
Research and Scholarship (R&S) Entity Category

The Research and Scholarship (R&S) Entity Category lets Canadian Access Federation (CAF) participants that use Federated Identity Management give their faculty and researchers immediate access to participating research collaboration services.

The R&S Entity Category raises the trust level among CAF participants. For Identity Providers (IdPs), the R&S entity attribute simplifies attribute release: a single category-specific release filter replaces a “per service” filter for each SP. For Service Providers (SPs), it reduces integration effort because every IdP that supports the category releases the same attribute bundle.

Benefits of R&S Entity Categories

  • Convenience for faculty and researchers: instant access to participating services using campus credentials, without administrator involvement
  • Ease of collaboration: When a research project adds a service to the Entity Category, collaboration across participating institutions is immediate
  • Vetted services: CAF reviews each service application for adherence to the category definition and requirements
  • Efficient use of time and resources: once enabled, there is no additional involvement of IT staff to provision new R&S services

How Does the R&S Entity Category Work?

As the operator of the identity federation in Canada, CAF distributes metadata indicating which entities support the R&S Entity Category. Using this information, IdPs and SPs recognize each other as part of the research and education community and thus as trustworthy for the exchange of a basic, standardized set of attributes.

How to Support the R&S Entity Category

CAF participants operating an IdP and/or SP should follow the steps below to enable support for the R&S Entity Category.

Identity Providers

  1. Review and confirm you’re prepared to meet the Identity Provider Requirements described in the R&S Entity Category specification.
  2. Send an email to tickets@canarie.ca requesting the R&S Entity Category attribute be added to your CAF FIM IdP entity metadata. CAF will advise you when the updates have been completed.
  3. Update your IdP attribute release filters to recognize R&S compliant SPs and release the attribute bundle per the Identity Provider Requirements described in the R&S Entity Category specification. The filter rule matches the entity-category attribute that CAF publishes in the SP’s metadata, so the decision is only as trustworthy as your IdP’s signature verification of the CAF metadata feed. Users of Shibboleth IdP version 3.2.1 or later can use the configuration below:
<!-- REFEDS Research and Scholarship -->
<AttributeFilterPolicy id="CAF-IdPInstaller-releaseToRandS">
    <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
        attributeName="http://macedir.org/entity-category"
        attributeValue="http://refeds.org/category/research-and-scholarship" />

    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="eduPersonTargetedID">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>

    <!-- 'email' must match the attributeID used in your attribute-resolver.xml for the
         attribute with friendly name 'mail' (urn:oid:0.9.2342.19200300.100.1.3);
         this rule permits that attribute to be released. -->
    <AttributeRule attributeID="email">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>

    <AttributeRule attributeID="displayName">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="givenName">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="surname">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>

    <!-- Affiliation is optional in the bundle, but its release is still "strongly recommended". -->
    <AttributeRule attributeID="eduPersonScopedAffiliation">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>

</AttributeFilterPolicy>

Shibboleth IdP versions earlier than 3.2.1 use the older namespace-prefixed syntax (afp:, basic:, saml:) of the filter configuration files and the AttributeRequesterEntityAttributeExactMatch rule type:

<afp:AttributeFilterPolicy id="CAF-IdPInstaller-releaseToRandS">
    <afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
        attributeName="http://macedir.org/entity-category"
        attributeValue="http://refeds.org/category/research-and-scholarship" />

    <afp:AttributeRule attributeID="eduPersonPrincipalName">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="eduPersonTargetedID">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>

    <!-- 'email' must match the attributeID used in your attribute-resolver.xml for the
         attribute with friendly name 'mail' (urn:oid:0.9.2342.19200300.100.1.3);
         this rule permits that attribute to be released. -->
    <afp:AttributeRule attributeID="email">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>

    <afp:AttributeRule attributeID="displayName">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="givenName">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="surname">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>

    <!-- Affiliation is optional in the bundle, but its release is still "strongly recommended". -->
    <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>

Test your IdP by following the Test Instructions below.
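The following Python is an added example, not CAF’s or the Shibboleth project’s code. It shows what the “How Does the R&S Entity Category Work?” section and the filter policy above amount to in practice: it reads a SAML metadata aggregate, finds which entities carry the R&S entity category (SPs) or the matching entity-category-support tag (IdPs), and applies the same release decision as the filter policy. The metadata document and the user attributes are constructed; the entityIDs and attribute IDs in it are placeholders, and the bundle names follow the attributeIDs used in the policy above.

```python
"""Added example: read a SAML metadata aggregate, identify R&S entities, and
mirror the IdP attribute-filter decision. Not CAF or Shibboleth code."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
ENTITY_CATEGORY_SUPPORT = "http://macedir.org/entity-category-support"
RS = "http://refeds.org/category/research-and-scholarship"

# The bundle the filter policy above releases, by IdP-side attributeID.
RS_BUNDLE = ("eduPersonPrincipalName", "eduPersonTargetedID", "email",
             "displayName", "givenName", "surname", "eduPersonScopedAffiliation")

# Constructed aggregate: one R&S SP, one plain SP, one IdP that supports R&S.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://sp-rs.example.org/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-plain.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.ca/idp/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category-support"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def entity_attributes(entity):
    """Return {attribute Name: [values]} from an EntityDescriptor's mdattr:EntityAttributes."""
    found = {}
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        found.setdefault(attr.get("Name"), []).extend(values)
    return found


def load_entities(metadata_xml):
    """Map entityID -> entity attributes for every EntityDescriptor in the aggregate.
    The caller must have verified the aggregate's XML signature before calling this:
    the category tag is only as trustworthy as the metadata it arrives in."""
    root = ET.fromstring(metadata_xml)
    return {e.get("entityID"): entity_attributes(e)
            for e in root.iter("{%s}EntityDescriptor" % NS["md"])}


def is_rs_sp(entities, entity_id):
    """True if the entity is tagged with the R&S entity category (an SP in the category)."""
    return RS in entities.get(entity_id, {}).get(ENTITY_CATEGORY, [])


def supports_rs(entities, entity_id):
    """True if the entity advertises support for R&S (an IdP that releases the bundle)."""
    return RS in entities.get(entity_id, {}).get(ENTITY_CATEGORY_SUPPORT, [])


def release_for(entities, sp_entity_id, user_attrs):
    """Mirror the filter policy: if the requesting SP carries the R&S category, release
    the R&S bundle and nothing else; otherwise this policy releases nothing."""
    if not is_rs_sp(entities, sp_entity_id):
        return {}
    return {k: v for k, v in user_attrs.items() if k in RS_BUNDLE and v}


if __name__ == "__main__":
    ents = load_entities(SAMPLE_METADATA)
    user = {"eduPersonPrincipalName": ["jdoe@example.ca"], "email": ["jdoe@example.ca"],
            "displayName": ["Jane Doe"], "eduPersonScopedAffiliation": ["staff@example.ca"],
            "eduPersonEntitlement": ["urn:mace:dir:entitlement:common-lib-terms"]}
    for sp in ("https://sp-rs.example.org/shibboleth", "https://sp-plain.example.org/shibboleth"):
        print(sp, "->", sorted(release_for(ents, sp, user)))
```

Run against a real CAF or eduGAIN aggregate, `load_entities` lists every entity the federation has tagged, which is a quick way to confirm that your own IdP carries the entity-category-support tag after step 2, and that a given SP really is in the category before you troubleshoot its attribute release.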

Service Providers

  1. Review and confirm you’re prepared to meet the Service Provider Requirements described in the R&S Entity Category specification.
  2. Review, and if necessary, update your service to meet the requirements for requesting and using the R&S attribute bundle described in R&S Entity Category specification.
  3. Apply to register your SP as an R&S compliant service by completing the R&S Attestation Form. Please note that if you are not a registered CAF contact for your institution, a CAF team member will follow up with the contact of record from your organization to confirm you are authorized to make this request.
  4. A CAF team member will contact you to confirm your compliance with the R&S Entity Category requirements and to let you know when testing can begin.

Testing

Identity Provider Test Instructions

IdPs can verify that their attribute release policies are working by visiting a Service Provider that has been assigned the R&S Entity Category. CAF recommends testing with the eduGAIN Wiki to verify that attributes are being released as expected.

Service Provider Test Instructions

Service Providers can test their configuration by identifying an Identity Provider that supports the R&S Entity Category and a person or account that can sign on through that provider.

A sign-on from that Identity Provider should release the R&S attribute set to the Service Provider, indicating correct configuration. See the Procedure below for an example of inspecting what a Shibboleth-based Service Provider received.

Service Providers not using Shibboleth for their integration may need other methods to verify that attribute release is occurring, e.g. reviewing logs after a successful login.

The procedure below uses the eduGAIN Wiki as the test SP; a successful test verifies both the proper R&S Entity Category behaviour and that your IdP is properly configured for eduGAIN.

Learn more about eduGAIN.

Procedure

1. Open a new private window in your browser and visit https://wiki.edugain.org. Click “Login” at the top of the page.

2. On the Discovery page, enter the name of your IdP. In this example, we are using CANARIE’s IdP.

3. Log in to your organization.

4. Verify that you have successfully logged in (your information should have replaced the Login button).

5. After successful login, change the browser address to https://wiki.edugain.org/Shibboleth.sso/Session. This is the Shibboleth SP’s Session handler, which lists the attributes the SP received for the current session.

6. Inspect the ‘Attributes’ section of the resulting page to ensure the attribute bundle defined in the R&S Entity Category is returned. If you repeat this check on your own Shibboleth SP, note that the Session handler prints attribute values only when it is configured with showAttributeValues="true"; otherwise it prints each attribute name with a value count, which is still enough to confirm that the bundle was released.
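As an added example, not part of this page and not Shibboleth project code, the following Python checks a saved copy of the Session page text for a complete R&S bundle, so the inspection in step 6 can be scripted rather than eyeballed. The page text is constructed, and the attribute ids (eppn, persistent-id, mail, displayName, givenName, sn, affiliation) are assumed to be the ones your SP’s attribute-map.xml assigns; substitute your own. The check goes slightly beyond the page: it distinguishes the required part of the bundle from the recommended affiliation, and treats eduPersonTargetedID as required only when the IdP’s eduPersonPrincipalName values can be reassigned.

```python
"""Added example: parse a Shibboleth SP /Shibboleth.sso/Session page and check
that the R&S attribute bundle arrived. Not CAF or Shibboleth code."""
import re

# Constructed sample of the Session handler's output. With the default
# showAttributeValues="false" the SP prints a value count per attribute.
SAMPLE_SESSION_PAGE = """Miscellaneous
Identity Provider: https://idp.example.ca/idp/shibboleth
Authentication Time: 2024-01-01T00:00:00Z

Attributes
affiliation: 1 value(s)
displayName: 1 value(s)
eppn: 1 value(s)
mail: 1 value(s)
persistent-id: 1 value(s)
"""


def parse_session_attributes(page_text):
    """Return {attribute id: value count} from the 'Attributes' section.
    Accepts 'name: N value(s)' lines (values hidden) and 'name: value' lines
    (showAttributeValues="true"); in the latter case values are assumed to be
    ';'-separated, so the count is the number of non-empty pieces."""
    attrs = {}
    in_attrs = False
    for line in page_text.splitlines():
        line = line.strip()
        if line == "Attributes":
            in_attrs = True
            continue
        if not in_attrs or ":" not in line:
            continue
        name, _, rest = line.partition(":")  # split on the first colon only (values may be URLs)
        m = re.fullmatch(r"(\d+) value\(s\)", rest.strip())
        if m:
            attrs[name.strip()] = int(m.group(1))
        else:
            attrs[name.strip()] = len([v for v in rest.split(";") if v.strip()])
    return attrs


def check_rs_bundle(attrs, eppn_reassignable=False):
    """Return (missing_required, missing_recommended) for the R&S bundle.
    Required: eppn, mail, and a name (displayName, or givenName and sn).
    persistent-id (eduPersonTargetedID) is required only if the IdP can
    reassign ePPN values; affiliation is optional but recommended."""
    def has(name):
        return attrs.get(name, 0) > 0

    required, recommended = [], []
    if not has("eppn"):
        required.append("eppn")
    if eppn_reassignable and not has("persistent-id"):
        required.append("persistent-id")
    if not has("mail"):
        required.append("mail")
    if not (has("displayName") or (has("givenName") and has("sn"))):
        required.append("displayName or givenName+sn")
    if not has("affiliation"):
        recommended.append("affiliation")
    return required, recommended


if __name__ == "__main__":
    received = parse_session_attributes(SAMPLE_SESSION_PAGE)
    missing, recommended = check_rs_bundle(received)
    print("received:", received)
    print("R&S bundle complete" if not missing else "missing required: %s" % missing)
    if recommended:
        print("not released (recommended):", recommended)
```

To use it on a real session, save the Session page as text (for example with the browser’s “save page as text”, or curl with the session cookie) and pass its contents to `parse_session_attributes`; an empty `missing_required` list means the IdP released everything the category requires.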