ARP & attribute changes to support REFEDS attribute release

Changes have been made to SAFIRE’s attribute release policy and supported attributes to provide support for two additional REFEDS attribute release profiles: Anonymous Access and Pseudonymous Access.

Changes to SAFIRE’s Attribute Release Policy

SAFIRE has long supported attribute release based on the REFEDS Research and Scholarship (R&S) entity category. While this has been very useful for unlocking attribute release, it does not cover a number of use cases (particularly in the commercial space). For this reason REFEDS established a number of new attribute release profiles based on entity categories. We’ve been slow at adopting these, but have now added basic support for them to both our metadata aggregator and federation hub.

With this new support available, we’ve consolidated and simplified our attribute release policy. The previous “Research and Scholarship” policy has been removed and replaced with a new “REFEDS Entity Categories” policy. This new policy does not define a specific set of attributes. Instead it defines a number of REFEDS entity-category based profiles that we support, and specifies the attribute release as the superset of the attributes required by those profiles.

Three entity categories are currently supported:

- REFEDS Anonymous Access
- REFEDS Pseudonymous Access
- REFEDS Research and Scholarship (R&S)

The last of these, Research and Scholarship (R&S), is effectively a drop-in replacement for the old “Research and Scholarship” policy with one caveat: the earlier policy provided for two attributes that are not part of the R&S bundle, being eduPersonAffiliation and schacHomeOrganizationType. This was a legacy predating the requirement for eduPersonScopedAffiliation. These will no longer be sent to service providers relying solely on REFEDS R&S for release, but may be separately requested as part of a Negotiated policy.

In addition to the above, there is an existing “REFEDS Code of Conduct v2” policy that was introduced in 2024. This is effectively also a REFEDS attribute release entity category but remains special-cased because the specification does not specify a particular bundle of attributes but instead describes the policy framework under which any attribute may be requested.

Changes to SAFIRE’s list of supported attributes

In order to facilitate support for the Pseudonymous Access entity category (and future support for the Personalized Access one), support for three new attributes is required.

The first of these, eduPersonAssurance, was added in 2019. However, with this change, support for the SAML V2.0 Subject Identifier Attributes Profile’s two identifiers has also been added. These are the General Purpose Subject Identifier (subject-id) and the Pairwise Subject Identifier (pairwise-id). All three are currently considered “experimental”, which simply means we’re still refining our own processing rules for them. We encourage feedback if you experience any problems with them.

To ensure it’s correctly targeted, the pairwise-id attribute will be generated by the SAFIRE Federation Hub. This will only be done if the upstream identity provider sends the corresponding subject-id attribute, and the generated pairwise-id relies only on this attribute (values of e.g. eduPersonPrincipalName will not be considered). This obviates the previous case-folding problems with such identifiers and ensures a well-defined future. However, this also implies that the REFEDS Pseudonymous Access profile will only fully work once the corresponding identity provider adds support for both subject-id and eduPersonAssurance.
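As an added illustration (not SAFIRE’s hub code, whose actual derivation this page does not describe), here is a hypothetical hub-side derivation of pairwise-id from subject-id: it consults only subject-id, case-folds the value before keying it to the relying party’s entityID with a per-federation secret, keeps the identity provider’s scope, and declines to generate anything when the identity provider did not send a usable subject-id. The secret and the SP entityIDs are constructed sample values.

```python
import hashlib
import hmac
import re

# Constructed per-federation secret; a real hub would keep this in protected config.
HUB_SECRET = b"constructed-secret-do-not-use"

SUBJECT_ID_ATTR = "urn:oasis:names:tc:SAML:attribute:subject-id"

# Syntax enforced here, following the SAML V2.0 Subject Identifier Attributes
# Profile: uniqueID@scope, uniqueID drawn from [A-Za-z0-9=-] (1..127 chars),
# scope a DNS-style name.
SUBJECT_ID_RE = re.compile(r"^([A-Za-z0-9=-]{1,127})@([A-Za-z0-9.-]{1,127})$")


def derive_pairwise_id(attributes, sp_entity_id, secret=HUB_SECRET):
    """Return a pairwise-id for sp_entity_id, or None if one cannot be generated.

    Only subject-id is consulted; eduPersonPrincipalName or any other identifier
    the IdP sent is deliberately ignored, so the result never depends on them.
    """
    values = attributes.get(SUBJECT_ID_ATTR, [])
    if len(values) != 1:
        # Missing or multi-valued subject-id: the profile expects exactly one.
        return None
    match = SUBJECT_ID_RE.match(values[0])
    if not match:
        return None
    unique_id, scope = match.groups()
    # Case-fold before hashing: the profile treats values as case-insensitive,
    # so "ABC@Example.ac.za" and "abc@example.ac.za" must yield the same pair.
    material = f"{unique_id.lower()}@{scope.lower()}|{sp_entity_id}".encode()
    digest = hmac.new(secret, material, hashlib.sha256).hexdigest()
    # 40 hex characters fit the uniqueID length limit and allowed alphabet.
    return f"{digest[:40]}@{scope.lower()}"
```

Because the SP entityID is part of the keyed input, the same subject-id yields a different, unlinkable value at every service provider, while the scope still tells the SP which organisation asserted it.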

Identity providers are strongly encouraged to send eduPersonAssurance and subject-id to the Federation. This will in turn unlock the pairwise-id and the above attribute release policies. For those using SimpleSAMLphp, the saml:SubjectID authproc filter can be used for this purpose. For EntraID, see our documentation. Please let us know if you do this so we can tag your entity as supporting Pseudonymous Access.

Service providers are encouraged to consider pairwise-id as an alternative to eduPersonTargetedID.

Caveat: urn:oasis:names:tc:SAML:profiles:subject-id:req requirements signalling

While the above entity-category based profiles will trigger the release of subject-id and pairwise-id as specified, the federation does not currently support the SAML V2.0 Subject Identifier Attributes Profile’s requirements signalling specification for other use cases. This is a large part of why such support must still be considered experimental: we only support the limited use case of the REFEDS entity categories, rather than the more general use case of these two attributes. It is hoped that support for such signalling will be added in future.

Updates to the SAFIRE Test Service Provider

The SAFIRE Test Service Provider has been updated to request and display the above attributes.

South African Identity Federation