
The ProtectNetwork IdP servers release end-user attributes on demand to Application Service Provider (ASP) sites at the user's request. Attributes are released when end users try to access a Shibboleth- or OpenID-protected site, after they have been authenticated at ProtectNetwork. Once a user is authenticated by our site, our identity servers release the requested attributes to the ASP site the user originally accessed. These attributes are released as assertions over secure channels (SSL/HTTPS) to the requesting ASP site.

This ARP is subject to change depending on negotiations between our IdM staff and ASP sites. We make our best efforts to require ASPs to use the attributes only for the stated business purpose for which they are authorized. You may report misuse of attributes at abuse@protectnetwork.org.



If the ProtectNetwork service is not configured with your ASP site's metadata, then your site is considered Untrusted. We provide only user authentication assertions to such sites; we do not provide any user attributes. In order for us to provide user attributes, we need access to your site's metadata, and the ProtectNetwork service needs to be configured with that metadata.



If the ProtectNetwork service is configured with your ASP site's metadata, then your site is considered Trusted. We provide user authentication assertions along with user attributes to such trusted sites. Our default policy of attribute release for such sites is as follows:

| Attribute Name | Meaning |
| --- | --- |
| urn:mace:dir:attribute-def:givenName | First Name |
| urn:mace:dir:attribute-def:sn | Surname |
| urn:mace:dir:attribute-def:eduPersonPrincipalName | username |
| urn:mace:dir:attribute-def:eduPersonTargetedID | Targeted ID* |
| http://protectnetwork.org/pn/loa | Level of Assurance |

* The ProtectNetwork IdP provides appropriate values for the eduPersonTargetedID attribute as defined in the EduPerson Object Class Specification (200604). These values are opaque, persistent, randomly generated strings that are particular to each user AND service provider (SP) or service provider group. Each user will have a different eduPersonTargetedID value for each SP he/she accesses, and each SP will always receive the same value for the same user every time he/she accesses the service. The eduPersonTargetedID attribute allows an SP to identify multiple accesses by the same user, while at the same time protecting the anonymity of the individual. The ProtectNetwork IdP generates a unique random value the first time a user accesses an SP and stores that value in a database for use in subsequent requests.

Note that in order to generate and release the eduPersonTargetedID attribute for an SP, we need to have the SP's metadata first. Please contact support@protectnetwork.org if you wish to have your metadata added to the ProtectNetwork IdP site.
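
The release rules above (no attributes for untrusted sites, the default set for trusted ones, and a stored random eduPersonTargetedID per user and SP or SP group) can be modelled as follows. This is an added illustration, not ProtectNetwork's code; the SP entity IDs, the user record, the `group` and `extra` keys and the in-memory store standing in for the database are constructed assumptions.

```python
import secrets

P = "urn:mace:dir:attribute-def:"
DEFAULT_SET = [P + "givenName", P + "sn", P + "eduPersonPrincipalName",
               P + "eduPersonTargetedID", "http://protectnetwork.org/pn/loa"]

class TargetedIdStore:
    """Random opaque value per (user, SP or SP group), stored on first use."""
    def __init__(self):
        self._rows = {}  # stands in for the database table

    def lookup(self, username, audience):
        key = (username, audience)
        if key not in self._rows:
            # Random, not derived from user data, so it cannot be reversed
            # or correlated across service providers.
            self._rows[key] = secrets.token_urlsafe(24)
        return self._rows[key]

def release(user, sp_entity_id, sp_policies, store):
    """Return the attributes to place in the assertion for this SP."""
    policy = sp_policies.get(sp_entity_id)
    if policy is None:
        return {}  # untrusted: authentication assertion only, no attributes
    audience = policy.get("group", sp_entity_id)
    released = {}
    for name in DEFAULT_SET + policy.get("extra", []):
        if name == P + "eduPersonTargetedID":
            released[name] = store.lookup(user["username"], audience)
        elif name in user["attrs"]:
            released[name] = user["attrs"][name]
    return released

# Constructed sample data: SPs whose metadata is configured at the IdP.
SP_POLICIES = {
    "https://sp-a.example.org/shibboleth": {"extra": [P + "mail"]},
    "https://sp-b.example.org/shibboleth": {},
    "https://wiki.fed.example/shibboleth": {"group": "fed.example"},
    "https://jira.fed.example/shibboleth": {"group": "fed.example"},
}
USER = {"username": "jdoe", "attrs": {
    P + "givenName": "Jane", P + "sn": "Doe",
    P + "eduPersonPrincipalName": "jdoe@idp.example",
    "http://protectnetwork.org/pn/loa": "1",
    P + "mail": "jane@example.org",
}}
```

Because the value is random rather than a hash of the username, the stored table is the only link between a user and a targeted ID, so it has to be protected and backed up like any other identity data.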




ProtectNetwork IdP servers will release one additional attribute (in addition to the default set outlined above) to the TestShib site. The additional attribute that will be released to the TestShib site is urn:mace:dir:attribute-def:mail.

This attribute is released on demand to the TestShib site only after the user authenticates at the ProtectNetwork site. This attribute is used by the TestShib site to communicate with TestShib registrants about the status of their TestShib SP/IdP metadata entries.




ProtectNetwork IdP servers will release one additional attribute (in addition to the default set outlined above) to different web applications and sites within the University of Texas System Federation. The additional attribute (besides the default ones) requested for release is urn:mace:dir:attribute-def:mail.

This attribute is released on-demand to various UT System sites only after the user authenticates at the ProtectNetwork site. This attribute is used by UT System for providing seamless authorized access to their applications and sites to legitimate users.




ProtectNetwork IdP servers will release one additional attribute (in addition to the default set outlined above) to the GridShib site. The attribute requested for release by the GridShib site is: urn:mace:dir:attribute-def:mail.

This attribute is released on demand to the GridShib site only after the user authenticates at the ProtectNetwork site. This attribute is used by the GridShib site to communicate with GridShib registrants about their Grid credentials.




ProtectNetwork IdP servers will release one additional attribute (in addition to the default set outlined above) to several University of Washington SP sites. The additional attribute requested for release by the SPs is: urn:mace:dir:attribute-def:mail.

This attribute is released on-demand to the SP sites only after the user authenticates at the ProtectNetwork site. This attribute is used by the SP sites for future communication with SP site registrants.




ProtectNetwork IdP servers release two additional attributes (in addition to the default set outlined above) to the SPs in the SWAMI Federation. The attributes requested for release by the SWAMID federation SPs are: urn:mace:dir:attribute-def:mail and urn:mace:dir:attribute-def:displayName.

These attributes are released on demand to the SWAMID federation SPs only after the user authenticates at the ProtectNetwork site. These attributes are used by SPs (SAKAI, JIRA and others) for proper functioning.




ProtectNetwork IdP servers will release all attributes requested by the OpenID site after user authentication at the ProtectNetwork site. The attributes will be displayed inline in the user's web browser before being released to the requesting OpenID site, and the user will have the option to deny the release. Thus, users have full control over which OpenID sites can acquire their attributes. Users can, however, turn off this control feature by logging into their ProtectNetwork account, in which case attributes may be released to the requesting OpenID site without their explicit permission each time.