Entity Category attribute release in SWAMID

Entity categories are used for data release minimization and scalable attribute release from an Identity Provider within SWAMID to a Service Provider in SWAMID and/or eduGAIN. At the wiki page 4.1 Entity Categories for Service Providers all entity categories are described.

If an owner of a Service and the Identity Provider Home Organisation has a bilateral agreement the attribute release can be extended with additional attributes based on the agreement.

Best Practice attribute release based on entity categories

x - Attribute is released if it's available in the Home Organisation Identity Provider.
o - Attribute is released only if requested and required in the metadata for the service and if it's available in the Home Organisation Identity Provider.

SAML2 Attribute IdentifierFriendly NameWithout enitity category

Data protection Code of Conduct (REFEDS CoCo v2 and GÉANT CoCo v1)

REFEDS Personalized Access Entity CategoryREFEDS Pseudonymous Access Entity CategoryREFEDS Anonymous Access Entity CategoryREFEDS Research and Scholarship Entity Category (R&S)

European Student Identifier Entity Category




Restriction

Attribute released
"only if requested and required" in metadata1.

Note that norEduPersonNIN and personalIdentityNumber has additional restrictions2.






urn:oasis:names:tc:SAML:attribute:pairwise-idpairwise-id
o
x


urn:oasis:names:tc:SAML:attribute:subject-idsubject-id
ox



urn:oid:1.3.6.1.4.1.5923.1.1.1.10eduPersonTargetedID
o


(x3)
urn:oid:1.3.6.1.4.1.5923.1.1.1.6eduPersonPrincipalName
o


x
urn:oid:1.3.6.1.4.1.5923.1.1.1.16eduPersonOrcid
o4




urn:oid:1.3.6.1.4.1.2428.90.1.5norEduPersonNIN
o2




urn:oid:1.2.752.29.4.13personalIdentityNumber
o2




urn:oid:1.3.6.1.4.1.25178.1.2.3 schacDateOfBirth
o




urn:oid:0.9.2342.19200300.100.1.3mail
ox

x
urn:oid:2.16.840.1.113730.3.1.13mailLocalAddress
o5




urn:oid:2.5.4.42givenName
o6x6

x6
urn:oid:2.5.4.4sn (aka surname)
o6x6

x6
urn:oid:2.16.840.1.113730.3.1.241displayName
o6x6

x6
urn:oid:1.3.6.1.4.1.2428.90.1.10norEduPersonLegalName
o6




urn:oid:2.5.4.3cn (aka commonName)
o6




urn:oid:1.3.6.1.4.1.5923.1.1.1.11eduPersonAssurance
oxx
x7
urn:oid:1.3.6.1.4.1.5923.1.1.1.9eduPersonScopedAffiliation
oxxxx
urn:oid:1.3.6.1.4.1.5923.1.1.1.1eduPersonAffiliation
o




