This is a set of entity categories in use by SWAMID. Entity categories for SAML is defined by REFEDS in the RFC8409 specification.

For an example on how to consume and process this information in an Identity Provider look at the page Example of a standard attribute filter for Shibboleth IdP v3.4.0 and above. ADFS Toolkit support the use of entity categories.

REFEDS Personalized Access Entity Category

entity-category URI

https://refeds.org/category/personalized

eduGAIN enabledYes


Candidates for the REFEDS Personalized Access Entity Category are Service Providers that have a proven need to receive a small set of personally identifiable information about their users in order to effectively provide their service to the user or to enable the user to signal their identity to other users within the service. The Service Provider must be able to effectively demonstrate this need to their registrar and demonstrate their compliance with regulatory requirements concerning personal data through a published Privacy Notice.

Please note that the REFEDS Personalized Access Entity Category was published at the end of 2021 and therefore not so many Identity Providers has support for it yet. SWAMID recommends that you complement the REFEDS Personalized Access Entity Category with the entity category GÉANT Data Protection Code of Conduct until end of 2023 to get the expected attribute release.

The Personalized Access Entity Category is used both within SWAMID and in the eduGAIN interfederation to make services available to users of the higher education institutions in Sweden and around the world. The entity category makes it possible to automatically release a set of mostly harmless attributes to Service Providers registered in the academic federations.

The expected Identity Provider behaviour is to release to the Service Provider a predefined set of attributes. Service Providers signals their need of Personalized Access Entity Category via an entity category tag in metadata. There is furthermore an identity provider entity support category that should be registered for all Identity Providers that supports the Personalized Access Entity Category.

For REFEDS Personalized Access Entity Category there is a formal requirement that the service shall publish a public Privacy Policy. SWAMID have published a Service Provider Privacy Policy Template for GÉANT Data Protection Code of Conduct that can be used except for the requirement for mention the GÉANT Data Protection Code of Conduct.

Expected attribute release from an Identity Provider

Attribute(s)SAML2 Attribute IdentifierComment
subject-idurn:oasis:names:tc:SAML:attribute:subject-id
mailurn:oid:0.9.2342.19200300.100.1.3Can be more than one address released but Identity Providers are recommended to release only one.
displayName

urn:oid:2.16.840.1.113730.3.1.241


givenNameurn:oid:2.5.4.42
snurn:oid:2.5.4.4
eduPersonAssuranceurn:oid:1.3.6.1.4.1.5923.1.1.1.11
eduPersonScopedAffiliationurn:oid:1.3.6.1.4.1.5923.1.1.1.9
schacHomeOrganizationurn:oid:1.3.6.1.4.1.25178.1.2.9

Process for applying for tagging a service with entity category REFEDS Personalized Access Entity Category

For a service to be tagged with REFEDS Personalized Access Entity Category it must contact the federation that it has registered with. If the service is registered within the SWAMID federation the service operator updates the service metadata in the SWAMID Metadata Tool.

The request must besides the metadata update contain the following administrative information:

The entity category has the following metadata requirements:

The request is highly recommended to also have the following information for metadata publication:

Besides the formal requirements and recommendations of REFEDS Personalized Access Entity Category are Service Providers it is highly recommended that the service also adheres to the REFEDS Security Incident Response Trust Framework for Federated Identity (Sirtfi).

REFEDS Research and Scholarship

entity-category URI

http://refeds.org/category/research-and-scholarship

eduGAIN enabledYes


Candidates for the Research and Scholarship (R&S) Category are Service Providers that are operated for the purpose of supporting research and scholarship interaction, collaboration or management, at least in part. For more information please see REFEDS Entity Category Research and Scholarship.

R&S is used both within SWAMID and in the eduGAIN interfederation to make services available to users of the higher education institutions in Sweden and around the world. The R&S makes it possible to automatically release mostly harmless attributes to Service Providers within the higher educational sector.

The expected IdP behaviour is to release to the Service Provider a predefined set of R&S Category Attributes. Service Providers signals their need of R&S via an entity category tag in metadata. There is furthermore an identity provider entity support category that should be registered for all Identity Providers that supports the R&S entity category and this can be used for filter purpose in a discovery service.

Example of services that uses the entity category includes (but are not limited to) collaborative tools and services such as wikis, blogs, project and grant management tools that require some personal information about users to work effectively. This Entity Category should not be used for access to licensed content such as e-journals.

For REFEDS Research and Scholarship there is no formal requirement that the service shall publish a public Privacy Policy. However all services that are registered in SWAMID must have a Privacy Policy to inform end users about how personal data are processed. SWAMID have published a Service Provider Privacy Policy Template for GÉANT Data Protection Code of Conduct that can be used except for mention the GÉANT Data Protection Code of Conduct.

