Service Categories (or Entity Categories) help manage the secure release of the right attributes to only the appropriate Service Providers, within the eduID.at federation and beyond. Using Service Categories in local policies is therefore highly recommended as the basis for scalable attribute release policies and decisions. The ultimate responsibility for releasing any personal data to third parties nonetheless rests with the institution releasing the data.
Info: REFEDS has published guidance on justification for attribute release, especially with regard to the use of Service Categories (or Entity Categories) and the "REFEDS Research & Scholarship" category in particular.
See also Attribute release, in our Shibboleth IDP 2.4 documentation.
Service Categories for Attribute Release
...
Example Shibboleth IDP policy for GEANT EU Code of Conduct:

```xml
<afp:AttributeFilterPolicy id="GeantEEADataProtectionCodeOfConduct">
    <!-- Policy applies only to SPs whose metadata carries the EU CoCo entity category -->
    <afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
        attributeName="http://macedir.org/entity-category"
        attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1"/>
    <!-- Release data to EU CoCo-SPs, based on RequestedAttributes in SAML metadata.
         onlyIfRequired="true": release only if the SP marks the attribute isRequired="true";
         onlyIfRequired="false": release if the SP lists the attribute at all. -->
    <afp:AttributeRule attributeID="displayName">
        <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="true"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="givenName">
        <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="true"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="surname">
        <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="true"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="email">
        <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="true"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
        <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="true"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
        <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="true"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="eduPersonTargetedID">
        <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="schacHomeOrganization">
        <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
```
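To see what the policy above actually decides for a given SP, here is an added example (not code from the page or from the Shibboleth project): a small Python re-implementation of the two rule types the policy uses, the entity-category `PolicyRequirementRule` and the `AttributeInMetadata` permit rule with its `onlyIfRequired` flag, run against a constructed SP EntityDescriptor. The entity ID, the attributeID-to-OID mapping, the user values and the requested-attribute list are all sample assumptions; value-level matching inside `RequestedAttribute` and the `matchIfMetadataSilent` option are not modelled.

```python
# Added example: offline evaluator for the CoCo attribute filter policy shown above.
# Not the Shibboleth implementation; a simplified model of the two rule types.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"

# IdP attributeID -> SAML2 Name the SP uses in RequestedAttribute (assumed encoder names)
ATTR_NAMES = {
    "displayName": "urn:oid:2.16.840.1.113730.3.1.241", "givenName": "urn:oid:2.5.4.42",
    "surname": "urn:oid:2.5.4.4", "email": "urn:oid:0.9.2342.19200300.100.1.3",
    "eduPersonScopedAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.9",
    "eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "eduPersonTargetedID": "urn:oid:1.3.6.1.4.1.5923.1.1.1.10",
    "schacHomeOrganization": "urn:oid:1.3.6.1.4.1.25178.1.2.9",
}
# Mirror of the AttributeRules in the policy: attributeID -> onlyIfRequired
POLICY = {"displayName": True, "givenName": True, "surname": True, "email": True,
          "eduPersonScopedAffiliation": True, "eduPersonPrincipalName": True,
          "eduPersonTargetedID": False, "schacHomeOrganization": False}

# Constructed SP metadata: tagged with the CoCo category, requests four attributes
# (two required, one explicitly optional, one with isRequired left at its default).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://sp.example.org/shibboleth">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category"
                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example Service</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:2.16.840.1.113730.3.1.241" isRequired="false"/>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def entity_categories(root):
    """Values of the entity-category EntityAttribute; this is what
    AttributeRequesterEntityAttributeExactMatch compares against."""
    values = set()
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ENTITY_CATEGORY:
            values.update((v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS))
    return values


def requested_attributes(root):
    """Name -> isRequired for each RequestedAttribute (isRequired defaults to false)."""
    return {ra.get("Name"): ra.get("isRequired", "false").lower() == "true"
            for ra in root.findall(".//md:AttributeConsumingService/md:RequestedAttribute", NS)}


def evaluate_policy(metadata_xml, available):
    """Return the subset of the user's attributes the policy permits for this SP."""
    root = ET.fromstring(metadata_xml)
    if COCO_V1 not in entity_categories(root):
        return {}                      # PolicyRequirementRule not satisfied: policy inactive
    requested = requested_attributes(root)
    released = {}
    for attr_id, only_if_required in POLICY.items():
        name = ATTR_NAMES[attr_id]
        if attr_id not in available or name not in requested:
            continue                   # AttributeInMetadata: SP did not ask for it
        if only_if_required and not requested[name]:
            continue                   # asked for, but not marked isRequired="true"
        released[attr_id] = available[attr_id]
    return released


# Constructed user record (sample values only)
SAMPLE_USER = {"displayName": "Jane Doe", "givenName": "Jane", "surname": "Doe",
               "email": "jane.doe@example.edu", "eduPersonScopedAffiliation": "student@example.edu",
               "eduPersonPrincipalName": "jdoe@example.edu", "eduPersonTargetedID": "opaque-sample-id",
               "schacHomeOrganization": "example.edu"}

if __name__ == "__main__":
    for attr_id, value in evaluate_policy(SAMPLE_METADATA, SAMPLE_USER).items():
        print(f"release {attr_id} = {value}")
```

Running it releases only eduPersonPrincipalName, email and eduPersonTargetedID: displayName is requested but not required, so the `onlyIfRequired="true"` rule withholds it; eduPersonTargetedID is requested without `isRequired`, which the `onlyIfRequired="false"` rule accepts; schacHomeOrganization is not requested at all. Removing the entity category from the metadata makes the policy release nothing, which is the point of gating on the category in the first place.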