When a user logs in to a Service Provider, SURFconext sends a SAML assertion to the Service Provider, containing:
- a user identifier (NameID)
- additional attributes (optional)
Note: SURFconext's SAML2 implementation adheres to the SAML2int standard.
This page lists all the SAML2 attributes that SURFconext and its Identity Providers have to offer.
An attribute is a characteristic that describes a user. It is a 'name:value' pair. The attributes included in the SAML assertion correspond to certain attributes a service provider needs to work properly. In general they are needed to:
- Convey user information from the Identity provider or IdP to the service provider
- Create an account for the user at the service provider
- Authorize specific services at the service provider
Now, when a user logs in to a Service Provider, SURFconext sends a SAML assertion to the Service Provider via the browser of the user. The assertion contains:
- A user identifier. All services receive this; it is either a transient or a persistent NameID (configurable).
- Additional attributes. These are optional and differ per service.
Note: SURFconext's SAML2 implementation adheres to the SAML2int standard 0.2.1. The header on the linked page states that work on saml2int has moved to the Kantara Initiative. Until further notice, the SAML2int standard SURFconext adheres to remains at 0.2.1.
Note: For content providers, SURFconext (in consultation with the partnership of the Dutch university libraries and the Koninklijke Bibliotheek (UKB) and the Hogeschoolbibliotheken (SHB)) applies a separate attribute release policy. The following are allowed:
Info: Before you start digging into the theoretical material on this page, you might want to start with our 'best practice' page for an introduction to attributes and how they are best used.
User identifiers
The user's identity is transmitted in the form of the NameID element. Every IdP must supply a NameID, but for privacy reasons SURFconext will generate a new one, which is duplicated in the attribute eduPersonTargetedID.
To identify a user the Service Provider must use the NameID or eduPersonTargetedID. The NameID is guaranteed to be stable for a fixed user, except in the case of transient identifiers. SURFconext will generate a NameID for each new user. It is unique for the user and specific to the SP, so SPs cannot correlate the NameIDs they receive with each other. There are two types of NameIDs:
- urn:oasis:names:tc:SAML:2.0:nameid-format:persistent: a persistent NameID contains a unique string identifying the user for this SP and persisting over multiple sessions.
- urn:oasis:names:tc:SAML:2.0:nameid-format:transient: a transient NameID contains a unique string identifying the user for this SP during the session. If the user logs in again, a new transient identifier will be generated.
Warning: The NameID and the eduPersonTargetedID, which is basically a copy of the NameID, are unlikely to change and very privacy aware, but they can change when service providers or identity providers make critical changes. This can cause user profiles at services to be lost. The NameID, as used in the SAML assertion to a service provider when logging in, is generated from the uid, the schacHomeOrganization and the Entity ID of the service provider, together with a secret, using a SHA algorithm. Institutions or services that are in production and change one of these values will cause SURFconext to generate a new NameID and eduPersonTargetedID, which can cause loss of access to profiles at services. We will notify identity providers and service providers when we see a change in one of these attributes, to prevent user data being lost.
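The properties this warning relies on (stable per SP, not correlatable across SPs, broken by a change in any input) can be observed directly with a small derivation. The Python below is an added illustration, not SURFconext's own code: the page only says the NameID is generated from the uid, the schacHomeOrganization and the SP Entity ID together with a secret using a SHA algorithm, and that '@' in the uid is translated to '_' first (see the uid notes). HMAC-SHA256 over a delimited concatenation, the lower-casing of the home organisation, the entity IDs and the secret are all assumptions made here so that the behaviour can be run and checked.

```python
"""Why a NameID / eduPersonTargetedID changes when its inputs change.

Added example, not SURFconext's own code. The exact construction is not given
on the page; HMAC-SHA256 over a delimited concatenation is an ASSUMPTION used
as a stand-in so the properties can be observed.
"""
import hashlib
import hmac

SP_A = "https://sp-a.example.org/saml/metadata"   # constructed entity IDs
SP_B = "https://sp-b.example.org/saml/metadata"
SECRET = b"constructed-demo-secret-not-a-real-key"  # constructed; a real deployment keeps this out of source


def normalize_uid(uid: str) -> str:
    """SURFconext translates '@' in the uid to '_' before constructing the NameID."""
    return uid.replace("@", "_")


def derive_pairwise_id(secret: bytes, uid: str, home_org: str, sp_entity_id: str) -> str:
    """Hypothetical pairwise pseudonym: keyed hash over the three inputs.

    schacHomeOrganization is matched case-insensitively on this page, so it is
    lower-cased here (an assumption about the derivation, not a documented rule).
    The separator cannot occur in a domain or entity ID, so ("ab", "c") and
    ("a", "bc") cannot produce the same material.
    """
    material = "\x1f".join((normalize_uid(uid), home_org.lower(), sp_entity_id))
    return hmac.new(secret, material.encode("utf-8"), hashlib.sha256).hexdigest()


def properties() -> dict:
    """Check the properties the warning describes, on constructed data."""
    base = derive_pairwise_id(SECRET, "s9603145", "uniharderwijk.nl", SP_A)
    return {
        # same user, same SP, only the case of the home org differs: still linked
        "stable_for_sp": base == derive_pairwise_id(SECRET, "s9603145", "UniHarderwijk.nl", SP_A),
        # same user at another SP: a different value, so SPs cannot correlate users
        "unlinkable_across_sps": base != derive_pairwise_id(SECRET, "s9603145", "uniharderwijk.nl", SP_B),
        # the IdP renames the login (cf. 'Changing attributes' below): the link is lost
        "uid_change_breaks_link": base != derive_pairwise_id(SECRET, "j.doe", "uniharderwijk.nl", SP_A),
        # the institution changes its schacHomeOrganization: the link is lost too
        "home_org_change_breaks_link": base != derive_pairwise_id(SECRET, "s9603145", "example.nl", SP_A),
        # because '@' is folded to '_', these two distinct uids yield the same NameID
        "at_and_underscore_collide": derive_pairwise_id(SECRET, "flåp@example.edu", "example.edu", SP_A)
        == derive_pairwise_id(SECRET, "flåp_example.edu", "example.edu", SP_A),
    }


if __name__ == "__main__":
    for name, holds in properties().items():
        print(f"{name}: {holds}")
```

The last property is the one an IdP should keep in mind when the uid notes say '@' is allowed but discouraged: two uids that differ only in '@' versus '_' map to one identifier at the same SP.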
Changing attributes
As an Identity Provider it is important to realise that changing attributes in production on SURFconext in any way can have an impact on the services users have access to. Attributes that you offer to SURFconext are used to create profiles, and data is often linked to them. Changing an attribute in any way can have unwanted results, such as users no longer being able to access their valuable data. An example is modifying the way you fill the email address (amongst others), for instance changing 'student.123456@university.nl' to 'john.doe@university.nl'. If you plan to do this, or start a project where this is the case, contact us by email at support@surfconext.nl.
Useful links
- Table with attributes we recommend our institutions to release: https://wiki.surfnet.nl/display/surfconextdev/Vereiste+attributen
- Profile page https://profile.surfconext.nl/, showing which attributes are released by your IdP to SURFconext
- For new IdPs, or for IdPs that upgrade their environment: system administrators will at some point be asked to share the metadata of their account for analysis. When asked, visit this page and click the 'Mail to SURFconext' button. We will get back to you when we have assessed the submitted metadata. This page will also show you the attributes shared and their values.
Attribute schemas
A schema is an abstract representation of an object's characteristics and relationship to other objects.
SURFconext supports two attribute schemas:
- urn:oid schema (SAML2.0 compliant)
- urn:mace schema (SAML1.1 compliant)
Both can be used to convey the same information (except for the NameID, which is only available in the urn:oid schema). By default SURFconext will provide attributes in both schemas as part of the assertion. However, it is not recommended to mix the use of the schemas.
Attribute overview
SURFconext supports relaying of the following attributes:
Friendly name | Attribute name | Definition | Data type | Example |
---|---|---|---|---|
(NameID) | SAML NameID element; urn:mace:dir:attribute-def:eduPersonTargetedID; urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | eduPerson (1) | UTF8 string (unbounded) | bd09168cf0c2e675b2def0ade6f50b7d4bb4aae |
sn | urn:mace:dir:attribute-def:sn; urn:oid:2.5.4.4 | | UTF8 string (unbounded) | Doe; Vermeegen; 孝慈 |
givenName | urn:mace:dir:attribute-def:givenName; urn:oid:2.5.4.42 | | UTF8 string (unbounded) | John; Mërgim Lukáš; Þrúður |
cn | urn:mace:dir:attribute-def:cn; urn:oid:2.5.4.3 | | UTF8 string (unbounded) | John Doe; Prof.dr. Mërgim Lukáš Vermeegen; 加来 千代, PhD. |
displayName | urn:mace:dir:attribute-def:displayName; urn:oid:2.16.840.1.113730.3.1.241 | | UTF8 string (unbounded) | Dr. John Doe; Prof.dr. Mërgim L. Vermeegen; 加来 千代, PhD. |
mail | urn:mace:dir:attribute-def:mail; urn:oid:0.9.2342.19200300.100.1.3 | | RFC-5322 address (max 256 chars) | m.l.vermeegen@university.example.org; maarten.'t.hart@uniharderwijk.nl; "very.unusual.@.but valid.nonetheless"@example.com; mlv@[IPv6:2001:db8::1234:4321] |
schacHomeOrganization | urn:mace:terena.org:attribute-def:schacHomeOrganization; urn:oid:1.3.6.1.4.1.25178.1.2.9 | | RFC-1035 domain string | example.nl; something.example.org |
schacHomeOrganizationType | urn:mace:terena.org:attribute-def:schacHomeOrganizationType; urn:oid:1.3.6.1.4.1.25178.1.2.10 | | RFC-2141 URN (see Schac standard) | urn:mace:terena.org:schac:homeOrganizationType:int:university; urn:mace:terena.org:schac:homeOrganizationType:es:opi |
Employee/student number | urn:schac:attribute-def:schacPersonalUniqueCode; urn:oid:1.3.6.1.4.1.25178.1.2.14 | | RFC-2141 URN (see SURFnet registry) | urn:schac:personalUniqueCode:nl:local:example.edu:employeeid:x12-3456; urn:schac:personalUniqueCode:nl:local:example.nl:studentid:s1234567 |
eduPersonAffiliation | urn:mace:dir:attribute-def:eduPersonAffiliation; urn:oid:1.3.6.1.4.1.5923.1.1.1.1 | eduPerson (1) | Enum type (UTF8 String) | employee, student, faculty, member, affiliate, pre-student (staff is deprecated; library-walk-in, alum are not allowed) |
Scoped affiliation | urn:mace:dir:attribute-def:eduPersonScopedAffiliation; urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | | UTF8 string of the form user@domain | student@uniharderwijk.nl; employee@uniharderwijk.nl; student@physics.uniharderwijk.nl; employee@facilities.uniharderwijk.nl |
eduPersonEntitlement | urn:mace:dir:attribute-def:eduPersonEntitlement; urn:oid:1.3.6.1.4.1.5923.1.1.1.7 | eduPerson (1) | RFC-2141 URN, multi-valued | to be determined per service (see Standardized values for eduPersonEntitlement) |
eduPersonPrincipalName | urn:mace:dir:attribute-def:eduPersonPrincipalName; urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | | UTF8 string of the form user@domain | piet.jønsen@example.edu; not.a@vålîd.émail.addreß |
isMemberOf | urn:mace:dir:attribute-def:isMemberOf; urn:oid:1.3.6.1.4.1.5923.1.5.1.1 | | RFC-2141 URN, multi-valued | urn:collab:org:surf.nl; urn:collab:org:clarin.org |
uid | urn:mace:dir:attribute-def:uid; urn:oid:0.9.2342.19200300.100.1.1 | | UTF8 string (max 256 chars) | s9603145; flåp@example.edu |
preferredLanguage | urn:mace:dir:attribute-def:preferredLanguage; urn:oid:2.16.840.1.113730.3.1.39 | | List of BCP47 language tags | nl; nl, en-gb;q=0.8, en;q=0.7 |
ORCID | urn:mace:dir:attribute-def:eduPersonOrcid; urn:oid:1.3.6.1.4.1.5923.1.1.1.16 | | URL registered with ORCID.org | http://orcid.org/0000-0002-1825-0097 |
Assurance | urn:mace:dir:attribute-def:eduPersonAssurance; urn:oid:1.3.6.1.4.1.5923.1.1.1.11 | | URL | https://refeds.org/assurance/ID/unique |
ECK ID | urn:mace:surf.nl:attribute-def:eckid | | URL as specified by Edu-K | https://ketenid.nl/spv1/eacf3765ad342...cf3a11fe9cab2365f95da3e9965501f7c98e (attribute made shorter for readability) |
SURF CRM ID | urn:mace:surf.nl:attribute-def:surf-crm-id; urn:oid:1.3.6.1.4.1.1076.20.100.10.50.2 | | Microsoft GUID | ad93daef-0911-e511-80d0-005056956c1a |
MS AuthnMethodsReferences | http://schemas.microsoft.com/claims/authnmethodsreferences | | | urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport; http://schemas.microsoft.com/claims/multipleauthn |
ou | urn:mace:dir:attribute-def:ou; urn:oid:2.5.4.11 | | | ICT Services |
eduid | urn:mace:eduid.nl:1.1 | | | 658b6b41-7c13-431d-b3b4-663e9077c24c; f4c9afe4-b9e1-42bb-92b8-047ac8711e29 |
Note that not all identity providers might make all attributes available.
(1) eduPerson Object Class Specification (201602): https://wiki.refeds.org/pages/viewpage.action?pageId=44957738 (also published at http://software.internet2.edu/eduperson/internet2-mace-dir-eduperson-201602.html)
Info: SURFconext considers the attributes nlEduPersonOrgUnit, nlEduPersonStudyBranch and nlStudielinkNummer deprecated. When you register a new SP at SURFconext, these attributes will not be allowed for use with SURFconext. Existing IdPs and SPs can use these attributes until further notice.
Detailed attribute descriptions
Anchor | ||||
---|---|---|---|---|
|
See User identifiers.
Anchor | ||||
---|---|---|---|---|
|
urn:mace |
urn:mace:dir:attribute-def:sn | |
urn: |
oid | urn:oid: |
2. |
5. |
eduPerson (1)
Enum type (UTF8 String)
employee, student, faculty, member, affiliate, pre-student
(staff is deprecated; library-walk-in, alum are not allowed)
4.4 | |
Multiplicity | single-valued |
Data type | UTF8 string (unbounded) |
Description | The surname of a person (including any words such as “van”, “de”, “von” etc.) used for Personalization; this can be a combination of existing attributes. |
Examples | Vermeegen 孝慈 |
Notes |
Anchor | ||||
---|---|---|---|---|
|
urn:mace |
urn:mace:dir:attribute-def:givenName | |
urn: |
oid | urn:oid: |
user@domain
student@physics.uniharderwijk.nl
employee@facilities.uniharderwijk.nl
urn:mace:dir:attribute-def:eduPersonEntitlement
urn:oid:1.3.6.1.4.1.5923.1.1.1.7
eduPerson (1)
RFC-2141 URN
Multi-valued
to be determined per service (see Standardized values for eduPersonEntitlement)
2.5.4.42 | |
Multiplicity | single-valued |
Data type | UTF8 string (unbounded) |
Description | Given name, also known as a first name, forename or Christian name / “name known by”; combinations of title, initials, and “name known by” are possible. |
Examples | Jan Klaassen |
Notes |
Anchor | ||||
---|---|---|---|---|
|
urn:mace |
urn:mace:dir:attribute-def:cn | |
urn: |
oid | urn:oid: |
2. |
5. |
UTF8 String
user@domain
piet.jønsen@example.edu
not.a@vålîd.émail.addreß
urn:mace:dir:attribute-def:isMemberOf
urn:oid:1.3.6.1.4.1.5923.1.5.1.1
RFC-2141 URN
Multi-valued
urn:collab:org:surf.nl
urn:collab:org:clarin.org
4.3 | |
Multiplicity | multi-valued |
Data type | UTF8 string (unbounded) |
Description | Full name. |
Examples | Prof.dr. Mërgim Lukáš Vermeegen 加来 千代, PhD. |
Notes | For example, a typical name of a person in an English-speaking country comprises a personal title (e.g. Mr., Ms., Rd, Professor, Sir, Lord), a first name, middle name(s), last name, generation qualifier (if any, e.g. Jr.) and decorations and awards (if any, e.g. CBE). |
Anchor | ||||
---|---|---|---|---|
|
urn:mace |
urn:mace:dir:attribute-def:displayName |
urn: |
oid | urn:oid: |
UTF8 String
(max 256 chars)
s9603145
flåp@example.edu
2.16.840.1.113730.3.1.241 | |
Multiplicity | single-valued |
Data type | UTF8 string (unbounded) |
Description | Name as displayed in applications |
Examples | Prof.dr. Mërgim Lukáš Vermeegen 加来 千代, PhD. |
Notes |
|
Anchor | ||||
---|---|---|---|---|
urn:mace | urn:mace:dir:attribute-def: |
urn:oid | urn:oid: |
0. |
9. |
2342. |
19200300. |
100. |
1. |
3 |
Multiplicity |
List of BCP47 language tags
nl
nl, en-gb;q=0.8, en;q=0.7
URL registered
with ORCID.org
Note that not all identity providers might make all attributes available.
(1) eduPerson Object Class Specification (201602): http://software.internet2.edu/eduperson/internet2-mace-dir-eduperson-201602.html
Detailed attribute descriptions
...
See User identifiers.
multi-valued | |
Data type | RFC-5322 address (max 256 chars) |
Description | e-mail address; syntax in accordance with RFC 5322 |
Examples | m.l.vermeegen@university.example.org "very.unusual.@.unusual.com"@example.com mlv@[IPv6:2001:db8::1234:4321]; the |
Notes |
|
Anchor | ||||
---|---|---|---|---|
|
...
urn:mace | urn:mace:dir:attribute-def: |
uid | |
urn:oid | urn:oid: |
0.9.2342.19200300.100.1.1 | |
Multiplicity | single-valued (multi-valued in the specification, but within SURFconext only 1 value is allowed) |
Data type | UTF8 |
String ( |
max 256 chars); use of spaces and @ -characters is discouraged. | |
Description | The |
孝慈
Notes
...
urn:mace
...
urn:mace:dir:attribute-def:givenName
...
urn:oid
...
urn:oid:2.5.4.42
...
Multiplicity
...
single-valued
...
Description
...
Given name / “name known by”; combinations of title, initials, and “name known by” are possible.
...
Jan Klaassen
Mërgim K. Lukáš
Þrúður
...
Notes
...
unique code for a person that is used as the login name within the institution. | |
Examples | s9603145 |
Notes |
|
Anchor | ||||
---|---|---|---|---|
|
...
urn:mace | urn:mace: |
terena.org:attribute-def: |
schacHomeOrganization | |
urn:oid | urn:oid: |
Multiplicity
multi-valued
(unbounded)
Description
Full name.
加来 千代, PhD.
Notes
For example, a typical name of a person in an English-speaking country comprises a personal title (e.g. Mr., Ms., Rd, Professor, Sir, Lord), a first name, middle name(s), last name, generation qualifier (if any, e.g. Jr.) and decorations and awards (if any, e.g. CBE).
Display name
...
urn:mace
...
urn:mace:dir:attribute-def:displayName
...
urn:oid
...
urn:oid:2.16.840.1.113730.3.1.241
...
Multiplicity
...
single-valued
...
Description
...
Name as displayed in applications
...
Notes
...
- This attribute can typically be changed by the end-users themselves, and is therefore not very suitable for identification.
1.3.6.1.4.1.25178.1.2.9 | |
Multiplicity | single-valued |
Data type | RFC-1035 domain string. The domain MUST be a secondary-level domain that is under control by the institution. Preferably, the institution's main domain name should be used. |
Description | The user's organization using the organization's domain name; syntax in accordance with RFC 1035. |
Examples | uniharderwijk.nl |
Notes |
|
Anchor | ||||
---|---|---|---|---|
|
...
urn:mace | urn:mace: |
terena.org:attribute-def: |
schacHomeOrganizationType | |
urn:oid | urn:oid: |
1.3.6.1.4.1.25178.1.2.10 |
Multiplicity |
single- |
value | |
Data type | RFC- |
2141 URN (see Schac standard) |
Description |
e-mail address; syntax in accordance with RFC 5322
"very.unusual.@.unusual.com"@example.com
mlv@[IPv6:2001:db8::1234:4321]; the
Notes
- Multiple email addresses are allowed. However, there's no clear strategy for SPs on how to interpret multiple addresses (use both? pick one? ask user to pick one?); the SP should devise a strategy that makes sense within the context of the application. As an IdP, in the interest of interoperability, it's advisable to avoid sending multiple addresses where possible.
- An email address is not necessarily the email address of this person at the institution.
- Do not use this attribute to uniquely identify a user. Use the NameId instead.
- A user's email address may change over time, or an IdP may allow a user to change this value themselves. This makes that attribute unsuitable for authentication and authorization purposes.
...
designation of the type of organization as defined on http://www.terena.org/registry/terena.org/schac/homeOrganizationType | |
Examples | urn:mace:terena.org:schac:homeOrganizationType:int:university urn:mace:terena.org:schac:homeOrganizationType:es:opi |
Notes |
|
Anchor | ||||
---|---|---|---|---|
|
urn:mace | urn:schac:attribute-def:schacPersonalUniqueCode |
urn:mace
urn:oid | urn:oid: |
1. |
3. |
6. |
1. |
4.1.25178.1.2.14 |
Multiplicity |
multi- |
value |
Data type |
@
-characters is discouraged.Description
The unique code for a person that is used as the login name within the institution.
s9603145
piet
flåp@example.edu
Notes
- The uid is not a unique identifier for SURFconext users. Uid values are at most unique for each IdP.
- Ideally the uid is not only a login name/code but also an identifier that is guaranteed as being unique within the institution over the course of time. At the moment, there is no such guarantee.
- Use the NameId for unique identifiers in SURFconext rather than uid.
- Use the eduPersonPrincipalName attribute if a human-readable unique identifier is required
- A uid may contain any unicode character. E.g., "
org:surfnet.nl:joe von stühl
" is a valid uid. - SURFconext translates @-characters in the uid to underscores before constructing the NameID.
...
urn:mace
...
urn:mace:terena.org:attribute-def:schacHomeOrganization
...
urn:oid
...
urn:oid:1.3.6.1.4.1.25178.1.2.9
...
Multiplicity
...
single-valued
...
Description
...
The user's organisation using the organisation’s domain name; syntax in accordance with RFC 1035.
...
uniharderwijk.nl
example.nl
...
Notes
...
- In the past, SURFconext used to send the home organisation in the attribute urn:oid:1.3.6.1.4.1.1466.115.121.1.15, which was incorrect. Since 2013, the correct oid urn:oid:1.3.6.1.4.1.25178.1.2.9 is in use. For reasons of compatibility, the old (wrong) key is also still sent. It should not be used in new implementations.
- Matching values against this attribute should be case-insensitive, i.e. the values "uniharderwijk.nl" and "UniHarderwijk.nl" should be considered equal.
- It is desirable to have the same value for all your users.
- SURFconext will store the allowed value for your institution in our configuration so we can check that no illegal values are being sent.
RFC-2141 URN (see SURFnet registry) | |
Description | The user's student, employee, and/or member id as used in the university's internal systems |
Examples | urn:schac:personalUniqueCode:nl:local:example.edu:employeeid:x12-3456 urn:schac:personalUniqueCode:nl:local:example.nl:studentid:s1234567 |
Notes |
|
Anchor | ||||
---|---|---|---|---|
|
urn:mace | urn:mace:dir:attribute-def:eduPersonAffiliation |
urn:oid | urn:oid:1.3.6.1.4.1.5923.1.1.1.1 |
Multiplicity | multi-valued |
Data type | UTF8 String (only the values enumerated below are allowed) |
Description | Indicates the relationship between the user and his home organization (institution). The following values are permitted within SURFconext:
Use the above mentioned definitions to determine which affiliation a user gets. If the definitions are not sufficient, please use common sense. |
Examples | see above |
Notes |
|
Anchor | ||||
---|---|---|---|---|
|
...
urn:mace | urn:mace: |
dir:attribute-def: |
eduPersonScopedAffiliation | |
urn:oid | urn:oid:1.3.6.1.4.1.5923. |
1.1. |
1. |
9 |
Multiplicity |
multi- |
valued |
Data type |
Description
designation of the type of organisation as defined on http://www.terena.org/registry/terena.org/schac/homeOrganizationType
urn:mace:terena.org:schac:homeOrganizationType:es:opi
Notes
- Attribute values are registered by Terena on http://www.terena.org/registry/terena.org/schac/homeOrganizationType
- In practice, this attribute is not/hardly used by IdPs or SPs
- Please contact support@surfconext.nl if you would like to use this attribute
...
UTF8 String of the form affiliation@domain (see below) | |
Description | Indicates the relationship between the user and the domain of his home organization. The affiliation part must be one of the allowed values of the eduPersonAffiliation attribute (see definition right above). The value is the role of the user and the domain name of the organisation. eduPersonScopedAffiliation can hence be defined as: <eduPersonAffiliation> "@" <schacHomeOrganization>. Just like eduPersonScopedAffiliation, this is a multi valued attribute. The domain part must be the schacHomeOrganization of the user (or a subdomain thereof). |
Examples | student@uniharderwijk.nl faculty@uniharderwijk.nl |
Notes |
|
Anchor | ||||
---|---|---|---|---|
|
urn:mace | urn: |
mace:dir:attribute-def: |
eduPersonEntitlement | |
urn:oid | urn:oid:1.3.6.1.4.1.5923. |
1.1. |
1. |
7 | |
Multiplicity | multi-value |
Data type | RFC-2141 URN |
Description |
entitlement; custom URI (URL or URN) that indicates an entitlement to something. | |
Examples |
|
urn:schac:personalUniqueCode:nl:local:example.nl:studentid:s1234567
Notes
- Attribute values are registered by SURFnet on https://wiki.surfnet.nl/x/xoTdAg
- Please contact the SURFnet support team if you would like to use this attribute as an SP, or if you would like to provide it as an IdP.
- This attribute's main use is for matching user accounts to the university's internal systems
...
| |
Notes |
|
Anchor | ||||
---|---|---|---|---|
|
...
urn:mace | urn:mace:dir:attribute-def: |
eduPersonPrincipalName | |
urn:oid | urn:oid:1.3.6 |
Multiplicity
multi-valued
Description
Indicates the relationship between the user and his home organisation (institution). The following values are permitted within SURFconext:
student
— A person enrolled at an institution, an external student or course participant.employee
— A person with a position at or labour agreement with an institution.staff
faculty
— Workers whose primary role is teaching or research. (Commonly called WP at Dutch universities.)member
— Anyone that holds at least one of the above affiliations is also a member.pre-student
— A person who has registered to start studying, but is not yet a full student. See this page (Dutch only) for more information about pre-students and the terms and conditions under which such users are allowed access. Pre-students will never be allowed access to service providers without prior consent from the service provider.affiliate
— A person who is authorised by the Institution, pursuant to the licence model concluded by the Institution, to use the Service.Use the above mentioned definitions to determine which affiliation a user gets. If the definitions are not sufficient, please use common sense.
Notes
- Any user who has the affiliation
student
,employee
, orfaculty
, should also have the valuemember
. - Identity Providers might internally use additional values for the affiliation attribute, such as
alum
. Per SURFconext policy, the IdP may not allow such users to access SURFconext.
Other values mentioned in the eduPerson specification includelibrary-walk-in
. This value is not currently used within SURFconext. - According to the eduPerson specification, the values of this attribute are case insensitive; for interoperability reasons however, we require lower-case values as specified above in SURFconext.
- The document REFEDS eduPerson(Scoped)Affiliaton usage comparison is useful to determine the usefulness of values in an international context.
...
.1.4.1.5923.1.1.1.6 | |
Multiplicity | single-valued |
Data type | UTF8 String of the form user@scope |
Description | Unique identifier for a user. |
Examples | piet.jønsen@example.e not.a@vålîd.émail.addreß |
Notes |
|
Anchor | ||||
---|---|---|---|---|
|
...
urn:mace | urn:mace:dir:attribute-def: |
isMemberOf | |
urn:oid | urn:oid:1.3.6.1.4.1.5923.1.5.1.1 |
Multiplicity | multi-valued |
Data type |
RFC-2141 URN |
Description |
Lists the |
collaborative organizations the user |
<affiliation>@<sub.domain.nl>
. In this way, the relationship between a user and his institution can be specified in a fine-grained way. For example, it allows for specification that a user is a student in the Physics department, or a secretary works in a specific department within a faculty.The affiliation
-part must be one of the values allowed for the eduPersonAffiliation attribute (see above).
The domain-part of this attribute must be subdomain of the user's schacHomeOrganization. This subdomain does not necessarily need to exist in DNS. For example, if the user's university uses the schacHomeOrganization uniharderwijk.nl
, valid values for the domain part of the eduPersonScopedAffiliation would be science.uniharderwijk.nl
, physics.science.uniharderwijk.nl
, etc.
student@physics.uniharderwijk.nl
employee@catering.facilities.uniharderwijk.nl
faculty@bio.uniharderwijk.nl
Notes
- This attribute can be used to express the faculty, field of study, department, etc. to which a user is affiliated.
- As this attribute is multivalued, it is easily possible to express that a user is a student in a certain field, and at the same time is employed by a different department of the university
- There is no common register or policy of which subdomains are valid or express a certain concept. For example,
employee@cs.uniharderwijk.nl
might indicate the user is a staff member of the computer science department of the University of Harderwijk, whileemployee@cs.surfnet.nl
might indicate an employee of the community support department of SURFnet. Therefore, if you are an SP and would like to use this attribute, you always need to confer with the university if you need to interpret these values.
...
is a member of. | |
Examples | urn:collab:org:surf.nl |
Notes |
|
Anchor | ||||
---|---|---|---|---|
|
urn:mace | urn:mace:dir:attribute-def:preferredLanguage |
urn:oid | urn:oid:2.16.840.1.113730.3.1.39 |
Multiplicity | single-valued |
Data type | RFC2798 BCP47 |
Description | a two-letter abbreviation for the preferred language according to the ISO 639 language abbreviation code table; no subcodes. |
Examples | nl |
Notes | Used to indicate an individual's preferred written or spoken language. This is useful for international correspondence or human-computer interaction. Values for this attribute type MUST conform to the definition of the Accept-Language header field defined in RFC 2068 with the exception that the value " |
Anchor | ||||
---|---|---|---|---|
|
urn:mace | urn:mace:dir:attribute-def:eduPersonTargetedID |
urn:oid | urn:oid:1.3.6.1.4.1.5923.1.1.1.10 |
Multiplicity | single-valued |
Data type | UTF8 string (unbounded) |
Description | The attribute eduPersonTargetedID is a copy of the persistent Subject -> NameID, which is generated by SURFconext itself. When an Identity Provider provides the eduPersonTargetedID itself, it is always overwritten by SURFconext. |
Examples | bd09168cf0c2e675b2def0ade6f50b7d4bb4aae |
Notes | This attribute is created because the Subject -> NameID itself is not part of the SAML v2.0 response and therefore only is available for an application if the local SAML implementation explicitly supports this. Within SURFconext the Subject -> NameID is explicitly copied into the |
Anchor | ||||
---|---|---|---|---|
|
...
urn:mace | urn:mace:dir:attribute-def:eduPersonEntitlement |
urn:oid | urn:oid:1.3.6.1.4.1.5923.1.1.1.7 |
Multiplicity | multi-value |
Data type | RFC-2141 URN |
Description | entitlement; custom URI (URL or URN) that indicates an entitlement to something. |
Examples |
|
Notes |
|
...
:eduPersonOrcid | |
urn:oid | urn:oid:1.3.6.1.4.1.5923.1.1.1.16 |
Multiplicity | multi-valued (see remark below) |
Data type | URL, registered with ORCID.org |
Description | The ORCID is a persistent digital identifier that distinguishes the account holder from every other researcher. Through integration in research workflows such as manuscript and grant submission, the ORCID identifier supports automated linkages between the account holder and his/her professional activities ensuring that the account holder's work is recognized. Values MUST be valid ORCID identifiers in the ORCID preferred URL representation, i.e. http://orcid.org/0000-0002-1825-0097 |
Examples | |
Notes | Although the attribute is in theory multi-valued, in practice it probably makes sense that it has no more than one value. |
Anchor | ||||
---|---|---|---|---|
|
...
urn:mace | urn:mace:dir:attribute-def:eduPersonPrincipalNameeduPersonAssurance |
urn:oid | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 |
Multiplicity | single-valued |
Data type | UTF8 String of the form user@domain . The domain MUST be equal to or a be a subdomain of the schacHomeOrganization. |
Description | Unique identifier for a user. |
Examples | piet.jønsen@example.edu not.a@vålîd.émail.addreß |
Notes |
|
...
urn:mace | urn:mace:dir:attribute-def:isMemberOf |
urn:oid | urn:oid:1.3.6.1.4.1.5923.1.5.1.1 |
Multiplicity | multi-valued |
Data type | RFC-2141 URN |
Description | Lists the collaborative organisations the user is a member of. |
Examples | urn:collab:org:surf.nl |
Notes |
|
.1.16 | |
Multiplicity | multi-valued |
Data type | URL |
Description | Set of URIs that assert compliance with specific standards for identity assurance. |
Examples | https://refeds.org/assurance/ID/unique https://refeds.org/assurance/IAP/medium |
Notes | Assertion by the home institution about specific aspects of identity proofing or authentication strength. Although in principe any URI is allowed, SURFconext recommends to populate this according to the standards as outlined in REFEDS Assurance Framework. The institution needs to match their identity management practices to this standard to know what values it may assert. This provides ways to communicate properties about e.g. identity proofing or identifier lifetimes, for interpretation by SPs. SURFconext itself does not do anything specific with released values. |
urn:mace | urn:mace:surf.nl:attribute-def:eckid |
urn:oid | - |
Multiplicity | single-valued |
Data type | URL as specified by Edu-K, all-lowercase |
Description | Educatieve Content Keten Identifier (ECK ID) is a pseudonymous identifier for access to content for primary, secondary and vocational education. |
Examples |
|
Notes | This attribute may only be used for “the access to and use of digital learning resources or the digital administration of tests and exams”. For more information see https://www.eck-id.nl (Dutch). If the ECK ID claim has to be sourced from an external data store, such as an enterprise Active Directory, an LDAP directory or a Microsoft SQL Server, a custom attribute store can be defined to query it from there. Read the referenced Microsoft blog to learn more. |
...
urn:mace | urn:mace:dir:attribute-def:preferredLanguage |
urn:oid | urn:oid:2.16.840.1.113730.3.1.39 |
Multiplicity | single-valued |
Data type | RFC2798 BCP47 |
Description | A two-letter abbreviation for the preferred language according to the ISO 639 language abbreviation code table; no subcodes. |
Examples | nl |
Notes | Used to indicate an individual's preferred written or spoken language. This is useful for international correspondence or human-computer interaction. Values for this attribute type MUST conform to the definition of the Accept-Language header field defined in RFC 2068 with one exception: the value " |
...
urn:mace | urn:mace:dir:attribute-def:eduPersonTargetedID |
urn:oid | urn:oid:1.3.6.1.4.1.5923.1.1.1.10 |
Multiplicity | single-valued |
Data type | UTF8 string (unbounded) |
Description | The attribute eduPersonTargetedID is a copy of the Subject -> NameID, which is generated by SURFconext itself. When an Identity Provider provides the eduPersonTargetedID itself, it is always overwritten by SURFconext. |
Examples | bd09168cf0c2e675b2def0ade6f50b7d4bb4aae |
Notes | This attribute is created because the Subject -> NameID itself is not part of the SAML v2.0 response and therefore is only available to an application if the local SAML implementation explicitly supports it. Within SURFconext the Subject -> NameID is explicitly copied into the |
urn:mace | urn:mace:surf.nl:attribute-def:surf-crm-id |
urn:oid | urn:oid:1.3.6.1.4.1.1076.20.100.10.50.2 |
Data type | Microsoft GUID |
Description | GUID of the organization to which the IdP belongs, as used in the SURF CRM. |
Examples | ad93daef-0911-e511-80d0-005056956c1a |
Notes | SURF specific and only to be used by SURF SPs that have to interface with the SURF CRM. Only to be used after consultation with SURFnet. |
Name | http://schemas.microsoft.com/claims/authnmethodsreferences |
Multiplicity | multi-valued |
Data type | URI |
Description | The AuthnContext references involved in authenticating the current user at their home IdP. |
Examples |
|
Notes |
|
...
urn:mace | urn:mace:dir:attribute-def:ou |
urn:oid | urn:oid:2.5.4.11 |
Multiplicity | multi-valued |
Data type | UTF-8 string |
Description | Indicates the department, team, or faculty with which the user is associated within the issuing institution. This attribute is multi-valued, so multiple departments, teams or faculties can be listed. |
Examples |
|
Notes |
|
urn:mace | urn:mace:eduid.nl:1.1 |
Multiplicity | single-valued |
Data type | UTF-8 string |
Description | Targeted unique eduID identifier for a user |
Examples | 658b6b41-7c13-431d-b3b4-663e9077c24c |
Notes |
|
...