Expected attribute release from an Identity Provider

Attribute(s)SAML2 Attribute IdentifierComment
eduPersonTargetedIDurn:oid:1.3.6.1.4.1.5923.1.1.1.10

Should only be released by the Identity Provider if eduPersonPrincipalName is re-assignable to another user.

eduPersonPrincipalNameurn:oid:1.3.6.1.4.1.5923.1.1.1.6
mailurn:oid:0.9.2342.19200300.100.1.3Can be more than one address released but Identity Providers are recommended to release only one.
displayName and/or givenName and sn

urn:oid:2.16.840.1.113730.3.1.241
urn:oid:2.5.4.42
urn:oid:2.5.4.4

A user's name can be released in different ways and it's expected that the Service Provider can handle this.
eduPersonAssuranceurn:oid:1.3.6.1.4.1.5923.1.1.1.11Local addon within SWAMID. Services shall only expect this attribute to be available from Identity Providers within SWAMID.
eduPersonScopedAffiliationurn:oid:1.3.6.1.4.1.5923.1.1.1.9

Process for applying for tagging a service with entity category REFEDS Research and Scholarship

For a service to be tagged with REFEDS Research and Scholarship (R&S) it must contact the federation that it has registered with. If the service is registered within the SWAMID federation the service operator sends an e-mail to operations@swamid.se with a formal request that contains the information below. Upon receiving the request SWAMID operations will respond within two weeks.

The request must besides the metadata update contain the following administrative information:

Unless the following is already published in current service metadata, the metadata update request must contain:

The request is highly recommended to also have the following information for metadata publication:

Besides the formal requirements and recommendations of REFEDS R&S it is highly recommended that the service also adheres to the REFEDS Security Incident Response Trust Framework for Federated Identity (Sirtfi).

REFEDS/GÉANT Data Protection Code of Conduct

entity-category URI

https://refeds.org/category/code-of-conduct/v2 and
http://www.geant.net/uri/dataprotection-code-of-conduct/v1

eduGAIN enabledYes


The REFEDS Data protection Code of Conduct (CoCo v2) defines an approach at a European level to meet the requirements of the European General Data Protection Regulation (GDPR) for releasing mostly harmless personal attributes to a Service Provider (SP) from an Identity Provider (IdP). For more information please see REFEDS Data Protection Code of Conduct.

The earlier GÉANT Data protection Code of Conduct (CoCo v1) defines an approach at a European level to meet the requirements of the European Union Data Protection Directive. The Data Protection Directive has been superseeded by GDPR and therefore GDPR must be taken into account for CoCo v1. CoCo v1 is in the same spirit as GDPR, i.e. the Charter of Fundamental Rights of the European Union. For more information please see GEANT Data Protection Code of Conduct.

CoCo v1 will exist in parallell with CoCo v2 for an extended time and therefore we recommend all services that uses CoCo v2 to also declare CoCo v1 and the other way around.

CoCo is used both within SWAMID and in the eduGAIN interfederation to make services available to users of the higher education institutions in Sweden and around Europe. The CoCo makes it possible to automatically release mostly harmless attributes to Service Providers which fulfil the EU Data Protection legislation. The expected Identity Provider behaviour is to release the Service Provider required attributes if the IdP is able to. Required attributes means attributes the service must have to be able to work for the user. However it's possible to require more than one attribute of a specific type, i.e. name and identifier attributes, to increase the possibility to get the needed set of attributes. The required attributes for a specific service is defined in the the service metadata and must be described in the mandatory Service Provider Privacy Policy. There is furthermore an identity provider entity support category that should be registered for all Identity Provider that supports the CoCo entity category that can be used for filter purpose in a discovery service.

Expected attribute availability from an Identity Provider for attributes required by indication in metadata

Attribute(s)SAML2 Attribute IdentifierComment
eduPersonTargetedIDurn:oid:1.3.6.1.4.1.5923.1.1.1.10


eduPersonPrincipalNameurn:oid:1.3.6.1.4.1.5923.1.1.1.6
eduPersonOrcidurn:oid:1.3.6.1.4.1.5923.1.1.1.16
norEduPersonNINurn:oid:1.3.6.1.4.1.2428.90.1.5

This attribute is for students systems that needs to be synchronised with the the student documentations system directly or indirectly. Within SWAMID norEduPersonNIN can besides Swedish Personal Numbers and Swedish Co-ordination Numbers also contain Interim Personal Numbers from the student documentation system Ladok and the Swedish national study enrolment system.

SWAMID Identity Providers only release this attribute to services registered in SWAMID.

personalIdentityNumberurn:oid:1.2.752.29.4.13

Within SWAMID personalIdentityNumber only contain Swedish Personal Numbers or Swedish Co-ordination Numbers.

