
R&S Entity Category Technical Instructions

How to Support the R&S Entity Category

CAF participants operating an IdP and/or SP should follow the steps below to enable support for the R&S Entity Category.

Identity Providers

  1. Review and confirm you’re prepared to meet the Identity Provider Requirements described in the R&S Entity Category specification.
  2. Send an email to tickets@canarie.ca requesting that the R&S Entity Category attribute be added to your CAF FIM IdP entity metadata. CAF will advise you when the updates have been completed.
  3. Update your IdP attribute release filters to recognize R&S compliant SPs and release the attribute bundle per the Identity Provider Requirements described in the R&S Entity Category specification. Users of Shibboleth IdP version 3.2.1 or later can use the configuration below:
<!-- REFEDS Research and Scholarship -->
<AttributeFilterPolicy id="CAF-IdPInstaller-releaseToRandS">
  <!-- Match only SPs whose metadata carries the R&S entity category -->
  <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://refeds.org/category/research-and-scholarship" />

  <AttributeRule attributeID="eduPersonPrincipalName">
    <PermitValueRule xsi:type="ANY" />
  </AttributeRule>
  <AttributeRule attributeID="eduPersonTargetedID">
    <PermitValueRule xsi:type="ANY" />
  </AttributeRule>

  <!-- Note: 'email' should match the attributeID in your attribute-resolver.xml
       for the attribute with friendly name 'mail'.
       This rule permits 'mail' (urn:oid:0.9.2342.19200300.100.1.3) to be released. -->
  <AttributeRule attributeID="email">
    <PermitValueRule xsi:type="ANY" />
  </AttributeRule>

  <AttributeRule attributeID="displayName">
    <PermitValueRule xsi:type="ANY" />
  </AttributeRule>
  <AttributeRule attributeID="givenName">
    <PermitValueRule xsi:type="ANY" />
  </AttributeRule>
  <AttributeRule attributeID="surname">
    <PermitValueRule xsi:type="ANY" />
  </AttributeRule>

  <!-- Affiliation is optional, but release is still "strongly recommended". -->
  <AttributeRule attributeID="eduPersonScopedAffiliation">
    <PermitValueRule xsi:type="ANY" />
  </AttributeRule>

</AttributeFilterPolicy>

Shibboleth IdP versions earlier than 3.2.1 should use the format below, which reflects the namespace-prefixed XML syntax of the older configuration files:

<afp:AttributeFilterPolicy id="CAF-IdPInstaller-releaseToRandS">
  <!-- Match only SPs whose metadata carries the R&S entity category -->
  <afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://refeds.org/category/research-and-scholarship" />

  <afp:AttributeRule attributeID="eduPersonPrincipalName">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="eduPersonTargetedID">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>

  <!-- Note: 'email' should match the attributeID in your attribute-resolver.xml
       for the attribute with friendly name 'mail'.
       This rule permits 'mail' (urn:oid:0.9.2342.19200300.100.1.3) to be released. -->
  <afp:AttributeRule attributeID="email">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>

  <afp:AttributeRule attributeID="displayName">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="givenName">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="surname">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>

  <!-- Affiliation is optional, but release is still "strongly recommended". -->
  <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>
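Both filter policies above release the bundle to any SP whose metadata carries the R&S entity attribute, so the set of SPs receiving it is exactly the set tagged by the federation registrar. The following added example (it is not part of the CAF instructions, and the example.org entity IDs are constructed) applies that same test offline to a metadata document: it lists which EntityDescriptors declare http://macedir.org/category value http://refeds.org/category/research-and-scholarship. It is useful for previewing which SPs your IdP will release to, and for confirming that the category has been added to your own IdP entity after step 2.

```python
# Added example (not CAF's code): find entities in SAML metadata that carry the
# REFEDS R&S entity category, i.e. the condition the PolicyRequirementRule
# above evaluates at runtime.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

ENTITY_CATEGORY = "http://macedir.org/entity-category"
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"

# Constructed sample aggregate: two hypothetical SPs, only the first tagged R&S.
SAMPLE_METADATA = """
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="constructed-sample">
  <md:EntityDescriptor entityID="https://sp-rs.example.org/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-other.example.org/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>http://example.org/category/placeholder</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def entity_categories(entity):
    """Entity-category values declared in an EntityDescriptor's own Extensions."""
    values = set()
    # EntityAttributes sits in md:Extensions directly under the entity; do not
    # descend into role descriptors, which carry their own Extensions element.
    for ext in entity.findall(f"{{{MD}}}Extensions"):
        for attr in ext.iter(f"{{{SAML}}}Attribute"):
            if attr.get("Name") != ENTITY_CATEGORY:
                continue
            values.update(
                v.text.strip()
                for v in attr.findall(f"{{{SAML}}}AttributeValue")
                if v.text
            )
    return values


def rs_entities(metadata_xml):
    """Map every entityID in the document to whether it carries the R&S category.

    Accepts a single EntityDescriptor or an EntitiesDescriptor aggregate.
    Feed it only metadata you trust (e.g. a signature-verified federation
    feed): xml.etree is not hardened against hostile XML, so use defusedxml
    for anything untrusted.
    """
    root = ET.fromstring(metadata_xml)
    return {
        ent.get("entityID"): RS_CATEGORY in entity_categories(ent)
        for ent in root.iter(f"{{{MD}}}EntityDescriptor")
    }


def is_rs_entity(metadata_xml, entity_id):
    """True only if the entityID is present in the document and tagged R&S."""
    return rs_entities(metadata_xml).get(entity_id, False)


if __name__ == "__main__":
    for entity_id, tagged in rs_entities(SAMPLE_METADATA).items():
        print(f"{entity_id}: {'R&S' if tagged else 'not R&S'}")
```

Run it against the signed CAF aggregate after verifying the signature; an SP that is absent from the result, or present but reported as not R&S, will not match the PolicyRequirementRule and will receive nothing from this policy, which is the intended behaviour.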

Test your IdP by following the Test Instructions below.

Service Providers

  1. Review and confirm you’re prepared to meet the Service Provider Requirements described in the R&S Entity Category specification.
  2. Review and, if necessary, update your service to meet the requirements for requesting and using the R&S attribute bundle described in the R&S Entity Category specification.
  3. Apply to register your SP as an R&S compliant service by completing the R&S Attestation Form. Please note that if you are not a registered CAF contact for your institution, a CAF team member will follow up with the contact of record from your organization to confirm you are authorized to make this request.
  4. A CAF team member will contact you to confirm your compliance with the R&S Entity Category requirements and to let you know when testing can begin.

Testing

Identity Provider Test Instructions

IdPs can test to verify that their attribute release policies are working by visiting a Service Provider that has been assigned the R&S Entity Category. CAF recommends testing with the eduGAIN Wiki to verify attributes are being released as expected.

Service Provider Test Instructions

Service Providers can test their configurations by identifying an Identity Provider that supports the R&S Entity Category and a person or account that can be used to sign on with that provider.

A sign-on from that Identity Provider should release the R&S attribute set to the Service Provider, indicating correct configuration. See the Procedure below for an example of a test with a Shibboleth-based Service Provider.

Service Providers not using Shibboleth for their integration may need to use different methods to verify that attribute release is occurring, e.g. reviewing logs after a successful login.

Using the eduGAIN Wiki will verify both the proper R&S Entity Category behaviour and that your IdP is properly configured for eduGAIN.

Learn more about eduGAIN.

Procedure

1. Open a new private window in your browser and visit https://wiki.edugain.org. Click “Login” at the top of the page.

2. On the Discovery page, enter the name of your IdP. In this example, we are using CANARIE’s IdP.

3. Log in to your organization.

4. Verify that you have successfully logged in (your information should have replaced the Login button).

5. After successful login, change the browser address to https://wiki.edugain.org/Shibboleth.sso/Session.

6. Inspect the ‘Attributes’ section of the resulting page to ensure the attribute bundle defined in the R&S Entity Category is returned.
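Step 6 is a manual check; the added example below (not part of the CAF procedure) does the same check programmatically on the text of the Shibboleth.sso/Session page from step 5, so it can be repeated after every filter change on the IdP or the SP. It assumes the SP's Session handler is in its default plain-text mode, which lists each attribute as "name: N value(s)" under an "Attributes" heading, and that the SP maps the bundle to the stock Shibboleth attribute-map.xml ids (eppn, mail, displayName, givenName, sn, affiliation, persistent-id); the sample page text is constructed. The bundle rules encoded are those of REFEDS R&S: eduPersonPrincipalName and mail are required, a name must be present as displayName and/or givenName plus sn, and eduPersonScopedAffiliation is optional but recommended, matching the comment in the filter policy above.

```python
# Added example (not CAF's code): verify the R&S bundle in the plain-text
# output of the Shibboleth SP Session handler (step 5 of the procedure).
import re

# Constructed sample of the handler output for a correctly configured IdP.
SESSION_PAGE = """Miscellaneous
Session Expiration (barring inactivity): 480 minute(s)
Client Address: 192.0.2.10
SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
Identity Provider: https://idp.example.org/idp/shibboleth
Authentication Time: 2024-01-15T14:03:11Z
Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Authentication Context Decl: (none)

Attributes
affiliation: 1 value(s)
displayName: 1 value(s)
eppn: 1 value(s)
givenName: 1 value(s)
mail: 1 value(s)
persistent-id: 1 value(s)
sn: 1 value(s)
"""

# Constructed sample of an IdP whose filter releases only part of the bundle.
SESSION_PAGE_INCOMPLETE = """Attributes
eppn: 1 value(s)
givenName: 1 value(s)
"""

# Attribute ids as mapped by the SP's attribute-map.xml (assumed stock ids).
REQUIRED = {"eppn", "mail"}
NAME_OPTIONS = ({"displayName"}, {"givenName", "sn"})
RECOMMENDED = {"affiliation"}

ATTR_LINE = re.compile(r"^(?P<name>[\w.-]+): (?P<count>\d+) value\(s\)$")


def parse_session_attributes(page_text):
    """Return {attribute id: value count} from the 'Attributes' section only.

    Lines before the heading (the 'Miscellaneous' block) are ignored so that
    entries such as 'Session Expiration ...: 480 minute(s)' are never mistaken
    for attributes.
    """
    counts = {}
    in_attributes = False
    for raw in page_text.splitlines():
        line = raw.strip()
        if line == "Attributes":
            in_attributes = True
            continue
        if not in_attributes:
            continue
        m = ATTR_LINE.match(line)
        if m:
            counts[m["name"]] = int(m["count"])
    return counts


def check_rs_bundle(page_text):
    """Compare the released attributes against the R&S bundle rules.

    Returns a dict with 'ok' (all required present), 'missing' (required
    items absent) and 'warnings' (recommended items absent). An attribute
    listed with 0 value(s) counts as not released.
    """
    released = {name for name, n in parse_session_attributes(page_text).items() if n > 0}
    missing = sorted(REQUIRED - released)
    if not any(option <= released for option in NAME_OPTIONS):
        missing.append("displayName or givenName+sn")
    warnings = sorted(RECOMMENDED - released)
    return {"ok": not missing, "missing": missing, "warnings": warnings}


if __name__ == "__main__":
    for label, page in (("full", SESSION_PAGE), ("incomplete", SESSION_PAGE_INCOMPLETE)):
        print(label, check_rs_bundle(page))
```

The handler's default configuration shows attribute names and value counts but hides the values themselves, which is all this check needs; it therefore works without exposing personal data in the test output. If your SP uses different ids in attribute-map.xml, adjust REQUIRED, NAME_OPTIONS and RECOMMENDED to match.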