
Entity Categories in eduID.cz

In eduID.cz federation, Identity Providers (IdPs) and some Service Providers (SPs) have been classified into various Entity Categories (ECs). The categories are helpful for access control at the SP side and for releasing attributes at the IdP side.

IdP categories

Identity Providers within the eduID.cz federation are divided into five categories. Each category represents one type of organisation. The category is assigned by the federation operator, which tries to assign exactly one category to every IdP.

Public and private universities
eduPersonAffiliation values: alum, affiliate, employee, faculty, member, student, staff

EC name: http://eduid.cz/uri/idp-group/university

Institutions of The Czech Academy of Sciences
eduPersonAffiliation values: member

EC name: http://eduid.cz/uri/idp-group/avcr

Libraries
eduPersonAffiliation values: affiliate, employee, member

EC name: http://eduid.cz/uri/idp-group/library

Hospitals
eduPersonAffiliation values: employee (check)

EC name: http://eduid.cz/uri/idp-group/hospital

CESNET
eduPersonAffiliation values: affiliate, employee, member

EC name: http://eduid.cz/uri/idp-group/cesnet

Underlined eduPersonAffiliation values mark users who belong to the Research & Education (R&E) community.

The following filter rule specifies which users are eligible to access a service. A filter written this way is relatively long, but it is very easy to understand, and when a new entity category is created, users from the corresponding organisations do not get access to the service until the SP administrator decides to update the filter.

(idp_category=='university' and ((affiliation=='employee') or (affiliation=='faculty') or (affiliation=='member') or (affiliation=='student') or (affiliation=='staff'))) or
(idp_category=='avcr' and (affiliation=='member')) or
(idp_category=='library' and (affiliation=='employee')) or
(idp_category=='hospital' and (affiliation=='employee')) or
(idp_category=='other' and (affiliation=='employee'))

Alternatively, an exclude variant would look like this:

not (
  (affiliation=='alum') or
  (idp_category=='library' and (not affiliation=='employee'))
)

A specific Shibboleth Service Provider implementation is described in a separate document. Filters written for other SP implementations are welcome and we will be happy to publish them.
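To make the difference between the two filter styles concrete, the following added example (not eduID.cz or Shibboleth code) expresses both rules as Python functions and evaluates them side by side. The idp_category strings and affiliation values follow the pseudo-filters above; the sample users are constructed. It shows the point made above about new entity categories: the include variant denies an IdP category it does not know, while the exclude variant lets it through.

```python
# Added example (not eduID.cz or Shibboleth code): the page's two filter
# rules as plain Python functions so their behaviour can be compared.
# idp_category strings and affiliation values follow the page's
# pseudo-filters; the sample users at the bottom are constructed.

# Include variant: every IdP category that may reach the service is listed
# together with the affiliations it accepts. Anything not listed is denied.
INCLUDE_RULES = {
    "university": {"employee", "faculty", "member", "student", "staff"},
    "avcr": {"member"},
    "library": {"employee"},
    "hospital": {"employee"},
    "other": {"employee"},
}


def include_filter(idp_category, affiliations):
    """True if at least one of the user's affiliation values is accepted
    for the user's IdP category. An unknown category (for example one
    created after this filter was written) matches no branch: fail closed."""
    allowed = INCLUDE_RULES.get(idp_category, set())
    return not allowed.isdisjoint(affiliations)


def exclude_filter(idp_category, affiliations):
    """The page's exclude variant: deny only alumni and non-employee users
    of library IdPs. Everything else, including categories that did not
    exist when the filter was written, is allowed: fail open."""
    affiliations = set(affiliations)
    if "alum" in affiliations:
        return False
    if idp_category == "library" and "employee" not in affiliations:
        return False
    return True


# Constructed test users: (idp_category, eduPersonAffiliation values).
SAMPLE_USERS = [
    ("university", ["student"]),
    ("university", ["alum"]),
    ("university", ["alum", "staff"]),   # multi-valued attribute
    ("library", ["member"]),
    ("hospital", ["employee"]),
    ("newcategory", ["employee"]),        # category unknown to the include filter
]


def compare_filters(users=SAMPLE_USERS):
    """Return {(category, affiliations): (include_decision, exclude_decision)}
    so the two variants can be compared case by case."""
    return {
        (cat, tuple(affs)): (include_filter(cat, affs), exclude_filter(cat, affs))
        for cat, affs in users
    }


if __name__ == "__main__":
    for (cat, affs), (inc, exc) in compare_filters().items():
        print(f"{cat:12} {','.join(affs):14} include={inc!s:5} exclude={exc}")
```

Two cases are worth noting in the output: a user whose IdP carries a category that did not exist when the filter was written is denied by the include variant and allowed by the exclude variant, and a user with the multi-valued affiliation alum plus staff is allowed by the include variant (staff matches) but denied by the exclude variant (alum matches). Which behaviour is right depends on whether the service prefers to fail closed or fail open when the federation changes.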

IdP and SP categories

In addition to the IdP categories described above, there are a few more categories in the eduID.cz federation intended for labelling entities that belong to various projects. Such labelling makes sense when a group of SPs needs attributes that are not usually released to other entities in the federation. This greatly helps in negotiating attribute release policies with particular IdPs.

MEFANET (MEdical FAculties NETwork) is a project intended to build and strengthen cooperation between medical and non-medical health faculties in the Czech Republic and Slovakia. The aim of the project is the development of education through the use of modern information and communication technology.

EC name: http://eduid.cz/uri/group/mefanet

An example of an entity label in metadata

The following XML fragment shows that the IdP of the Czech Technical University in Prague belongs to the entity category designated for universities.

<!-- namespace declarations added so the fragment stands on its own; in
     federation metadata they normally appear on the enclosing root element -->
<md:EntityDescriptor entityID="https://idp2.civ.cvut.cz/idp/shibboleth"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>http://eduid.cz/uri/idp-group/university</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
  <!-- additional metadata information follows -->
</md:EntityDescriptor>

Entity category attributes are used in the same way as the user attributes sent by a user's IdP. An example of how to use them in Shibboleth SP is available in a separate document.
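The following added example (not eduID.cz or Shibboleth code) reads entity-category labels out of SAML metadata with the Python standard library and turns them into the idp_category value that an access filter would use; it also lists the entities carrying a project label such as the MEFANET one. The first EntityDescriptor reproduces the fragment above, the other two are constructed. It assumes the metadata has already been signature-checked by whatever fetched it, since the categories are only trustworthy as assertions of the federation operator, not of the IdP itself.

```python
# Added example (not eduID.cz or Shibboleth code): derive an IdP's category
# from entity-category labels in SAML metadata. The first EntityDescriptor
# reproduces the page's fragment; the other two entities are constructed.
# Assumes the metadata was signature-verified before it reached this code.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MDATTR = "urn:oasis:names:tc:SAML:metadata:attribute"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
EC_ATTRIBUTE = "http://macedir.org/entity-category"
IDP_GROUP_PREFIX = "http://eduid.cz/uri/idp-group/"
MEFANET = "http://eduid.cz/uri/group/mefanet"

SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://idp2.civ.cvut.cz/idp/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>http://eduid.cz/uri/idp-group/university</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
  </md:EntityDescriptor>
  <!-- constructed: a library IdP that also takes part in MEFANET -->
  <md:EntityDescriptor entityID="https://idp.library.example/idp/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>http://eduid.cz/uri/idp-group/library</saml:AttributeValue>
          <saml:AttributeValue>http://eduid.cz/uri/group/mefanet</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
  </md:EntityDescriptor>
  <!-- constructed: an IdP the operator has not categorised -->
  <md:EntityDescriptor entityID="https://idp.uncategorised.example/idp/shibboleth"/>
</md:EntitiesDescriptor>
"""


def entity_categories(metadata_xml):
    """Map every entityID in the metadata to the set of entity-category
    URIs attached to it (an empty set when the entity carries none)."""
    root = ET.fromstring(metadata_xml)
    result = {}
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        cats = set()
        for attr in ed.findall(f".//{{{MDATTR}}}EntityAttributes/{{{SAML}}}Attribute"):
            if attr.get("Name") != EC_ATTRIBUTE:
                continue
            for value in attr.findall(f"{{{SAML}}}AttributeValue"):
                if value.text:
                    cats.add(value.text.strip())
        result[ed.get("entityID")] = cats
    return result


def idp_category(categories):
    """Derive the page's idp_category from an entity's category URIs.
    The page says every IdP should carry exactly one idp-group label, so
    zero or several such labels yield None, which an include-style filter
    treats as no match."""
    groups = {c[len(IDP_GROUP_PREFIX):] for c in categories if c.startswith(IDP_GROUP_PREFIX)}
    return groups.pop() if len(groups) == 1 else None


def members_of(categories_by_entity, group_uri):
    """Entity IDs labelled with a project category such as the MEFANET one."""
    return sorted(e for e, cats in categories_by_entity.items() if group_uri in cats)


if __name__ == "__main__":
    cats = entity_categories(SAMPLE_METADATA)
    for entity_id, uris in cats.items():
        print(entity_id, "->", idp_category(uris), sorted(uris))
    print("MEFANET members:", members_of(cats, MEFANET))
```

The category comes from the federation metadata rather than from anything the IdP sends in its assertion, which is what makes it usable for access control: the IdP cannot label itself into a more privileged group. An entity carrying no idp-group label, or more than one, deliberately yields no category here, so an include-style filter denies rather than guesses.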