
R&S Entity Category Technical Instructions

How to Support the R&S Entity Category

CAF participants operating an IdP and/or SP should follow the steps below to enable support for the R&S Entity Category.

  • Submit an application to join the R&S Entity Category
  • Once your application has been approved, follow the instructions below.

Identity Providers

  1. The CAF team will add the R&S Entity Category attribute to your CAF FIM IdP entity metadata. You will be notified when the updates have been completed.
  2. Update your IdP attribute release filters to recognize R&S-compliant Service Providers and release the attribute bundle per the Identity Provider requirements described in the R&S Entity Category. Users of Shibboleth IdP Version 3.2.1 or later can use the configuration below:
<!-- REFEDS Research and Scholarship -->
<AttributeFilterPolicy id="CAF-IdPInstaller-releaseToRandS">
  <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://refeds.org/category/research-and-scholarship" />

  <AttributeRule attributeID="eduPersonPrincipalName">
    <PermitValueRule xsi:type="ANY" />
  </AttributeRule>
  <AttributeRule attributeID="eduPersonTargetedID">
    <PermitValueRule xsi:type="ANY" />
  </AttributeRule>

  <!-- 'email' must match the attributeID used in your attribute-resolver.xml for the
       attribute with friendly name 'mail' (urn:oid:0.9.2342.19200300.100.1.3).
       This rule permits that attribute to be released. -->
  <AttributeRule attributeID="email">
    <PermitValueRule xsi:type="ANY" />
  </AttributeRule>

  <AttributeRule attributeID="displayName">
    <PermitValueRule xsi:type="ANY" />
  </AttributeRule>
  <AttributeRule attributeID="givenName">
    <PermitValueRule xsi:type="ANY" />
  </AttributeRule>
  <AttributeRule attributeID="surname">
    <PermitValueRule xsi:type="ANY" />
  </AttributeRule>

  <!-- Affiliation is optional, but its release is still "strongly recommended". -->
  <AttributeRule attributeID="eduPersonScopedAffiliation">
    <PermitValueRule xsi:type="ANY" />
  </AttributeRule>

</AttributeFilterPolicy>

Shibboleth versions earlier than 3.2.1 should use this format, which reflects the slightly different XML handling of the configuration files:

<afp:AttributeFilterPolicy id="CAF-IdPInstaller-releaseToRandS">
  <afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://refeds.org/category/research-and-scholarship" />

  <afp:AttributeRule attributeID="eduPersonPrincipalName">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="eduPersonTargetedID">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>

  <!-- 'email' must match the attributeID used in your attribute-resolver.xml for the
       attribute with friendly name 'mail' (urn:oid:0.9.2342.19200300.100.1.3).
       This rule permits that attribute to be released. -->
  <afp:AttributeRule attributeID="email">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>

  <afp:AttributeRule attributeID="displayName">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="givenName">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="surname">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>

  <!-- Affiliation is optional, but its release is still "strongly recommended". -->
  <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>

Test your IdP by following the Test Instructions below.
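The policy above matches on the entity attribute that CAF publishes in the Service Provider's metadata. As an added illustration that is not part of this page or of CAF's tooling, the Python below reads SAML metadata and applies the same exact-match test as the EntityAttributeExactMatch rule, so you can confirm from the metadata itself which SPs your IdP will release the bundle to. The metadata, entity IDs and the non-R&S category value are constructed for the example; note that an IdP advertising R&S under the entity-category-support attribute name does not satisfy the rule, which is the behaviour you want.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The attributeName / attributeValue pair used by the page's PolicyRequirementRule.
ENTITY_CATEGORY = "http://macedir.org/entity-category"
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"

# Constructed sample metadata (not CAF's): an R&S SP, an SP with another category
# value, and an IdP whose R&S value sits under a different attribute name.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://sp-rs.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes><saml:Attribute Name="http://macedir.org/entity-category">
      <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
    </saml:Attribute></mdattr:EntityAttributes></md:Extensions></md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-other.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes><saml:Attribute Name="http://macedir.org/entity-category">
      <saml:AttributeValue>http://example.org/category/some-other-category</saml:AttributeValue>
    </saml:Attribute></mdattr:EntityAttributes></md:Extensions></md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <md:Extensions><mdattr:EntityAttributes><saml:Attribute Name="http://macedir.org/entity-category-support">
      <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
    </saml:Attribute></mdattr:EntityAttributes></md:Extensions></md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def entity_attributes(metadata_xml):
    """Map each entityID to {attribute Name: set of values} taken from mdattr:EntityAttributes."""
    result = {}
    for ed in ET.fromstring(metadata_xml).iter("{%s}EntityDescriptor" % NS["md"]):
        attrs = {}
        for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
            values = {v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text}
            attrs.setdefault(attr.get("Name"), set()).update(values)
        result[ed.get("entityID")] = attrs
    return result


def matches_rs_rule(metadata_xml, requester):
    """Same decision as EntityAttributeExactMatch: the requesting SP's metadata must
    carry exactly this attribute name with exactly this value; near-misses fail."""
    attrs = entity_attributes(metadata_xml).get(requester, {})
    return RS_CATEGORY in attrs.get(ENTITY_CATEGORY, set())
```

Run it against the federation metadata your IdP actually consumes to list which requesters the policy will fire for before testing interactively.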

Service Providers

The CAF team will add the R&S Entity Category attribute to your CAF FIM SP entity metadata. CAF will advise you when the updates have been completed and testing can begin.

Testing

Identity Provider Test Instructions

IdPs can test to verify that their attribute release policies are working by visiting a Service Provider that has been assigned the R&S Entity Category. CAF recommends testing with the eduGAIN Wiki to verify attributes are being released as expected.

Service Provider Test Instructions

Service Providers can test their configurations by identifying an Identity Provider that supports the R&S Entity Category and a person or account that can be used to sign on with that provider.

A sign-on from that Identity Provider should release the R&S attribute set to the Service Provider, indicating correct configuration. See the Procedure below for an example of a test against a Shibboleth-based Service Provider.

Service Providers not using Shibboleth for their integration may need to use different methods to verify that attribute release is occurring, for example reviewing logs after a successful login.

Using the eduGAIN Wiki will verify both the proper R&S Entity Category behaviour and that your IdP is properly configured for eduGAIN.

Learn more about eduGAIN.

Procedure

1. Open a new private window in your browser and visit https://wiki.edugain.org. Click “Login” at the top of the page.

2. On the Discovery page, enter the name of your IdP. In this example, we are using CANARIE’s IdP.

3. Log in to your organization.

4. Verify that you have successfully logged in (your information should have replaced the Login button).

5. After successful login, change the browser address to https://wiki.edugain.org/Shibboleth.sso/Session.

6. Inspect the ‘Attributes’ section of the resulting page to ensure the attribute bundle defined in the R&S Entity Category is returned.
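To make step 6 repeatable, the Python below (an added example, not part of this page or of Shibboleth) parses the text that /Shibboleth.sso/Session returns and reports whether the R&S bundle is complete, following the REFEDS R&S definition: eduPersonPrincipalName and mail are required, a name is displayName or givenName plus sn, and eduPersonTargetedID and affiliation are recommended rather than required. The sample session text is constructed, and the attribute ids assume the default Shibboleth SP attribute-map.xml names (eppn, mail, displayName, givenName, sn, persistent-id, affiliation); change them if your SP maps the attributes differently.

```python
import re

# Assumed default Shibboleth SP attribute-map.xml ids for the R&S attributes.
IDENTIFIER = "eppn"
EMAIL = "mail"
NAME_ALTERNATIVES = (("displayName",), ("givenName", "sn"))
RECOMMENDED = ("persistent-id", "affiliation")

# Constructed sample of the text /Shibboleth.sso/Session returns (not a real capture).
SAMPLE_SESSION = """Miscellaneous
Identity Provider: https://idp.example.org/idp/shibboleth
Authentication Context Decl: (none)

Attributes
affiliation: 2 value(s)
displayName: 1 value(s)
eppn: 1 value(s)
mail: 1 value(s)
persistent-id: 1 value(s)
"""

_COUNT = re.compile(r"^(\d+) value\(s\)$")


def parse_session_attributes(session_text):
    """Return {attribute id: value count} from the Attributes section. Handles both the
    default 'N value(s)' form and the 'v1;v2' form shown when showAttributeValues is on."""
    counts, in_attrs = {}, False
    for line in session_text.splitlines():
        if line.strip() == "Attributes":
            in_attrs = True
            continue
        if not in_attrs or ":" not in line:
            continue
        name, _, rest = line.partition(":")
        rest = rest.strip()
        m = _COUNT.match(rest)
        counts[name.strip()] = int(m.group(1)) if m else len([v for v in rest.split(";") if v])
    return counts


def check_rs_bundle(session_text):
    """Compare released attributes against the R&S bundle: ePPN and mail required, a
    name as displayName or givenName+sn; targeted ID and affiliation only recommended."""
    got = {k for k, n in parse_session_attributes(session_text).items() if n > 0}
    missing = [a for a in (IDENTIFIER, EMAIL) if a not in got]
    if not any(all(a in got for a in alt) for alt in NAME_ALTERNATIVES):
        missing.append("displayName or givenName+sn")
    return {"complete": not missing, "missing": missing,
            "recommended_absent": [a for a in RECOMMENDED if a not in got]}
```

Paste the Session page text into check_rs_bundle; a non-empty "missing" list points at the IdP filter rule or resolver attribute that is not releasing.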