This page lists all the SAML2 attributes that SURFconext and its identity providers have to offer. An attribute is a characteristic that describes a user; it is a 'name:value' pair. The attributes included in the SAML assertion correspond to the attributes a service provider needs to work properly. In general they are needed to:
- Convey user information from the identity provider (IdP) to the service provider (SP)
- Create an account for the user at the service provider
- Authorize specific services at the service provider
When a user logs in to a service provider, SURFconext sends a SAML assertion to the service provider via the user's browser. That assertion contains:
- A user identifier. All services receive this; it is either a transient or a persistent NameID (configurable via the SP Dashboard).
- Additional attributes. These are optional and differ per service.
Note |
---|
SURFconext's SAML2 implementation adheres to the SAML2int standard, version 0.2.1. The header of the SAML2int page states that work on saml2int has moved to the Kantara Initiative; nevertheless, until further notice the SAML2int version SURFconext adheres to remains 0.2.1. |
Note |
---|
For content providers, SURFconext (in consultation with the partnership of the Dutch university libraries and the Koninklijke Bibliotheek (UKB) and the Hogeschoolbibliotheken (SHB)) applies a separate attribute release policy. The following are allowed: |
Info |
---|
Before you start digging into the theoretical stuff on this page, you might want to start with our 'best practice' page for an introduction to how attributes are best used. |
...
Warning |
---|
The NameID and the eduPersonTargetedID (which is basically a copy of the NameID), when set to persistent, are unlikely to change and are very privacy aware, but they can change when service providers or identity providers make critical changes. This can cause user profiles at services to be lost. The NameID, as used in the SAML assertion to a service provider when logging on, is generated from the uid, the schacHomeOrganization and the Entity ID of the service provider, together with a secret, using a SHA algorithm. When institutions or services that are in production change one of these attributes, SURFconext will generate a new NameID and eduPersonTargetedID, which can cause loss of access to profiles at services. We will notify identity providers and service providers when we see a change in one of these attributes, to prevent user data being lost. |
...
Friendly name | Attribute name | Definition | Data type | Example |
---|---|---|---|---|
| (SAML NameID element) | eduPerson (1) | UTF8 string | bd09168cf0c2e675b2def0ade6f50b7d4bb4aae |
| urn:mace:dir:attribute-def:sn | X.520 | UTF8 string | Doe; Vermeegen |
| urn:mace:dir:attribute-def:givenName | X.520 | UTF8 string | John; Mërgim Lukáš; Þrúður |
| urn:mace:dir:attribute-def:cn | X.520 | UTF8 string | John Doe; Prof.dr. Mërgim Lukáš Vermeegen; 加来 千代, PhD. |
| urn:mace:dir:attribute-def:displayName | | UTF8 string | Dr. John Doe; Prof.dr. Mërgim L. Vermeegen; 加来 千代, PhD. |
| urn:mace:dir:attribute-def:mail | | RFC-5322 address | m.l.vermeegen@university.example.org; maarten.'t.hart@uniharderwijk.nl; "very.unusual.@.but valid.nonetheless"@example.com; mlv@[IPv6:2001:db8::1234:4321] |
| urn:mace:terena.org:attribute-def:schacHomeOrganization | | RFC-1035 domain string | example.nl; something.example.org |
| urn:mace:terena.org:attribute-def:schacHomeOrganizationType | | RFC-2141 URN | urn:mace:terena.org:schac:homeOrganizationType:int:university; urn:mace:terena.org:schac:homeOrganizationType:es:opi |
Employee/student number | urn:schac:attribute-def:schacPersonalUniqueCode | Schac | RFC-2141 URN | urn:schac:personalUniqueCode:nl:local:example.edu:employeeid:x12-3456; urn:schac:personalUniqueCode:nl:local:example.nl:studentid:s1234567 |
| urn:mace:dir:attribute-def:eduPersonAffiliation | eduPerson (1) | Enum type (UTF8 string) | employee, student, faculty, member, affiliate, pre-student (staff is deprecated; library-walk-in and alum are not allowed) |
Scoped affiliation | urn:mace:dir:attribute-def:eduPersonScopedAffiliation / urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | eduPerson (1) | UTF8 string of the form affiliation@domain | student@uniharderwijk.nl; employee@uniharderwijk.nl |
| urn:mace:dir:attribute-def:eduPersonEntitlement | | RFC-2141 URN | to be determined per service (see Standardized values for eduPersonEntitlement) |
| urn:mace:dir:attribute-def:eduPersonPrincipalName | eduPerson (1) | UTF8 string | piet.jønsen@example.edu; not.a@vålîd.émail.addreß |
| urn:mace:dir:attribute-def:isMemberOf | eduMember | RFC-2141 URN | urn:collab:org:surf.nl; urn:collab:org:clarin.org |
| urn:mace:dir:attribute-def:uid | | UTF8 string (max 256 chars) | s9603145; flåp@example.edu |
| urn:mace:dir:attribute-def:preferredLanguage | | List of BCP47 language tags | nl (single tag); nl, en-gb;q=0.8, en;q=0.7 (weighted list) |
ORCID | urn:mace:dir:attribute-def:eduPersonORCID / urn:oid:1.3.6.1.4.1.5923.1.1.1.16 | eduPerson (1) | URL registered with ORCID.org | http://orcid.org/0000-0002-1825-0097 |
Assurance | urn:mace:dir:attribute-def:eduPersonAssurance / urn:oid:1.3.6.1.4.1.5923.1.1.1.11 | | URL | https://refeds.org/assurance/ID/unique |
ECK ID | urn:mace:surf.nl:attribute-def:eckid | SURF / Edu-K | URL conforming to the Edu-K specification | https://ketenid.nl/spv1/eacf3765ad342...cf3a11fe9cab2365f95da3e9965501f7c98e (value shortened for readability) |
SURF CRM ID | urn:mace:surf.nl:attribute-def:surf-crm-id | SURF | GUID of the institution as used in SURF CRM | ad93daef-0911-e511-80d0-005056956c1a |
MS AuthnMethodsReferences | http://schemas.microsoft.com/claims/authnmethodsreferences | Microsoft | URI | urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport; http://schemas.microsoft.com/claims/multipleauthn |
| urn:mace:dir:attribute-def:ou / urn:oid:2.5.4.11 | | | ICT Services |
eduid | urn:mace:eduid.nl:1.1 | | | 658b6b41-7c13-431d-b3b4-663e9077c24c; f4c9afe4-b9e1-42bb-92b8-047ac8711e29 |
Note that not all identity providers make all attributes available.
...
Info |
---|
SURFconext considers the attributes nlEduPersonOrgUnit, nlEduPersonStudyBranch and nlStudielinkNummer deprecated. When you register a new IdP or SP with SURFconext, these attributes are not allowed. Existing IdPs and SPs can use them until further notice. |
...
urn:mace | urn:mace:dir:attribute-def:sn |
urn:oid | urn:oid:2.5.4.4 |
Multiplicity | single-valued |
Data type | UTF8 string (unbounded) |
Description | The surname of a person (including any words such as “van”, “de”, “von” etc.), used for personalization; this can be a combination of existing attributes. |
Examples | Vermeegen; Valk, van der |
Notes |
urn:mace | urn:mace:dir:attribute-def:givenName |
urn:oid | urn:oid:2.5.4.42 |
Multiplicity | single-valued |
Data type | UTF8 string (unbounded) |
Description | Given name, also known as a first name, forename or Christian name / “name known by”; combinations of title, initials, and “name known by” are possible. |
Examples | Jan Klaassen |
Notes | Words such as “van”, “de”, “von” must not be in this attribute, but in the surname attribute (sn). |
urn:mace | urn:mace:dir:attribute-def:cn |
urn:oid | urn:oid:2.5.4.3 |
Multiplicity | multi-valued |
Data type | UTF8 string (unbounded) |
Description | Full name. |
Examples | Prof.dr. Mërgim Lukáš Vermeegen 加来 千代, PhD. |
Notes | For example, a typical name of a person in an English-speaking country comprises a personal title (e.g. Mr., Ms., Rd, Professor, Sir, Lord), a first name, middle name(s), last name, generation qualifier (if any, e.g. Jr.) and decorations and awards (if any, e.g. CBE). |
...
urn:mace | urn:mace:dir:attribute-def:uid |
urn:oid | urn:oid:0.9.2342.19200300.100.1.1 |
Multiplicity | single-valued (multi-valued in the specification, but within SURFconext only 1 value is allowed) |
Data type | UTF8 string (max 256 chars); use of spaces and @-characters is discouraged. |
Description | The unique code for a person that is used as the login name within the institution. |
Examples | s9603145 |
Notes |
|
...
urn:mace | urn:mace:terena.org:attribute-def:schacHomeOrganization |
urn:oid | urn:oid:1.3.6.1.4.1.25178.1.2.9 |
Multiplicity | single-valued |
Data type | RFC-1035 domain string. The domain MUST be a second-level domain under the control of the institution. Preferably, the institution's main domain name is used. |
Description | The user's organization using the organization's domain name; syntax in accordance with RFC 1035. |
Examples | uniharderwijk.nl |
Notes |
|
...
urn:mace | urn:mace:terena.org:attribute-def:schacHomeOrganizationType |
urn:oid | urn:oid:1.3.6.1.4.1.25178.1.2.10 |
Multiplicity | single-valued |
Data type | RFC-2141 URN (see the SCHAC standard) |
Description | Designation of the type of organization as defined in the SCHAC specification: https://wiki.refeds.org/display/STAN/SCHAC+Releases?preview=/44957731/128909315/SCHAC%2B1.6.0-final.pdf |
Examples | urn:mace:terena.org:schac:homeOrganizationType:int:university urn:mace:terena.org:schac:homeOrganizationType:es:opi |
Notes |
|
...
urn:mace | urn:schac:attribute-def:schacPersonalUniqueCode |
urn:oid | urn:oid:1.3.6.1.4.1.25178.1.2.14 |
Multiplicity | multi-valued |
Data type | RFC-2141 URN (see the SURF URI registry) |
Description | The user's student, employee, and/or member id as used in the university's internal systems. Also used for the Erasmus Student Identifier for international student exchange. |
Examples | urn:schac:personalUniqueCode:nl:local:example.edu:employeeid:x12-3456 |
Notes |
|
urn:mace | urn:mace:dir:attribute-def:eduPersonAffiliation |
urn:oid | urn:oid:1.3.6.1.4.1.5923.1.1.1.1 |
Multiplicity | multi-valued |
Data type | UTF8 String (only the values enumerated below are allowed) |
Description | Indicates the relationship between the user and their home organization (institution). Only the values listed in the overview table above (employee, student, faculty, member, affiliate, pre-student) are permitted within SURFconext. Use the definitions of these values to determine which affiliation a user gets; if you have doubts whether a user (fully) fits a definition, please use common sense. |
Examples | see above |
Notes |
|
...
urn:mace | urn:mace:dir:attribute-def:eduPersonScopedAffiliation |
urn:oid | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 |
Multiplicity | multi-valued |
Data type | UTF8 String of the form affiliation@domain (see below) |
Description | Indicates the relationship between the user and the domain of their home organization. The value is the role of the user followed by the domain name of the organization, so eduPersonScopedAffiliation is defined as: <eduPersonAffiliation> "@" <schacHomeOrganization>. The affiliation part must be one of the allowed values of the eduPersonAffiliation attribute (see the definition right above); the domain part must be the schacHomeOrganization of the user (or a subdomain thereof). Like eduPersonAffiliation, this is a multi-valued attribute. |
Examples | student@uniharderwijk.nl faculty@uniharderwijk.nl |
Notes |
|
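The rules for eduPersonAffiliation and eduPersonScopedAffiliation above, turned into the validation an SP would run on released attributes. This is an added example, not SURFconext code; the permitted values are the ones from the overview table, and the final consistency check (the scoped role must also appear in eduPersonAffiliation when that attribute is released) is an extra sanity check of this example rather than a rule the page states.

```python
# Permitted eduPersonAffiliation values within SURFconext, taken from the overview table.
ALLOWED_AFFILIATIONS = frozenset(
    {"employee", "student", "faculty", "member", "affiliate", "pre-student"})
# 'staff' is deprecated; 'library-walk-in' and 'alum' are simply not permitted.
DEPRECATED_AFFILIATIONS = frozenset({"staff"})


def _normalize_domain(domain: str) -> str:
    return domain.strip().lower().rstrip(".")


def domain_in_scope(domain: str, schac_home_org: str) -> bool:
    """True if domain equals schacHomeOrganization or is a subdomain of it.

    The leading dot in the suffix test stops 'evil-example.nl' matching 'example.nl'."""
    d, home = _normalize_domain(domain), _normalize_domain(schac_home_org)
    return bool(home) and (d == home or d.endswith("." + home))


def check_affiliations(values) -> list:
    """Validate eduPersonAffiliation values; return a list of problems (empty = ok)."""
    problems = []
    for v in values:
        if v in DEPRECATED_AFFILIATIONS:
            problems.append(f"eduPersonAffiliation {v!r} is deprecated")
        elif v not in ALLOWED_AFFILIATIONS:
            problems.append(f"eduPersonAffiliation {v!r} is not permitted")
    return problems


def check_scoped_affiliation(value: str, schac_home_org: str, affiliations=None) -> list:
    """Validate one eduPersonScopedAffiliation value against
    <eduPersonAffiliation> "@" <schacHomeOrganization>; return a list of problems."""
    if value.count("@") != 1:
        return [f"{value!r}: must be exactly <affiliation>@<domain>"]
    aff, domain = value.split("@")
    problems = []
    if aff not in ALLOWED_AFFILIATIONS:
        problems.append(f"{value!r}: affiliation {aff!r} is not permitted")
    if not domain_in_scope(domain, schac_home_org):
        problems.append(f"{value!r}: scope {domain!r} is not {schac_home_org!r} or a subdomain")
    # Extra sanity check of this example (not a rule on the page): when the IdP also
    # released eduPersonAffiliation, the scoped role should be one of those values.
    if affiliations is not None and aff not in affiliations:
        problems.append(f"{value!r}: affiliation {aff!r} not present in eduPersonAffiliation")
    return problems


def check_attributes(attrs: dict) -> list:
    """attrs maps friendly attribute name -> list of values, as an SP has them after login."""
    home = attrs.get("schacHomeOrganization", [""])[0]
    problems = check_affiliations(attrs.get("eduPersonAffiliation", []))
    for v in attrs.get("eduPersonScopedAffiliation", []):
        problems += check_scoped_affiliation(v, home, attrs.get("eduPersonAffiliation"))
    return problems


if __name__ == "__main__":
    # Constructed attribute set using the example values from this page.
    released = {
        "schacHomeOrganization": ["uniharderwijk.nl"],
        "eduPersonAffiliation": ["student", "member"],
        "eduPersonScopedAffiliation": ["student@uniharderwijk.nl", "member@cs.uniharderwijk.nl"],
    }
    print(check_attributes(released) or "all affiliation attributes consistent")
```

Authorization decisions at an SP should be taken only on values that pass these checks; a scope outside the user's schacHomeOrganization means the IdP is asserting a role for a domain it does not own.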
...
urn:mace | urn:mace:dir:attribute-def:eduPersonEntitlement |
urn:oid | urn:oid:1.3.6.1.4.1.5923.1.1.1.7 |
Multiplicity | multi-valued |
Data type | RFC-2141 URN |
Description | Entitlement: a custom URI (URL or URN) that indicates an entitlement to something. |
Examples |
|
Notes |
|
...
urn:mace | urn:mace:dir:attribute-def:isMemberOf |
urn:oid | urn:oid:1.3.6.1.4.1.5923.1.5.1.1 |
Multiplicity | multi-valued |
Data type | RFC-2141 URN |
Description | Lists the collaborative organizations the user is a member of. |
Examples | urn:collab:org:surf.nl |
Notes |
|
...
urn:mace | urn:mace:dir:attribute-def:eduPersonTargetedID |
urn:oid | urn:oid:1.3.6.1.4.1.5923.1.1.1.10 |
Multiplicity | single-valued |
Data type | UTF8 string (unbounded) |
Description | The attribute eduPersonTargetedID is a copy of the persistent Subject -> NameID, which is generated by SURFconext itself. When an identity provider provides an eduPersonTargetedID itself, it is always overwritten by SURFconext. |
Examples | bd09168cf0c2e675b2def0ade6f50b7d4bb4aae, carried as <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">bd09168cf0c2e675b2def0ade6f50b7d4bb4aae</saml:NameID> |
Notes | This attribute is created because the Subject -> NameID itself is not part of the SAML v2.0 response attribute list and is therefore only available to an application if the local SAML implementation explicitly supports this. Within SURFconext the Subject -> NameID is explicitly copied into the |
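To make the point in the notes concrete, here is an added example (not SURFconext or library code) that reads the Subject NameID and the attribute statement out of an already signature-verified assertion. The assertion text is constructed for this example (the issuer URL, assertion ID and timestamp are placeholders; the NameID is the table's example value) and uses the page's urn:mace attribute names. It handles the detail SP code often gets wrong: eduPersonTargetedID arrives as a nested <saml:NameID> inside the <saml:AttributeValue>, not as plain text.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EPTID = "urn:mace:dir:attribute-def:eduPersonTargetedID"

# Constructed sample assertion: issuer, ID and IssueInstant are placeholders,
# the NameID is the example value from the overview table.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp-proxy.example.org/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">bd09168cf0c2e675b2def0ade6f50b7d4bb4aae</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonTargetedID">
      <saml:AttributeValue>
        <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">bd09168cf0c2e675b2def0ade6f50b7d4bb4aae</saml:NameID>
      </saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonAffiliation">
      <saml:AttributeValue>student</saml:AttributeValue>
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:mace:terena.org:attribute-def:schacHomeOrganization">
      <saml:AttributeValue>uniharderwijk.nl</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _value_text(value_el) -> str:
    """eduPersonTargetedID is carried as a nested <saml:NameID>; other attributes as text."""
    nested = value_el.find("saml:NameID", NS)
    if nested is not None:
        return (nested.text or "").strip()
    return (value_el.text or "").strip()


def parse_assertion(xml_text: str) -> dict:
    """Extract the Subject NameID and all attributes from a verified assertion.

    The NameID sits in <saml:Subject>, outside the AttributeStatement, which is why
    generic attribute maps do not contain it unless the SAML library exposes it.
    Returns {"name_id": {"format": ..., "value": ...} | None, "attributes": {name: [values]}}."""
    root = ET.fromstring(xml_text)
    name_id_el = root.find("./saml:Subject/saml:NameID", NS)
    name_id = None
    if name_id_el is not None:
        name_id = {"format": name_id_el.get("Format"),
                   "value": (name_id_el.text or "").strip()}
    attributes = {}
    for attr in root.iterfind("./saml:AttributeStatement/saml:Attribute", NS):
        values = [_value_text(v) for v in attr.findall("saml:AttributeValue", NS)]
        attributes.setdefault(attr.get("Name"), []).extend(values)
    return {"name_id": name_id, "attributes": attributes}


def targeted_id_consistent(parsed: dict) -> bool:
    """True when eduPersonTargetedID is exactly one value equal to the persistent NameID,
    which is what SURFconext guarantees by overwriting any IdP-supplied value."""
    nid = parsed["name_id"]
    eptid = parsed["attributes"].get(EPTID, [])
    return (nid is not None and nid["format"] == PERSISTENT
            and len(eptid) == 1 and eptid[0] == nid["value"])


if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_ASSERTION)
    print(parsed["name_id"])
    print(parsed["attributes"])
    print("eduPersonTargetedID matches NameID:", targeted_id_consistent(parsed))
```

This extractor runs after the SP's SAML library has validated the response signature, audience and validity window; it performs no verification itself and must never be fed an unverified response.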
...
urn:mace | urn:mace:dir:attribute-def:eduPersonOrcid |
urn:oid | urn:oid:1.3.6.1.4.1.5923.1.1.1.16 |
Multiplicity | multi-valued (see remark below) |
Data type | URL, registered with ORCID.org |
Description | The ORCID is a persistent digital identifier that distinguishes the account holder from every other researcher. Through integration in research workflows such as manuscript and grant submission, the ORCID identifier supports automated linkages between the account holder and his/her professional activities ensuring that the account holder's work is recognized. Values MUST be valid ORCID identifiers in the ORCID preferred URL representation, i.e. http://orcid.org/0000-0002-1825-0097 |
Examples | |
Notes | For more information see https://www.surf.nl/en/news/2016/02/global-author-identifier-service-orcid-now-available-through-surfconext-and-edugain.html Although the attribute is in theory multi-valued, in practice it probably makes sense that it has no more than one value. |
...
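The requirement that values be valid ORCID identifiers in the URL representation can be checked mechanically. The following is an added example (not SURFconext code): it accepts the http://orcid.org/ form the page gives, as well as https://, and verifies the final character with the ISO 7064 MOD 11-2 checksum that ORCID iDs carry, which goes slightly beyond the page's own text; it also flags the multi-value case the notes advise against. The second sample iD below is a constructed test value.

```python
import re

# ORCID URL form as the page requires (http://orcid.org/...), with https:// also accepted.
ORCID_URL_RE = re.compile(r"^https?://orcid\.org/(\d{4})-(\d{4})-(\d{4})-(\d{3}[\dX])$")


def orcid_check_digit(base_digits: str) -> str:
    """ISO 7064 MOD 11-2 check character over the first 15 digits of an ORCID iD."""
    total = 0
    for ch in base_digits:
        total = (total + int(ch)) * 2
    result = (12 - total % 11) % 11
    return "X" if result == 10 else str(result)


def is_valid_orcid_url(value: str) -> bool:
    """True only for a well-formed ORCID URL whose check character is correct."""
    m = ORCID_URL_RE.match(value.strip())
    if m is None:
        return False
    digits = "".join(m.groups())  # 16 characters, the last may be 'X'
    return orcid_check_digit(digits[:15]) == digits[15]


def validate_orcid_attribute(values) -> list:
    """Validate released eduPersonOrcid values; return a list of problems (empty = ok)."""
    problems = [f"{v!r}: not a valid ORCID URL" for v in values if not is_valid_orcid_url(v)]
    if len(values) > 1:
        problems.append("more than one ORCID value released")
    return problems


if __name__ == "__main__":
    # Constructed sample: the page's example iD plus a bare iD without the URL prefix.
    print(validate_orcid_attribute(["http://orcid.org/0000-0002-1825-0097"]))
    print(validate_orcid_attribute(["0000-0002-1825-0097"]))
```

Rejecting a malformed or mistyped ORCID at the SP is cheaper than later discovering publications linked to the wrong researcher.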
urn:mace | urn:mace:dir:attribute-def:eduPersonAssurance |
urn:oid | urn:oid:1.3.6.1.4.1.5923.1.1.1.11 |
Multiplicity | multi-valued |
Data type | URL |
Description | Set of URIs that assert compliance with specific standards for identity assurance. |
Examples | https://refeds.org/assurance/ID/unique; https://refeds.org/assurance/IAP/medium |
Notes | Assertion by the home institution about specific aspects of identity proofing or authentication strength, according to the standards as outlined in the REFEDS Assurance Framework. For institutions, more information is available at Vrijgeven van eduPersonAssurance. |
urn:mace | urn:mace:surf.nl:attribute-def:eckid |
urn:oid | - |
Multiplicity | single-valued |
Data type | URL as specified by Edu-K, all-lowercase |
Description | Educatieve Content Keten Identifier (ECK ID) is a pseudonymous identifier for access to content for primary, secondary and vocational education. |
Examples |
|
Notes | This attribute may only be used for “the access to and use of digital learning resources or the digital administration of tests and exams”. For more information see https://www.eck-id.nl (Dutch). If you obtain this claim from an external data store, such as an enterprise Active Directory, an LDAP directory or a Microsoft SQL Server, you can define a custom attribute store to query the ECK ID claim from it. Read this Microsoft blog to get to know more. |
urn:mace | urn:mace:surf.nl:attribute-def:surf-crm-id |
urn:oid | urn:oid:1.3.6.1.4.1.1076.20.100.10.50.2 |
Multiplicity | single-valued |
Data type | Microsoft GUID |
Description | GUID of the organization to which the IdP belongs, as used in the SURF CRM. |
Examples | ad93daef-0911-e511-80d0-005056956c1a |
Notes | SURF specific and only to be used by SURF SPs that have to interface with the SURF CRM. Only to be used after consultation with SURF. |
|
Name | http://schemas.microsoft.com/claims/authnmethodsreferences |
Multiplicity | multi-valued |
Data type | URI |
Description | The AuthnContext references involved in authenticating the current user at their home IdP. |
Examples | urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport; http://schemas.microsoft.com/claims/multipleauthn |
Notes |
|
urn:mace | urn:mace:dir:attribute-def:ou |
urn:oid | urn:oid:2.5.4.11 |
Multiplicity | multi-valued |
Data type | UTF-8 string |
Description | Indicates the department, team or faculty with which the user is associated within the issuing institution. This attribute is multi-valued, so multiple departments, teams or faculties can be listed. |
Examples | ICT Services |
|
Notes |
|
urn:mace | urn:mace:eduid.nl:1.1 |
Multiplicity | single-valued |
Data type | UTF-8 string |
Description | Targeted unique eduID identifier for a user |
Examples | 658b6b41-7c13-431d-b3b4-663e9077c24c |
Notes |
|