urn:oid:2.5.4.10o (aka organizationName)
o




urn:oid:1.3.6.1.4.1.2428.90.1.6norEduOrgAcronym
o




urn:oid:2.5.4.6c (aka countryName)
o




urn:oid:0.9.2342.19200300.100.1.43co (aka friendlyCountryName)
o




urn:oid:1.3.6.1.4.1.25178.1.2.9schacHomeOrganization
oxxx

urn:oid:1.3.6.1.4.1.25178.1.2.10schacHomeOrganizationType
o




 urn:oid:1.3.6.1.4.1.25178.1.2.14

schacPersonalUniqueCode





x8


  1. The entity category the REFEDS and GÉANT Code of Conduct entity categories does not have a specific attribute bundle. Instead of an attribute bundle it uses attribute request in metadata for specific required attributes.
  2. norEduPersonNIN and personalIdentityNumber shall only be released when required by entities registered with in SWAMID (registrationAuthority="http://www.swamid.se/").
    • personalIdentityNumber must only contain Swedish Personal Numbers or Swedish Co-ordination Numbers.
    • norEduPersonNIN can besides  Swedish Personal Numbers and Swedish Co-ordination Numbers also contain Interim Personal Numbers from the student documentation system Ladok and the Swedish national study enrolment system.
  3. eduPersonTargetedID should only be released with the entity category REFEDS Research & Scholarship if eduPersonPrincipalName is reassignable. All Identity Providers in SWAMID must by the SWAMID Assurance Profiles be longterm unique and therefore it should not be released.
  4. eduPersonOrcid should only be released if and only if the IdP organization has retrived the ORCID iD via the ORCID Collect & Connect service. ORCID iDs are persistent digital identifiers for individual researchers. Their primary purpose is to unambiguously and definitively link them with their scholarly work products. ORCID iDs are assigned,managed and maintained by the ORCID organization.
  5. mailLocalAddress is used for services that may need access to more than one mail address for the user, for example mail aliases and secondary mail addresses. A use case for this is when a person is invited by another mail address than the one in released in the mail attribute.
  6. Name attribute are expected to be released as following:
    • givenName is the legal first name of the person. If the person has more than one legal first name it's possible to only release the default name (sw. tilltalsnamn) or the person can choose which one of the legal first names they want to be released.
    • sn (aka surname) is the legal last name (or family name) of the person.
    • displayName shall always be the combination of givenName and sn.
    • norEduPersonLegalName must always be the full legal name from the population registry or official travel documents defined in ICAO 9306 (passports or European national identity cards), otherwise it must not be released.
    • cn (aka commonName) must be the persons full name, not the attribute value from Active Directory.
  7. Within SWAMID the REFEDS Research and Scholarship Entity Category is extended to also include eduPersonAssurance.
  8. This entity category should only trigger release of the European Student Identifier (ESI) value as specified by https://wiki.geant.org/display/SM/European+Student+Identifier

URI for all entity categories used within SWAMID

Entity categoryUnique identifier
GÉANT Data Protection Code of Conduct Entity Categoryhttp://www.geant.net/uri/dataprotection-code-of-conduct/v1
REFEDS Data Protection Code of Conduct Entity Categoryhttps://refeds.org/category/code-of-conduct/v2
REFEDS Personalized Access Entity Categoryhttps://refeds.org/category/personalized
REFEDS Pseudonymous Access Entity Categoryhttps://refeds.org/category/pseudonymous
REFEDS Anonymous Access Entity Categoryhttps://refeds.org/category/anonymous
REFEDS Research and Scholarship Entity Category (R&S)http://refeds.org/category/research-and-scholarship
European Student Identifier  Entity Category (ESI)https://myacademicid.org/entity-categories/esi
SWAMID R&Ehttp://www.swamid.se/category/research-and-educationDeprecated and decommisoned
SWAMID SFS-1993-1153http://www.swamid.se/category/sfs-1993-1153Deprecated and decommisoned
SWAMID EU-Adequate-Protectionhttp://www.swamid.se/category/eu-adequate-protectionDeprecated and decommisoned
SWAMID NREN-Servicehttp://www.swamid.se/category/nren-serviceDeprecated and decommisoned
SWAMID HEI-Servicehttp://www.swamid.se/category/hei-serviceDeprecated and decommisoned


URI for all assurance profiles used within SWAMID

EntitetskategoriUnik identifierare
SWAMID AL1http://www.swamid.se/policy/assurance/al1
SWAMID AL2http://www.swamid.se/policy/assurance/al2
SWAMID AL3http://www.swamid.se/policy/assurance/al3
SWAMID AL2-MFA-HIhttps://www.swamid.se/policy/authentication/swamid-al2-mfa-hiDeprecated and decommisoned
REFEDS Assurance Frameworkhttps://refeds.org/assurance/*
REFEDS Security Incident Response Trust Framework for Federated Identity (SIRTFI) version 1https://refeds.org/sirtfi
REFEDS Security Incident Response Trust Framework for Federated Identity (SIRTFI) version 2https://refeds.org/sirtfi2



  • No labels