KNF:BRIN scoping/en

Uit Kennisnet Developers Documentatie
Ga naar: navigatie, zoeken

KNF-symbol.png Entree Federation: Entree Federation BRIN scoping

Nl.gif Nederlands En.gif English


Identity Providers like Learning Management Systems, are often being used by several different schools. Therefore these systems have a WAYF (Where Are You From) screen where users have to select their school before logging in. In order to prevent users from having first to select their school on the WAYF screen from Entree Federation and subsequently select their school on the WAYF from the Identity Provider (i.e. the LMS), the BRIN scoping functionality can be implemented.

Attention: BRIN-scoping has also to be configured by Kennisnet for the specific Identity Provider. For this you can contact Kennisnet.

BRIN-number

The Basisregistratie Instellingen (Basicregistration of Institutions or BRIN) is a register that is maintained by the Dutch Ministry of Education. Each educational institution within this registration is uniquely identified by a BRIN-number. This number consists of four alphanumeric characters. The BRIN-number can be supplemented with to extra digits to identify a specific location of the educational institution. This six character code is called a location BRIN or location number.

Examples of BRIN-numbers:

  • BRIN-number: 99ZZ
  • Location number: 99ZZ01

Scoping

Scoping is a part of the SAML 2.0 specification. Therefore BRIN scoping is only available for Identity Providers with a Entree Federation connection based on the SAML 2.0 protocol.

Info.gif Scoping allows a Service Provider to specify an Identity Provider in an AuthnRequest to a proxying Identity Provider. This is an indication to the proxying Identity Provider that the Service Provider will only deal with the Identity Provider specified in the <Scoping> element.

In the case of BRIN scoping the <Scoping> element contains the BRIN-number that is send within the AuthnRequest to the proxy Identity Provider to indicate the school that should be used for the authentication of the user.

<AuthnRequest> 
   ... 
   <Scoping> 
      <IDPList> 
         <IDPEntry ProviderID="99ZZ" /> 
      </IDPList> 
      ... 
   </Scoping> 
   ...
</AuthnRequest>

The ProviderID attribute of the IDPEntry element contains the BRIN number from the school the user selected on the Entree Federation WAYF screen.

Warn.gif In some situations the AuthnRequest won't contain a <Scoping> element. This happens when the user doesn't have to select his school on the Entree Federation WAYF screen, because there is an SSO notifcation cookie available (more information on SSO notification).

When the proxy Identity Provider has no other method to establish to which school the user belongs, the application of the proxy Identity Provider still has to show a WAYF screen.