AMDG Attribute Use Cases

The "Attribute Use Cases" section exists to collect information on how attributes are being used, either in the form of use cases or links to additional conversations.


Kantara

TFMM (Trust Framework Meta Model) Use Cases

  • C10: Delegated Identity Management (basic use case with IdP managing attributes)
  • C20: Service Provider Centric model (IdP provides attributes)
  • C32: Identity Federation
  • C33: Cross Border Identity Federation
  • C40: Attribute Provider separate from IdP
  • C41: Attribute Provider with RP (Canada Gov. use case)
  • C50: Enterprise user
  • C60: Subject Types (devices)

Health Care

Emergency System for Advance Registration of Volunteer Health Professionals (ESAR-VHP):  http://www.phe.gov/esarvhp/pages/about.aspx

  • Within the US, the states and territories were mandated to establish a voluntary registry for health professionals. The information gathered includes certifications, trainings, etc., and is used for responding to public health disasters. There is a standard attribute definition namespace for the certifications and trainings, since the information is requested and shared across legal and electronic boundaries. In addition, there are over 100 official repositories (e.g. AAMVA) where the certification and training information is registered, managed and validated; these repositories are considered the Authoritative Source.
  • A detailed scenario / use case could be: There is a disaster in location X. Physicians and nurses from around the country / world react and provide telemedicine support (reviewing X-rays etc. electronically). Person A (Identity) needs access to medical records at an institution (Relying Party: hospital or EHR system). Person A's attributes need to be verified to a very high level (i.e. they can't be self-asserted attributes) to ensure Person A is a registered physician with board-certified skills (etc.) who can provide a diagnosis and access the patient information.

SHARPS is also engaged in electronic medical records, telemedicine and advanced attribute based access control research:  http://sharps.org/research/an-illustrative-scenario


Higher Education & Research

Virtual Organizations and Research Groups

  • A large, international group of scientists is funded to research gravitational waves. They come from dozens of institutions - universities and research laboratories - around the world. They consume federated identity and associated attributes from institutions that support federated authentication, but also add their own VO-specific attributes to their members as they participate in the research group.

Attribute Aggregation

  • The simplest use case for attribute aggregation is when an SP/RP wants to supplement identity information received from the authenticating IdP with information maintained by a third-party attribute authority (such as a VO).
  • In the more general case, things get more complicated. How is trust established between SPs and a collection of Attribute Authorities? How are identifiers from one assertion mapped to identifiers for the same subject in another attribute authority?
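The two questions above (trust in a collection of attribute authorities, and identifier mapping) in working form, as an added example that is not from the original page: an SP merges IdP attributes with a VO attribute authority's response, accepting AA data only for an identifier it has linked to the authenticated subject and only for attributes that issuer is trusted to assert. The entityIDs, attribute values, link table and trust policy are all constructed assumptions.

```python
# Added example: SP-side attribute aggregation with identifier mapping and
# per-issuer trust scoping. All identifiers and values below are constructed.

# Constructed: attributes received from the authenticating IdP.
IDP_ASSERTION = {
    "issuer": "https://idp.university.example",          # assumed entityID
    "subject": "jdoe@university.example",
    "attributes": {
        "eduPersonPrincipalName": "jdoe@university.example",
        "eduPersonAffiliation": ["member", "faculty"],
        "mail": "jdoe@university.example",
    },
}

# Constructed: VO attribute authority response; the VO knows the same person
# only under its own identifier.
VO_RESPONSE = {
    "issuer": "https://aa.gravwave-vo.example",          # assumed entityID
    "subject": "vo-member-4471",
    "attributes": {
        "isMemberOf": ["gravwave:analysis", "gravwave:data-readers"],
        "eduPersonAffiliation": ["staff"],   # the VO is not trusted for this
    },
}

# Assumed link table: (AA issuer, AA identifier) -> IdP subject the SP has
# previously linked to it. This is the identifier-mapping question.
LINK_TABLE = {("https://aa.gravwave-vo.example", "vo-member-4471"): "jdoe@university.example"}

# Assumed trust policy: which attributes each issuer may assert to this SP.
# This is the trust-establishment question.
TRUSTED_ATTRIBUTES = {
    "https://idp.university.example": {"eduPersonPrincipalName", "eduPersonAffiliation", "mail"},
    "https://aa.gravwave-vo.example": {"isMemberOf"},
}


def aggregate(idp, aa_responses, link_table, trust):
    """Merge IdP and AA attributes (IdP first, first trusted issuer wins).
    Returns (merged, rejected); rejected lists (issuer, attribute) pairs dropped."""
    merged, rejected = {}, []
    sources = [(idp, True)] + [(r, False) for r in aa_responses]
    for resp, is_idp in sources:
        # AA data counts only if its identifier is linked to the authenticated subject.
        if not is_idp and link_table.get((resp["issuer"], resp["subject"])) != idp["subject"]:
            rejected.append((resp["issuer"], "*unlinked subject*"))
            continue
        allowed = trust.get(resp["issuer"], set())
        for name, value in resp["attributes"].items():
            if name in allowed and name not in merged:
                merged[name] = value
            else:
                rejected.append((resp["issuer"], name))
    return merged, rejected
```

The rejected list is worth logging at the SP: a lower-trust authority repeatedly asserting attributes outside its allowlist is a misconfiguration or policy problem that the merge alone silently hides.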

Account Linking

  • Attribute management raises a range of issues in the problem space of account linking. The document linked above discusses several use cases around account linking.

Social2SAML Gateways

  • Universities are showing increased interest in allowing certain classes of potential users to authenticate via Social IdPs (Twitter, Facebook, Gmail, Yahoo, ...) and access SAML-protected services and resources. The only path open at present is to rely on a Social2SAML gateway of some sort that authenticates a user via a social IdP and then transforms that into a SAML authentication and attribute assertion. Since multiple gateways already exist, there are multiple ways the transformation is being accomplished. There is wide agreement that gateways are always a sub-optimal solution, but they are hard to get rid of once usage is entrenched. The ideal would be to include multiple protocol support in the native SP package. Now is the time to see if gateway providers can agree on how social IdP information is represented in SAML assertions. If we have one, or a small number, of ways of doing this, it becomes easier to incorporate that support in a native SP package.
  • The Social Identity WG of Internet2 Middleware is also working in this space.

US Government

PIV, ICAM, SAML

DHS First Responders

Identity Documents