====== Entity Categories in eduID.cz ======

In the eduID.cz federation, Identity Providers (IdPs) and some Service Providers (SPs) have been classified into various Entity Categories (ECs). The categories are helpful for access control on the SP side and for releasing attributes on the IdP side.

===== IdP categories =====

Identity Providers within the eduID.cz federation have been separated into five categories. Each category represents one type of organisation. The category is assigned by the federation operator. We try to assign every IdP exactly one category.

{{ :cs:university.png?40|}}
**Public and private universities**\\
eduPersonAffiliation values: alum, affiliate, __employee__, __faculty__, __member__, __student__, __staff__\\
EC name: ''%%http://eduid.cz/uri/idp-group/university%%''

{{ :cs:av_logo.png?40|}}
**Institutions of The Czech Academy of Sciences**\\
eduPersonAffiliation values: __member__\\
EC name: ''%%http://eduid.cz/uri/idp-group/avcr%%''

{{ :cs:library.png?40}}
**Libraries**\\
eduPersonAffiliation values: affiliate, __employee__, member\\
EC name: ''%%http://eduid.cz/uri/idp-group/library%%''

{{ :cs:hospital3.png?40|}}
**Hospitals**\\
eduPersonAffiliation values: __employee__ //(check)//\\
EC name: ''%%http://eduid.cz/uri/idp-group/hospital%%''

{{ :cs:cesnet-logo-400.png?150|}}
**CESNET**\\
eduPersonAffiliation values: affiliate, __employee__, __member__\\
EC name: ''%%http://eduid.cz/uri/idp-group/cesnet%%''

Underlined [[cs:tech:attributes:edupersonaffiliation#vyznam_hodnot|eduPersonAffiliation]] values mark users who belong to the Research & Education (R&E) community.

The following filter rule specifies users eligible to access a service. A filter written this way is relatively long; however, it is very easy to understand, and when a new entity category is created, users from the corresponding organizations do not have access to the service until the SP administrator decides to update the filter.

{{page>cs:tech:include-filter&nofooter}}

Alternatively, an exclude variant would look like this:

{{page>cs:tech:exclude-filter&nofooter}}

A specific Shibboleth Service Provider implementation is available in a separate [[:en:tech:userfiltering|document]]. Filters written for other SP implementations are welcome and we will be happy to publish them.

===== IdP and SP categories =====

In addition to the IdP categories described above, there are a few more categories in the eduID.cz federation intended for labelling entities that belong to various projects. Such labelling makes sense when a group of SPs needs attributes which are not usually released to other entities in the federation. This greatly helps negotiation with particular IdPs about attribute release policy.

{{ :cs:logo-mefanet.png|}}
MEFANET (MEdical FAculties NETwork) is a project intended to build and strengthen cooperation between medical and non-medical health faculties in the Czech Republic and Slovakia. The aim of the project is to develop education using modern information and communication technology.\\
EC name: ''%%http://eduid.cz/uri/group/mefanet%%''

===== An example of entity label in metadata =====

The following XML fragment shows that the IdP of the Czech Technical University in Prague belongs to the entity category designated for universities.

http://eduid.cz/uri/idp-group/university

Entity category attributes are used in the same way as user attributes sent by a user's IdP. An example of how to use them in Shibboleth SP is available in a separate [[:cs:tech:filtrovani-uzivatelu-dokumentace|document]].
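
The include-style decision described under IdP categories, combined with reading the category label from metadata, as an added example that is not part of the original page or the federation's own filter. It assumes the label is carried in an ''EntityAttributes'' extension under the standard ''%%http://macedir.org/entity-category%%'' attribute name; the sample metadata and its entityID are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EC_ATTR = "http://macedir.org/entity-category"  # assumption: standard attribute name
BASE = "http://eduid.cz/uri/idp-group/"
# Underlined (R&E) eduPersonAffiliation values per IdP category, from the list above.
RE_AFFILIATIONS = {
    BASE + "university": {"employee", "faculty", "member", "student", "staff"},
    BASE + "avcr": {"member"},
    BASE + "library": {"employee"},
    BASE + "hospital": {"employee"},
    BASE + "cesnet": {"employee", "member"},
}
# Constructed sample metadata; the entityID is a placeholder, not a real IdP.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://eduid.cz/uri/idp-group/university</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
</md:EntityDescriptor>"""

def entity_categories(metadata_xml):
    """Return the set of entity categories labelled on one EntityDescriptor.
    Assumes the metadata signature was verified before this is called."""
    root = ET.fromstring(metadata_xml)
    path = ("md:Extensions/mdattr:EntityAttributes/"
            f"saml:Attribute[@Name='{EC_ATTR}']/saml:AttributeValue")
    return {v.text.strip() for v in root.findall(path, NS) if v.text}

def is_eligible(categories, affiliations):
    """Include variant: allow only known (category, R&E affiliation) pairs,
    so an IdP in a new, unlisted category is denied until the map is updated."""
    wanted = {a.lower() for a in affiliations}
    return any(wanted & RE_AFFILIATIONS.get(c, set()) for c in categories)

if __name__ == "__main__":
    cats = entity_categories(SAMPLE_METADATA)
    print(cats, is_eligible(cats, ["student"]), is_eligible(cats, ["alum"]))
```
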