Attributes are data elements about individuals or institutions, with standardized syntax and semantics. They describe information essential for applications and services, e.g. your name and your relation to the institution issuing those attributes. Often attributes will be used for distributed access control, where the evaluation of attributes (authorization, happening at the Service Provider) is decoupled from the creation of the data (by the Identity Provider, after authenticating the subject).
For Attribute Based Access Control (ABAC, a model better suited to distributed systems than RBAC) to work all parties must have a shared understanding of the data elements transmitted, their exact form(at) and their meaning. Therefore standardizing attibutes and their use is an essential component of all Identity Federation and Interfederation efforts.
- Attributes are defined in Attribute Schemas, which range from IETF-standarized schemas (COSINE/inetOrgPerson/Schema for User Application) to ones specific to Higher Education, Research and Academia (eduPerson, SCHAC)
- Attributes often consitute personal data (Personally Identifiable Information, PII), so for controlled attribute release to third party Service Providers the use of Service Categories is recommended.
- At this time no formal eduID.at Attribute Profile exists, but all eduID.at IDPs should be able to generate the list of attributes documented as part of our Shibboleth IDPv4 attribute resolver documentation and again specified in the section "Make attributes available" of Preparing an IDP for Interfederation.
- For Service Providers the GÉANT/eduGAIN community has created a guide detailling What attributes are relevant for a Service Provider as part of the GÉANT Data Protection Code of Conduct work.
See child pages (below) for details on specific attributes, including usage and implementation considerations.
Overview
Content Tools
Tasks