KNF:BRIN scoping/en
Entree Federation: Entree Federation BRIN scoping
Identity Providers such as Learning Management Systems are often used by several different schools. These systems therefore have a WAYF (Where Are You From) screen on which users must select their school before logging in. To prevent users from first having to select their school on the Entree Federation WAYF screen and then selecting it again on the Identity Provider's own WAYF (i.e. that of the LMS), the BRIN scoping functionality can be implemented.
Attention: BRIN scoping also has to be configured by Kennisnet for the specific Identity Provider. Contact Kennisnet to arrange this.
BRIN-number
The Basisregistratie Instellingen (Basic Registration of Institutions, or BRIN) is a register maintained by the Dutch Ministry of Education. Each educational institution in this register is uniquely identified by a BRIN-number. This number consists of four alphanumeric characters. The BRIN-number can be extended with two extra digits to identify a specific location of the educational institution. This six-character code is called a location BRIN or location number.
Examples of BRIN-numbers:
- BRIN-number: 99ZZ
- Location number: 99ZZ01
Scoping
Scoping is part of the SAML 2.0 specification. BRIN scoping is therefore only available for Identity Providers whose Entree Federation connection is based on the SAML 2.0 protocol.
With BRIN scoping, the <Scoping> element contains the BRIN-number and is sent within the AuthnRequest to the proxy Identity Provider, to indicate which school should be used for the authentication of the user.
<AuthnRequest>
  ...
  <Scoping>
    <IDPList>
      <IDPEntry ProviderID="99ZZ" />
    </IDPList>
    ...
  </Scoping>
  ...
</AuthnRequest>
The ProviderID attribute of the IDPEntry element contains the BRIN-number of the school the user selected on the Entree Federation WAYF screen.
In some situations the AuthnRequest will not contain a <Scoping> element. This happens when the user does not have to select their school on the Entree Federation WAYF screen because an SSO notification cookie is available (see the information on SSO notification). When the proxy Identity Provider has no other way to establish which school the user belongs to, the application behind the proxy Identity Provider still has to show its own WAYF screen.
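As an added example (not Kennisnet's or Entree Federation's own code), the following shows how a proxy Identity Provider could read the BRIN from the Scoping element of an incoming AuthnRequest, validate its format, and fall back to its own WAYF when no usable scoping is present. It assumes the standard SAML 2.0 protocol namespace (omitted in the snippet above) and uses constructed sample requests.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

# SAML 2.0 protocol namespace; AuthnRequest, Scoping, IDPList and IDPEntry
# all live here (the page's snippet omits the prefix for readability).
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# BRIN: four alphanumeric characters, optionally followed by two digits
# for a location number (e.g. 99ZZ or 99ZZ01).
BRIN_RE = re.compile(r"^[0-9A-Z]{4}(?:[0-9]{2})?$")


def extract_brin(authn_request_xml: str) -> Optional[str]:
    """Return the BRIN from Scoping/IDPList/IDPEntry/@ProviderID, or None.

    None means no (valid) BRIN scoping was supplied, so the proxy IdP must
    show its own WAYF screen. A ProviderID that does not look like a BRIN is
    ignored rather than passed on to the school lookup.
    """
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    path = f"{{{SAMLP}}}Scoping/{{{SAMLP}}}IDPList/{{{SAMLP}}}IDPEntry"
    for entry in root.iterfind(path):
        provider_id = (entry.get("ProviderID") or "").strip()
        if BRIN_RE.fullmatch(provider_id):
            return provider_id
    return None


# Constructed sample requests (hypothetical; not captured from Entree Federation).
SCOPED_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_req1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <samlp:Scoping>
    <samlp:IDPList>
      <samlp:IDPEntry ProviderID="99ZZ01"/>
    </samlp:IDPList>
  </samlp:Scoping>
</samlp:AuthnRequest>"""

# SSO notification cookie case: no Scoping element at all.
UNSCOPED_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_req2" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z"/>"""

if __name__ == "__main__":
    print("scoped:", extract_brin(SCOPED_REQUEST))      # 99ZZ01
    print("unscoped:", extract_brin(UNSCOPED_REQUEST))  # None -> show WAYF
```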