Researcher Passport SAML Assertion Requirements

Note: This document is intended for IT personnel at institutions that want their InCommon or eduGAIN Single Sign-On solutions to integrate with ICPSR for login purposes.

To integrate an institutional SAML Identity Provider (IdP) with the Researcher Passport Service Provider (SP), a minimum set of attributes must arrive in the SAML Assertion Response. Failing to include these attributes will cause incompatibility. Please reach out to ICPSR at ICPSR-help@umich.edu if you need assistance with compatibility between your IdP and ICPSR Researcher Passport.

Minimal Assertion Attributes

The ICPSR Researcher Passport SAML service provider no longer requires an email attribute to link the SSO account. Providing at least one of the unique identifier attributes is sufficient. The NameID is given priority when it arrives in the appropriate (persistent) format.

Priority 1: Persistent NameID
  Format:      urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  Description: Persistent NameID format, as opposed to the transient format
               urn:oasis:names:tc:SAML:2.0:nameid-format:transient.

Priority 2: eduPersonUniqueId
  Description: A long-lived, non-reassignable, omnidirectional identifier suitable for use as a principal identifier by authentication providers or as a unique external key by applications. This is the only fully supported alternative to the persistent NameID format at this time.

Support for the pairwise-id attribute is planned for the next phase but is not currently available.

Alternative Persistent Identifier Attributes

In cases where the NameID format is not persistent, the alternative attributes below are captured in an attempt to link the user's SSO account with ICPSR Researcher Passport. Ideally, either the persistent NameID format is released or eduPersonUniqueId is used.

Falling back to any of the attributes in the table below may cause issues when users log in for a second time, depending on your institutional infrastructure.

Priority 3: eduPersonPrincipalName
  Description: A scoped identifier for a person. It should be represented in the form "user@scope", where "user" is a name-based identifier for the person and where the "scope" portion MUST be the administrative domain of the identity system where the identifier was created and assigned.
  Warning:     May not be persistent enough in certain organizations.

Priority 4: eduPersonTargetedId
  Description: A persistent, non-reassigned, opaque identifier for a principal.
  Warning:     To be deprecated in favor of the "pairwise-id" attribute.

Priority 5: email (mail, emailAddress)
  Description: Attribute containing the user's email address.
  Warning:     A plan to stop support of this attribute is being scheduled.

Priority 6: nameID (SAML:1.1:nameid-format:emailAddress)
  Description: NameID using the format SAML:1.1:nameid-format:emailAddress. This format shares the user's email address as a persistent identifier.
  Warning:     A plan to stop support of this NameID format is being scheduled.

ICPSR is planning to reach out, by the end of the year, to institutions whose mapping depends exclusively on the email attribute in order to find a better integration.

ICPSR Service Provider

The production ICPSR Service Provider is registered under the entityID https://identity-provider-proxy.icpsr.umich.edu/incommon/proxy_saml2_backend.xml.

The metadata can be obtained from InCommon or from our own server.

UAT Staging Service Provider

The ICPSR Service Provider for UAT is registered under the entityID https://identity-provider-proxy.uat.icpsr.org/incommon/proxy_saml2_backend.xml.

The metadata can be obtained from InCommon or from our own server.

Additional Attributes

As part of the effort to integrate user affiliation from InCommon IdP assertions, ICPSR also captures the following attributes.

Attribute                    Description
eduPersonScopedAffiliation   eduPersonScopedAffiliation
eduPersonAffiliation         eduPersonAffiliation
eduPersonAssurance           eduPersonAssurance
givenName*                   User's first name for the profile.
sn (surname)*                User's last name for the profile.
email (mail, emailAddress)*  User's email address for the profile.

* If missing, requested from the user through a form.

To ascertain the validity of this metadata, the SAML issuer and the authentication context class reference are also captured as session attributes and may be stored as part of the affiliation metadata associated with a user.
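The following is an added example, not ICPSR's own code, showing how an SP-side consumer could apply the linking priority from the two identifier tables above (persistent NameID first, then eduPersonUniqueId, eduPersonPrincipalName, eduPersonTargetedId, mail, and finally the SAML 1.1 emailAddress NameID) and capture the additional attributes, issuer and AuthnContextClassRef described in this section. It uses only the Python standard library; the three assertions it parses are constructed samples (issuer, attribute values and IDs are placeholders), and the OID-to-friendly-name map assumes the standard eduPerson/LDAP attribute OIDs, which you should check against your own IdP's attribute definitions. Signature, audience and validity-window checks are assumed to have already been done by the SAML library before this selection runs.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Friendly names for OID-form attribute Names as an InCommon IdP typically sends
# them (assumed standard eduPerson/LDAP OIDs). A FriendlyName on the wire wins.
FRIENDLY_BY_OID = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.13": "eduPersonUniqueId",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "eduPersonTargetedID",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "eduPersonAffiliation",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.11": "eduPersonAssurance",
    "urn:oid:2.5.4.42": "givenName",
    "urn:oid:2.5.4.4": "sn",
}
EMAIL_ALIASES = {"mail", "email", "emailaddress"}  # names the email attribute may use

# Linking priority from the tables: (priority, kind, key, label). Attribute keys
# are lower-cased friendly names; NameID keys are formats.
LINK_PRIORITY = [
    (1, "nameid", PERSISTENT, "Persistent NameID"),
    (2, "attribute", "edupersonuniqueid", "eduPersonUniqueId"),
    (3, "attribute", "edupersonprincipalname", "eduPersonPrincipalName"),
    (4, "attribute", "edupersontargetedid", "eduPersonTargetedId"),
    (5, "attribute", "mail", "email (mail, emailAddress)"),
    (6, "nameid", EMAIL_NAMEID, "nameID (SAML:1.1:nameid-format:emailAddress)"),
]


def parse_assertion(xml_text: str) -> dict:
    """Extract issuer, Subject NameID, attributes and AuthnContextClassRef.
    Assumes the assertion has already been signature- and condition-checked."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == f"{{{SAML}}}Assertion" else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion element found")
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    nameid_el = assertion.find("saml:Subject/saml:NameID", NS)
    nameid = None
    if nameid_el is not None and nameid_el.text:
        nameid = {"format": nameid_el.get("Format", ""), "value": nameid_el.text.strip()}
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        key = (attr.get("FriendlyName") or FRIENDLY_BY_OID.get(name, name)).lower()
        if key in EMAIL_ALIASES:
            key = "mail"
        # itertext() also picks up a NameID nested inside AttributeValue (eduPersonTargetedID).
        values = ["".join(v.itertext()).strip() for v in attr.findall("saml:AttributeValue", NS)]
        attributes.setdefault(key, []).extend(v for v in values if v)
    authn_ctx = assertion.findtext(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
        default="", namespaces=NS).strip()
    return {"issuer": issuer, "nameid": nameid, "attributes": attributes, "authn_context": authn_ctx}


def select_linking_identifier(parsed: dict):
    """Return (priority, label, value) for the best identifier present, else None."""
    nameid, attrs = parsed["nameid"], parsed["attributes"]
    for priority, kind, key, label in LINK_PRIORITY:
        if kind == "nameid" and nameid and nameid["format"] == key:
            return (priority, label, nameid["value"])
        if kind == "attribute" and attrs.get(key):
            return (priority, label, attrs[key][0])
    return None


def affiliation_metadata(parsed: dict) -> dict:
    """Session/affiliation data captured alongside the identifier (Additional Attributes)."""
    attrs = parsed["attributes"]
    first = lambda k: (attrs.get(k) or [None])[0]
    return {
        "issuer": parsed["issuer"],
        "authn_context_class_ref": parsed["authn_context"],
        "eduPersonScopedAffiliation": attrs.get("edupersonscopedaffiliation", []),
        "eduPersonAffiliation": attrs.get("edupersonaffiliation", []),
        "eduPersonAssurance": attrs.get("edupersonassurance", []),
        "givenName": first("givenname"), "sn": first("sn"), "mail": first("mail"),
    }


def build_sample(nameid_format, nameid_value, attrs, issuer="https://idp.example.edu/idp/shibboleth"):
    """Build a constructed, unsigned assertion for demonstration (placeholder issuer/values)."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{name}"' + (f' FriendlyName="{fn}"' if fn else "") + ">"
        + "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
        + "</saml:Attribute>" for name, fn, values in attrs)
    return f"""<saml:Assertion xmlns:saml="{SAML}" ID="_c1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject><saml:NameID Format="{nameid_format}">{nameid_value}</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z"><saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
  <saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>
</saml:Assertion>"""


SAMPLES = {  # constructed inputs covering priorities 1, 3 and 6
    "persistent": build_sample(PERSISTENT, "p-7f3a", [
        ("urn:oid:1.3.6.1.4.1.5923.1.1.1.13", "eduPersonUniqueId", ["a1b2c3@example.edu"]),
        ("urn:oid:1.3.6.1.4.1.5923.1.1.1.9", None, ["member@example.edu", "staff@example.edu"]),
        ("urn:oid:2.5.4.42", "givenName", ["Ada"]),
        ("urn:oid:0.9.2342.19200300.100.1.3", "mail", ["ada@example.edu"])]),
    "transient": build_sample(TRANSIENT, "_tr-0099", [
        ("urn:oid:1.3.6.1.4.1.5923.1.1.1.10", "eduPersonTargetedID",
         [f'<saml:NameID Format="{PERSISTENT}">tid-xyz</saml:NameID>']),
        ("urn:oid:1.3.6.1.4.1.5923.1.1.1.6", None, ["ada@example.edu"])]),
    "email_nameid": build_sample(EMAIL_NAMEID, "ada@example.edu", []),
}

if __name__ == "__main__":
    for label, xml in SAMPLES.items():
        parsed = parse_assertion(xml)
        print(label, select_linking_identifier(parsed), affiliation_metadata(parsed))
```

Running the block prints priority 1 for the persistent sample, priority 3 (eduPersonPrincipalName beats the nested eduPersonTargetedID) for the transient sample, and priority 6 for the assertion that carries only an emailAddress NameID; an assertion with a transient NameID and no identifier attributes yields no linking identifier at all, which is the case the warning above is about.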