...
Friendly name | Attribute name | Definition | Data type | Example |
---|---|---|---|---|
(NameID) | eduPerson (1) | UTF8 string | bd09168cf0c2e675b2def0ade6f50b7d4bb4aae | |
urn:mace:dir:attribute-def:sn | X.520 | UTF8 string | Doe Vermeegen | |
urn:mace:dir:attribute-def:givenName | X.520 | UTF8 string | John Mërgim Lukáš Þrúður | |
urn:mace:dir:attribute-def:cn | X.520 | UTF8 String | John Doe Prof.dr. Mërgim Lukáš Vermeegen 加来 千代, PhD. | |
urn:mace:dir:attribute-def:displayName | UTF8 String | Dr. John Doe Prof.dr. Mërgim L. Vermeegen 加来 千代, PhD. | ||
urn:mace:dir:attribute-def:mail | RFC-5322 address | m.l.vermeegen@university.example.org maarten.'t.hart@uniharderwijk.nl "very.unusual.@.but valid.nonetheless"@example.com mlv@[IPv6:2001:db8::1234:4321] | ||
urn:mace:terena.org:attribute-def:schacHomeOrganization | RFC-1035 domain string | example.nl something.example.org | ||
urn:mace:terena.org:attribute-def:schacHomeOrganizationType | RFC-2141 URN | urn:mace:terena.org:schac:homeOrganizationType:int:university urn:mace:terena.org:schac:homeOrganizationType:es:opi | ||
Employee/student number | urn:schac:attribute-def:schacPersonalUniqueCode | Schac | RFC-2141 URN | urn:schac:personalUniqueCode:nl:local:example.edu:employeeid:x12-3456 urn:schac:personalUniqueCode:nl:local:example.nl:studentid:s1234567 |
urn:mace:dir:attribute-def:eduPersonAffiliation | eduPerson (1) | Enum type (UTF8 String) | employee, student, faculty, member, affiliate, pre-student (staff is deprecated; library-walk-in, alum are not allowed) | |
Scoped affiliation | urn:mace:dir:attribute-def:eduPersonScopedAffiliation urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | eduPerson (1) | UTF8 String user@domain | student@uniharderwijk.nl employee@uniharderwijk.nl |
urn:mace:dir:attribute-def:eduPersonEntitlement | eduPerson (1) | RFC-2141 URN | to be determined per service (see Standardized values for eduPersonEntitlement) | |
urn:mace:dir:attribute-def:eduPersonPrincipalName | eduPerson (1) | UTF8 String | piet.jønsen@example.edu not.a@vålîd.émail.addreß | |
urn:mace:dir:attribute-def:isMemberOf | eduMember | RFC-2141 URN | urn:collab:org:surf.nl urn:collab:org:clarin.org | |
urn:mace:dir:attribute-def:uid | UTF8 String | s9603145 flåp@example.edu | ||
urn:mace:dir:attribute-def:preferredLanguage | List of BCP47 language tags | nl nl, en-gb;q=0.8, en;q=0.7 | ||
ORCID | urn:mace:dir:attribute-def:eduPersonORCID urn:oid:1.3.6.1.4.1.5923.1.1.1.16 | eduPerson (1) | URL registered with ORCID.org | http://orcid.org/0000-0002-1825-0097 |
ECK ID | urn:mace:surf.nl:attribute-def:eckid | SURF / Edu-K | URL conform Edu-K specification | https://ketenid.nl/spv1/eacf3765ad342...cf3a11fe9cab2365f95da3e9965501f7c98e (Attribute made shorter for readability) |
SURF CRM ID | urn:mace:surf.nl:attribute-def:surf-crm-id | SURF | GUID of the instiution as used in SURF CRM | ad93daef-0911-e511-80d0-005056956c1a |
Note that not all identity providers might make all attributes available.
...
Warning | ||
---|---|---|
| ||
There is a minimum amount of attributes to supply when you connect your IdP to SURFconext. Not supplying the attributes urn:mace:dir:attribute-def:uid and urn:mace:terena.org:attribute-def:schacHomeOrganization will cause a fatal error because those are needed to generate the NameID. Your IdP cannot be connected to SURFconext without these. Not supplying the attributes urn:For a list of which of these attributes are required for proper operation, please see on this page , or the explanation in the configuration manuals on the page (Dutch) 'Handleidingen en Richtlijnen'. |
Info | ||
---|---|---|
| ||
SURFconext considers the attributes nlEduPersonOrgUnit, nlEduPersonStudyBranch and nlStudielinkNummer deprecated. When you register a new IdP or SP at SURFconext, these attributes will not be allowed for use with SURFconext. Existing IdP's and SP can use these attributes until further notice. |
Detailed attribute descriptions
Anchor | ||||
---|---|---|---|---|
|
See User identifiers.
