ProtectNetwork

Cloud based E-Credential Management service

Policies: Attribute Release Policy (ARP)

The ProtectNetwork service releases end-user attributes on demand to remote websites, at the user's request and after the user has authenticated. Attributes are released when end-users try to access a Shibboleth/SAML- or OpenID-protected site, and only after successful user authentication at ProtectNetwork. These attributes are released as assertions to the requesting website over secure channels (SSL/HTTPS).

This ARP is subject to change depending on negotiations between ProtectNetwork and the SP site. We make our best efforts to require SP websites to use the attributes only for the stated business purpose for which they are authorized. You may report misuse of attributes to support@protectnetwork.org.

Default ARP for Untrusted SAML/Shibboleth SP Sites

If the ProtectNetwork service is not configured with the SP site's Shibboleth/SAML SP metadata, the SP website is considered Untrusted. We may provide only user authentication assertions to such sites, but no user attributes. For us to provide user attributes, the ProtectNetwork service must be configured with the SP site's Shibboleth/SAML SP metadata.

Default ARP for Trusted SAML/Shibboleth SP Sites

If the ProtectNetwork service is configured with the SP site's Shibboleth/SAML SP metadata, the SP website is considered Trusted. In such cases ProtectNetwork provides user authentication assertions along with user attributes to the trusted site, either free of charge or for a fee. User authentication and user attribute assertions are provided free of charge for the first thirty days. Thereafter, only user authentications are provided free of charge. An annual subscription fee is charged if a trusted SP site wishes to consume user attribute assertions after the first thirty days. Our default attribute release policy for trusted SP sites is as follows:

Attribute          | SAML 1 Attribute Name                             | SAML 2 Attribute Name
-------------------|---------------------------------------------------|-----------------------------------
First Name         | urn:mace:dir:attribute-def:givenName              | urn:oid:2.5.4.42
Last Name          | urn:mace:dir:attribute-def:sn                     | urn:oid:2.5.4.4
User ID            | urn:mace:dir:attribute-def:eduPersonPrincipalName | urn:oid:1.3.6.1.4.1.5923.1.1.1.6
Level of Assurance | http://protectnetwork.org/pn/loa                  | urn:oid:1.3.6.1.4.1.30847.1.1.1.6
Targeted ID*       | urn:mace:dir:attribute-def:eduPersonTargetedID    | N/A

* The ProtectNetwork service provides appropriate values for the eduPersonTargetedID attribute as defined in the EduPerson Object Class Specification (200604). These values are opaque, persistent, randomly generated strings that are particular to each user AND service provider (SP) or service provider group. Each user will have a different eduPersonTargetedID value for each SP he/she accesses, and each SP will always receive the same value for the same user every time he/she accesses the service. The eduPersonTargetedID attribute allows an SP to identify multiple accesses by the same user, while at the same time protecting the anonymity of the individual. The ProtectNetwork service generates a unique random value the first time a user accesses an SP and stores that value in a database for use in subsequent requests.

Note that in order to generate and release the eduPersonTargetedID attribute for an SP, ProtectNetwork needs the SP’s metadata first. Please upload your SP metadata by registering for an Administrator Account with ProtectNetwork.
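The release rules above (attributes only for SPs whose metadata is registered, a random per-user-per-SP eduPersonTargetedID minted on first access and stored for reuse) as an added worked example; this is illustrative code, not ProtectNetwork's implementation. The entityIDs, user record and in-memory store are constructed, and "registered metadata" is simplified to a set of entityIDs.

```python
import secrets

# Default attributes for trusted SPs, with the SAML 1 and SAML 2 names from the policy table above.
DEFAULT_ARP = {
    "givenName": ("urn:mace:dir:attribute-def:givenName", "urn:oid:2.5.4.42"),
    "sn": ("urn:mace:dir:attribute-def:sn", "urn:oid:2.5.4.4"),
    "eduPersonPrincipalName": ("urn:mace:dir:attribute-def:eduPersonPrincipalName",
                               "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"),
    "loa": ("http://protectnetwork.org/pn/loa", "urn:oid:1.3.6.1.4.1.30847.1.1.1.6"),
}
TARGETED_ID_SAML1 = "urn:mace:dir:attribute-def:eduPersonTargetedID"  # no SAML 2 name in the table


class AttributeReleaser:
    def __init__(self, registered_sp_entity_ids):
        # Simplification: an SP is "trusted" once its metadata is registered; here we keep only
        # the entityIDs of the uploaded metadata rather than parsing the metadata itself.
        self.trusted = set(registered_sp_entity_ids)
        # (user, sp) -> opaque value, kept so the same SP always sees the same value for a user
        self._targeted_ids = {}

    def targeted_id(self, user_id, sp_entity_id):
        key = (user_id, sp_entity_id)
        if key not in self._targeted_ids:
            # Random, not derived from the username: the value reveals nothing about the user
            # and cannot be correlated across SPs without access to this store.
            self._targeted_ids[key] = secrets.token_urlsafe(32)
        return self._targeted_ids[key]

    def release(self, user, sp_entity_id, saml_version=2):
        """Attributes to assert to this SP; {} for an untrusted SP (authentication only)."""
        if sp_entity_id not in self.trusted:
            return {}
        idx = 0 if saml_version == 1 else 1
        attrs = {names[idx]: user[friendly] for friendly, names in DEFAULT_ARP.items()}
        if saml_version == 1:
            attrs[TARGETED_ID_SAML1] = self.targeted_id(user["eduPersonPrincipalName"], sp_entity_id)
        return attrs


# Constructed sample data: two SPs with uploaded metadata, one without.
SP_A = "https://sp-a.example.org/shibboleth"
SP_B = "https://sp-b.example.org/shibboleth"
SP_UNKNOWN = "https://unregistered.example.net/shibboleth"
USER = {"givenName": "Alice", "sn": "Example",
        "eduPersonPrincipalName": "alice@protectnetwork.org", "loa": "2"}
RELEASER = AttributeReleaser({SP_A, SP_B})

if __name__ == "__main__":
    print(RELEASER.release(USER, SP_UNKNOWN))  # {} : untrusted SP, no attributes
    print(RELEASER.release(USER, SP_A, saml_version=1)[TARGETED_ID_SAML1])
```

Running the targeted-ID lookup twice for the same SP returns the same opaque value, while a second trusted SP receives a different one for the same user.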

Custom ARP for Shibboleth/SAML enabled trusted Sites

Registered Site Administrators can request the release of additional attributes (beyond the default ones) from ProtectNetwork. These attributes include, but are not limited to:

Attribute          | SAML 1 Attribute Name                                | SAML 2 Attribute Name
-------------------|------------------------------------------------------|-----------------------------------
Email              | urn:mace:dir:attribute-def:mail                      | urn:oid:0.9.2342.19200300.100.1.3
PN Entitlement     | http://protectnetwork.org/pn/entitlement             | urn:oid:1.3.6.1.4.1.31573.1.1.1.7
Affiliation        | urn:mace:dir:attribute-def:eduPersonAffiliation      | urn:oid:1.3.6.1.4.1.5923.1.1.1.1
Scoped Affiliation | urn:mace:dir:attribute-def:eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9
Organization       | urn:mace:dir:attribute-def:o                         | urn:oid:2.5.4.10
Home Phone Number  | urn:mace:dir:attribute-def:homePhone                 | urn:oid:0.9.2342.19200300.100.1.20

ARP for OpenID Enabled ASP Sites

The ProtectNetwork service releases all attributes requested by the OpenID site after user authentication at ProtectNetwork. The attributes may be displayed inline in the user's web browser before being released to the requesting OpenID site, and users may be given the option to deny such release.

© Copyright 2004 - 2010 | 9Star Research, Inc. | All Rights Reserved