Connecting a service to SRAM can be done using three protocols: SAML2, OpenID Connect and LDAP. The same attribute set is available through each of them. This page gives an overview of the attributes you can expect for users and of how each attribute is exposed in the different protocols (and in SCIM).
| Attribute name | Description | SAML attribute | OIDC claim (scope) | LDAP attribute | SCIM (https://sram.surf.nl/api/scim/v2/ResourceTypes) | Name in SBS UI |
|---|---|---|---|---|---|---|
| Name | Full name for display purposes, possibly including titles | cn (urn:oid:2.5.4.3) | | displayName | displayName (User Core) | Name |
| First name | First name | givenName (urn:oid:2.5.4.42) | given_name (scope: profile) | | name.givenName (User Core) | Not visible in UI |
| Surname | Last name | sn (urn:oid:2.5.4.4) | | sn | name.familyName (User Core) | Not visible in UI |
| Email address | Main email address | mail (urn:oid:0.9.2342.19200300.100.1.3) | email (scope: email) | | email.value AND emails.primary eq "true" (User Core) | |
| Platform identifier | Unique persistent identifier for the user: a hash value (random hex string) scoped to SRAM, e.g. 0126789acdef014567@sram.surf.nl. This is the best non-human-readable identifier; use it as your main identifier for users. | eduPersonUniqueId (urn:oid:1.3.6.1.4.1.5923.1.1.1.13), urn:oasis:names:tc:SAML:attribute:subject-id | | eduPersonUniqueId | urn:mace:surf.nl:sram:scim:extension:User.eduPersonUniqueId (User SRAM Extension) | UID |
| Institutional identifier | Identifier from the user's original institutional IdP (e.g. pietjansen@uni-harderwijk.nl) | urn:oid:1.3.6.1.4.1.25178.4.1.5 | | voPersonExternalId | urn:mace:surf.nl:sram:scim:extension:User.voPersonExternalId (User SRAM Extension) | Institute abbreviation? |
| Short username | Short, human-readable username for login to backend systems (e.g. pietjansen03) | urn:oid:0.9.2342.19200300.100.1.1 | | uid | userName (User Core) | Username |
| Short platform identifier | Human-readable platform identifier (e.g. pietjansen@sram.surf.nl); this is a scoped version of the short username | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | | - | externalId (User Core) | n/a |
| Platform affiliation | User's role in the SRAM platform, typically member@sram.surf.nl | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | | eduPersonScopedAffiliation | urn:mace:surf.nl:sram:scim:extension:User.eduPersonScopedAffiliation (User SRAM Extension) | n/a |
| Institutional affiliation | User's role(s) in their home organization (e.g. employee@uni-harderwijk.nl). Only present if supplied by the user's home institution. | urn:oid:1.3.6.1.4.1.25178.4.1.11 | | voPersonExternalAffiliation | urn:mace:surf.nl:sram:scim:extension:User.voPersonExternalAffiliation (User SRAM Extension) | |
| Group and CO memberships | Membership of collaborations and of groups within each collaboration, as urn:mace:surf.nl:sram:group:<orgname>:<coname>[:<groupname>] | urn:oid:1.3.6.1.4.1.5923.1.1.1.7 | | | members.value is a reference to the SCIM User identifier (Group Core) | Entitlements |
| CO labels | Organizational labels set on collaborations | urn:oid:1.3.6.1.4.1.5923.1.1.1.7 | eduperson_entitlement (scope: eduperson_entitlement) | businessCategory (NB: attribute of the Collaboration) | urn:mace:surf.nl:sram:scim:extension:Group.labels (Group SRAM Extension) | |
| SSH public key | Public SSH key which the user has configured to log into backend systems | urn:oid:1.3.6.1.4.1.24552.500.1.1.1.13 | | sshPublicKey | x509Certificates.value (User Core) | SSH public key |
| Status | Status of the user; possible values are "active" and "expired" (for users whose membership has expired or who are inactive) | - (users who are able to log in via SAML are always "active") | - (users who are able to log in via OIDC are always "active") | voPersonStatus | active (User Core) | - |
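As an added illustration (not code from SRAM or this page), the following Python maps a SAML attribute statement into a service-side user record the way the table recommends: the scoped eduPersonUniqueId is the only key, the short username and email are carried along as display data, and the eduPersonEntitlement values are split into collaboration and group memberships using the urn:mace:surf.nl:sram:group:<orgname>:<coname>[:<groupname>] format, with non-group entitlements (such as CO labels, which arrive in the same attribute) kept apart. The attribute dictionary and all sample values are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# SAML attribute names (urn:oid form) as listed in the table above.
OID_UNIQUE_ID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.13"   # eduPersonUniqueId
OID_ENTITLEMENT = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"  # eduPersonEntitlement
OID_UID = "urn:oid:0.9.2342.19200300.100.1.1"         # uid (short username)
OID_MAIL = "urn:oid:0.9.2342.19200300.100.1.3"        # mail

# Membership format documented above: urn:mace:surf.nl:sram:group:<org>:<co>[:<group>]
GROUP_URN = re.compile(r"^urn:mace:surf\.nl:sram:group:([^:]+):([^:]+)(?::([^:]+))?$")
# Platform identifier: hex hash scoped to sram.surf.nl (e.g. 0126789acdef014567@sram.surf.nl)
UNIQUE_ID = re.compile(r"^[0-9a-fA-F]+@sram\.surf\.nl$")

@dataclass
class SramUser:
    unique_id: str                    # the only value a service should key users on
    short_username: Optional[str]     # human-readable, for display/backend login only
    email: Optional[str]
    collaborations: Set[Tuple[str, str]] = field(default_factory=set)   # (org, co)
    groups: Set[Tuple[str, str, str]] = field(default_factory=set)      # (org, co, group)
    other_entitlements: List[str] = field(default_factory=list)         # e.g. CO labels

def parse_group_urn(urn: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """Return (org, co, group-or-None) for an SRAM group entitlement, else None."""
    m = GROUP_URN.match(urn)
    return m.groups() if m else None

def user_from_saml(attrs: Dict[str, List[str]]) -> SramUser:
    """Build a user record from a SAML attribute statement (attribute name -> values)."""
    ids = attrs.get(OID_UNIQUE_ID, [])
    if len(ids) != 1 or not UNIQUE_ID.match(ids[0]):
        raise ValueError("missing or malformed eduPersonUniqueId; refusing to map user")
    user = SramUser(ids[0], (attrs.get(OID_UID) or [None])[0], (attrs.get(OID_MAIL) or [None])[0])
    for ent in attrs.get(OID_ENTITLEMENT, []):
        parsed = parse_group_urn(ent)
        if parsed is None:
            user.other_entitlements.append(ent)  # same attribute also carries CO labels
            continue
        org, co, group = parsed
        user.collaborations.add((org, co))
        if group is not None:
            user.groups.add((org, co, group))
    return user

# Constructed sample attribute statement (hypothetical values, not real SRAM data).
SAMPLE = {
    OID_UNIQUE_ID: ["0126789acdef014567@sram.surf.nl"],
    OID_UID: ["pietjansen03"],
    OID_MAIL: ["pietjansen@uni-harderwijk.nl"],
    OID_ENTITLEMENT: ["urn:mace:surf.nl:sram:group:uni-harderwijk:climate-model",
                      "urn:mace:surf.nl:sram:group:uni-harderwijk:climate-model:gpu-users",
                      "urn:example:other-entitlement"],   # placeholder non-group entitlement
}
```

Feeding an assertion with no eduPersonUniqueId (or one not scoped to sram.surf.nl) raises rather than silently falling back to the short username or email, which are the human-readable identifiers the table advises against using as the primary key.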
See the LDAP directory structure reference for all attributes available in LDAP.
SCIM Schemas: