
An extensive list of SAML attributes, together with their details and properties, can be found on our support page about attributes. Those attributes are provided by the institutions connected to SURFconext as Identity Providers. You can use any of them in your service (SURFconext translates them to OpenID Connect claims); however, you must comply with our data minimisation policy, which means you are only allowed to receive the bare minimum of attributes strictly needed to operate your service.

User identifiers

An IdP transmits the user's identity in the form of the SAML NameID element. Every IdP must supply one, but for privacy reasons SURFconext does not pass it on to your service: it generates a NameID of its own for each relying party, and that same value is used as the OpenID Connect subject (the sub claim).

To identify a user, the relying party uses the subject (the sub claim in OpenID Connect, the NameID in SAML). The subject is guaranteed to be stable for a given user, except in the case of transient identifiers. SURFconext generates a subject for each new user. It is unique to the user and specific to the relying party, so RPs cannot correlate the subjects they receive with each other. There are two types:

  • persistent
    A persistent subject contains a unique string identifying the user to this RP and persists across multiple sessions.
  • transient
    A transient subject contains a unique string identifying the user to this RP for the duration of the session only. If the user logs in again, a new transient subject is generated.

Remark

The subject is privacy-preserving and unlikely to change, but it does change when a service provider or identity provider changes one of its inputs, and that can cause user profiles at services to be lost. The subject is derived from the user's uid, the schacHomeOrganization, and the Client ID of the relying party, together with a secret, using a SHA algorithm. If an institution or service that is in production changes one of these values, SURFconext will generate a new subject for every affected user, which can cause loss of access to existing profiles at services. We will notify identity providers and relying parties when we see a change in one of these claims, to prevent user data being lost.
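The two subject types and the derivation described in the remark, modelled as an added example. This is illustrative code written for this page, not SURFconext's implementation: the page only states that uid, schacHomeOrganization, the RP's Client ID and a secret go into a SHA-based hash, so the HMAC-SHA256 construction, the length-prefixed field encoding, the per-session nonce for transient subjects, the secret and all sample values (alice, example-university.nl, client-rp-a, client-rp-b) are assumptions. The subject_will_change helper models the check behind the notification mentioned above and is likewise hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed example secret. A real proxy keeps its secret in a vault or HSM;
# note that rotating it re-keys every subject, exactly like changing the other inputs.
PROXY_SECRET = b"constructed-example-secret-do-not-use"


def _encode_fields(*fields: str) -> bytes:
    """Length-prefix each field so that different splits of the same text
    (e.g. ("ab", "c") vs ("a", "bc")) never produce the same message."""
    out = b""
    for f in fields:
        data = f.encode("utf-8")
        out += len(data).to_bytes(2, "big") + data
    return out


def persistent_subject(uid: str, schac_home_org: str, client_id: str,
                       secret: bytes = PROXY_SECRET) -> str:
    """Pairwise persistent subject (assumed construction): HMAC-SHA256 over
    (uid, schacHomeOrganization, client_id) keyed with the proxy secret.
    Same user + same RP -> same value on every login; a different RP gets an
    unrelated value, so RPs cannot correlate users across services."""
    msg = _encode_fields(uid, schac_home_org, client_id)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def transient_subject(uid: str, schac_home_org: str, client_id: str,
                      session_nonce: Optional[str] = None,
                      secret: bytes = PROXY_SECRET) -> str:
    """Pairwise transient subject: the same inputs plus a per-session nonce,
    so each new login yields a new value that is still specific to this RP."""
    nonce = session_nonce if session_nonce is not None else secrets.token_hex(16)
    msg = _encode_fields(uid, schac_home_org, client_id, nonce)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def subject_will_change(old: dict, new: dict) -> list:
    """Return the input fields whose change would re-key the subject.
    Hypothetical model of the check behind the 'we will notify' remark."""
    return [k for k in ("uid", "schacHomeOrganization", "client_id")
            if old.get(k) != new.get(k)]


def demo() -> dict:
    """Constructed walk-through of the properties stated on this page."""
    uid, org = "alice", "example-university.nl"
    rp_a, rp_b = "client-rp-a", "client-rp-b"
    sub_a = persistent_subject(uid, org, rp_a)
    before = {"uid": uid, "schacHomeOrganization": org, "client_id": rp_a}
    after = {"uid": uid, "schacHomeOrganization": "example-uni.nl", "client_id": rp_a}
    return {
        # persistent: identical on a second login
        "stable_across_logins": sub_a == persistent_subject(uid, org, rp_a),
        # pairwise: another RP receives an unrelated value for the same user
        "pairwise_per_rp": sub_a != persistent_subject(uid, org, rp_b),
        # the failure mode from the remark: a renamed schacHomeOrganization
        # re-keys the subject, so the RP sees a "new" user and the profile is lost
        "org_rename_breaks_profile": sub_a != persistent_subject(uid, "example-uni.nl", rp_a),
        # transient: two logins, two nonces, two different subjects
        "transient_differs_per_login": transient_subject(uid, org, rp_a) != transient_subject(uid, org, rp_a),
        # which inputs changed, i.e. what the notification would be about
        "fields_to_warn_about": subject_will_change(before, after),
    }


if __name__ == "__main__":
    for prop, value in demo().items():
        print(f"{prop}: {value}")
```

The length-prefixed encoding matters more than it looks: hashing a plain concatenation such as uid + org + client_id would let two distinct input triples collide, and a collision here means two different users receiving the same subject at one RP.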

The following table describes the translation from OpenID Connect Claims to SAML attributes.

...