First, a few definitions.
Identity Provider (IdP)
Any organization that assigns digital identities to its user community. Examples include universities, colleges, or research facilities. A user is provided access credentials (e.g. username and password) for their digital identity.
Service Provider (SP)
Any organization of services, resources, or content that requires a digital identity for access. Examples include online research journal libraries, high-performance computing (HPC) centres for scientific research, or developers of video conferencing software for education.View Service Providers that participate in CAF
A digital identity is made up of attributes such as full name, email address, affiliation (student, faculty, staff), etc. Service Providers use attributes to operate effectively, for example allowing faculty but not students access to a service based on the user’s provided attributes.
Identity federations act as a trusted intermediary to exchange user attributes between Identity Providers and Service Providers.
When a user attempts to access a service with their school-provided digital identity:
- The Service Provider requests a set of user attributes (e.g. full name, email address, name of institution) from the Identity Provider before it grants access to its resources.
- Based on its privacy policies, the Identity Provider asks the user for their access credentials, and if correct, releases the requested set of user attributes to the Service Provider.
- If the Service Provider receives the requested set of attributes, it grants access to its resources.
Typically, Identity Providers need to decide which attributes they will and will not release, on a service-by-service basis – configuring each service individually.
Entity Categories: A global standard for exchanging common attributes
Groups of entities (IdPs and SPs) with common system behaviours, information/attribute requirements, and security or privacy interests may be identified by a globally recognized Entity Category. By joining an Entity Category, IdPs and SPs indicate their agreement to exchange a standard set of attributes to other providers that also have joined the Entity Category.
By joining an Entity Category, IdPs release a controlled set of low-risk attributes to all SPs in that category, based on the criteria detailed in the category’s specification. This simplifies how Attribute Release Policies are managed by eliminating the need for Identity Providers to review and configure individual attribute release policies for every Service Provider.
Scaling to support thousands of IdPs and SPs, Entity Categories significantly simplify:
- the roll-out of new services,
- the interoperability of all services,
- the management of user attributes, and most important,
- collaboration possibilities for researchers and students.
For SPs, Entity Categories reduce service integration efforts by ensuring that the correct attributes are released consistently by all IdPs within the category.
Managing Entity Categories
The Entity Categories supported by CAF participants is maintained and published on our website:
- CAF Participant List (Identity Providers)
- Federated Identity Management (FIM)-enabled Services (Service Providers)
Existing Entity Categories
The following entity categories developed by REFEDS are currently in use:
The Research and Scholarship (R&S) Entity Category
The Research and Scholarship (R&S) Entity Category has been designed as a simple and scalable way for Identity Providers to release minimal amounts of required personal data (or attributes) to Service Providers serving the research and scholarship community. Valid services include collaborative tools and services such as wikis, blogs, project and grant management tools that require some personal information about users to work effectively. The R&S Entity Category is not intended for access to licensed content such as e-journals.
Candidates for the Research and Scholarship (R&S) Category are Service Providers that are operated for the purpose of supporting research and scholarship interaction, collaboration or management, at least in part.
The R&S Entity Category strengthens the fabric of trust among CAF participants.
For Identity Providers, the R&S Entity Category attribute simplifies configuration of attribute release filters by enabling configuration of a single category specific filter, rather than configuring attribute release for each service individually.
Benefits of the R&S Entity Category
- Improved convenience for students, researchers, and faculty: instant access to participating services using campus credentials, without administrator involvement. Thus, as new services join the Entity Category, they are automatically added and available immediately.
- Simple collaboration: When a research project adds a new service or resource to the Entity Category, collaboration across participating institutions is automatic. Without the Entity Category, the research project may need to contact each participating institution individually to enable the correct attribute release policy.
- Vetted services: CAF reviews each application from all participants for adherence to the category’s definition and requirements.
- Efficient use of time and resources: once enabled, there is no additional involvement of IT staff to provision new R&S services.
How Does the R&S Entity Category Work?
As the operator of Canada’s identity federation (CAF), CANARIE distributes metadata indicating which entities support the R&S Entity Category. Using this information, IdPs and SPs recognize each other as being part of the research and education community and thus trustworthy for exchange of a basic, standardized set of attributes.
Joining the R&S Entity Category is a simple process.
If your organization participates in CAF and you have deployed Federated Identity Management (FIM), you’re almost there. Simply complete the application to Join the Research and Scholarship (R&S) Entity Category. The application must be completed by your organization’s CEO or CIO, or the designated CAF Signing Authority, Primary Business Contact, or Primary Technical Contact that we have on file for you.
Once our team has received your submission, we will contact you within five (5) business days with next steps. If you have any questions, please contact us at email@example.com.