Background

One of the biggest problems faced in the Identity Federation ecosystem is support for the safe and appropriate release of user data to services in the form of attributes.  Organisations have a duty of care to ensure that any data they pass on about their users is appropriate, required and in line with legislative requirements.  Services need certain amounts of data to be consistently released to give users an appropriate experience.  Both Identity Providers and Service Providers need this all to be managed in a scalable way so that decisions can be made appropriately across a large range of different services.  This picture is further complicated by a lot of fear, uncertainty and doubt around who can make decisions concerning data release.

The Solution?

The REFEDS community has developed a set of three access entity categories to help support the most common sets of user data needed by services. These are:

  • Anonymous: by flagging this entity category, the Service Provider is communicating that it does not want to receive any personal data about a user and it is happy to manage a simple authentication request based on the user’s organisation and affiliation status.
  • Pseudonymous: this category allows a Service Provider to successfully authenticate a user and provide some consistency of experience without needing fully personalized data for the user.
  • Personalized: this category allows the Service Provider to receive a small subset of personal data for the user to effectively provide a personalized experience (e.g. name, email).

Benefits

Use of these categories provides a range of benefits for both organisations and services:

  • The entity categories are vetted by Identity Federations before being applied, which means that the Service Provider can prove its eligibility once – rather than having to enter into multiple negotiations around attribute requirements.
  • The categories are scalable and can be easily managed by system administrators responsible for connecting with a wide range of services.
  • The categories are clear and simplified – ensuring that the minimum data needed is released to each service appropriately.
  • The standardised approach cuts down on errors in attribute requests or uncertainty about what should be requested and how.

We strongly encourage both Identity Providers and Service Providers to support this standardised approach to entity categories to make the process of requesting attributes simpler for all the parties involved.

Further Information

Full details of the entity categories can be found on the REFEDS website and the supporting material on the REFEDS wiki.  If you would like to discuss more information about these categories please reach out to your home federation or join the REFEDS community.