Comment: gdpr update coco, fix formatting

...

Inspired by prior work by RENATER, the international Identity Federations community (led by REFEDS and GÉANT/eduGAIN) has started to create Service Categories (technically called "Entity Categories", since they apply to SAML "entities") in order to ease the management of release of personal data ("attributes") to services. It has long been apparent that manually writing and maintaining attribute release rules for individual services does not scale sufficiently, especially taking into account that e-research today requires international collaboration and does not stop at national or "federation" borders. Dealing with individual requests to access services on a case-by-case basis creates too much work for institutions and their staff, often resulting in students or scholars not being able to access needed (inter-)federated resources because the institutional SAML Identity Provider did not release the needed attributes to the accessed service.

...

Note

Make sure to get the use of these rules within your IT systems approved by upper management of your institution (e. g. by the CIO, possibly also involving the works council/Betriebsrat/Students' Union/ÖH/etc.). Service Categories allow such approval processes to occur only once per category, covering potentially unlimited numbers of services belonging to that category.

...

Show example Shibboleth IDPv3 policy for REFEDS R&S:
(Include Page: include-RandS-rules)


Tip

REFEDS has published guidance on justification for attribute release, especially with regard to the use of Service Categories (or Entity Categories) and the "REFEDS Research & Scholarship" category in particular.

GÉANT Data Protection Code of Conduct

Info: GDPR update forthcoming

An updated version of the "GÉANT Data Protection Code of Conduct for Service Providers" is being worked on and will be submitted to the Data Protection Authorities for approval, now that GDPR has come into effect. Due to the expanded territorial scope of GDPR compared to the previous Data Protection Directive, the new version can also be used globally (if adopted). Until then, the existing version should provide sufficient justification and safeguards to continue its use under GDPR.

As part of the GÉANT Data Protection Code of Conduct's Cookbook you'll find the Recipe for a Home Organisation, giving complete instructions on the necessary steps for deployment. This Service Category only applies when the Service Provider (as well as the Identity Provider, which will trivially be the case for all eduID.at Identity Providers) is based in the EU/EEA or in countries with adequate data protection, and uses the EU Data Protection Directive 95/46/EC as the common frame for the disparate implementations thereof throughout the EU. As such it is mostly meant as a reminder and a reassurance to both service owners and home organizations that the services covered are already subject to (national implementations of) EU data protection law.

Info

The GÉANT Data Protection Code of Conduct is legislation-limited: Only services from specific legislations may carry this category, and only if they submit themselves to the GÉANT Data Protection Code of Conduct and all its requirements.

As this Category definition does not specify an attribute bundle (i.e., it doesn't reference one set of attributes which should be released to all category members), the set of attributes to be released may vary from service to service. The data to transmit under this category is limited to attributes "that are necessary for enabling access to the service provided by the Service Provider" (2.b, "purpose limitation"), though. In practice only a limited set of data will be exchanged within/across academic Identity Federations today: That could include a person's name, email address, identifier(s) and role information ("affiliation", such as "student" or "staff"), but could also be less than that if the service needs less data to perform appropriate access control.
The configuration below is an example based on the most commonly used attributes in Identity Federations today, which most/all eduID.at Identity Providers should be able to generate. I.e., this constitutes the upper limit of what an IDP would release to Service Providers requesting data under the GÉANT Data Protection Code of Conduct category.

Show example Shibboleth IDPv3 policy for GEANT EU Code of Conduct:
(Include Page: include-CoCo-rules)

Again, be sure to check out the more general attribute release documentation in our Shibboleth IDP v3 documentation, which contains more ready-to-use examples and approaches.