Policies: Attribute Release Policy (ARP)
The ProtectNetwork service releases end-user attributes to remote websites on demand, after the user has authenticated and at the user's request. Attributes are released when an end user tries to access a Shibboleth/SAML-enabled website or application, and only after successful authentication at ProtectNetwork. The attributes are delivered to the requesting website as SAML assertions over a secure channel (SSL/HTTPS).
This ARP is subject to change depending on negotiations between ProtectNetwork and the SP website/app. We make our best efforts to require SP websites to use the attributes only for the stated business purpose for which they are authorized. You may report misuse of attributes to support@protectnetwork.org.
Default ARP for Trusted SAML/Shibboleth SP Sites
User authentication and user attribute assertions are provided free of charge for the first thirty days. Thereafter, an annual subscription fee is charged if a trusted SP site wishes to continue consuming SAML assertions. Our default attribute release policy for trusted SP sites is as follows:
| Attribute | SAML 1 Attribute Name | SAML 2 Attribute Name |
|---|---|---|
| First Name | urn:mace:dir:attribute-def:givenName | urn:oid:2.5.4.42 |
| Last Name | urn:mace:dir:attribute-def:sn | urn:oid:2.5.4.4 |
| User ID | urn:mace:dir:attribute-def:eduPersonPrincipalName | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 |
| Level of Assurance | http://protectnetwork.org/pn/loa | urn:oid:1.3.6.1.4.1.30847.1.1.1.6 |
| Targeted ID* | urn:mace:dir:attribute-def:eduPersonTargetedID | N/A |
* The ProtectNetwork service provides appropriate values for the eduPersonTargetedID attribute as defined in the EduPerson Object Class Specification (200604). These values are opaque, persistent, randomly generated strings that are particular to each user AND service provider (SP) or service provider group. Each user will have a different eduPersonTargetedID value for each SP he/she accesses, and each SP will always receive the same value for the same user every time he/she accesses the service. The eduPersonTargetedID attribute allows an SP to identify multiple accesses by the same user, while at the same time protecting the anonymity of the individual. The ProtectNetwork service generates a unique random value the first time a user accesses an SP and stores that value in a database for use in subsequent requests.
Note that in order to generate and release the eduPersonTargetedID attribute for an SP, ProtectNetwork needs the SP’s metadata first. Please upload your SP metadata by registering for an Administrator Account with ProtectNetwork.
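The eduPersonTargetedID behaviour described in the note above, as an added example in Python. This is not ProtectNetwork's code: the in-memory store stands in for the database the note mentions, the SP entity IDs and the SP-to-group mapping are constructed for the example, and the "service provider group" handling follows the note's wording that SPs in a group receive the same value. It demonstrates the properties the note states: the value is random and opaque, the same user and SP always get the same value, different SPs (outside a shared group) get unrelated values, and no value can be issued for an SP whose metadata has not been registered.

```python
import secrets
from typing import Dict, Optional, Tuple


class TargetedIdStore:
    """In-memory stand-in for the persistence database (constructed for this example)."""

    def __init__(self) -> None:
        # (user, sp-or-group) -> opaque value; this is the "database" of the note
        self._values: Dict[Tuple[str, str], str] = {}
        # SP entityID -> scope key. An SP registered alone scopes to itself;
        # SPs registered with the same group name share one value per user.
        self._scope: Dict[str, str] = {}

    def register_sp(self, entity_id: str, group: Optional[str] = None) -> None:
        """Models 'upload your SP metadata': only registered SPs can receive a targeted ID."""
        self._scope[entity_id] = group if group is not None else entity_id

    def targeted_id(self, user: str, sp_entity_id: str) -> str:
        """Return the persistent pairwise value for (user, SP), generating it on first access."""
        if sp_entity_id not in self._scope:
            # No metadata on file, so no value is generated (mirrors the note's precondition)
            raise KeyError(f"no SP metadata registered for {sp_entity_id}")
        key = (user, self._scope[sp_entity_id])
        value = self._values.get(key)
        if value is None:
            # Opaque and random: not derived from the user's name, ID or any other attribute,
            # so an SP holding this value cannot link it to the user elsewhere.
            value = secrets.token_urlsafe(32)
            self._values[key] = value
        return value


def build_demo_store() -> TargetedIdStore:
    """Constructed sample registrations (hypothetical entity IDs, not real SPs)."""
    store = TargetedIdStore()
    store.register_sp("https://sp1.example.org/shibboleth")
    store.register_sp("https://sp2.example.org/shibboleth")
    store.register_sp("https://a.group.example.org/shibboleth", group="example-group")
    store.register_sp("https://b.group.example.org/shibboleth", group="example-group")
    return store


def check_properties(store: TargetedIdStore) -> Dict[str, bool]:
    """Exercise the store and report whether each property from the note holds."""
    sp1 = "https://sp1.example.org/shibboleth"
    sp2 = "https://sp2.example.org/shibboleth"
    grp_a = "https://a.group.example.org/shibboleth"
    grp_b = "https://b.group.example.org/shibboleth"

    alice_sp1 = store.targeted_id("alice", sp1)
    try:
        store.targeted_id("alice", "https://unregistered.example.org/shibboleth")
        refused = False
    except KeyError:
        refused = True

    return {
        # same user, same SP, repeated access -> same value
        "stable_per_user_sp": store.targeted_id("alice", sp1) == alice_sp1,
        # same user, different SP -> different value (SPs cannot correlate the user)
        "differs_across_sps": store.targeted_id("alice", sp2) != alice_sp1,
        # different users at the same SP -> different values
        "differs_across_users": store.targeted_id("bob", sp1) != alice_sp1,
        # SPs in one group share a value for the same user
        "shared_within_group": store.targeted_id("alice", grp_a) == store.targeted_id("alice", grp_b),
        # unregistered SP (no metadata) gets nothing
        "unregistered_refused": refused,
        # value carries no user-identifying content
        "opaque": "alice" not in alice_sp1,
    }


if __name__ == "__main__":
    for name, ok in check_properties(build_demo_store()).items():
        print(f"{name}: {'ok' if ok else 'FAILED'}")
```

A production store would key the record on the SP's entityID as taken from its registered metadata, not on a value supplied in the request, and would back the map with durable storage so that the value survives restarts; losing the record is indistinguishable to the SP from a brand-new user.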
Custom ARP for Shibboleth/SAML enabled trusted Sites
Registered Administrators with licensed subscription(s) can request the release of additional attributes (beyond the default ones) from ProtectNetwork. These include, but are not limited to:
| Attribute | SAML 1 Attribute Name | SAML 2 Attribute Name |
|---|---|---|
| Email | urn:mace:dir:attribute-def:mail | urn:oid:0.9.2342.19200300.100.1.3 |
| PN Entitlement | http://protectnetwork.org/pn/entitlement | urn:oid:1.3.6.1.4.1.31573.1.1.1.7 |
| Affiliation | urn:mace:dir:attribute-def:eduPersonAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.1 |
| Scoped Affiliation | urn:mace:dir:attribute-def:eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 |
| Organization | urn:mace:dir:attribute-def:o | urn:oid:2.5.4.10 |
| Home Phone Number | urn:mace:dir:attribute-def:homePhone | urn:oid:0.9.2342.19200300.100.1.20 |