SWAMID Identity Providers only release this attribute to services registered in SWAMID.

schacDateOfBirthurn:oid:1.3.6.1.4.1.25178.1.2.3
mailurn:oid:0.9.2342.19200300.100.1.3Can be more than one address released but Identity Providers are recommended to release only one.
displayName

urn:oid:2.16.840.1.113730.3.1.241


givenNameurn:oid:2.5.4.42
sn (aka surname)urn:oid:2.5.4.4
cn (aka commonName)urn:oid:2.5.4.3Due to that cn is use for different things in different in different identity management systems it's highly recommended to use the attribute displayName instead.
eduPersonAssuranceurn:oid:1.3.6.1.4.1.5923.1.1.1.11Services shall only expect this attribute to be available from Identity Providers within SWAMID.
eduPersonScopedAffiliationurn:oid:1.3.6.1.4.1.5923.1.1.1.9
eduPersonAffiliationurn:oid:1.3.6.1.4.1.5923.1.1.1.1Due to eduPersonAffiliations non domain scoped nature it's highly recommended to use the attribute eduPersonScopedAffiliation instead.
o (aka organizationName)urn:oid:2.5.4.10This attribute is also be available as an metadata attribute.
norEduOrgAcronymurn:oid:1.3.6.1.4.1.2428.90.1.6
c (aka countryName)urn:oid:2.5.4.6
co (aka friendlyCountryName)urn:oid:0.9.2342.19200300.100.1.43
schacHomeOrganizationurn:oid:1.3.6.1.4.1.25178.1.2.9
schacHomeOrganizationTypeurn:oid:1.3.6.1.4.1.25178.1.2.10


Multivalued attributes that have different values for different services shall not be requested via metadata, examples of such attributes are eduPersonEntitlement, norEduPersonLIN and schacPersonalUniqueCode. The reason for this is that an Identity Provider may unintensional release sensitive information to services that are not eligable for these values. SWAMID recommends member Identity Providers to not release this type of attributes based on reqeusted attributes in metadata.

Process for applying for tagging a service with entity category GÉANT Data Protection Code of Conduct

For a service to be tagged with GÉANT Data Protection Code of Conduct it must contact the federation that it has registered with. If the service is registered within the SWAMID federation the service operator sends an e-mail to operations@swamid.se with a formal request that contains the information below. Upon receiving the request SWAMID operations will respond within two weeks.

The request must besides the metadata update contain the following administrative information:

Unless the following is already published in current service metadata, the metadata update request must contain:

It's also a highly recommended that the service adheres to the REFEDS Security Incident Response Trust Framework for Federated Identity (Sirtfi).

Release without any recognised Entity Categories

Most Identity Providers within SWAMID release no attributes to a service when it is not marked with any entity category.


------------------------------------------------------------------------------


Deprecated entity categories

SWAMID has deprecated old entity categories. All future entity category based attribute release will be based on entity categories described above.


SWAMID Service Provider Attribute Release Entity Categories (deprecated 2020-09-01)

These categories define the release of mostly harmless personal attributes to a Service Provider (SP) from a Identity Provider (IdP). It is used together with SWAMID Data Protection Entity Categories below.

Entity categories is additive, this means that one Service Provider can have both research-and-education and sfs-1993-1153.

name below means givenName, surname, initials, displayName.


Category

Description

research-and-education

SP is an application that directly or indirectly supports HEI institutions.

sfs-1993-1153

SP is an application that fulfills SFS 1993:1153

SWAMID Research & Education (deprecated 2020-09-01)

entity-category URI

http://www.swamid.se/category/research-and-education

eduGAIN enabledNo


SWAMID Research & Education entity category is deprecated and is replaced with REFEDS R&S or GÉANT CoCo depending on service.


The Research & Education category applies to low-risk services that support research and education as an essential component.

To release attributes to services tagged with the Research & Education category the service must also be tagged with at least one of the SWAMID Data Protection Entity Categories.

For instance, a service that provides tools for both multi-institutional research collaboration and instruction is eligible as a candidate for this category. This category is very similar to InCommons Research & Scolarship Category. The expected IdP behaviour is to release name, eppn, eptid, mail and eduPersonScopedAffiliation only if the services is also in at least one of the safe data processing categories. It is also recommended that static organisational information is released. If the Identity Provider home organisation has fulfilled the requirements for SWAMID Assurance Profiles eduPersonAssurance should also be released.

