REFEDS RESEARCH AND EDUCATION (R&S)

ENTITY CATEGORY

NICOLE HARRIS

What is an Entity Category?

• Entity Categories group federation entities that share common criteria. 

• obliged to conform to the characteristics set out in the definition of that category.

• Can be SP or IdP tagged.

• a way to facilitate IdP decisions to release a defined set of attributes to SPs (scaling attribute release policies).

• Other use cases (see hide-from-discovery).

• Expressed as a SAML Attribute.

The Specifications

• SAML V2.0 Metadata Extension for Entity Attributes: http://wiki.oasis-open.org/security/SAML2MetadataAttr.

• The Entity Category SAML Attribute Types: https://tools.ietf.org/html/draft-young-entity-category/.

Research and Scholarship?

• Candidates for the Research and Scholarship (R&S) Category are Service Providers that are operated for the purpose of supporting research and scholarship interaction, collaboration or management, at least in part.

• Example Service Providers: collaborative tools and services such as wikis, blogs, project and grant management tools.

• Example NOT R&S: e-journal providers.

Requirements

• The Service Provider has applied for membership in the Category and complies with the R&S registration criteria.

• The Service Provider’s application for R&S has been reviewed and approved by the registrar.

• By using the Entity Category Attribute, a Service Provider claims that it will not use attributes for purposes that fall outside of the service definition.

• By using the Entity Category Support Attribute, an Identity Provider claims that it supports the release of attributes to R&S Service.

Checks?

• The service enhances the research and scholarship activities of some subset of the registrar’s user community.

• Service metadata has been submitted to the registrar and published in the registrar’s public metadata aggregate.

• The Service Provider is a production SAML deployment, supports SAML V2.0 HTTP-POST binding, claims to refresh federation metadata at least daily, provides an mdui:DisplayName and mdui:InformationURL provides one or more technical contacts in metadata, provides requested attributes in metadata.

Attributes

• Identity Providers are strongly encouraged to release the following bundle of attributes to R&S category Service Providers:• personal identifiers: email address, person name,

eduPersonPrincipalName.• pseudonymous identifier: eduPersonTargetedID.• affiliation: eduPersonScopedAffiliation.

• Minimum set:• eduPersonPrincipalName• mail• displayName OR (givenName AND sn)• (must use eduPersonTargetedID if PN is reassigned)

Useful Resources

• R&S FAQ:https://wiki.refeds.org/display/ENT/Research+and+Scholarship+FAQ/.

• The Category: https://wiki.refeds.org/display/ENT/Research+and+Scholarship.

• Guidance on justification for attribute release: https://wiki.refeds.org/display/ENT/Guidance+on+justification+for+attribute+release.

CONSENT The data subject has unambiguously given his consent.

CONTRACTUAL Processing is necessary for the performance of a contract to which the data subject is party.

LEGAL OBLIGATION Processing is necessary for compliance with a legal obligation to which the data controller is subject.

VITAL INTEREST Processing is necessary in order to protect the vital interests of the data subject.

PUBLIC INTEREST Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed.

LEGITIMATE INTERESTS

Processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed.

What do the important people say?

Article29 Working Party:

"The current text of Article 7(f) of the Directive is open ended. This flexible wording leaves much room for interpretation and has sometimes as experience has shown led to lack of predictability and lack of legal certainty. However, if used in the right context, and with the application of the right criteria, as set out in this Opinion, Article 7(f) has an essential role to play as a legal ground for legitimate data processing.”

7(f) = legitimate interests

What do the important people say?

Article29 Working Party:

"...an appropriate assessment of the balance under Article 7(f), often with an opportunity to opt-out of the processing, may in other cases be a valid alternative to inappropriate use of, for instance, the ground of 'consent' or 'necessity for the performance of a contract'. Considered in this way, Article 7(f) presents complementary safeguards - which require appropriate measures - compared to the other pre-determined grounds.”

PERFORM A BALANCE TEST

SAFGUARDS TRANSPARENCY

IMPACT MANAGEMENT

LEGITIMATE REASONS

BALANCE CASE BY CASE

https://wiki.refeds.org/display/ENT/Guidance+on+justification+for+attribute+release

7-STEP PLAN

• Check that Legitimate Interests is the best approach.

STEP ONE

• Qualify the legitimacy of the request – lawful, clearly articulated, real need.

STEP TWO

• Determine whether the processing is necessary to achieve the goal.

STEP THREE

7-STEP PLAN

• Balance the data controller’s needs against the interests of the subjects.

STEP FOUR

• Identity safeguards you can put in place (tech design etc).

STEP FIVE

• Demonstrate (publish) compliancy.

STEP SIX

• Allow the user to opt-out.

STEP SEVEN