the service in English; another in Swedish is recommended.
Besides the formal requirements and recommendations of REFEDS it is highly recommended that the service besides R&S also fulfills the REFEDS Security Incident Response Trust Framework for Federated Identity (Sirtfi).
GÉANT Dataprotection Code of Conduct
entity-category URI | |
---|---|
eduGAIN enabled | Yes |
Definition
The GÉANT Data protection Code of Conduct (CoCo) defines an approach at a European level to meet the requirements of the European Union Data Protection Directive for releasing mostly harmless personal attributes to a Service Provider (SP) from an Identity Provider (IdP). For more information please see GEANT Data Protection Code of Conduct.
CoCo is used in the eduGAIN interfederation to make services available to users of European higher education institutions. CoCo makes it possible to automatically release mostly harmless attributes to Service Providers that fulfil the EU Data Protection Directive. The expected IdP behaviour is to release the subset of the attributes eptid, eppn, mail, displayName, scoped affiliation and schacHomeOrganization that the Service Provider requires. The required subset of attributes for a specific service is defined in the mandatory Service Provider Privacy Policy. There is furthermore an identity provider entity support category that should be registered for all IdPs that support the R&S Category; it can be used for filtering purposes in a discovery service.
Expected minimal attribute availability for release (only if required)
Attribute(s) | OID | Comment |
---|---|---|
transientId | | SAML2 session user identifier. |
eduPersonTargetedID | 1.3.6.1.4.1.5923.1.1.1.10 | Only if required in Service Provider metadata! |
eduPersonPrincipalName | 1.3.6.1.4.1.5923.1.1.1.6 | Only if required in Service Provider metadata! |
mail | 0.9.2342.19200300.100.1.3 | Only if required in Service Provider metadata! More than one address can be released, but Identity Providers are recommended to release only one. |
displayName and/or cn | 2.16.840.1.113730.3.1.241, | Only if required in Service Provider metadata! A user's name can be released in different ways and it's recommended that the Service Provider can handle this. |
eduPersonScopedAffiliation | 1.3.6.1.4.1.5923.1.1.1.9 | Only if required in Service Provider metadata! |
schacHomeOrganization | 1.3.6.1.4.1.25178.1.2.9 | Only if required in Service Provider metadata! |
schacHomeOrganizationType | 1.3.6.1.4.1.25178.1.2.10 | Only if required in Service Provider metadata! |
Process for applying for tagging a service with entity category GÉANT Dataprotection Code of Conduct
For a service to be tagged with CoCo it must contact the federation that it has registered with. If the service is registered within the SWAMID federation the service operator sends an e-mail to operations@swamid.se with a formal request.
The request must contain the following information:
- Purpose and scope of the service.
- A list of the required subset of the CoCo Category Attributes.
- Documentation which proves that the service has fulfilled all the requirements for CoCo.
Upon receiving a request SWAMID operations will respond within two weeks.
Release without any recognized Entity Categories
Most Identity Providers within SWAMID send no attributes when a service is not marked with any entity category.
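The release rules above (the fixed R&S bundle, the CoCo rule of releasing only the attributes the Service Provider marks as required in its metadata, and releasing nothing to an untagged service) can be checked against SP metadata with a small decision routine. The following is an added example, not SWAMID's or Shibboleth's code: the category URIs are the published REFEDS and GÉANT values (the URI cells on this page are empty), the SP metadata is constructed inline by `sp_metadata`, and the function names `entity_categories`, `required_attributes` and `attributes_to_release` are chosen for the example. It also covers a case the text only implies: categories are additive, so an SP tagged with both R&S and CoCo gets the union.

```python
"""Entity-category based attribute release decision for a SAML2 IdP (added example)."""
from xml.etree import ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
# Published REFEDS / GEANT category URIs (assumed here; the page's URI cells are blank)
RS = "http://refeds.org/category/research-and-scholarship"
COCO = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"

# SAML2 attribute identifiers from the tables on this page, keyed by friendly name
OID = {
    "eduPersonTargetedID": "urn:oid:1.3.6.1.4.1.5923.1.1.1.10",
    "eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "eduPersonUniqueID": "urn:oid:1.3.6.1.4.1.5923.1.1.1.13",
    "mail": "urn:oid:0.9.2342.19200300.100.1.3",
    "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
    "eduPersonAssurance": "urn:oid:1.3.6.1.4.1.5923.1.1.1.11",
    "eduPersonScopedAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.9",
    "schacHomeOrganization": "urn:oid:1.3.6.1.4.1.25178.1.2.9",
}
NAME = {v: k for k, v in OID.items()}

# R&S: fixed bundle including the SWAMID additions (eduPersonUniqueID, eduPersonAssurance)
RS_BUNDLE = frozenset({"eduPersonPrincipalName", "eduPersonUniqueID", "mail", "displayName",
                       "eduPersonScopedAffiliation", "eduPersonAssurance"})
# CoCo: the most an IdP will release; the SP's required subset decides what is actually sent
COCO_ALLOWED = frozenset({"eduPersonTargetedID", "eduPersonPrincipalName", "mail", "displayName",
                          "eduPersonScopedAffiliation", "schacHomeOrganization"})


def sp_metadata(entity_id, categories, required):
    """Build a minimal SP EntityDescriptor (constructed test data, not real metadata)."""
    cats = "".join(f"<saml:AttributeValue>{c}</saml:AttributeValue>" for c in categories)
    reqs = "".join(f'<md:RequestedAttribute Name="{OID[a]}" isRequired="true"/>' for a in required)
    return (
        f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:mdattr="{NS["mdattr"]}" '
        f'xmlns:saml="{NS["saml"]}" entityID="{entity_id}">'
        f"<md:Extensions><mdattr:EntityAttributes>"
        f'<saml:Attribute Name="{ENTITY_CATEGORY}">{cats}</saml:Attribute>'
        f"</mdattr:EntityAttributes></md:Extensions>"
        f'<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        f'<md:AttributeConsumingService index="0">{reqs}</md:AttributeConsumingService>'
        f"</md:SPSSODescriptor></md:EntityDescriptor>"
    )


def entity_categories(xml):
    """Entity category URIs declared in the SP's mdattr:EntityAttributes extension."""
    root = ET.fromstring(xml)
    cats = set()
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ENTITY_CATEGORY:
            cats.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return cats


def required_attributes(xml):
    """Friendly names of RequestedAttribute elements the SP marks isRequired="true"."""
    root = ET.fromstring(xml)
    path = "md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute"
    return {NAME[ra.get("Name")] for ra in root.findall(path, NS)
            if ra.get("isRequired", "false").lower() == "true" and ra.get("Name") in NAME}


def attributes_to_release(xml, eppn_reassignable=False):
    """Union of what each recognised category permits; no recognised category -> nothing."""
    cats = entity_categories(xml)
    release = set()
    if RS in cats:
        release |= RS_BUNDLE
        if eppn_reassignable:  # page: eptid is released only if eppn is reassignable at the IdP
            release.add("eduPersonTargetedID")
    if COCO in cats:
        # Only the SP's required subset, and never anything outside the CoCo attribute set
        release |= COCO_ALLOWED & required_attributes(xml)
    return release


if __name__ == "__main__":
    examples = [
        ("R&S", sp_metadata("https://wiki.example.org/sp", [RS], [])),
        ("CoCo", sp_metadata("https://coco.example.org/sp", [COCO],
                             ["eduPersonPrincipalName", "mail", "eduPersonUniqueID"])),
        ("none", sp_metadata("https://plain.example.org/sp", [], ["mail"])),
    ]
    for label, xml in examples:
        print(f"{label:5s} -> {sorted(attributes_to_release(xml))}")
```

Note that the CoCo SP in the demo asks for eduPersonUniqueID as required, but it is not in the CoCo attribute set, so the intersection drops it; an SP that needs attributes beyond a category's definition has to apply for the appropriate tag rather than rely on the IdP releasing whatever is marked required.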
SWAMID deprecated entity categories
Will be deprecated
SWAMID is in the process of deprecating its old entity categories. All entity-category-based attribute release will be based on the entity categories described above.
Deprecation process:
- From 2019-10-23 all new services need to register with both the old SWAMID entity categories and the entity categories described above.
- From 2020-05-01 all new services will only be registered with the entity categories described above, not the old SWAMID ones.
- From 2020-05-01 to 2020-10-31 all current services will be moved from the old SWAMID entity categories to the entity categories described above.
- On 2020-10-31 all services that still have the old entity categories will be removed from SWAMID metadata.
SWAMID Service Provider Attribute Release Entity Categories (deprecated 2020-05-01 with transitional use until 2020-10-31)
These categories define the release of mostly harmless personal attributes to a Service Provider (SP) from an Identity Provider (IdP). They are used together with the SWAMID Data Protection Entity Categories below.
Entity categories are additive, which means that one Service Provider can have both research-and-education and sfs-1993-1153.
Below, name means givenName, surname, initials and displayName.
Category | Description |
---|---|
research-and-education | SP is an application that directly or indirectly supports HEI institutions. |
sfs-1993-1153 | SP is an application that fulfills SFS 1993:1153 |
SWAMID Research & Education (deprecated 2020-05-01 with transitional use until 2020-10-31)
entity-category URI | |
---|---|
eduGAIN enabled | No |
Will be deprecated
This entity category is in the process of being deprecated and will in the future be replaced with REFEDS R&S or GÉANT CoCo, depending on the service.
Definition
The Research & Education category applies to low-risk services that support research and education as an essential component.
To release attributes to services tagged with the Research & Education category the service must also be tagged with at least one of the SWAMID Data Protection Entity Categories.
For instance, a service that provides tools for both multi-institutional research collaboration and instruction is eligible as a candidate for this category. This category is very similar to InCommon's Research & Scholarship Category. The expected IdP behaviour is to release name, eppn, eptid, mail and eduPersonScopedAffiliation only if the service is also in at least one of the safe data processing categories. It is also recommended that static organisational information is released. If the Identity Provider home organisation has fulfilled the requirements for SWAMID Assurance Profiles, eduPersonAssurance should also be released.
Expected attribute release when paired with a SWAMID Data Protection Entity Category
Attribute(s) | OID | Comment |
---|---|---|
transientId | | SAML2 session user identifier. |
eduPersonTargetedID | 1.3.6.1.4.1.5923.1.1.1.10 | |
eduPersonAssurance | 1.3.6.1.4.1.5923.1.1.1.11 | One or more Assurance Profiles for the user if it is defined, please see "3.3 Configure Shibboleth SP - Check for Identity Assurance or REFEDS SIRTFI" for more information. |
eduPersonPrincipalName | 1.3.6.1.4.1.5923.1.1.1.6 | |
mail | 0.9.2342.19200300.100.1.3 | More than one address can be released, but Identity Providers are recommended to release only one. |
displayName, cn and/or givenName and sn | 2.16.840.1.113730.3.1.241, | A user's name can be released in different ways and it's recommended that the Service Provider can handle this. |
eduPersonScopedAffiliation | 1.3.6.1.4.1.5923.1.1.1.9 | |
o | 2.5.4.10 | |
norEduOrgAcronym | 1.3.6.1.4.1.2428.90.1.6 | |
c | 2.5.4.6 | |
co | 0.9.2342.19200300.100.1.43 | |
schacHomeOrganization | 1.3.6.1.4.1.25178.1.2.9 | |
Process for applying for tagging a service with entity category Research & Education
The service operator sends an e-mail to operations@swamid.se with a formal request.
The request must contain the following information:
- Purpose and scope of the service.
- Valid SWAMID Data Protection Entity Category, i.e. what type of organisation is legally responsible for the Service. The options are defined below (HEI Service, NREN Service or EU Adequate Protection).
Upon receiving a request SWAMID operations will respond within two weeks.
SWAMID SFS 1993:1153 (deprecated 2020-05-01 with transitional use until 2020-10-31)
entity-category URI | |
---|---|
eduGAIN enabled | No |
Definition
The SFS 1993:1153 category is strictly reserved for services that are governed by the Swedish legislation SFS 1993:1153.
SFS 1993:1153 limits membership in this category to services provided by Swedish universities, Swedish university colleges and the Swedish government agencies Swedish Council for Higher Education (UHR) and Statistics Sweden (SCB).
The entity category is intended for common government operated student admissions and achieved learning administration services such as NyA and LADOK as well as services for student account enrollment, course registration and learning progression processes at universities and university colleges.
Inclusion in this category is strictly reserved for services that fulfill SFS 1993:1153 which implies that the application may make use of norEduPersonNIN, i.e. the Swedish Personal identity number, the Swedish Co-ordination number or the Higher education personal interim identity number. The expected IdP behavior is to release norEduPersonNIN. If the Identity Provider home organisation has fulfilled the requirements for SWAMID Assurance Profiles eduPersonAssurance should also be released.
Examples of services that are viable for this entity category are a course registration self service, a student account creation service, a learning progression registration service and an internship administration self service.
Expected attribute release
Attribute | OID | Comment |
---|---|---|
transientId | | SAML2 session user identifier. |
eduPersonTargetedID | 1.3.6.1.4.1.5923.1.1.1.10 | |
eduPersonAssurance | 1.3.6.1.4.1.5923.1.1.1.11 | One or more Assurance Profiles for the user if it is defined, please see "3.3 Configure Shibboleth SP - Check for Identity Assurance or REFEDS SIRTFI" for more information. |
norEduPersonNIN | 1.3.6.1.4.1.2428.90.1.5 | Swedish government Personal Identity Number, Swedish government temporary Co-ordination number or Swedish National Admission system interim identity number. |
Process for applying for tagging a service with entity category SFS 1993:1153
The service operator sends an e-mail to operations@swamid.se with a formal request.
The request must contain the following information:
- Purpose and scope of the service.
- Full description of why norEduPersonNIN is needed in the service.
Upon receiving a request SWAMID operations will evaluate against the Swedish legislation SFS 1993:1153 (2 kap. 6 § and 4 kap. 4 §). SWAMID operations will normally respond within two weeks. If the evaluation is positive SWAMID operations will add the requested entity category to the service metadata.
SWAMID Data Protection Entity Categories (deprecated 2020-05-01 with transitional use until 2020-10-31)
These categories indicate a classification that Identity Providers (IdP) use to decide whether mostly harmless personal attributes can be released to a Service Provider (SP) under the Swedish Personal Data Act (PUL). They are used together with the Research & Education Entity Category above.
SWAMID HEI Service (deprecated 2020-05-01 with transitional use until 2020-10-31)
entity-category URI | |
---|---|
eduGAIN enabled | No |
Definition
The application is provided by a Swedish Higher Education Institution (HEI) which is ultimately responsible for its operation.
This category is only relevant for attribute release from SWAMID registered IdPs to services at Swedish universities, Swedish university colleges and the Swedish Council for Higher Education.
SWAMID NREN Service (deprecated 2020-05-01 with transitional use until 2020-10-31)
entity-category URI | |
---|---|
eduGAIN enabled | No |
Definition
The application is provided by SUNET (the Swedish National Research and Education Network, NREN) which is ultimately responsible for its operation.
This category is only relevant for attribute release from SWAMID registered IdPs to SUNET services.
SWAMID EU Adequate Protection (deprecated 2020-05-01 with transitional use until 2020-10-31)
entity-category URI | |
---|---|
eduGAIN enabled | No |
Definition
The application is compliant with either
- EU data protection directive as implemented in the national legislation (the service is located in an EU or EES country) or
- For services located outside EU and EES
- EU adequate protection for third countries according to Commission decisions on the adequacy of the protection of personal data in third countries or
- EU Model Contracts for the transfer of personal data to third countries.