Expected attribute release when paired with a SWAMID Data Protection Entity Category

Attribute(s)OIDComment
transientId SAML2 session user identifier.
eduPersonTargetedID1.3.6.1.4.1.5923.1.1.1.10 
eduPersonAssurance1.3.6.1.4.1.5923.1.1.1.11One or more Assurance Profiles for the user if it is defined, please see "3.3 Configure Shibboleth SP - Check for Identity Assurance or REFEDS SIRTFI" for more information.
eduPersonPrincipalName1.3.6.1.4.1.5923.1.1.1.6 
mail0.9.2342.19200300.100.1.3Can be more than one address released but Identity Providers are recommended to release only one.
displayName, cn and/or givenName and sn

2.16.840.1.113730.3.1.241,
2.5.4.3, 2.5.4.42, 2.5.4.4

A user's name can be released in different ways and it's recommended that the Service Provider can handle this.
eduPersonScopedAffiliation1.3.6.1.4.1.5923.1.1.1.9 
o2.5.4.10 
norEduOrgAcronym1.3.6.1.4.1.2428.90.1.6 
c2.5.4.6 
co0.9.2342.19200300.100.1.43 
schacHomeOrganization1.3.6.1.4.1.25178.1.2.9 

Process for applying for tagging a service with entity category Research & Education

The service operator sends an e-mail to operations@swamid.se with a formal request.

The request must contain the following information:

  • Purpose and scope of the service.
  • Valid SWAMID Data Protection Entity Category, i.e. what type of organisation is legally responsible for the Service. The options are defined below (HEI Service, NREN Service or EU Adequate Protection).

Upon receiving a request SWAMID operations will respond within two weeks.

SWAMID SFS 1993:1153 (deprecated 2020-09-01)

entity-category URI

http://www.swamid.se/category/sfs-1993-1153

eduGAIN enabledNo


SWAMID SFS 1993:1153 entity category is deprecated and is replaced with GÉANT CoCo.


The SFS 1993:1153 category is strictly reserved for services that are governed by the Swedish legislation SFS 1993:1153.

SFS 1993:1153 limits membership in this category to services provided by Swedish universities, Swedish university colleges and the Swedish government agencies Swedish Council for Higher Education (UHR) and Statistics Sweden (SCB).

The entity category is intended for common government operated student admissions and achieved learning administration services such as NyA and LADOK as well as services for student account enrollment, course registration and learning progression processes at universities and university colleges.

Inclusion in this category is strictly reserved for services that fulfill SFS 1993:1153 which implies that the application may make use of norEduPersonNIN, i.e. the Swedish Personal identity number, the Swedish Co-ordination number or the Higher education personal interim identity number. The expected IdP behavior is to release norEduPersonNIN. If the Identity Provider home organisation has fulfilled the requirements for SWAMID Assurance Profiles eduPersonAssurance should also be released.

Examples of services that are viable for this entity category is a course registration self service and a student account creation service, a learning progression registration service and an internship administration self service.

Expected attribute release

AttributeOIDComment
transientId SAML2 session user identifier.
eduPersonTargetedID1.3.6.1.4.1.5923.1.1.1.10 
eduPersonAssurance1.3.6.1.4.1.5923.1.1.1.11One or more Assurance Profiles for the user if it is defined, please see "3.3 Configure Shibboleth SP - Check for Identity Assurance or REFEDS SIRTFI" for more information.
norEduPersonNIN1.3.6.1.4.1.2428.90.1.5Swedish goverment Personal Identity Number, Swedish goverment temporary Co-ordination number or Swedish National Admission system interim identity number.

Process for applying for tagging a service with entity category SFS 1993:1153

The service operator sends an e-mail to operations@swamid.se with a formal request.

The request must contain the following information:

  • Purpose and scope of the service.
  • Full description of why norEduPersonNIN is needed in the service.

Upon receiving a request SWAMID operations will evaluate against the Swedish legislation SFS 1993:1153 (2 kap. 6 § and 4 kap. 4 §). SWAMID operations will normally respond within two weeks. If the evaluation is positive SWAMID operations will add the requested entity category to the service metadata.

SWAMID Data Protection Entity Categories (deprecated 2020-09-01)

These categories indicate category classifaction of Identity Providers (IdP) that can release mostly harmless personal attributes to a Service Provider (SP) in conjunction with the Swedish Personal Data Act (PUL). It is used together with the Research & Education Entity Category above.

SWAMID HEI Service (deprecated 2020-09-01)

entity-category URI

http://www.swamid.se/category/hei-service

eduGAIN enabledNo



The application is provided by a Swedish Higher Education Institution (HEI) which is ultimately responsible for its operation.

This category is only relevant for attribute release from SWAMID registered IdPs to services at Swedish universities, Swedish university colleges and the Swedish Council for Higher Education.

SWAMID NREN Service (deprecated 2020-09-01)

entity-category URI

http://www.swamid.se/category/nren-service

eduGAIN enabledNo



The application is provided by SUNET (the Swedish National Research and Education Network, NREN) which is ultimately responsible for its operation.

This category is only relevant for attribute release from SWAMID registered IdPs to SUNET services.

SWAMID EU Adequate Protection (deprecated 2020-09-01)

entity-category URI

http://www.swamid.se/category/eu-adequate-protection

eduGAIN enabledNo



The application is compliant with either