Attribute release from Unified Login to federations
MUNI Unified Login is a member of the Czech academic identity federation eduID.cz and the global interfederation eduGAIN, as an identity provider (IdP). Services (service providers, SPs) participating in these federations do not have to register individually with Unified Login; the integration is automatic. MUNI Unified Login automatically downloads the current list of federation members, including technical metadata, several times a day, and this download replaces registration. Federation members can be viewed, for example, using the Metadata Explorer Tool. Federation members include various services provided by universities, CESNET, and electronic information resources.
To achieve protection of personal data, MUNI Unified Login does not automatically release all attributes to all federated services. In order to receive basic user attributes (name, email, etc.) without the need to register through SP reg app (see How to Connect a Service to MUNI Unified Login), a service connected through a federation must meet two conditions:
- the SP metadata in the federation must list all the attributes that the service requires (RequestedAttribute tags),
- the SP must be a member of eduID.cz (it is recommended to have the PrivacyStatementURL tag in the SP metadata) or the SP must be a member of eduGAIN and must conform to Code of Conduct (and therefore have the PrivacyStatementURL tag in the metadata).
Only with such services is it possible to ensure the minimization of personal data and inform users about the purpose of processing and who receives their personal data. MUNI Unified Login does not issue any personal data to other services.
For the release of some attributes, it is also necessary to meet additional conditions:
| Attribute | Description | Condition for release without SP registration |
| --- | --- | --- |
| pkcs9email (urn:oid:1.2.840.113549.1.9.1) | list of all user email addresses, including private ones | SP is a member of eduID.cz and has a PrivacyStatementURL |
| mefaperson (http://www.mefanet.cz/mefaperson/) | Mefanet educational network – affiliation to the faculty of medicine | SP is a member of eduID.cz and is in the MEFANET category (http://eduid.cz/uri/group/mefanet) |
| schacPersonalUniqueCode (urn:oid:1.3.6.1.4.1.25178.1.2.14) | European Student Identifier – Erasmus Without Paper | SP is in the European Student Identifier category (https://myacademicid.org/entity-categories/esi) |
MUNI Unified Login does not support the Research & Scholarship entity category. If the SP is in this entity category and does not have a list of required attributes, the attribute list defined for this entity category is used instead (so condition one above does not need to be met), but condition two still has to be fulfilled.
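As an added example (not MUNI code), the following Python script checks an SP's SAML metadata against the two conditions above and the per-attribute table: it looks for RequestedAttribute elements, mdui:PrivacyStatementURL, and entity categories in the EntityAttributes extension. It assumes the Code of Conduct is asserted as the GÉANT v1 or REFEDS v2 entity-category URI, and that the caller already knows whether the SP is an eduID.cz member (for instance from which metadata feed it came); the sample metadata and its entityID are constructed.

```python
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
# Assumption: Code of Conduct is asserted with the GEANT v1 or the REFEDS v2 category URI.
COCO = {"http://www.geant.net/uri/dataprotection-code-of-conduct/v1", "https://refeds.org/category/code-of-conduct/v2"}
RS = "http://refeds.org/category/research-and-scholarship"
MEFANET = "http://eduid.cz/uri/group/mefanet"
ESI = "https://myacademicid.org/entity-categories/esi"

def read_metadata(xml_text):
    """Facts the release rules depend on: RequestedAttribute names, PrivacyStatementURLs, entity categories."""
    root = ET.fromstring(xml_text)
    requested = {a.get("Name") for a in root.iterfind(".//md:RequestedAttribute", NS)}
    privacy = [u.text for u in root.iterfind(".//mdui:PrivacyStatementURL", NS) if u.text]
    cats = set()
    for a in root.iterfind(".//mdattr:EntityAttributes/saml:Attribute", NS):
        if a.get("Name") == ENTITY_CATEGORY:
            cats.update(v.text.strip() for v in a.iterfind("saml:AttributeValue", NS) if v.text)
    return requested, privacy, cats

def basic_release(xml_text, in_eduid):
    """Both conditions for basic attributes -> (allowed, problems). in_eduid is supplied by the caller."""
    requested, privacy, cats = read_metadata(xml_text)
    problems = []
    if not requested and RS not in cats:                 # condition 1 (R&S supplies a fallback list)
        problems.append("no RequestedAttribute elements")
    if not in_eduid and not (cats & COCO and privacy):   # condition 2
        problems.append("outside eduID.cz without Code of Conduct + PrivacyStatementURL")
    return not problems, problems

def extra_release(attr_name, xml_text, in_eduid):
    """Additional per-attribute conditions from the table above."""
    _, privacy, cats = read_metadata(xml_text)
    rules = {"urn:oid:1.2.840.113549.1.9.1": in_eduid and bool(privacy),        # pkcs9email
             "http://www.mefanet.cz/mefaperson/": in_eduid and MEFANET in cats,  # mefaperson
             "urn:oid:1.3.6.1.4.1.25178.1.2.14": ESI in cats}                    # schacPersonalUniqueCode
    return bool(rules.get(attr_name, False))

# Constructed sample (hypothetical entityID): eduGAIN SP with REFEDS CoCo v2, a privacy URL, givenName and mail.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" entityID="https://sp.example.org/shibboleth">
 <md:Extensions><mdattr:EntityAttributes><saml:Attribute Name="http://macedir.org/entity-category">
  <saml:AttributeValue>https://refeds.org/category/code-of-conduct/v2</saml:AttributeValue></saml:Attribute>
 </mdattr:EntityAttributes></md:Extensions>
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:Extensions><mdui:UIInfo><mdui:PrivacyStatementURL xml:lang="en">https://sp.example.org/privacy</mdui:PrivacyStatementURL></mdui:UIInfo></md:Extensions>
  <md:AttributeConsumingService index="0"><md:ServiceName xml:lang="en">Example SP</md:ServiceName>
   <md:RequestedAttribute Name="urn:oid:2.5.4.42" isRequired="true"/><md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3"/>
  </md:AttributeConsumingService></md:SPSSODescriptor></md:EntityDescriptor>"""
```

Running `basic_release(SAMPLE, in_eduid=False)` on the sample returns `(True, [])`; drop the Code of Conduct category and the same call reports the failed second condition.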
More sensitive personal data (e.g., date of birth or home address) are not released by MUNI Unified Login to services in the federation. To obtain this data (in justified cases), it is necessary to register the service in SP reg app (see How to Connect a Service to MUNI Unified Login) and conclude a data processing agreement with Masaryk University.
If you are an administrator of a service in the eduID.cz or eduGAIN federation and want MUNI Unified Login to release attributes to your service:
- Check that the metadata contains RequestedAttribute tags for all the attributes you need, and add them if necessary.
- Check that the metadata contains the PrivacyStatementURL tag with a link to your privacy policy (ideally in both Czech and English versions), and add it if necessary.
- If the service is outside the eduID.cz federation, check whether its metadata carries the Code of Conduct entity category, and add the category if it is missing and the service actually conforms to the Code of Conduct.
Instructions on how to prepare and publish your metadata are available on eduID.cz.
If you need MUNI Unified Login to release attributes to a service in the eduID.cz or eduGAIN federation, but you are not its administrator:
- register the service in SP reg app (see How to Connect a Service to MUNI Unified Login);
- when registering, choose the SAML protocol;
- fill in all the necessary items according to the service metadata in the federation (see e.g. the Metadata Explorer Tool);
- if you need to insert multiple URL addresses into one field (Assertion consumer service, Single logout service), separate them with a comma;
- list your email address as the registrator contact, and also add it as one of the administrative contacts;
- choose the list of required attributes as needed; it can be more extensive than the list in the federation metadata;
- into the URL metadata field, insert:
  - https://metadata.eduid.cz/entities/eduid+sp if it is a service in the Czech federation eduID.cz;
  - https://metadata.eduid.cz/entities/edugain+sp if it is a service in the eduGAIN federation (and not in the Czech federation).
When the registration is approved, MUNI Unified Login starts using the metadata entered into SP reg app instead of the metadata from the federation, and it is no longer necessary to meet the above conditions.