This page contains information on the IdP test results of the eduGAIN Attribute Release Check Service (EARCS), which allows users from an eduGAIN Identity Provider to check whether it properly releases information in form of attributes is to eduGAIN-enabled services.
The check results are reflected by the following verdicts:
IdP sends all necessary information
IdP sends minimal information
IdP sends basic information while some required information is missing
IdP sends eduPersonTargetedID with the wrong (legacy) syntax
IdP sends superfluous personal information
IdP sends some subset of the requested information, but not the basic information (see definition below)
Incorrect value syntax (except for eduPersonTargetedID above)
R&S category support is indicated but its requirements are not satisfied
No attributes received
|To get a better understanding of attribute release in general, how it affects services in eduGAIN and what to consider to properly implement it, we strongly recommend to have a look at the GÉANT online course on "Successful Attribute Release".|
For this test a Service Provider is used that does have no entity categories such as REFEDS R&S or the GÉANT Data Protection Code of Conduct but just declares the attributes eduPersonScopedAffiliation, schacHomeOrganization, email and eduPersonPrincipalName as required attributes in metadata. The result of this test is one of the following two statements:
"Good data privacy but bad usability":
This means that the IdP was not releasing any attributes to this test SP even though it requested them. This behaviour is rather restrictive from a usability point of view because users most likely won't get access to eduGAIN services that have no entity categories unless the IdP has configured any specific attribute release rules. Still, IdP administrators in some countries feel safer with this setup from a legal/data privacy perspective.
"Good usability but bad data privacy":
This means that the IdP released some or all required attributes to this test SP just because the SP requested them. This policy is used by few Identity Providers. It is easy to implement and in most cases is beneficial to users because they gain access to more services because their attributes are released by default. From a privacy point of view some argue that IdPs using this approach might be a bit too generous in releasing data about the user, especially in case there is no user consent enforced during the login process (which the EARCS check does not know about) or for services that are not relevant for the users studies or job. However, so far there are worldwide no cases known in the community where IdPs got into legal issues using this approach.
RequestedAttributemetadata element or indirectly by declaring R&S entity category.
There is a simple API to query the test verdicts for all Identity Providers and for a particular one.
Query Format: HTTP GET to
This will return all the tested Identity Providers with their basic information, test verdicts and a URL to the details page. The response is a JSON-encoded.
Query Format: HTTP GET to
https://release-check.edugain.org/api/results/#URL-encoded IdP EntityID#
This will return information for the specific Identity Provider whose URL-encoded entityID is added to the query URL.