EARC

Innen: KIFÜ Wiki

eduGAIN Attribute Release Check

Evaluation

Ranks (for each SP):

  • A: IdP sends all necessary information
  • B: IdP sends minimal information
  • C: IdP sends basic information while some required information is missing
  • C: IdP sends eduPersonTargetedId with the wrong (legacy) syntax
  • D: IdP sends superfluous personal information
  • D: IdP sends some subset of the requested information, but not the basic information (see definition below)
  • F: Incorrect value syntax (except for eptid above)
  • F: R&S category support is indicated but its requirements are not satisfied
  • F: No attributes received

Additional points (A-C):

  • IdP R&S support is indicated

Penalty points (A-C):

  • Redundant attributes are missing, but information is available
  • IdP sends superfluous non-personal information (eptid, homeOrganizationType, etc)

Definitions

  • attribute: a non-empty SAML Attribute sent as a part of a SAML AttributeStatement
  • information: either an attribute or a set of attributes for which a transformation or combination algorithm is available to produce data for an application (ie: e-mail, affiliation, name)
  • requested information: the set of attributes or meta-attributes (such as a non-reassigned identifier or a name), that is requested by the SP by using SAML metadata, whether or not isRequired is flagged.
  • all necessary information: set of released attributes that can provide all requested information
  • minimal information = required information: If the tested SP has an entity category, where the minimal set is defined (such as R&S), the minimal information is the minimal set. Otherwise it is the set of attributes that can provide the subset of requested information, where isRequired is set in the SAML metadata.
  • basic information: a set of attributes, including at least a persistent identifier represented by at least one of:
    • eduPersonPrincipalName
    • eduPersonTargetedId (either as a SAML NameID or an attribute)
    • eduPersonUniqueId
  • superfluous attribute: attribute that is sent by the IdP even though the information is not requested by the SP. Sending the same attribute in different NameFormats (such as URI and OID) does not count as superfluous information
  • R&S requirements: according to the R&S specification, the following attributes must be provided by an R&S IdP:
    • eduPersonPrincipalName
    • mail
    • displayName OR (givenName AND sn)
  • redundant attributes: information that can be extracted from one or more attributes:
    • schacHomeOrganization <= eduPersonScopedAffiliation / eduPersonPrincipalName
    • eduPersonAffiliation <= eduPersonScopedAffiliation
    • cn <= sn+givenName
    • cn <= displayName