[Web4lib] Shibboleth -- what default attributes does your institution assert?

Varnum, Ken varnum at umich.edu
Mon Feb 15 09:58:36 EST 2010


A question for those of you who are using Shibboleth to provide access to licensed content.  We are starting to test this out ourselves, and along the way discovered that the default set of attributes asserted by our IdP is a bit broader than expected.  Namely, when someone affiliated with the University of Michigan uses our Shibboleth IdP to access a vendor, U-M provides the following data elements by default:

eduPersonScopedAffiliation - the identity of the institution
eduPersonPrincipalName - the affiliation of the person at that institution
eduPersonEntitlement - specific rights of that person as determined by the institution
eduPersonTargetedID - unique identifier for a particular person
sn - Surname of the person
givenName - first name of the person
displayName - Name to display on a web site (for use in something like "Ken's Saved Searches")
mail - Email address of the person

We can tailor this set for any particular vendor, but were wondering if there is any consensus out there as to what a Shibboleth IdP should be providing, by default, to a vendor who doesn't request it.  My inner librarian is uncomfortable giving every database provider the user's name and email address - that goes well beyond what we offer now (which is nothing, other than a pass-through from our proxy server in almost every case).

If you're using Shibboleth for any library resources, what default attributes do you assert?

Ken


--
Ken Varnum
Web Systems Manager                   E: varnum at umich.edu
University of Michigan Library        T: 734-615-3287
309 Hatcher Graduate Library          F: 734-647-6897
Ann Arbor, MI 48109-1205              http://www.lib.umich.edu/
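
Added example (not part of the original message and not U-M's configuration): a short Python audit that reads an IdP attribute filter policy and reports which name and contact attributes from the list above are released to every requester. The policy XML is a constructed sample in Shibboleth IdP 2.x attribute-filter.xml style; the policy ids, the vendor entityID and the choice of which attributes count as identifying are assumptions of this example.

```python
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
# This example's own classification: attributes that name or contact the person.
IDENTIFYING = {"eduPersonPrincipalName", "sn", "givenName", "displayName", "mail"}

# Constructed sample policy (hypothetical ids and entityID, not a real deployment).
SAMPLE_POLICY = """<AttributeFilterPolicyGroup id="SamplePolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy id="releaseToAnyone">
    <PolicyRequirementRule xsi:type="basic:ANY"/>
    <AttributeRule attributeID="eduPersonScopedAffiliation"><PermitValueRule xsi:type="basic:ANY"/></AttributeRule>
    <AttributeRule attributeID="eduPersonTargetedID"><PermitValueRule xsi:type="basic:ANY"/></AttributeRule>
    <AttributeRule attributeID="mail"><PermitValueRule xsi:type="basic:ANY"/></AttributeRule>
    <AttributeRule attributeID="sn"><PermitValueRule xsi:type="basic:ANY"/></AttributeRule>
  </AttributeFilterPolicy>
  <AttributeFilterPolicy id="releaseToOneVendor">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://sp.vendor.example/shibboleth"/>
    <AttributeRule attributeID="displayName"><PermitValueRule xsi:type="basic:ANY"/></AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""

def local(name):
    """Strip an XML namespace ('{ns}tag') or a QName prefix ('basic:ANY')."""
    return name.rsplit("}", 1)[-1].rsplit(":", 1)[-1]

def audit_default_release(policy_xml):
    """Return {policy id: identifying attributes released to any requester}."""
    findings = {}
    for policy in ET.fromstring(policy_xml):
        if local(policy.tag) != "AttributeFilterPolicy":
            continue
        rules = [c for c in policy if local(c.tag) == "PolicyRequirementRule"]
        if not any(local(r.get(XSI_TYPE, "")) == "ANY" for r in rules):
            continue  # scoped to specific requesters, so not a default release
        released = {c.get("attributeID") for c in policy
                    if local(c.tag) == "AttributeRule"
                    and any(local(g.tag) == "PermitValueRule" for g in c)}
        exposed = sorted(released & IDENTIFYING)
        if exposed:
            findings[policy.get("id")] = exposed
    return findings

if __name__ == "__main__":
    print(audit_default_release(SAMPLE_POLICY))
```

The audit treats any PermitValueRule as a release and does not evaluate value-level conditions, so it can over-report but will not miss an attribute permitted under an ANY requirement rule.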




