
Important

During the current pilot phase of the SCZ project, things can change based on evolving requirements of current pilot partners and expected future customers or new insights.

While we try to keep this documentation up to date, it could be we forgot something; if you encounter deviations from the information provided, please contact us at raoul.teeuwen@surfnet.nl .

General information

Sources of attributes

We currently have the following sources of attributes:

  • what we receive from the IdP
  • what is stored within COmanage for the CO's and COU's a person is a member of

Attributes COmanage releases

Currently we transport the following attributes from the IdP when they are set, unless COmanage overrides them.

OpenID Connect claim          SAML mace name                                            SAML OID
----------------------------  --------------------------------------------------------  ----------------------------------
uid                           urn:mace:dir:attribute-def:uid                            urn:oid:0.9.2342.19200300.100.1.1
address.street_address        urn:mace:dir:attribute-def:postalAddress                  urn:oid:2.5.4.16
nickname                      urn:mace:dir:attribute-def:displayName                    urn:oid:2.16.840.1.113730.3.1.241
given_name                    urn:mace:dir:attribute-def:givenName                      urn:oid:2.5.4.42
email                         urn:mace:dir:attribute-def:mail                           urn:oid:0.9.2342.19200300.100.1.3
name                          urn:mace:dir:attribute-def:cn                             urn:oid:2.5.4.3
family_name                   urn:mace:dir:attribute-def:sn                             urn:oid:2.5.4.4
edumember_is_member_of        urn:mace:dir:attribute-def:isMemberOf                     urn:oid:1.3.6.1.4.1.5923.1.5.1.1
schac_home_organisation       urn:mace:terena.org:attribute-def:schacHomeOrganization   urn:oid:1.3.6.1.4.1.25178.1.2.9
eduperson_targeted_id         urn:mace:dir:attribute-def:eduPersonTargetedID            urn:oid:1.3.6.1.4.1.5923.1.1.1.10
eduperson_principalname       urn:mace:dir:attribute-def:eduPersonPrincipalName         urn:oid:1.3.6.1.4.1.5923.1.1.1.6
eduperson_scoped_affiliation  urn:mace:dir:attribute-def:eduPersonScopedAffiliation     urn:oid:1.3.6.1.4.1.5923.1.1.1.9
eduperson_affiliation         urn:mace:dir:attribute-def:eduPersonAffiliation           urn:oid:1.3.6.1.4.1.5923.1.1.1.1
eduperson_entitlement         urn:mace:dir:attribute-def:eduPersonEntitlement           urn:oid:1.3.6.1.4.1.5923.1.1.1.7

For mapping SAML to OIDC we use the REFEDS OIDCre 'OpenID Connect SAML mapping' specification (also see https://github.com/surfnet-niels/refeds-oidcre-saml-oidc-mapping/blob/master/refeds-oidcre-oidc-saml-mapping.md ).
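As an added illustration (not SCZ or COmanage code), the Python below applies the mapping table above to a SAML attribute statement keyed by OID and produces OIDC claims. The sample attribute statement is constructed; the choices to drop attributes that are not in the table, to keep the eduPerson affiliation, entitlement and isMemberOf attributes as lists, and to nest the street address under an OIDC 'address' object are this example's design decisions, as is the 'overrides' parameter standing in for values COmanage overrides.

```python
"""Added example: SAML (OID-keyed) attribute statement -> OIDC claims.

Not SCZ/COmanage code. The OID/claim pairs are the table on this page;
sample input and the override mechanism are constructed for the example.
"""

# OIDC claim name -> SAML OID, taken from the mapping table on this page.
OIDC_TO_SAML_OID = {
    "uid": "urn:oid:0.9.2342.19200300.100.1.1",
    "address.street_address": "urn:oid:2.5.4.16",
    "nickname": "urn:oid:2.16.840.1.113730.3.1.241",
    "given_name": "urn:oid:2.5.4.42",
    "email": "urn:oid:0.9.2342.19200300.100.1.3",
    "name": "urn:oid:2.5.4.3",
    "family_name": "urn:oid:2.5.4.4",
    "edumember_is_member_of": "urn:oid:1.3.6.1.4.1.5923.1.5.1.1",
    "schac_home_organisation": "urn:oid:1.3.6.1.4.1.25178.1.2.9",
    "eduperson_targeted_id": "urn:oid:1.3.6.1.4.1.5923.1.1.1.10",
    "eduperson_principalname": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "eduperson_scoped_affiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.9",
    "eduperson_affiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
    "eduperson_entitlement": "urn:oid:1.3.6.1.4.1.5923.1.1.1.7",
}
SAML_OID_TO_OIDC = {oid: claim for claim, oid in OIDC_TO_SAML_OID.items()}

# Claims this example keeps as lists; the eduPerson schema defines these
# attributes as multi-valued.
MULTI_VALUED = {
    "edumember_is_member_of",
    "eduperson_scoped_affiliation",
    "eduperson_affiliation",
    "eduperson_entitlement",
}

# Constructed sample: what an IdP might assert, keyed by OID. The
# telephoneNumber OID (urn:oid:2.5.4.20) is deliberately not in the table.
SAMPLE_SAML_ATTRIBUTES = {
    "urn:oid:0.9.2342.19200300.100.1.1": ["ada"],
    "urn:oid:2.5.4.42": ["Ada"],
    "urn:oid:2.5.4.4": ["Lovelace"],
    "urn:oid:0.9.2342.19200300.100.1.3": ["ada@example.org"],
    "urn:oid:2.5.4.16": ["1 Example Street"],
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": ["member", "student"],
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": ["student@example.org"],
    "urn:oid:2.5.4.20": ["+00 000 000000"],
}


def saml_to_oidc(saml_attrs, overrides=None):
    """Translate {oid: [values, ...]} into a dict of OIDC claims.

    Design choices of this example:
    - OIDs not in the table are dropped, so only listed attributes are released.
    - Single-valued claims take the first asserted value; MULTI_VALUED keep the list.
    - 'address.street_address' is emitted as the nested OIDC 'address' object.
    - 'overrides' (hypothetical, modelling values COmanage overrides) replace
      whatever the IdP asserted for that claim.
    """
    claims = {}
    for oid, values in saml_attrs.items():
        claim = SAML_OID_TO_OIDC.get(oid)
        if claim is None or not values:
            continue
        if claim in MULTI_VALUED:
            claims[claim] = list(values)
        elif claim == "address.street_address":
            claims.setdefault("address", {})["street_address"] = values[0]
        else:
            claims[claim] = values[0]
    for claim, value in (overrides or {}).items():
        claims[claim] = value
    return claims


if __name__ == "__main__":
    for claim, value in sorted(saml_to_oidc(SAMPLE_SAML_ATTRIBUTES).items()):
        print(f"{claim}: {value}")
```

Running the block prints the claims derived from the constructed sample; the telephone number is absent from the output because its OID is not in the table, which is the behaviour a release policy should have by default.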

Attribute candidates

The following attributes are identified as possible candidates, but it has not been decided whether to incorporate them:

  • eduPersonUniqueId (urn:oid:1.3.6.1.4.1.5923.1.1.1.13)
  • eduPersonOrcid (urn:oid:1.3.6.1.4.1.5923.1.1.1.16)
  • cn (urn:oid:2.5.4.3)
  • description (urn:oid:2.5.4.13)
  • facsimileTelephoneNumber (urn:oid:2.5.4.23)
  • mobile (urn:oid:0.9.2342.19200300.100.1.41)
  • o (urn:oid:2.5.4.10)
  • ou (urn:oid:2.5.4.11)
  • telephoneNumber (urn:oid:2.5.4.20)
  • title (urn:oid:2.5.4.12)

How we supply group information to SP's

COmanage works with CO's (Collaborative Organisations) and COU's (CO Units). Collaborations use one or more CO's and COU's. Information on which CO's and COU's a person is a member of is translated to the isMemberOf attribute. We use the AARC 'Guidelines on expressing group membership and role information' to translate the COmanage CO's and COU's to attribute values.
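The following Python is an added example, not SCZ or COmanage code, of encoding CO and COU membership as group URNs and of the check an SP can run on the received isMemberOf values. It assumes the AARC-G002 URN shape 'urn:<NID>:<NSS>:group:<group>[:<subgroup>][:role=<role>]#<group-authority>'; the namespace 'urn:geant:example.org' and the group authority 'proxy.example.org' are placeholders, and the membership tuples are constructed.

```python
"""Added example: CO/COU membership -> AARC-G002 style group URNs, plus the
SP-side parse and authority check. Not SCZ/COmanage code; namespace and
group authority below are placeholders."""
import re

NAMESPACE = "urn:geant:example.org"   # placeholder NID:NSS (assumption)
GROUP_AUTHORITY = "proxy.example.org"  # placeholder group authority (assumption)

# A CO/COU/role name may only use these characters; ':' and '#' are structural
# in the URN, so a name containing them could masquerade as a subgroup or authority.
_SAFE_COMPONENT = re.compile(r"^[A-Za-z0-9._-]+$")


def group_urn(co, cou=None, role=None):
    """Build one group URN for a CO, optionally a COU inside it, optionally a role."""
    for part in (co, cou, role):
        if part is not None and not _SAFE_COMPONENT.match(part):
            raise ValueError(f"unsafe group component: {part!r}")
    value = f"{NAMESPACE}:group:{co}"
    if cou:
        value += f":{cou}"
    if role:
        value += f":role={role}"
    return f"{value}#{GROUP_AUTHORITY}"


def memberships_to_is_member_of(memberships):
    """memberships: iterable of (co, cou_or_None, role_or_None) tuples.
    Returns the sorted, de-duplicated isMemberOf values."""
    return sorted({group_urn(*m) for m in memberships})


_URN_RE = re.compile(
    r"^(?P<ns>urn:[^:#]+:[^:#]+):group:(?P<path>[^#]+)#(?P<auth>[^#]+)$"
)


def parse_group_urn(value):
    """Split a group URN into namespace, group path, role and authority; None if malformed."""
    m = _URN_RE.match(value)
    if not m:
        return None
    parts = m.group("path").split(":")
    role = None
    if parts and parts[-1].startswith("role="):
        role = parts.pop()[len("role="):]
    return {"namespace": m.group("ns"), "groups": parts,
            "role": role, "authority": m.group("auth")}


def member_of(values, co, cou=None, trusted_authority=GROUP_AUTHORITY):
    """SP-side check: is the user in CO (and COU)? Only values from the
    expected namespace and group authority count; a COU value implies
    membership of its enclosing CO."""
    wanted = [co] if cou is None else [co, cou]
    for value in values:
        parsed = parse_group_urn(value)
        if parsed is None:
            continue
        if parsed["authority"] != trusted_authority or parsed["namespace"] != NAMESPACE:
            continue
        if parsed["groups"][:len(wanted)] == wanted:
            return True
    return False


# Constructed sample memberships: a CO, and an admin role in one of its COUs.
SAMPLE_MEMBERSHIPS = [("ResearchCO", None, None), ("ResearchCO", "Analysts", "admin")]

if __name__ == "__main__":
    for v in memberships_to_is_member_of(SAMPLE_MEMBERSHIPS):
        print(v, parse_group_urn(v))
```

The authority check in member_of is the part an SP should not skip: a value that carries the right group path but a different '#authority' is not something this proxy asserted and must not grant access.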

How we supply custom attributes to SP's

COmanage allows CO administrators to add custom attributes. This information is translated to the eduPersonEntitlement attribute, and we use the AARC 'Guidelines on expressing group membership and role information' to translate the COmanage CO's and COU's to attribute values.