Research and Scholarship category (R&S)

1. Definition

1.1 Overview

The Research and Scholarship category (R&S) aims at enabling trustworthy exchange of a basic, standardized set of attributes between Identity Providers (IDP) and Service Providers (SP) belonging specifically to the research and education community.

Mutual recognition of membership in the research and education domain is based on the use of a specific tag in the metadata. This tag takes the form of an Entity Category attribute, respecting the following format:

<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
  <saml:Attribute
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="http://macedir.org/entity-category">
    <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
  </saml:Attribute>
</mdattr:EntityAttributes>

1.2 R&S attribute bundle

Controlling the release of attributes between R&S Identity and Service Providers is based on the definition of a small set of standardized attributes. The idea here is to transmit only the strict minimum in terms of attributes (i.e. the minimum required to operate the service) for the purpose of confidentiality and privacy of user data.

Without going into technical considerations, this set of attributes consists of the following data elements:

  • User identifier
  • Person name
  • Email address
  • Affiliation

The table below shows whether or not each of these data is mandatory and the attributes used to represent them:

Type of data     | Mandatory / Optional | Usable attribute(s)
-----------------+----------------------+------------------------------------------------
User identifier  | Mandatory            | 1. eduPersonPrincipalName (if non-reassigned)
                 |                      |    OR
                 |                      | 2. eduPersonPrincipalName + eduPersonTargetedID
Person name      | Mandatory            | 1. displayName
                 |                      |    OR
                 |                      | 2. givenName + sn
Email address    | Mandatory            | mail
Affiliation      | Optional             | eduPersonScopedAffiliation

1.3 Service Provider requirements (SP)

R&S eligibility

# RS-SP-01
Candidates for the Research and Scholarship (R&S) Category are Service Providers that are operated for the purpose of supporting research and scholarship interaction, collaboration or management, at least in part.

Here is a non-exhaustive list of example Service Providers that are eligible for R&S:

  • cross-enterprise wikis;
  • collaboration tools for students, faculty, staff, and researchers;
  • data sharing and management tools;
  • access management tools;
  • learning platforms for research and education;
  • cloud computing and storage services for scientists.

The R&S category should not be used for access to licensed content such as e-journals.

Attributes

# RS-SP-02
A Service Provider should only request attributes defined in the R&S attribute bundle.
If additional attributes are required, it is up to the Service Provider to negotiate directly with the administrator of the Identity Provider(s) concerned (out of the scope of this document).

# RS-SP-03
For the sake of maximum interoperability, a Service Provider is strongly encouraged to support all the alternatives described in section 1.2 for the representation of the user ID and name.
In the case of the eduPersonTargetedID attribute, this recommendation includes the ability to support the SAML 2.0 persistent NameID, which is the recommended modern expression of the eduPersonTargetedID attribute in the SAML 2.0 standard.

# RS-SP-04
In the event that a Service Provider does not receive an eduPersonTargetedID attribute from an R&S Identity Provider, then the Service Provider can trust the ability of the Identity Provider to deliver a unique eduPersonPrincipalName attribute per user.

# RS-SP-05
Alternatively, a Service Provider can obtain a unique user ID by concatenating the values of the eduPersonPrincipalName and eduPersonTargetedID attributes. In the event that the value resulting from this concatenation changes over time, the Service Provider may then assume that the eduPersonPrincipalName has been re-assigned to another user.
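As an added illustration, not part of this federation's documentation, the account resolution logic that RS-SP-03, RS-SP-04 and RS-SP-05 describe on the Service Provider side, in Python. The "persistentNameID" attribute name and the in-memory account store are assumptions of the example.

```python
class RsAccountResolver:
    """Maps an R&S login to a local account (RS-SP-03, RS-SP-04, RS-SP-05).

    Assumption for this example: the SP keeps, per account, the ePPN and the
    ePTID (or None) the account was created with.
    """

    def __init__(self):
        # local key -> {"eppn": str, "eptid": str | None, "stale": bool}
        self.accounts = {}

    @staticmethod
    def identifiers(attrs):
        eppn = attrs.get("eduPersonPrincipalName")
        if not eppn:
            raise ValueError("eduPersonPrincipalName is mandatory in the R&S bundle")
        # RS-SP-03: a SAML 2.0 persistent NameID is the modern form of ePTID.
        # "persistentNameID" is the name this example assumes the SAML stack uses.
        eptid = attrs.get("eduPersonTargetedID") or attrs.get("persistentNameID")
        return eppn, eptid

    def resolve(self, attrs):
        eppn, eptid = self.identifiers(attrs)
        # RS-SP-04: with no ePTID, the R&S IdP guarantees ePPN is unique per user.
        # RS-SP-05: otherwise the concatenation is the unique identifier.
        key = eppn if eptid is None else f"{eppn}|{eptid}"
        if key in self.accounts:
            return key, "existing"
        live = [(k, r) for k, r in self.accounts.items()
                if r["eppn"] == eppn and not r["stale"]]
        status = "new"
        for old_key, rec in live:
            if eptid is not None and rec["eptid"] is None:
                # An account created under RS-SP-04 trust now receives an ePTID:
                # keep the account and move it under the concatenated key.
                del self.accounts[old_key]
                self.accounts[key] = dict(rec, eptid=eptid)
                return key, "linked"
            if eptid is not None and rec["eptid"] != eptid:
                # Same ePPN, different concatenation: RS-SP-05 says the ePPN has
                # been reassigned to another person, so the old account is retired.
                rec["stale"] = True
                status = "reassigned"
        self.accounts[key] = {"eppn": eppn, "eptid": eptid, "stale": False}
        return key, status
```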

Metadata

# RS-SP-06
An R&S-compliant Service Provider should contain the R&S tag in its SAML metadata.

1.4 Identity Provider requirements (IdP)

Attributes

# RS-IDP-01
When interacting with an R&S Service Provider, an R&S Identity Provider must implement a specific attribute filter policy limiting the attributes released to the R&S attribute bundle. This limitation to a minimum set of attributes only applies to the exchanges with R&S Service Providers (and not for non-R&S SPs).

# RS-IDP-02
An R&S Identity Provider must be able to release all the mandatory attributes of the R&S attribute bundle (defined in section 1.2) to all existing R&S Service Providers. Exceptions that limit the release of attributes to specific R&S Service Providers may be permitted in the event of a security incident or any other special circumstances.

# RS-IDP-03
An Identity Provider that does not release all the mandatory attributes of the R&S attribute bundle (defined in section 1.2) should not display the R&S tag in its SAML metadata.

# RS-IDP-04
The user ID must be persistent, unique and not specific to a service. If an Identity Provider can guarantee the uniqueness of the eduPersonPrincipalName over time, then it is sufficient. Otherwise, an Identity Provider must release the eduPersonTargetedID (unique by definition) in addition to the eduPersonPrincipalName. In all cases, the release of these two attributes is recommended.

# RS-IDP-05
The transmission of the user name requires at least the release of the displayName attribute or the givenName + sn attribute pair. The release of the three attributes (displayName, givenName and sn) is recommended.

# RS-IDP-06
An Identity Provider is strongly encouraged to release the complete R&S attribute bundle (mandatory + optional attributes) to the R&S Service Providers, in order to ensure interoperability and maximize the scope of supported services. In particular, it is important to note that the affiliation attribute is widely used by many R&S services in the research and education community.

Metadata

# RS-IDP-07
An Identity Provider indicates its R&S compliance by the presence of the R&S tag in its SAML metadata.
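An added example, not the federation's own code, of how an Identity Provider can apply RS-IDP-01 to RS-IDP-07 in Python: detect the R&S tag of section 1.1 in a Service Provider's metadata, release only the bundle of section 1.2 to tagged SPs, and refuse the release when a mandatory element cannot be satisfied. The sample metadata, the eppn_never_reassigned flag and the default-deny fallback for untagged SPs are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Namespaces of the entity category tag shown in section 1.1.
NS = {"mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"
# The R&S attribute bundle of section 1.2 (all alternatives plus the optional affiliation).
RS_BUNDLE = {"eduPersonPrincipalName", "eduPersonTargetedID", "displayName",
             "givenName", "sn", "mail", "eduPersonScopedAffiliation"}

# Constructed SP metadata for this example (not a real entity).
SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth"><Extensions>
  <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
    <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="http://macedir.org/entity-category">
      <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
    </saml:Attribute>
  </mdattr:EntityAttributes>
</Extensions></EntityDescriptor>"""

def is_rs_entity(metadata_xml):
    """RS-IDP-01: the R&S policy applies only to SPs tagged with the category."""
    root = ET.fromstring(metadata_xml)
    for attr in root.iterfind(".//mdattr:EntityAttributes/saml:Attribute", NS):
        values = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
        if attr.get("Name") == ENTITY_CATEGORY and RS_CATEGORY in values:
            return True
    return False

def rs_release(user_attrs, eppn_never_reassigned):
    """Keep only the bundle and enforce its mandatory elements (RS-IDP-02 to RS-IDP-05)."""
    out = {k: v for k, v in user_attrs.items() if k in RS_BUNDLE}
    if "eduPersonPrincipalName" not in out:
        raise ValueError("user identifier missing: eduPersonPrincipalName")
    if not eppn_never_reassigned and "eduPersonTargetedID" not in out:
        raise ValueError("ePPN may be reassigned: eduPersonTargetedID is required")
    if "displayName" not in out and not {"givenName", "sn"} <= set(out):
        raise ValueError("person name missing: displayName or givenName + sn")
    if "mail" not in out:
        raise ValueError("email address missing: mail")
    return out

def attributes_for(sp_metadata_xml, user_attrs, eppn_never_reassigned):
    """Tagged SPs get the R&S filter; untagged SPs fall back to default deny here."""
    if is_rs_entity(sp_metadata_xml):
        return rs_release(user_attrs, eppn_never_reassigned)
    return {}
```

An IdP that raises in rs_release for its own users cannot honour RS-IDP-02 and, per RS-IDP-03, should not carry the R&S tag in its metadata.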

2. Declaring an R&S compliance for your Identity Provider

To have your Identity Provider certified as supporting R&S:

  1. Read and understand the requirements for R&S IdPs;
  2. Declare your ability to support R&S for your Identity Provider on the federation registry.

3. Declaring an R&S compliance for your Service Provider

To have your Service Provider certified as supporting R&S:

  1. Ensure your service is eligible for R&S;
  2. Read and understand the requirements for R&S SPs;
  3. Declare your ability to support R&S for your Service Provider on the federation registry.