Attributes are data elements about individuals or institutions, with standardized syntax and semantics. They describe information essential for applications and services, e.g. your name and your relation to the institution issuing those attributes. Often attributes will be used for distributed access control, where the evaluation of attributes (authorization, happening at the Service Provider) is decoupled from the creation of the data (by the Identity Provider, after authenticating the subject).

Attributes are a core part of the value proposition of Identity Federation: Identity Providers issue trustworthy attributes about subjects to Service Providers, which then provide levels of service corresponding to the received attributes (e.g. according to a contract with the institution or the identity or affiliation of the subject).

For Attribute Based Access Control (ABAC, a model better suited to distributed systems than RBAC) to work, all parties must have a shared understanding of the data elements transmitted, their exact form(at) and their meaning. Therefore standardizing attributes and their use is an essential component of all Identity Federation and Interfederation efforts.
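
As an added illustration (not part of the original page), the following Python sketch shows a Service Provider making an ABAC decision that only works because syntax and vocabulary are agreed in advance. It assumes eduPersonScopedAffiliation as the example attribute; the issuer URL, scope table and access policy are hypothetical.

```python
import re

# Assumption: eduPerson serves here as one example of a standardized schema.
SCOPED_AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"  # eduPersonScopedAffiliation
AFFILIATIONS = {"faculty", "student", "staff", "alum", "member",
                "affiliate", "employee", "library-walk-in"}
VALUE_RE = re.compile(r"([a-z-]+)@([a-z0-9.-]+)")

# Hypothetical SP policy: affiliations that get access, and the scopes each
# IdP is registered for (constructed sample data).
ALLOWED_AFFILIATIONS = {"faculty", "staff", "student"}
IDP_SCOPES = {"https://idp.example.edu/idp": {"example.edu"}}


def parse_scoped_affiliation(value):
    """Return (affiliation, scope), or None if the value breaks the agreed syntax."""
    # Values are compared case-insensitively (a choice made in this sketch).
    m = VALUE_RE.fullmatch(value.strip().lower())
    if not m or m.group(1) not in AFFILIATIONS:
        return None
    return m.group(1), m.group(2)


def authorize(issuer, attributes):
    """Evaluate attributes at the SP, separately from the IdP that issued them."""
    scopes = IDP_SCOPES.get(issuer)
    if scopes is None:
        return False, "unknown issuer"
    for raw in attributes.get(SCOPED_AFFILIATION, []):
        parsed = parse_scoped_affiliation(raw)
        if parsed is None:
            continue  # unparseable value: no shared meaning, so it grants nothing
        affiliation, scope = parsed
        if scope not in scopes:
            continue  # issuer asserting about a domain it is not registered for
        if affiliation in ALLOWED_AFFILIATIONS:
            return True, f"{affiliation}@{scope}"
    return False, "no acceptable affiliation"
```

A value outside the agreed vocabulary, a scope the issuer is not registered for, or an attribute sent under a non-standard name all fail closed rather than being interpreted loosely.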

See child pages (below) for details on specific attributes, including usage and implementation considerations.
