Role-based authentication

• Attributes transferred from IdP to SP

• May or may not include real-world identity

• • supports privacy (good for users)
  • reduces data protection issues (good for SPs and IdPs)

• Non-anonymous attributes also supported

• Many attributes based on existing LDAP schema, but this isn't required