Friendly name: ID (NameID)
Attribute name: urn:mace:dir:attribute-def:eduPersonTargetedID / urn:oid:1.3.6.1.4.1.5923.1.1.1.10
Definition: eduPerson (1)
Data type: UTF8 string (unbounded)
Example: bd09168cf0c2e675b2def0ade6f50b7d4bb4aae

Friendly name: Surname
Attribute name: urn:mace:dir:attribute-def:sn / urn:oid:2.5.4.4
Definition: X.520
Data type: UTF8 string (unbounded)
Examples: Vermeegen; 孝慈

Friendly name: Given name
Attribute name: urn:mace:dir:attribute-def:givenName / urn:oid:2.5.4.42
Definition: X.520
Data type: UTF8 string (unbounded)
Examples: Mërgim Lukáš; Þrúður

Friendly name: Common name
Attribute name: urn:mace:dir:attribute-def:cn / urn:oid:2.5.4.3
Definition: X.520
Data type: UTF8 String (unbounded)
Examples: Prof.dr. Mërgim Lukáš Vermeegen; 加来 千代, PhD.

Friendly name: Display name
Attribute name: urn:mace:dir:attribute-def:displayName / urn:oid:2.16.840.1.113730.3.1.241
Definition: RFC2798
Data type: UTF8 String (unbounded)
Examples: Prof.dr. Mërgim L. Vermeegen; 加来 千代, PhD.

Friendly name: Email address
Attribute name: urn:mace:dir:attribute-def:mail / urn:oid:0.9.2342.19200300.100.1.3
Definition: RFC4524
Data type: RFC-5322 address (max 256 chars)
Examples:
  m.l.vermeegen@university.example.org
  maarten.'t.hart@uniharderwijk.nl
  "very.unusual.@.but valid.nonetheless"@example.com
  mlv@[IPv6:2001:db8::1234:4321]

Friendly name: Organization
Attribute name: urn:mace:terena.org:attribute-def:schacHomeOrganization / urn:oid:1.3.6.1.4.1.25178.1.2.9
Definition: Schac
Data type: RFC-1035 domain string
Examples: example.nl; something.example.org

Friendly name: Organization Type
Attribute name: urn:mace:terena.org:attribute-def:schacHomeOrganizationType / urn:oid:1.3.6.1.4.1.25178.1.2.10
Definition: Schac
Data type: RFC-2141 URN (see Schac standard)
Examples:
  urn:mace:terena.org:schac:homeOrganizationType:int:university
  urn:mace:terena.org:schac:homeOrganizationType:es:opi

Friendly name: Employee/student number
Attribute name: urn:schac:attribute-def:schacPersonalUniqueCode / urn:oid:1.3.6.1.4.1.25178.1.2.14
Definition: Schac
Data type: RFC-2141 URN (see SURFnet registry)
Examples:
  urn:schac:personalUniqueCode:nl:local:example.edu:employeeid:x12-3456
  urn:schac:personalUniqueCode:nl:local:example.nl:studentid:s1234567

Friendly name: Affiliation
Attribute name: urn:mace:dir:attribute-def:eduPersonAffiliation / urn:oid:1.3.6.1.4.1.5923.1.1.1.1
Definition: eduPerson (1)
Data type: Enum type (UTF8 String)
Examples: employee, student, staff, member (alum, affiliate, faculty, library-walk-in are not allowed)

Friendly name: Scoped affiliation
Attribute name: urn:mace:dir:attribute-def:eduPersonScopedAffiliation / urn:oid:1.3.6.1.4.1.5923.1.1.1.9
Definition: eduPerson (1)
Data type: UTF8 String, user@domain
Examples: student@physics.uniharderwijk.nl; employee@facilities.uniharderwijk.nl

Friendly name: Entitlement
Attribute name: urn:mace:dir:attribute-def:eduPersonEntitlement / urn:oid:1.3.6.1.4.1.5923.1.1.1.7
Definition: eduPerson (1)
Data type: RFC-2141 URN, multi-valued
Examples: to be determined per service (see Standardized values for eduPersonEntitlement)

Friendly name: PrincipalName
Attribute name: urn:mace:dir:attribute-def:eduPersonPrincipalName / urn:oid:1.3.6.1.4.1.5923.1.1.1.6
Definition: eduPerson (1)
Data type: UTF8 String, user@domain
Examples: piet.jønsen@example.edu; not.a@vålîd.émail.addreß

Friendly name: isMemberOf
Attribute name: urn:mace:dir:attribute-def:isMemberOf / urn:oid:1.3.6.1.4.1.5923.1.5.1.1
Definition: eduMember
Data type: RFC-2141 URN, multi-valued
Examples: urn:collab:org:surf.nl; urn:collab:org:clarin.org

Friendly name: uid
Attribute name: urn:mace:dir:attribute-def:uid / urn:oid:0.9.2342.19200300.100.1.1
Definition: RFC4519
Data type: UTF8 String (max 256 chars)
Examples: s9603145; flåp@example.edu

Friendly name: preferredLanguage
Attribute name: urn:mace:dir:attribute-def:preferredLanguage / urn:oid:2.16.840.1.113730.3.1.39
Definition: RFC2798, BCP47
Data type: List of BCP47 language tags
Examples: nl; nl, en-gb;q=0.8, en;q=0.7

Friendly name: ORCID
Attribute name: urn:mace:dir:attribute-def:eduPersonORCID / urn:oid:1.3.6.1.4.1.5923.1.1.1.16
Definition: eduPerson (1)
Data type: URL registered with ORCID.org
Example: http://orcid.org/0000-0002-1825-0097


Surname

urn:mace: urn:mace:dir:attribute-def:sn
urn:oid: urn:oid:2.5.4.4
Multiplicity: single-valued
Data type: UTF8 string (unbounded)

Description

Surname of a person (including words such as "van", "de", "von", etc.), used for personalisation; can be a combination of existing attributes.

Examples

Vermeegen
孝慈

Given name

urn:mace: urn:mace:dir:attribute-def:givenName
urn:oid: urn:oid:2.5.4.42
Multiplicity: single-valued
Data type: UTF8 string (unbounded)

Description

Given name / "name known by"; combinations of title, initials, and "name known by" are possible.

Examples

Jan Klaassen
Mërgim K. Lukáš
Þrúður

Common name

urn:mace: urn:mace:dir:attribute-def:cn
urn:oid: urn:oid:2.5.4.3
Multiplicity: multi-valued
Data type: UTF8 string (unbounded)

Description

Full name.

Examples

Prof.dr. Mërgim Lukáš Vermeegen
加来 千代, PhD.

Notes

For example, a typical name of a person in an English-speaking country comprises a personal title (e.g. Mr., Ms., Dr., Professor, Sir, Lord), a first name, middle name(s), last name, generation qualifier (if any, e.g. Jr.) and decorations and awards (if any, e.g. CBE).

Display name

urn:mace: urn:mace:dir:attribute-def:displayName
urn:oid: urn:oid:2.16.840.1.113730.3.1.241
Multiplicity: single-valued
Data type: UTF8 string (unbounded)

Description

Name as displayed in applications.

Examples

Prof.dr. Mërgim Lukáš Vermeegen
加来 千代, PhD.

Notes

Can be changed by the end-users themselves and is therefore not suitable for identification.

Email address

urn:mace: urn:mace:dir:attribute-def:mail
urn:oid: urn:oid:0.9.2342.19200300.100.1.3
Multiplicity: multi-valued
Data type: RFC-5322 address (max 256 chars)

Description

E-mail address; syntax in accordance with RFC 5322.

Examples

m.l.vermeegen@university.example.org
"very.unusual.@.unusual.com"@example.com
mlv@[IPv6:2001:db8::1234:4321]

Notes

  • Multiple email addresses are allowed.
  • It is not necessarily the email address of this person at his institution.
  • Do not use Email address to identify a user: use NameId. Also do not use it for authentication and authorization: email addresses may change over time.


Organization

urn:mace: urn:mace:terena.org:attribute-def:schacHomeOrganization
urn:oid: urn:oid:1.3.6.1.4.1.25178.1.2.9
Multiplicity: single-valued
Data type: RFC-1035 domain string. Must be a second-level domain under control of the institution. Preferably use the institution's main domain name.

Description

Domain name of the user's organisation; syntax conforming to RFC 1035.

Examples

uniharderwijk.nl
example.nl

Notes

  • In the past SURFconext used to send the home organisation in the attribute urn:oid:1.3.6.1.4.1.1466.115.121.1.15, which was incorrect. Since 2013, the correct OID urn:oid:1.3.6.1.4.1.25178.1.2.9 is in use. For reasons of compatibility, the old (wrong) key is also still sent. It should not be used in new implementations.
  • Matching values should be case-insensitive, i.e. "uniharderwijk.nl" and "UniHarderwijk.nl" should be considered equal.
  • Use the same value for all your users.
  • The value of Organisation is stored in the SURFconext configuration, so we can check that no illegal values are sent.

Organization type

urn:mace: urn:mace:terena.org:attribute-def:schacHomeOrganizationType
urn:oid: urn:oid:1.3.6.1.4.1.25178.1.2.10
Multiplicity: single-valued
Data type: RFC-2141 URN (see Schac standard)

Description

Organisation type as defined by Terena.

Examples

urn:mace:terena.org:schac:homeOrganizationType:int:university
urn:mace:terena.org:schac:homeOrganizationType:es:opi

Notes

In practice this attribute is hardly used by IdPs or SPs; contact support@surfconext.nl if you would like to use it.

Employee/student number

urn:mace: urn:schac:attribute-def:schacPersonalUniqueCode
urn:oid: urn:oid:1.3.6.1.4.1.25178.1.2.14
Multiplicity: multi-valued
Data type: RFC-2141 URN (see SURFnet registry)

Description

The id used in the university's internal systems.

Examples

urn:schac:personalUniqueCode:nl:local:example.edu:employeeid:x12-3456
urn:schac:personalUniqueCode:nl:local:example.nl:studentid:s1234567

Affiliation

urn:mace: urn:mace:dir:attribute-def:eduPersonAffiliation
urn:oid: urn:oid:1.3.6.1.4.1.5923.1.1.1.1
Multiplicity: multi-valued
Data type: UTF8 String (only the values below are allowed)

Description

Relationship between user and his home organisation:

  • student — person enrolled at an institution, an external student or course participant
  • employee — person with a position at or labour agreement with an institution
  • staff — academic staff (in Dutch: wetenschappelijk personeel) and teachers
  • member — someone holding at least one of the above affiliations
  • affiliate — person who is authorized by the Institution (not (yet) used by any services)

Examples

See above.

Notes

  • Users with the affiliation student, employee, or staff should also have the value member.
  • Identity Providers can use other values (e.g. alum). However, they are not allowed to access SURFconext.
  • Other values mentioned in the eduPerson specification, like faculty and library-walk-in, are not allowed within SURFconext.
  • Use only lower-case values.

Scoped Affiliation

urn:mace: urn:mace:dir:attribute-def:eduPersonScopedAffiliation
urn:oid: urn:oid:1.3.6.1.4.1.5923.1.1.1.9
Multiplicity: multi-valued
Data type: UTF8 String of the form affiliation@subdomain

Description

Indicates the relationship between the user and a specific (security) domain within his home organisation in a fine-grained way. For example, it can specify that a user is a student in the Physics department or a secretary working in a specific department. The value consists of an affiliation-part and a domain-part, i.e. <affiliation>@<sub.domain.nl>.

  • The affiliation-part must be one of the values allowed for Affiliation (see above).
  • The domain-part must be a subdomain of the user's schacHomeOrganization. This subdomain does not necessarily need to exist in DNS. E.g., if schacHomeOrganization = uniharderwijk.nl, the domain-part could be science.uniharderwijk.nl or physics.science.uniharderwijk.nl.

Examples

student@physics.uniharderwijk.nl
employee@facilities.uniharderwijk.nl

Notes

  • Can be used to express the faculty, field of study, department, etc. to which a user is affiliated.
  • The attribute is multi-valued: a user can be a student in a certain field and at the same time an employee of a certain department of the university.
  • There is no register of valid subdomains. SPs wanting to use this attribute need to confer with the IdP to interpret the values of Scoped Affiliation.

Entitlement

urn:mace: urn:mace:dir:attribute-def:eduPersonEntitlement
urn:oid: urn:oid:1.3.6.1.4.1.5923.1.1.1.7
Multiplicity: multi-valued
Data type: RFC-2141 URN

Description

Custom URI (URL or URN) indicating an entitlement to something.

Examples

urn:mace:terena.org:tcs:personal-admin
urn:x-surfnet:surfdomeinen.nl:role:dnsadmin

Notes

  • Can be used to communicate entitlements, roles, etc., from identity providers to services, which can be used for example for authorization.
  • The values of this attribute are scoped to the identity provider that is authoritative for the attribute.
  • Formatting rules apply.

PrincipalName

urn:mace: urn:mace:dir:attribute-def:eduPersonPrincipalName
urn:oid: urn:oid:1.3.6.1.4.1.5923.1.1.1.6
Multiplicity: single-valued
Data type: UTF8 String of the form user@domain. Domain must be equal to or a subdomain of schacHomeOrganization.

Description

Unique identifier for a user.

Examples

piet.jønsen@example.edu
not.a@vålîd.émail.addreß

Notes

  • Do not use as an email address!
  • Although it uniquely identifies a user, it is not guaranteed that PrincipalName is persistent over sessions.
  • Do not use to identify users. Use NameId for this.
  • The allowed domain part for your institution is stored in the SURFconext configuration, so we can check that no illegal values are sent.
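As an added example (not part of this page or of SURFconext's own code), the following SP-side check applies the rules stated above for Affiliation, Scoped Affiliation and PrincipalName, using the case-insensitive domain matching the Organization notes require. The input shape (attribute name mapped to a list of values) and the function names are assumptions.

```python
# Added example, not part of this page or of SURFconext's own code: an SP-side
# check of a released attribute set against the rules stated on this page.
# Assumed input shape: {attribute name: [values]}, as most SAML libraries
# hand attributes to the application. Names are the page's urn:mace forms.
ORG = "urn:mace:terena.org:attribute-def:schacHomeOrganization"
AFF = "urn:mace:dir:attribute-def:eduPersonAffiliation"
SCOPED = "urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
EPPN = "urn:mace:dir:attribute-def:eduPersonPrincipalName"
# Values the overview table allows for Affiliation within SURFconext.
AFFILIATIONS = {"student", "employee", "staff", "member"}


def in_scope(domain, home_org):
    """True when domain equals home_org or is a subdomain of it.
    Matching is case-insensitive, as the Organization notes require."""
    d, h = domain.lower().rstrip("."), home_org.lower().rstrip(".")
    return d == h or d.endswith("." + h)


def validate(attrs):
    """Return the list of rule violations; an empty list means the set passes."""
    problems = []
    orgs = attrs.get(ORG, [])
    if len(orgs) != 1:
        return [f"schacHomeOrganization must be single-valued, got {orgs}"]
    home = orgs[0]
    affs = set(attrs.get(AFF, []))
    for a in affs:
        if a not in AFFILIATIONS:  # also catches upper-case spellings
            problems.append(f"affiliation {a!r} not allowed (lower-case only)")
    if affs & {"student", "employee", "staff"} and "member" not in affs:
        problems.append("student/employee/staff must also carry member")
    for sa in attrs.get(SCOPED, []):
        aff, sep, dom = sa.partition("@")
        if not sep or aff not in AFFILIATIONS:
            problems.append(f"scoped affiliation {sa!r} is malformed")
        elif not in_scope(dom, home):  # subdomain need not exist in DNS
            problems.append(f"scoped affiliation {sa!r} is outside {home}")
    eppns = attrs.get(EPPN, [])
    if len(eppns) > 1:
        problems.append("eduPersonPrincipalName must be single-valued")
    for e in eppns:
        user, sep, dom = e.partition("@")
        if not sep or not user or not in_scope(dom, home):
            problems.append(f"principal name {e!r} is not under {home}")
    return problems
```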

isMemberOf

urn:mace: urn:mace:dir:attribute-def:isMemberOf
urn:oid: urn:oid:1.3.6.1.4.1.5923.1.5.1.1
Multiplicity: multi-valued
Data type: RFC-2141 URN

Description

Organisations the user is member of.

Examples

urn:collab:org:surf.nl

Notes

  • Only urn:collab:org:surf.nl is supported. It indicates that the user's home institution is a member of SURFnet.
  • This attribute is generated by SURFconext and is available to SPs; it should not be set by IdPs.

uid

urn:mace: urn:mace:dir:attribute-def:uid
urn:oid: urn:oid:0.9.2342.19200300.100.1.1
Multiplicity: multi-valued
Data type: UTF8 string (max 256 chars); do not use space or @-sign.

Description

Code for a person, used as login name within his institution.

Examples

s9603145
piet
flåp@example.edu

Notes

  • uid is not a unique identifier within SURFconext, only within the specific IdP.
  • Ideally uid is unique within the institution over the course of time. At the moment, there is no such guarantee.
  • Use NameId as a unique identifier in SURFconext.
  • Use eduPersonPrincipalName if a human-readable unique identifier is required.
  • uid may contain any Unicode character. E.g., "org:surfnet.nl:joe von stühl" is a valid uid.
  • SURFconext translates @-signs in the uid to underscores when constructing NameID.

preferredLanguage

urn:mace: urn:mace:dir:attribute-def:preferredLanguage
urn:oid: urn:oid:2.16.840.1.113730.3.1.39
Multiplicity: single-valued
Data type: BCP47 language tag (RFC2798)

Description

Two-letter abbreviation for the preferred language, conforming to ISO 639.

Examples

nl
en

Notes

Can be useful for international correspondence or human-computer interaction. Values MUST conform to the definition of the Accept-Language header field defined in RFC 2068, with one exception: the leading "Accept-Language:" is omitted.


ID (NameID)

urn:mace: urn:mace:dir:attribute-def:eduPersonTargetedID
urn:oid: urn:oid:1.3.6.1.4.1.5923.1.1.1.10
Multiplicity: single-valued
Data type: UTF8 string (unbounded)

Description

EduPersonTargetedID is a copy of the Subject -> NameID generated by SURFconext. When an IdP provides the eduPersonTargetedID itself, it is always overwritten by SURFconext.

Example

bd09168cf0c2e675b2def0ade6f50b7d4bb4aae

Note

This attribute is created because the Subject -> NameID itself is not delivered as an attribute in the SAML v2.0 response and is therefore only available to the application if the local SAML implementation explicitly supports this.

eduPersonOrcid

urn:mace: urn:mace:dir:attribute-def:eduPersonOrcid
urn:oid: urn:oid:1.3.6.1.4.1.5923.1.1.1.16
Multiplicity: multi-valued
Data type: URL, registered with ORCID.org

Description

ORCID is a persistent digital identifier distinguishing the account holder from other researchers. EduPersonOrcid supports automated linkages between the account holder and his professional activities, ensuring that his work is recognized.

Must be a valid ORCID identifier in the ORCID-preferred URL representation, i.e. http://orcid.org/0000-0002-1825-0097.

Example

http://orcid.org/0000-0002-1825-0097

Note

For more information: https://www.surf.nl/en/news/2016/02/global-author-identifier-service-orcid-now-available-through-surfconext-and-edugain.html.
