Entity Categories

When a user attempts to access a service with their school-provided digital identity:

1. The Service Provider requests a set of user attributes (e.g. full name, email address, name of institution) from the Identity Provider before it grants access to its resources.
2. Based on its privacy policies, the Identity Provider asks the user for their access credentials, and if correct, releases the requested set of user attributes to the Service Provider.
3. If the Service Provider receives the requested set of attributes, it grants access to its resources.

Entity Categories: A global standard for exchanging common attributes

Groups of entities (IdPs and SPs) with common system behaviours, information/attribute requirements, and security or privacy interests may be identified by a globally recognized Entity Category. By joining an Entity Category, IdPs and SPs indicate their agreement to exchange a standard set of attributes to other providers that also have joined the Entity Category.

By joining an Entity Category, IdPs release a controlled set of low-risk attributes to all SPs in that category, based on the criteria detailed in the category’s specification. This simplifies how Attribute Release Policies are managed by eliminating the need for Identity Providers to review and configure individual attribute release policies for every Service Provider.

Scaling to support thousands of IdPs and SPs, Entity Categories significantly simplify:

• the roll-out of new services,
• the interoperability of all services,
• the management of user attributes, and most important,
• collaboration possibilities for researchers and students.

For SPs, Entity Categories reduce service integration efforts by ensuring that the correct attributes are released consistently by all IdPs within the category.

Managing Entity Categories

The global specifications for Entity Categories is defined by GÉANT, the pan-European Research and Education Network, through its Research and Education Federations (REFEDS) working group.

The Entity Categories supported by CAF participants is maintained and published on our website:

• CAF Participant List (Identity Providers)
• Federated Identity Management (FIM)-enabled Services (Service Providers)

Existing Entity Categories

The following entity categories developed by REFEDS are currently in use:

• Research and Scholarship (the only Entity Category currently supported by CAF)
• GÉANT Data Protection Code of Conduct
• Hide from Discovery

The Research and Scholarship (R&S) Entity Category

The Research and Scholarship (R&S) Entity Category has been designed as a simple and scalable way for Identity Providers to release minimal amounts of required personal data (or attributes) to Service Providers serving the research and scholarship community. Valid services include collaborative tools and services such as wikis, blogs, project and grant management tools that require some personal information about users to work effectively. The R&S Entity Category is not intended for access to licensed content such as e-journals.

By joining the R&S Category, CAF participants that have deployed Federated Identity Management (FIM) can offer their students, researchers, and faculty instant access to services within the category.

Candidates for the Research and Scholarship (R&S) Category are Service Providers that are operated for the purpose of supporting research and scholarship interaction, collaboration or management, at least in part.

For Identity Providers, the R&S Entity Category attribute simplifies configuration of attribute release filters by enabling configuration of a single category specific filter, rather than configuring attribute release for each service individually.

Benefits of the R&S Entity Category

• Improved convenience for students, researchers, and faculty: instant access to participating services using campus credentials, without administrator involvement. Thus, as new services join the Entity Category, they are automatically added and available immediately.
• Simple collaboration: When a research project adds a new service or resource to the Entity Category, collaboration across participating institutions is automatic. Without the Entity Category, the research project may need to contact each participating institution individually to enable the correct attribute release policy.
• Vetted services: CAF reviews each application from all participants for adherence to the category’s definition and requirements.
• Efficient use of time and resources: once enabled, there is no additional involvement of IT staff to provision new R&S services.

How Does the R&S Entity Category Work?

As the operator of Canada’s identity federation (CAF), CANARIE distributes metadata indicating which entities support the R&S Entity Category. Using this information, IdPs and SPs recognize each other as being part of the research and education community and thus trustworthy for exchange of a basic, standardized set of attributes.

Joining the R&S Entity Category is a simple process.

If your organization participates in CAF and you have deployed Federated Identity Management (FIM), you’re almost there. Simply complete the application to Join the Research and Scholarship (R&S) Entity Category. The application must be completed by your organization’s CEO or CIO, or the designated CAF Signing Authority, Primary Business Contact, or Primary Technical Contact that we have on file for you.

Once our team has received your submission, we will contact you within five (5) business days with next steps. If you have any questions, please contact us at [email protected].