Generating eduPersonEntitlement

The eduPersonEntitlement attribute is used to indicate a user’s entitlement to access a specific service or resource. For example, its most widely used value, urn:mace:dir:entitlement:common-lib-terms, is used to indicate eligibility to access licensed content from information publishers.

Relationship to eduPersonScopedAffiliation

Library information providers often support both eduPersonEntitlement and eduPersonScopedAffiliation as a means of limiting access to licensed resources.

It is likely that there is significant overlap between the values used for eduPersonAffiliation (and thus eduPersonScopedAffiliation) and those used for eduPersonEntitlement. For instance, many institutions view all members as being eligible to access their library resources. Thus an eduPersonAffiliation of member is likely to have the same semantic meaning as an eduPersonEntitlement of urn:mace:dir:entitlement:common-lib-terms.

However, because eduPersonAffiliation can (and is likely to) contain other values, eduPersonEntitlement is the more privacy-preserving option of the two. This means that using the common-lib-terms entitlement to control access to licensed content may be preferable to using eduPersonScopedAffiliation unless you’ve a specific reason to require scopes.

Generating eduPersonEntitlement

The relationship between eduPersonAffiliation and eduPersonEntitlement means that you can often re-use many of the same techniques you might use to generate eduPersonAffiliation. Our documentation on generating eduPersonAffiliation is a good starting point.

You may also be able to re-map existing attributes (such as eduPersonScopedAffiliation). For an idea of how to do this, see ACOnet’s documentation.

A note about the auto-generated values

To ease transition and lower barriers to entry, we have configured the Federation hub to automatically generate eduPersonEntitlement from eduPersonAffiliation if the former does not exist.

As a general rule, if you’ve any possibility of generating the correct values yourself, you should do this in preference to relying on the automatically generated value.

Any value of eduPersonEntitlement (even an empty one) will suppress the automatic generation of eduPersonEntitlement by the Federation hub. If you need to suppress generation of common-lib-terms for a user who matches the hub’s criteria but your IdP software is not capable of sending an empty value, you may assert urn:mace:safire.ac.za:entitlement:dummy as a valid, but useless value.
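The suppression rule described above, modelled as an added example (this is not the Federation hub's own code). It assumes the hub's criterion is an eduPersonAffiliation of member, which this page suggests but does not state; the function names and the attribute dictionary shape are hypothetical.

```python
COMMON_LIB_TERMS = "urn:mace:dir:entitlement:common-lib-terms"
DUMMY = "urn:mace:safire.ac.za:entitlement:dummy"
ENT = "eduPersonEntitlement"
AFF = "eduPersonAffiliation"


def idp_entitlement(library_eligible, other_entitlements=(), can_send_empty=False):
    """Values an IdP asserts so the outcome never depends on the hub's fallback.

    Hypothetical helper: 'library_eligible' is the institution's own decision.
    """
    values = list(other_entitlements)
    if library_eligible:
        values.append(COMMON_LIB_TERMS)
    # Nothing to assert: send an empty value if the IdP software can,
    # otherwise the valid-but-useless dummy value, so the attribute is present.
    if not values and not can_send_empty:
        values.append(DUMMY)
    return values


def hub_fallback(attributes):
    """Model of the hub: generate the entitlement only when it is absent."""
    out = dict(attributes)
    if ENT in out:
        # Any value, even an empty one, suppresses automatic generation.
        return out
    # Assumed criterion: the page does not state the hub's actual rule.
    if "member" in out.get(AFF, []):
        out[ENT] = [COMMON_LIB_TERMS]
    return out


if __name__ == "__main__":
    # Constructed sample users, not real federation data.
    samples = {
        "relies on hub": {AFF: ["member", "staff"]},
        "empty value sent": {AFF: ["member"], ENT: []},
        "dummy value sent": {AFF: ["member"], ENT: idp_entitlement(False)},
        "eligible, asserted by IdP": {AFF: ["member"], ENT: idp_entitlement(True)},
    }
    for label, attrs in samples.items():
        print(f"{label:28} -> {hub_fallback(attrs).get(ENT)}")
```

The first sample is the case the page advises against relying on: the user receives common-lib-terms only because the attribute was absent and the hub's criteria matched.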

South African Identity Federation