By default the user's attributes are released by their Identiy Provider, then filtered by SURFconext in the Attribute Release Policy (ARP), and released to the Service Provider. Attribute Aggregation gives the ability to add attributes for a user from a third party source and release them to the SP in the same set as the original IdP attributes.

SURFconext currently supports the following sources for attribute aggregation:

  • Group information from SURFconext Teams and institutional group providers, like provided by the VOOT-interface, in the isMemberOf attribute.
  • Orcid researcher ID. In proof of concept phase, contact us if you have a use for this to discuss the options.
  • Licence information. Currently only for use by our sister organisation SURFmarket.
  • SAB role information and SURF CRM information; for SURF-internal use only.

More attribute sources will be added later. Let us know what you'd like to use!

Group information

See the VOOT pages for the group information that SURFconext can provide. The standard is to supply this via the REST interface which requires a separate interface to the SURFconext, next to the SAML- or OpenID Connect interface for authentication.

Via Attribute Aggregation we can provide the user's team memberships in the urn:mace:dir:attribute-def:isMemberOf attribute (see Attribute schema). You will receive this as an extra attribute in the standard login flow, and it will contain the full urns of the groups this user is a member of.

However, to prevent the SAML message from growing too large (a user can be in hundreds of groups), we currently only send group names that have been whitelisted by us for your service. Therefore, the functionality is currently useful for those SP's that require only to know if a user is a member of one or a few specific groups. If you need all the groups of a user, you are advised to use the VOOT REST API.

Orcid researcher ID

A proof of concept has been built where SURFconext can provide the eduPersonOrcid attribute to SP's that have a use for this researcher ID, after users have once linked their Orcid ID to their SURFconext account. Contact us if you would be able to make use of this functionality.

Licence information

In collaboration with our procurement sister organisation SURFmarket we are supplying information about individual product licences from SURFmarket to the SPs that provide the licenced content. More details are in a blog about eStudybooks. This is currently limited to participants of this pilot. 

SAB roles and CRM id

For SURF Services only.

If your application requires the knowledge of SAB-roles, we can provide them to you in the SAML login flow in the urn:mace:dir:attribute-def:eduPersonEntitlement attribute. The role will be passed in its full urn notation, e.g. and is multi-valued. You can also get the institution abbreviation and guid. This way, your SP does not require any separate interface to SAB to retrieve this information. See the SAB interfaces space for more information about SAB and the specific instruction for SAB via SURFconext attribuutaggregatie.

We can also pass the SURF CRM guid in the attribute surf-crm-id. Also only for SURF services.

How to get it

Just contact our support team.

  • No labels