Research and Scholarship (R&S) Entity Category Technical Instructions

How to Support the R&S Entity Category

CAF participants operating an IdP and/or SP should follow the steps below to enable support for the R&S Entity Category.

  • Submit an application to join the R&S Entity Category
  • Once your application has been approved, follow the instructions below.

Identity Providers

  1. The CAF team will add the R&S Entity Category attribute to your CAF FIM IdP entity metadata. You will be notified when the updates have been completed.
  2. Update your IdP attribute release filters to recognize R&S-compliant Service Providers and release the attribute bundle per the Identity Provider requirements described in the R&S Entity Category. Users of Shibboleth IdP Version 4.x or later can use the configuration below:

 



<!-- REFEDS Research and Scholarship -->
<AttributeFilterPolicy id="CAF-releaseRandSAttributeBundle">
    <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
        attributeName="http://macedir.org/entity-category"
        attributeValue="http://refeds.org/category/research-and-scholarship" />

    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="eduPersonTargetedID">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>

    <!-- note 'mail' should match your attribute-resolver.xml attributeID field for friendly name 'mail'
         This rule permits 'mail', urn:oid:0.9.2342.19200300.100.1.3 to be populated -->
    <AttributeRule attributeID="mail">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>

    <AttributeRule attributeID="displayName">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="givenName">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="sn">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>

    <!-- Affiliation is optional but release is still "strongly recommended". -->
    <AttributeRule attributeID="eduPersonScopedAffiliation">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>

Users of Shibboleth versions earlier than 4.x but later than 3.2.1 should use this configuration, which reflects the slightly different XML handling of the configuration files:

<!-- REFEDS Research and Scholarship -->
<AttributeFilterPolicy id="CAF-IdPInstaller-releaseToRandS">
    <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
        attributeName="http://macedir.org/entity-category"
        attributeValue="http://refeds.org/category/research-and-scholarship" />

    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="eduPersonTargetedID">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>

    <!-- note 'email' should match your attribute-resolver.xml attributeID field for friendly name 'mail'
         This rule permits 'mail', urn:oid:0.9.2342.19200300.100.1.3 to be populated -->
    <AttributeRule attributeID="email">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>

    <AttributeRule attributeID="displayName">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="givenName">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="surname">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>

    <!-- Affiliation is optional but release is still "strongly recommended". -->
    <AttributeRule attributeID="eduPersonScopedAffiliation">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>

Test your IdP by following the Test Instructions below.
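
An added example, not part of CAF's instructions or of Shibboleth: a Python check, run against a complete attribute-filter.xml, that a policy like the ones above is limited to SPs tagged with the R&S entity category and permits every attribute in the bundle. The function names and the constructed sample filter are assumptions; for the pre-4.x policy, pass your own IDs (for example email and surname) as bundle.

```python
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
CATEGORY_ATTR = "http://macedir.org/entity-category"
RANDS = "http://refeds.org/category/research-and-scholarship"
# Attribute IDs as used in the 4.x policy above; change to match your resolver IDs.
BUNDLE = {"eduPersonPrincipalName", "eduPersonTargetedID", "mail",
          "displayName", "givenName", "sn"}
OPTIONAL = {"eduPersonScopedAffiliation"}
RANDS_RULE = (f'<PolicyRequirementRule xsi:type="EntityAttributeExactMatch" '
              f'attributeName="{CATEGORY_ATTR}" attributeValue="{RANDS}"/>')

def local(tag):
    """Element name without its XML namespace."""
    return tag.rsplit("}", 1)[-1]

def audit_policy(filter_xml, policy_id, bundle=BUNDLE):
    """Return findings for one AttributeFilterPolicy; an empty list means it passed."""
    root = ET.fromstring(filter_xml)
    policy = next((e for e in root.iter() if local(e.tag) == "AttributeFilterPolicy"
                   and e.get("id") == policy_id), None)
    if policy is None:
        return [f"policy {policy_id} not found"]
    rule = next((c for c in policy if local(c.tag) == "PolicyRequirementRule"), None)
    scoped = (rule is not None
              and rule.get(XSI_TYPE, "").split(":")[-1] == "EntityAttributeExactMatch"
              and rule.get("attributeName") == CATEGORY_ATTR
              and rule.get("attributeValue") == RANDS)
    findings = [] if scoped else ["policy is not limited to R&S-tagged SPs"]
    # An attribute counts as released only if its rule carries a PermitValueRule.
    released = {r.get("attributeID") for r in policy if local(r.tag) == "AttributeRule"
                and any(local(c.tag) == "PermitValueRule" for c in r)}
    findings += [f"bundle attribute not released: {a}" for a in sorted(bundle - released)]
    findings += [f"released outside the bundle: {a}"
                 for a in sorted(released - bundle - OPTIONAL)]
    return findings

def sample_filter(attr_ids, requirement=RANDS_RULE):
    """Constructed attribute-filter.xml: the root element declares the xsi prefix."""
    rules = "".join(f'<AttributeRule attributeID="{a}"><PermitValueRule xsi:type="ANY"/>'
                    f'</AttributeRule>' for a in attr_ids)
    return ('<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy" '
            'xmlns="urn:mace:shibboleth:2.0:afp" '
            'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
            '<AttributeFilterPolicy id="CAF-releaseRandSAttributeBundle">'
            f'{requirement}{rules}</AttributeFilterPolicy></AttributeFilterPolicyGroup>')

if __name__ == "__main__":
    broken = sample_filter(sorted(BUNDLE - {"mail"}), '<PolicyRequirementRule xsi:type="ANY"/>')
    for finding in audit_policy(broken, "CAF-releaseRandSAttributeBundle"):
        print(finding)
```

A policy whose PolicyRequirementRule is ANY would release the bundle to every SP, which is why the first finding matters more than a missing attribute.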

Service Providers

The CAF team will add the R&S Entity Category attribute to your CAF FIM IdP entity metadata. CAF will advise you when the updates have been completed and testing can begin.

Testing

Identity Provider Test Instructions

IdPs can test to verify that their attribute release policies are working by visiting a Service Provider that has been assigned the R&S Entity Category. CAF recommends testing with the eduGAIN Attribute Release Check to verify attributes are being released as expected.

Service Provider Test Instructions

Service Providers can test their configurations by identifying an Identity Provider that supports the R&S Entity Category and a person or account that can be used to sign on with that provider.

A sign-on from that Identity Provider should release the R&S attribute set to the Service Provider, indicating correct configuration. See the Identity Provider Test Instructions below for an example of a test with a Shibboleth-based Service Provider.

Service Providers not using Shibboleth for their integration may need to use different methods to verify that attribute release is occurring, for example reviewing logs after a successful login.

Using the eduGAIN Attribute Release Check will verify both the proper R&S Entity Category behaviour and that your IdP is properly configured for eduGAIN.

Procedure

1. Open a new private window in your browser and visit release-check.edugain.org. Click “Login” at the top of the page.

2. Enter the name of your IdP. In this example, we are using CANARIE’s IdP.

3. Log in to your organization.

4. On the Test Results page, verify that you have attained a Verdict of A- or better in the REFEDS R&S Test box (outlined in red).

5. Click Details: show to confirm the Attributes Received.