Anchor | ||||
---|---|---|---|---|
|
urn:mace | urn:mace:dir:attribute-def: |
...
sn |
urn: |
...
oid | urn: |
...
oid:2.5.4.4 | |
Multiplicity | single-valued |
Data type | UTF8 string (unbounded) |
Description | The surname of a person (including any words such as “van”, “de”, “von” etc.) used for Personalization; this can be a combination of existing attributes. |
Examples | Vermeegen 孝慈 |
Notes |
Anchor | ||||
---|---|---|---|---|
|
urn:mace | urn:mace:dir:attribute-def:givenName |
urn:oid | urn:oid:2.5.4.42 |
Multiplicity | single-valued |
Data type | UTF8 string (unbounded) |
Description | Given name, also known as a first name, forename or Christian name / “name known by”; combinations of title, initials, and “name known by” are possible. |
Examples | Jan Klaassen |
Notes |
Anchor | ||||
---|---|---|---|---|
|
Info | ||
---|---|---|
| ||
SURFconext considers the attributes nlEduPersonOrgUnit, nlEduPersonStudyBranch and nlStudielinkNummer deprecated. When you register a new IdP or SP at SURFconext, these attributes will not be allowed for use with SURFconext. Existing IdP's and SP can use these attributes until further notice. |
Detailed attribute descriptions
...
See User identifiers.
...
urn:mace | urn:mace:dir:attribute-def: |
cn | |
urn:oid | urn:oid:2.5.4. |
3 |
Multiplicity |
multi-valued | |
Data type | UTF8 |
string (unbounded) |
Description |
The surname of a person (including any words such as “van”, “de”, “von” etc.) used for Personalization; this can be a combination of existing attributes.
孝慈
Notes
...
Full name. | |
Examples | Prof.dr. Mërgim Lukáš Vermeegen 加来 千代, PhD. |
Notes | For example, a typical name of a person in an English-speaking country comprises a personal title (e.g. Mr., Ms., Rd, Professor, Sir, Lord), a first name, middle name(s), last name, generation qualifier (if any, e.g. Jr.) and decorations and awards (if any, e.g. CBE). |
Anchor | ||||
---|---|---|---|---|
|
urn:mace | urn:mace:dir:attribute-def:givenNamedisplayName |
urn:oid | urn:oid:2.5.4.42.16.840.1.113730.3.1.241 |
Multiplicity | single-valued |
Data type | UTF8 string string (unbounded) |
Description | Given name, also known as a first name, forename or Christian name / “name known by”; combinations of title, initials, and “name known by” are possible. |
Examples | Jan Klaassen | Notes |
...
Name as displayed in applications | |
Examples | Prof.dr. Mërgim Lukáš Vermeegen 加来 千代, PhD. |
Notes |
|
Anchor | ||||
---|---|---|---|---|
urn:mace | urn:mace:dir:attribute-def:cnmail |
urn:oid | urn:oid:2.5.40.9.2342.19200300.100.1.3 |
Multiplicity | multi-valued |
Data type | UTF8 string (unboundedRFC-5322 address (max 256 chars) |
Description | Full name. |
Examples | Prof.dr. Mërgim Lukáš Vermeegen 加来 千代, PhD. |
Notes | For example, a typical name of a person in an English-speaking country comprises a personal title (e.g. Mr., Ms., Rd, Professor, Sir, Lord), a first name, middle name(s), last name, generation qualifier (if any, e.g. Jr.) and decorations and awards (if any, e.g. CBE). |
...
e-mail address; syntax in accordance with RFC 5322 | |
Examples | m.l.vermeegen@university.example.org "very.unusual.@.unusual.com"@example.com mlv@[IPv6:2001:db8::1234:4321]; the |
Notes |
|
Anchor | ||||
---|---|---|---|---|
|
urn:mace | urn:mace:dir:attribute-def:displayNameuid |
urn:oid | urn:oid:20.169.8402342.119200300.113730100.31.1.241 |
Multiplicity | single-valued (multi-valued in the specification, but within SURFconext only 1 value is allowed) |
Data type | UTF8 string String (unbounded) |
Description | Name as displayed in applications |
Examples | Prof.dr. Mërgim Lukáš Vermeegen 加来 千代, PhD. |
Notes |
|
...
urn:mace
...
urn:mace:dir:attribute-def:mail
...
urn:oid
...
urn:oid:0.9.2342.19200300.100.1.3
...
Multiplicity
...
multi-valued
...
Description
...
e-mail address; syntax in accordance with RFC 5322
...
Notes
...
