Attributes are a core part of the value proposition of Identity Federation: Identity Providers issue trustworthy attributes about subjects to Service Providers, which then provide levels of service corresponding to those received attributes (e.g. according to a contract with the institution or the identity or affiliation of the subject).
For Attribute Based Access Control (ABAC, a model better suited to distributed systems than RBAC) to work, all parties must have a shared understanding of the data elements transmitted, their exact form(at) and their meaning. Therefore standardizing attributes and their use is an essential component of all Identity Federation and Interfederation efforts.
- Attributes are defined in Attribute Schemas, which range from IETF-standardized schemas (COSINE/inetOrgPerson/Schema for User Application) to ones specific to Higher Education, Research and Academia (eduPerson, SCHAC).
- Attributes often constitute personal data (Personally Identifiable Information, PII), so for controlled attribute release to third-party Service Providers the use of Service Categories is recommended.
- At this time no formal eduID.at Attribute Profile exists, but all eduID.at IDPs should be able to generate the list of attributes documented as part of our Shibboleth IDPv3 attribute resolver documentation and again specified in the section "Make attributes available" of Preparing an IDP for Interfederation.
- For Service Providers the GÉANT/eduGAIN community has created a guide detailing What attributes are relevant for a Service Provider as part of the GÉANT Data Protection Code of Conduct work.
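
As an added illustration (not part of the eduID.at documentation), the sketch below shows a Service Provider mapping received eduPersonScopedAffiliation values to a service level, and why the agreed form and vocabulary matter: values that are malformed, use an unknown term, or carry a scope the issuing IDP is not registered for are ignored. The policy table, the scope `example.ac.at` and the `idp_scopes` parameter (the scopes registered for the IDP, supplied by the caller) are assumptions made for this example.

```python
# Added example: SP-side ABAC decision on eduPersonScopedAffiliation.
# Policy, scopes and service levels are constructed for illustration.

# Controlled vocabulary of eduPersonAffiliation (eduPerson schema).
AFFILIATIONS = {"faculty", "student", "staff", "alum", "member",
                "affiliate", "employee", "library-walk-in"}

# Hypothetical contract: service level per affiliation, best level first.
POLICY = [("faculty", "full"), ("staff", "full"), ("student", "read-only")]


def parse_scoped_affiliation(value):
    """Split 'affiliation@scope' strictly; return None if malformed."""
    if value.count("@") != 1:
        return None
    affiliation, scope = (part.strip().lower() for part in value.split("@"))
    if affiliation not in AFFILIATIONS or not scope:
        return None  # term outside the shared vocabulary, or empty scope
    return affiliation, scope


def service_level(values, idp_scopes):
    """Map received attribute values to a service level (default deny)."""
    allowed = {s.lower() for s in idp_scopes}
    accepted = set()
    for value in values:
        parsed = parse_scoped_affiliation(value)
        # Only trust a value whose scope the issuing IDP may assert.
        if parsed and parsed[1] in allowed:
            accepted.add(parsed[0])
    for affiliation, level in POLICY:
        if affiliation in accepted:
            return level
    return "none"


if __name__ == "__main__":
    scopes = ["example.ac.at"]  # constructed sample scope
    print(service_level(["student@example.ac.at"], scopes))
    print(service_level(["staff@other.example"], scopes))
    print(service_level(["professor@example.ac.at"], scopes))
```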