Individual federations have varying attribute release mechanisms, unlike the AAF's defined core attribute and optional attribute set. The AAF has defined a set of CORE attributes which Identity Providers are expected to provide to services that are authorised to request them. Not all federations have a defined set of CORE attributes that service providers can rely upon, which makes it difficult for services to obtain the attributes they require to function effectively.
The global community recognised this as an issue and subsequently created the Research and Scholarly (R&S) mechanism to help resolve it. Identity Providers who assert this entity category are making a statement about their Identity Provider: that it is willing to release attributes and to participate in the standardisation of attributes through the R&S attribute bundle.
The attributes in the R&S bundle are a subset of the AAF CORE attributes, so implementing them requires minimal technical change. However, limiting attribute release to only those services that assert R&S will require further technical changes.
How does R&S work?
Categorising Service Providers as R&S simplifies Identity Provider configuration. Participating Identity Providers release a minimal set of low-sensitivity attributes via a one-time addition to their default release policies. After making the addition, the Identity Provider can release attribute information about users to any R&S service without needing to change its attribute release rules again.
By default, most Identity Providers (IdPs) in eduGAIN share only "opaque identifiers" and no other attributes. In this situation, Service Providers must bilaterally negotiate the release of attributes with individual IdPs. Note: this is not the case for services and Identity Providers within the AAF.
The R&S category provides a simpler and more scalable approach to Identity Provider configuration. R&S ensures the attributes in the bundle are shared by participating Identity Providers and Service Providers. As a result, researchers and scholars on campuses that support R&S can seamlessly access a growing list of R&S services without delay and without further support from their local IdP administrators.
It is expected that all AAF Identity Providers participating in eduGAIN will also support attribute release through the R&S mechanism.
Asserting the R&S attributes from an eduGAIN-connected IdP requires the following technical implementation:
- Ensure all R&S attributes are being correctly resolved
- Use the AAF Attribute Validator to verify this
- Ensure the attributes are correctly released to services that assert R&S
R&S Attribute bundle
Any of the attributes available within the AAF can be requested, although an attribute will be unavailable unless the IdP actually asserts it. IdPs are unique and commonly assert varying attributes, so unless R&S attributes are being used it is best to check with the individual IdP. This process is not scalable in eduGAIN because of the large number of IdPs and SPs and the varying attributes they may or may not assert, which is why the R&S category has been implemented: it gives every participant a default set of attributes.
The Research and Scholarly category forms a fundamental attribute set which guarantees a higher success rate when requesting attributes from the R&S attribute bundle. The R&S attribute bundle consists (abstractly) of the following required data elements:
- shared user identifier
- person name
- email address
and one optional element:
- affiliation
Here, shared user identifier is a persistent, non-reassigned, non-targeted identifier, defined to be either of the following:
- eduPersonPrincipalName (if non-reassigned)
- eduPersonPrincipalName + eduPersonTargetedID
and person name is defined to be either (or both) of the following:
- givenName + sn
Email address is defined to be the mail attribute, and Affiliation is defined to be the eduPersonScopedAffiliation attribute. All attributes in the R&S attribute bundle are also part of the AAF Core attribute set.
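As an added example (not AAF code or configuration), the two technical steps above, checking that the bundle is resolved and releasing it only to services that assert R&S, expressed in Python: it reads the R&S entity category from a constructed SP metadata fragment and checks a constructed set of resolved attributes against the bundle as this page defines it. The entity-category attribute name and the REFEDS R&S category URI are the standard values rather than values from this page; the entityID and user values are placeholders.

```python
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITY_CATEGORY = "http://macedir.org/entity-category"  # entity attribute that carries categories
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"  # REFEDS R&S category URI
RS_BUNDLE = ("eduPersonPrincipalName", "eduPersonTargetedID", "givenName", "sn", "mail",
             "eduPersonScopedAffiliation")  # bundle attributes, including optional affiliation
# Constructed SP metadata for this example; the entityID is a placeholder, not a real service.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" entityID="https://sp.example.edu/shibboleth">
  <md:Extensions><mdattr:EntityAttributes>
    <saml:Attribute Name="http://macedir.org/entity-category">
      <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
    </saml:Attribute>
  </mdattr:EntityAttributes></md:Extensions>
</md:EntityDescriptor>"""

# Constructed attributes, as an IdP's resolver might produce them for one user.
RESOLVED = {"eduPersonPrincipalName": "jsmith@example.edu", "givenName": "Jane", "sn": "Smith",
            "mail": "jane.smith@example.edu", "displayName": "Jane Smith",
            "eduPersonScopedAffiliation": "staff@example.edu"}

def entity_categories(metadata_xml):
    """Collect every entity-category value asserted in the SP's EntityDescriptor."""
    root = ET.fromstring(metadata_xml)
    attrs = root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS)
    return {v.text.strip() for a in attrs if a.get("Name") == ENTITY_CATEGORY
            for v in a.findall("saml:AttributeValue", NS) if v.text}

def bundle_gaps(resolved, eppn_reassignable=False):
    """Required bundle elements not satisfied: identifier is ePPN alone if non-reassigned,
    else ePPN + eduPersonTargetedID; name is givenName + sn; email is mail."""
    gaps = []
    if not (resolved.get("eduPersonPrincipalName")
            and (not eppn_reassignable or resolved.get("eduPersonTargetedID"))):
        gaps.append("shared user identifier")
    if not (resolved.get("givenName") and resolved.get("sn")):
        gaps.append("person name")
    if not resolved.get("mail"):
        gaps.append("email address")
    return gaps

def release_for(sp_metadata_xml, resolved):
    """Release the R&S bundle, and nothing outside it, only to SPs that assert R&S."""
    if RS_CATEGORY not in entity_categories(sp_metadata_xml):
        return {}  # non-R&S services get nothing from this rule; they need their own
    return {k: v for k, v in resolved.items() if k in RS_BUNDLE}
```

Run bundle_gaps against the attributes your resolver actually emits before enabling the release rule; an empty list is the state the AAF Attribute Validator step is meant to confirm.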