Requirements and best practices for exchanging attributes in the Federation
InCommon Federation Attribute Overview
Federation and Identity Attributes
The InCommon Federation provides a trust fabric in which users access protected resources. Service Providers, the federation entities that protect resources, and Identity Providers, the federation entities at which users log in, work together to manage user access. InCommon participants accomplish this with federation software such as Shibboleth or other products that implement the Security Assertion Markup Language (SAML).
When a user attempts to access a site protected by a Service Provider, the Service Provider usually asks the user’s Identity Provider for one or more specific “identity attributes” that it needs or wants in order to grant the user their authorized access privileges on the site, to personalize their experience, to account for use of resources, or for other purposes. These attributes might include a user identifier, organizational affiliation, email address, and so on. The Identity Provider obtains user attributes from the organization’s Identity Management System and releases them to Service Providers only in accord with its configured “attribute release policies.”
InCommon requires its federation participants to support a defined set of user attributes, and it requires or recommends the use or release of certain user attributes to enable interoperability and a good user experience and to help protect personal privacy. Support requirements are interoperability requirements: they ensure that two federated entities mean the same thing when they exchange a given attribute. A supported attribute might or might not be made available for use by an Identity Provider. Release requirements and recommendations state when an Identity Provider should or must release certain user attributes to a Service Provider. Participants are welcome to support and/or release attributes beyond those described here as suits their purposes in using the federation.
Attribute support requirements
All InCommon federation participants must support the eduPerson attributes. That is, attributes used in federated transactions whose definitions agree with those in eduPerson must be expressed as the eduPerson specification prescribes, and other attributes that participants use in a federation context must not conflict with those defined in eduPerson. The eduPerson and eduOrg page links to details on how to implement eduPerson and related information.
Attribute release requirements
Research & scholarship attributes
The international community of research and education federations, to which InCommon belongs, has implemented a program called the Research & Scholarship Category (R&S). This program is designed to ensure successful user access to protected resources provided for a research or scholarly purpose. R&S Service Providers typically require a small set of user attributes in order to provide their service; this set is called the “R&S attributes.”
The R&S program requires federation operators like InCommon to vet Service Providers requesting to be recognized as R&S Service Providers in a standard way so as to uphold user privacy principles in a federation context. An Identity Provider can participate in the R&S program by identifying itself in a standard way and configuring a corresponding attribute release policy. The Research & Scholarship Entity Category page provides additional details, including how to participate in the Research & Scholarship category.
InCommon requires that Identity Providers signalling participation in the R&S program release the appropriate attributes to R&S Service Providers as requested in accord with the R&S program.
Attribute release recommendations
Research & scholarship attributes
InCommon strongly recommends that all InCommon Identity Providers that support users engaged in research or scholarly activities participate in the R&S program. It further recommends that all InCommon Service Providers that provide research or scholarly services request to be recognized as R&S Service Providers.
Default Attribute Release policy
InCommon strongly recommends that each InCommon Identity Provider configure a default attribute release policy that permits releasing at least one non-reassigned and permanently unique user identifier. These can be chosen from eduPersonUniqueID, eduPersonPrincipalName, or eduPersonTargetedID.
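The two release policies described above (the R&S release requirement and the recommended default release of one non-reassigned unique identifier) map directly onto a Shibboleth IdP attribute filter. The following attribute-filter.xml is an added illustration, not InCommon's or the Shibboleth project's own file. It assumes the Shibboleth IdP v3/v4 attribute filter policy (AFP) syntax, that the attribute IDs used match those defined in the IdP's attribute-resolver.xml, and that R&S Service Providers are tagged in federation metadata with the REFEDS entity category URI http://refeds.org/category/research-and-scholarship; the attribute bundle in the second policy is the REFEDS R&S set, which this page does not enumerate.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example attribute-filter.xml for a Shibboleth IdP (v3/v4 AFP syntax).
     Added illustration, not InCommon's or the Shibboleth project's file.
     Assumes the attribute IDs below match those in attribute-resolver.xml. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <!-- Default release policy (the InCommon recommendation): every Service
         Provider receives exactly one non-reassigned, permanently unique
         identifier and nothing else. eduPersonPrincipalName is chosen here;
         eduPersonUniqueID or eduPersonTargetedID would satisfy the same
         recommendation. -->
    <AttributeFilterPolicy id="defaultUniqueIdentifier">
        <PolicyRequirementRule xsi:type="ANY" />
        <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" />
    </AttributeFilterPolicy>

    <!-- Research and Scholarship release policy: matches only Service
         Providers whose federation metadata carries the REFEDS R&S entity
         category. The IdP signals its own R&S participation separately, in
         its metadata. The bundle below is the REFEDS R&S attribute set
         (an assumption; the page does not list it). -->
    <AttributeFilterPolicy id="releaseToResearchAndScholarship">
        <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
            attributeName="http://macedir.org/entity-category"
            attributeValue="http://refeds.org/category/research-and-scholarship" />
        <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" />
        <AttributeRule attributeID="mail" permitAny="true" />
        <AttributeRule attributeID="displayName" permitAny="true" />
        <AttributeRule attributeID="givenName" permitAny="true" />
        <AttributeRule attributeID="sn" permitAny="true" />
        <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
    </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
```

Filter policies are additive: a Service Provider matching both rules receives the union of the permitted attributes, so the default identifier policy needs no exception for R&S Service Providers. The second policy is only as trustworthy as the entity-category tag it keys on, which is why the page stresses that the federation operator vets R&S Service Providers; the IdP should therefore evaluate this rule only against signed federation metadata it has verified, not against metadata supplied by the Service Provider itself.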