...
| Note |
|---|
| The service provider needs to actually check for those attributes and deny access if the agreed-upon attribute value has not been provided in the response. There is no other way for an institution to signal whether an individual should be entitled to a resource or not. Authentication at an academic institution does not mean the subject is necessarily authorized to access licensed resources on behalf of that institution. |
The eduPerson specification defines the generic attribute eduPersonEntitlement to communicate entitlements, permissions or rights between entities. For the specific case of library services, MACE-Dir has defined a standard eduPersonEntitlement attribute value (see below for details). This is generally the only attribute library services need (apart, perhaps, from a unique identifier), so the Identity Provider should release no further data:
common-lib-terms Entitlement
Here's the current common-lib-terms specification.
...
The NameFormat (the format of the formal attribute name) is always "urn:oasis:names:tc:SAML:2.0:attrname-format:uri". For legacy services still using the SAML 1.x protocol the formal attribute name is "urn:mace:dir:attribute-def:eduPersonEntitlement" (instead of urn:oid:1.3.6.1.4.1.5923.1.1.1.7). If in doubt, see https://eduid.at/entities/sp and hover over the requested attribute's name to find out its formal name for a given service.
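The service-provider-side check described in the note above, as an added example (not code from this wiki or from any SP software): it reads the eduPersonEntitlement values out of a SAML 2.0 AttributeStatement using the formal names and NameFormat given here, and grants access only when the common-lib-terms value (urn:mace:dir:entitlement:common-lib-terms) is actually present. It assumes the assertion has already been signature-checked by the SP; the sample assertions and the attribute helper are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML2_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
# Formal names for eduPersonEntitlement: the SAML 2.0 OID form and the legacy
# SAML 1.x name the page mentions, so a value under either name is recognised.
ENTITLEMENT_NAMES = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.7",
    "urn:mace:dir:attribute-def:eduPersonEntitlement",
}
COMMON_LIB_TERMS = "urn:mace:dir:entitlement:common-lib-terms"


def entitlement_values(assertion_xml: str) -> set:
    """Collect every eduPersonEntitlement value from an already signature-checked assertion."""
    root = ET.fromstring(assertion_xml)
    values = set()
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML2_NS):
        # Only a formal entitlement name in the uri NameFormat counts; anything else is ignored.
        if attr.get("Name") not in ENTITLEMENT_NAMES or attr.get("NameFormat") != URI_FORMAT:
            continue
        for val in attr.iterfind("saml:AttributeValue", SAML2_NS):
            if val.text:
                values.add(val.text.strip())
    return values


def may_access_licensed_resources(assertion_xml: str) -> bool:
    """Deny unless the agreed common-lib-terms value was actually asserted."""
    return COMMON_LIB_TERMS in entitlement_values(assertion_xml)


def _assertion(name, value):
    """Build a constructed single-attribute SAML 2.0 assertion (sample data, not a real IdP)."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:AttributeStatement>"
        f'<saml:Attribute Name="{name}" NameFormat="{URI_FORMAT}">'
        f"<saml:AttributeValue>{value}</saml:AttributeValue>"
        "</saml:Attribute></saml:AttributeStatement></saml:Assertion>"
    )


# Constructed samples: entitled; authenticated but only a mail attribute released;
# eduPersonEntitlement present but carrying a different (constructed) value.
ENTITLED = _assertion("urn:oid:1.3.6.1.4.1.5923.1.1.1.7", COMMON_LIB_TERMS)
AUTHENTICATED_ONLY = _assertion("urn:oid:0.9.2342.19200300.100.1.3", "user@example.edu")
OTHER_ENTITLEMENT = _assertion("urn:oid:1.3.6.1.4.1.5923.1.1.1.7", "urn:mace:example.edu:staff")
```

Only ENTITLED is granted access; a successful login without the agreed value, or with some other entitlement value, is denied.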
...