Page History

urn:mace

urn:mace:dir:attribute-def:sn

urn:oid

urn:oid:2.5.4.4

Multiplicity

single-valued

Description

The surname of a person (including any words such as “van”, “de”, “von” etc.) used for Personalizationpersonalization; this can be a combination of existing attributes.

Vermeegen 

Valk, van der
孝慈

Notes

urn:mace

urn:mace:dir:attribute-def:uid

urn:oid

urn:oid:0.9.2342.19200300.100.1.1

Multiplicity

Description

The unique code for a person that is used as the login name within the institution.

s9603145 
piet 
flåp@example.edu (See note below)

Notes

• The uid is not a unique identifier for SURFconext users.  Uid values are at most unique for each IdP.
• Ideally the uid is not only a login name/code but also an identifier that is guaranteed as being unique within the institution over the course of time. At the moment, there is no such guarantee.
• Use the NameId for unique identifiers in SURFconext rather than uid.
• Use the eduPersonPrincipalName attribute if a human-readable unique identifier is required
• A uid may contain any unicode character. E.g., "org:surfnetsurf.nl:joe von stühl" is a valid uid.
• SURFconext translates @-characters in the uid to underscores before constructing the NameID. flåp@example.edu translates to flåp_example.edu.

urn:mace

urn:mace:terena.org:attribute-def:schacHomeOrganization

urn:oid

urn:oid:1.3.6.1.4.1.25178.1.2.9

Multiplicity

single-valued

Description

The user's organization using the organization's domain name; syntax in accordance with RFC 1035.

uniharderwijk.nl
example.nl 

Notes

•  In the past, SURFconext used to send the home organization in the attribute urn:oid:1.3.6.1.4.1.1466.115.121.1.15, which was incorrect.  Since 2013, the correct oid urn:oid:1.3.6.1.4.1.25178.1.2.9 is in use.  For reasons of compatibility, the old (wrong) key is still sent.  It will be removed in 2020the near future.
• Matching values against this attribute should be case-insensitive, i.e. the values "uniharderwijk.nl" and "UniHarderwijk.nl" should be considered equal. For Interoperability reasons however we require lower-case values as specified above in SURFconext.
• It is desirable to have the same value for all your users.
• SURFconext will store the allowed value for your institution in our configuration so we can check that no illegal values are being sent.

urn:mace

urn:mace:terena.org:attribute-def:schacHomeOrganizationType

urn:oid

urn:oid:1.3.6.1.4.1.25178.1.2.10

Multiplicity

single-value

Description

designation of the type of organization as defined on httphttps://wwwwiki.terenarefeds.org/registry/terena.org/schac/homeOrganizationTypedisplay/STAN/SCHAC+Releases?preview=/44957731/128909315/SCHAC%2B1.6.0-final.pdf

Notes

• Attribute values are registered by Terena Géant on httphttps://wwwwiki.terenarefeds.org/registrydisplay/terena.org/schac/homeOrganizationTypeSTAN/SCHAC+Releases
• In practice, this attribute is not/hardly used by IdP's or SP's
• Please contact support@surfconext.nl if you would like to use this attribute

urn:mace

urn:oid

urn:oid:1.3.6.1.4.1.25178.1.2.14

Multiplicity

multi-value

Description

The user's student, employee, and/or member id as used in the university's internal systems. Also used for the Erasmus Student Identifier for international student exchange.

urn:schac:personalUniqueCode:nl:local:example.edu:employeeid:x12-3456
urn:schac:personalUniqueCode:nl:local:example.nl:studentid:s1234567
urn:schac:personalUniqueCode:int:esi:example.nl:123321

Notes

• Attribute values are registered by SURFnet SURF as shown on this page.
• Please contact the SURFnet SURFconext support team if you would like to use this attribute as an SP, or if you would like to provide it as an IdP.
• This attribute's main use is for matching user accounts to the university's internal systems
• It is also used in the Erasmus+ student exchange program. See Toevoegen European Student Identifier aan instellingssystemen.

urn:mace

urn:mace:dir:attribute-def:eduPersonAffiliation

urn:oid

urn:oid:1.3.6.1.4.1.5923.1.1.1.1

Multiplicity

multi-valued

Description

Indicates the relationship between the user and his home organization (institution). The following values are permitted within SURFconext:

• student — A person enrolled at an institution, an external student or course participant.
• employee — A person with a position at or labor agreement with an institution.
• staff — All academic staff and teachers. (deprecated; do not use in new deployments)
• faculty — A person whose primary role is teaching or research. (Commonly called WP at Dutch universities. Please note, PhD students are also perfectly allowed to carry this value.)
• member — Anyone that holds at least one of the above affiliations is also a member.
  