- Multiple email addresses are allowed. However, there's no clear strategy for SP's on how to interpret multiple addresses (use both? pick one? ask user to pick one?); the SP should devise a strategy that makes sense within the context of the application. As an IdP, in the interest of interoperability, it's advisable to avoid sending multiple addresses where possible.
- An email address is not necessarily the email address of this person at the institution.
- Do not use this attribute to uniquely identify a user. Use the NameId instead.
- A user's email address may change over time, or an IdP may allow a user to change this value themselves. This makes that attribute unsuitable for authentication and authorization purposes.
max 256 chars); use of spaces and @ -characters is discouraged. | |
Description | The unique code for a person that is used as the login name within the institution. |
Examples | s9603145 |
Notes |
|
...
urn:mace | urn:mace:dir:attribute-def:uid |
urn:oid | urn:oid:0.9.2342.19200300.100.1.1 |
Multiplicity | single-valued (multi-valued in the specification, but within SURFconext only 1 value is allowed) |
Data type | UTF8 String (max 256 chars); use of spaces and @ -characters is discouraged. |
Description | The unique code for a person that is used as the login name within the institution. |
Examples | s9603145 |
Notes |
|
...
urn:mace | urn:mace:dir:attribute-def:eduPersonOrcid |
urn:oid | urn:oid:1.3.6.1.4.1.5923.1.1.1.16 |
Multiplicity | multi-valued (see remark below) |
Data type | URL, registered with ORCID.org |
Description | The ORCID is a persistent digital identifier that distinguishes the account holder from every other researcher. Through integration in research workflows such as manuscript and grant submission, the ORCID identifier supports automated linkages between the account holder and his/her professional activities ensuring that the account holder's work is recognized. Values MUST be valid ORCID identifiers in the ORCID preferred URL representation, i.e. http://orcid.org/0000-0002-1825-0097 |
Examples | |
Notes | For more information see https://www.surf.nl/en/news/2016/02/global-author-identifier-service-orcid-now-available-through-surfconext-and-edugain.html Although the attribute is in theory multi-valued, in practice it probably makes sense that it has no more than one value. |
...
attribute is in theory multi-valued, in practice it probably makes sense that it has no more than one value. |
Anchor | ||||
---|---|---|---|---|
|
urn:mace | urn:mace:surf.nl:attribute-def:eckid |
urn:oid | - |
Multiplicity | single-valued |
Data type | URL as specified by Edu-K, all-lowercase |
Description | Educatieve Content Keten Identifier (ECK ID) is a pseudonymous identifier for access to content for primary, secondary and vocational education. |
Examples |
|
Notes | This attribute may only be used for “the access to and use of digital learning resources or the digital administration of tests and exams”. For more information see https://www.eck-id.nl (Dutch). Also, if you query this claim information from an external data stores, such as an Enterprise Active Directory, Lightweight Directory Access Protocol (LDAP) directories or a Microsoft SQL Server, you can also define custom attribute stores to query the ECK ID claim from external data stores. Read this Microsoft blog to get to know more. |
Anchor | ||||
---|---|---|---|---|
|
urn:mace | urn:mace:surf.nl:attribute-def:surf-crm-id |
urn:oid | urn:oid:1.3.6.1.4.1.1076.20.100.10.50.2 |
Multiplicity | single-valued |
Data type | Microsoft GUID |
Description | GUID of the organization to which the IdP belongs, as used in the SURF CRM. |
Examples | ad93daef-0911-e511-80d0-005056956c1a |
Notes | SURF specific and only to be used by SURF SPs that have to interface with the SURF CRM. Only to be used after consultation with SURFnet |
urn:mace
urn:mace:surf.nl:attribute-def:eckid
urn:oid
-
Multiplicity
single-valued
URL as specified by Edu-K, all-lowercase
Description
Educatieve Content Keten Identifier (ECK ID) is a pseudonymous identifier for access to content for primary, secondary and vocational education.
- https://ketenid.nl/spv1/eacf3765ad342feb5f65c2bf8194b4ccc3d68cec3c01d3c260636747a2b06d092fcc3a8d655bbdc4ae7d815ed005cf3a11f e9cab2365f95da3e9965501f7c98e
- https://ketenid.nl/201703/1a5c9c7203901866532c2d72ce056e1d29cacc70836fe2bc3a517f3f9a53eed3d77ef370ad6dcf80b3f34ced1c547c7d2e679e8e47002355f938213b3656b206
Notes
This attribute may only be used for “the access to and use of digital learning resources or the digital administration of tests and exams”.
For more information see https://www.eck-id.nl (Dutch). Also, if you query this claim information from an external data stores, such as an Enterprise Active Directory, Lightweight Directory Access Protocol (LDAP) directories or a Microsoft SQL Server, you can also define custom attribute stores to query the ECK ID claim from external data stores. Read this Microsoft blog to get to know more. |