In the eduID.cz federation, Identity Providers (IdPs) and some Service Providers (SPs) have been classified into Entity Categories (ECs). The categories help with access control on the SP side and with attribute release on the IdP side.
Identity Providers within the eduID.cz federation are divided into five categories. Each category represents one type of organisation. Categories are assigned by the federation operator, and we try to assign every IdP exactly one category.
Public and private universities
EC name: |
Institutions of The Czech Academy of Sciences
EC name: |
Libraries
EC name: |
Hospitals
EC name: |
CESNET
EC name: |
Underlined eduPersonAffiliation values mark users who belong to Research & Education (R&E) community.
The following filter rule specifies which users are eligible to access a service. A filter written this way is relatively long; however, it is very easy to understand, and when a new entity category is created, users from the corresponding organisations do not gain access to the service until the SP administrator decides to update the filter.
(idp_category=='university' and (affiliation=='employee' or affiliation=='faculty' or affiliation=='member' or affiliation=='student' or affiliation=='staff'))
or (idp_category=='avcr' and affiliation=='member')
or (idp_category=='library' and affiliation=='employee')
or (idp_category=='hospital' and affiliation=='employee')
or (idp_category=='other' and affiliation=='employee')
Alternatively, an exclude variant would look like this:
not ( (affiliation=='alum') or (idp_category=='library' and (not affiliation=='employee')) )
A concrete implementation for the Shibboleth Service Provider is described in a separate document. Filters written for other SP implementations are welcome, and we will be happy to publish them.
In addition to the IdP categories described above, the eduID.cz federation has a few more categories intended for labelling entities that belong to particular projects. Such labelling makes sense when a group of SPs needs attributes that are not usually released to other entities in the federation; it greatly simplifies negotiating attribute release policies with the individual IdPs.
MEFANET (MEdical FAculties NETwork) is a project intended to build and strengthen cooperation between medical and non-medical health faculties in the Czech Republic and Slovakia. The aim of the project is to develop education through the use of modern information and communication technology.
EC name: |
The following XML fragment shows that the IdP of the Czech Technical University in Prague belongs to the entity category designated for universities.
<md:EntityDescriptor entityID="https://idp2.civ.cvut.cz/idp/shibboleth">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category"
                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>http://eduid.cz/uri/idp-group/university</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
  <!-- additional metadata information follows -->
Entity category attributes are used in the same way as the user attributes sent by the user's IdP. An example of how to use them in the Shibboleth SP is available in a separate document.
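The following is an added example that is not code from eduID.cz or from the Shibboleth project. It ties the two parts of this page together: it reads the entity-category attribute out of SAML metadata (the CVUT fragment above plus two constructed IdPs, one of which has no category yet) and then evaluates both the include filter and the exclude variant above against a user's eduPersonAffiliation values. It assumes that every eduID.cz IdP category URI shares the prefix http://eduid.cz/uri/idp-group/ and that the last path segment is the idp_category short name used by the filter; only the 'university' value actually appears on this page, so the library entityID and the prefix rule are assumptions.

```python
"""Entity-category extraction and filter evaluation (added example, not eduID.cz code)."""
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Set

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY_ATTR = "http://macedir.org/entity-category"
# Assumption: all eduID.cz IdP-category URIs share this prefix (page shows only 'university').
CATEGORY_PREFIX = "http://eduid.cz/uri/idp-group/"

# Constructed sample metadata: the CVUT entry from the page, a constructed library IdP,
# and a constructed IdP that has not been assigned any entity category yet.
METADATA = f"""
<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}">
  <md:EntityDescriptor entityID="https://idp2.civ.cvut.cz/idp/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="{ENTITY_CATEGORY_ATTR}" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>{CATEGORY_PREFIX}university</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.library.example/idp/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="{ENTITY_CATEGORY_ATTR}" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>{CATEGORY_PREFIX}library</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.newcomer.example/idp/shibboleth"/>
</md:EntitiesDescriptor>
"""


def entity_categories(metadata_xml: str) -> Dict[str, Set[str]]:
    """Map every entityID in the metadata to the set of entity-category URIs declared for it."""
    root = ET.fromstring(metadata_xml.strip())
    result: Dict[str, Set[str]] = {}
    for ed in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        cats: Set[str] = set()
        for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
            if attr.get("Name") != ENTITY_CATEGORY_ATTR:
                continue  # other entity attributes (e.g. assurance) are not categories
            for value in attr.findall("saml:AttributeValue", NS):
                if value.text and value.text.strip():
                    cats.add(value.text.strip())
        result[ed.get("entityID", "")] = cats
    return result


def idp_category(categories: Set[str]) -> Optional[str]:
    """Short idp_category name (university, avcr, library, ...) or None if none is assigned."""
    names = sorted(c[len(CATEGORY_PREFIX):] for c in categories if c.startswith(CATEGORY_PREFIX))
    return names[0] if names else None


# The include filter from the page: allowed affiliations per IdP category.
INCLUDE_RULE = {
    "university": {"employee", "faculty", "member", "student", "staff"},
    "avcr": {"member"},
    "library": {"employee"},
    "hospital": {"employee"},
    "other": {"employee"},
}


def allowed_include(category: Optional[str], affiliations: Set[str]) -> bool:
    """Include variant: an unknown or unassigned category yields no access (default deny)."""
    return bool(affiliations & INCLUDE_RULE.get(category or "", set()))


def allowed_exclude(category: Optional[str], affiliations: Set[str]) -> bool:
    """Exclude variant from the page: deny alumni and non-employee library users, allow the rest."""
    if "alum" in affiliations:
        return False
    if category == "library" and "employee" not in affiliations:
        return False
    return True


def authorize(metadata_xml: str, entity_id: str, affiliations: Set[str], exclude_variant: bool = False) -> bool:
    """Look up the IdP's category in metadata and apply the chosen filter to the user's affiliations."""
    category = idp_category(entity_categories(metadata_xml).get(entity_id, set()))
    if exclude_variant:
        return allowed_exclude(category, affiliations)
    return allowed_include(category, affiliations)


if __name__ == "__main__":
    for eid, cats in entity_categories(METADATA).items():
        print(eid, "->", idp_category(cats))
    newcomer = "https://idp.newcomer.example/idp/shibboleth"
    print("uncategorised IdP, include filter:", authorize(METADATA, newcomer, {"employee"}))
    print("uncategorised IdP, exclude filter:", authorize(METADATA, newcomer, {"employee"}, exclude_variant=True))
```

The uncategorised IdP is the interesting case: the include filter denies its users until the SP administrator extends the rule, exactly as the text describes, whereas the exclude variant lets them in. Affiliations are modelled as a set because eduPersonAffiliation is multi-valued and a Shibboleth rule matches if any value matches.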