  
• pre-student — A person who has registered to start studying, but is not yet a full student. See this page (Dutch only) for more information about pre-students and the terms and conditions under which such users are allowed access. Pre-students will never be allowed access to service providers without prior consent from the service provider.
• affiliate — A person who is authorized by the Institution, pursuant to the lenience model concluded by the Institution, to use the Service.

Use Note: only the above mentioned values are allowed within SURFconext. Use the definitions mentioned to determine which affiliation a user gets. If the definitions are not sufficientyou have doubts whether a user (fully) fits the definition, please use common sense.

Notes

• Any user who has the affiliation student, employee, or faculty, should also have the value member.
• Identity Providers might internally use additional values for the affiliation attribute, such as alum. Per SURFconext policy, the IdP may not allow such users to access SURFconext.
  Other values mentioned in the eduPerson specification include library-walk-in. This value is not currently used within SURFconext.
• According to the eduPerson specification, the values of this attribute are case insensitive; for Interoperability reasons however, we require lower-case values as specified above in SURFconext.
• The document REFEDS eduPerson(Scoped)Affiliation usage comparison is useful to determine the usefulness of values in an international context.

Indicates the relationship between the user and the domain of his home organization. The affiliation part must be one of the allowed values of the eduPersonAffiliation attribute (see definition right above).

The value is the role of the user and the domain name of the organisation. eduPersonScopedAffiliation can hence be defined as: <eduPersonAffiliation> "@" <schacHomeOrganization>. Just like eduPersonScopedAffiliation, this is a multi valued attribute.

The domain part must be the schacHomeOrganization of the user (or a subdomain thereof). 

• This attribute is primarily a different way to convey the same information as is contained in eduPersonAffiliation and schacHomeOrganization. It's recommended to release this attribute next to eduPersonAffiliation and schacHomeOrganization, because some SP's ask for this attribute instead of the two separate ones.
• If desired, this attribute can be used to describe the role of the user within a specific faculty, field, study or department that the user is part of. Because the attribute is multi-valued, a user can be a student at one and an employee at another department.

urn:mace

urn:mace:dir:attribute-def:eduPersonEntitlement

urn:oid

urn:oid:1.3.6.1.4.1.5923.1.1.1.7

Multiplicity

multi-value

Description

entitlement; custom URI (URL or URN) that indicates an entitlement to something.

urn:mace:terena.org:tcs:personal-admin
urn:x-surfnetmace:surf.nl:surfdomeinen.nl:role:dnsadmin

Notes

• This attribute can be used to communicate entitlements, roles, etc, from identity providers to services, which can be used, for example, for authorization.
• The values of this attribute are scoped to the identity provider that is authoritative for the attribute. 
• Formatting rules apply: See also the SURFconext entitlement name-spacing policy.

urn:mace

urn:mace:dir:attribute-def:isMemberOf

urn:oid

urn:oid:1.3.6.1.4.1.5923.1.5.1.1

Multiplicity

multi-valued

Description

Lists the collaborative organizations the user is a member of.

Notes

• Attribute values are URIs (URN or URL)
• The only currently supported value is urn:collab:org:surf.nl, which indicated that the user's home institution is a member of SURFnetSURF
• In the future, this can be used to determine membership of non-institutional collaborative organizations.
• This attribute is generated by SURFconext and is available to SP's; it should not be set by IdP's.

urn:mace

urn:mace:dir:attribute-def:eduPersonTargetedID

urn:oid

urn:oid:1.3.6.1.4.1.5923.1.1.1.10

Multiplicity

single-valued

Description 

The attribute eduPersonTargetedID is a copy of the persistent Subject -> NameID, which is generated by SURFconext itself. When an Identity Provider provides the eduPersonTargetedID itself, it is always overwritten by SURFconext. 

Notes 

This attribute is created because the Subject -> NameID itself is not part of the SAML v2.0 response attribute list and therefore only is available for an application if the local SAML implementation explicitly supports this. Within SURFconext the Subject -> NameID is explicitly copied into the eduPersonTargetedID attribute, including XML, in order for the identifier to be used like any other attribute, but only when NameID is configured to be persistent (as the eduPerson definition of eduPersonTargetedID requires it to be persistent)