Attribute Release Policy

This page documents the history of SAFIRE’s Attribute Release Policy and will display the most recent version. You should always reference this page when linking to the Attribute Release Policy, unless you intend to link to a specific, versioned document.

Changes to the Attribute Release Policy are approved by the SAFIRE Steering Committee.

Version History

Attribute Release Policy v20250627

As a revision to the previous version, this ARP refines the REFEDS entity-category based release and makes provision for anonymous and pseudonymous release.

Management of attribute release to Service Providers has been delegated to the Federation Operator in terms of the Participation Agreement.

Attribute Release Profiles

Through a community consensus process, the following attribute release profiles have been approved:

Default

The Default release profile is used when no other attribute release policy is defined:

Research & Scholarship

This legacy attribute release profile is no longer in use. See REFEDS Entity Categories.

REFEDS Entity Categories

The REFEDS Entity Categories release profile does not define a specific set of attributes. Instead, it is the superset of attributes specified in the various supported REFEDS attribute bundles, which are identified in metadata by entity categories. This profile is used when a service provider’s metadata is tagged with one or more of the supported entity categories but no negotiated service-specific attribute release policy is specified.

Currently supported entity categories are:

The service provider will receive the minimal attribute bundle required by the SAML profile of the corresponding specification. Where a service provider is tagged with more than one supported entity category, it will receive the combined superset of those attributes (e.g. R&S + Pseudonymous Access). Where required by the specification, such providers must have a privacy notice, and a link to this will be displayed to end users during the login process.

While all SAFIRE identity providers automatically support the Research and Scholarship v1.3 and Anonymous Access v.2 attribute bundles, attribute availability for other REFEDS entity categories varies by identity provider.

REFEDS Code of Conduct v2

Service providers that do not have a negotiated service-specific attribute release policy and that are tagged with the REFEDS Data Protection Code of Conduct v2 entity category (https://refeds.org/category/code-of-conduct/v2) will receive any supported attributes they request.

CoCo providers have demonstrated compliance with the European General Data Protection Regulation (GDPR) and have committed to a voluntary Code of Conduct drafted by the research federation community. They request only the minimal set of attributes required to make their service function. Such providers must have a privacy notice, and a link to this will be displayed to end users during the login process.

Negotiated

Individual service providers can negotiate a customised attribute release policy on a per-entity basis, based on the principle of minimality — requested attributes must be adequate, relevant, and not excessive.

A list of all supported attributes is available.

We are unlikely to release personally-identifiable information unless the service provider’s metadata includes a <mdui:PrivacyStatementURL xml:lang="en"> element that points to a privacy notice that explains how the requested attributes will be used, preferably written in plain English. This is a requirement for SAFIRE-registered service providers.

Inter-federation

The release profiles above apply irrespective of whether we learn about a service provider via inter-federation (e.g. eduGAIN) or whether they are direct participants. This means that, for example, service providers tagged as meeting the Research & Scholarship requirements by another federation will automatically have our Research & Scholarship release profile applied.

However, in practice, how we apply the Negotiated release profile differs depending on whether we’ve learnt about a service provider via inter-federation or whether they’re a direct participant.

For service providers learnt via inter-federation we are generally willing to negotiate attribute release of any attributes listed in the Research & Scholarship profile provided that at least one participating identity provider has expressed interest in using the service. Service providers who require more attributes than the R&S profile supports may be requested to join the Federation as a direct participant, particularly where those attributes constitute personal information.

South African Identity Federation