
This page lists the SAML 2.0 attributes that SURFconext and its connected Identity Providers have to offer. An attribute is a characteristic that describes a user, expressed as a name:value pair. The attributes included in the SAML assertion correspond to what a Service Provider needs to work properly. In general they are needed to:

  • Convey user information from the Identity provider or IdP to the service provider
  • Create an account for the user at the service provider
  • Authorize specific services at the service provider

When a user logs in to a Service Provider, SURFconext sends a SAML assertion to the Service Provider via the user's browser. That assertion contains:

  • A user identifier. All services receive one; it is a Transient or Persistent NameID, configurable per service.
  • Additional attributes. These are optional and differ per service.


Note

SURFconext's SAML2 implementation adheres to the SAML2int standard 0.2.1.

The header on the link above states that work on saml2int has moved to Kantara Initiative. Until further notice, the SAML2int standard SURFconext adheres to remains at 0.2.1.

Info

Before you start digging into the theoretical material on this page, you may want to read our 'best practice' page first for an introduction to attributes and how they are best used.


User identifiers

The user's identity is transmitted in the NameID element of the SAML assertion. Every IdP must supply a NameID, but for privacy reasons SURFconext generates a new one for the Service Provider. The same value is duplicated in the attribute eduPersonTargetedID, so SAML software that cannot extract the NameID value can still obtain it from the attributes.

To identify a user the Service Provider must use the NameID or eduPersonTargetedID, rather than the email address or other attributes that may change. SURFconext generates a NameID for each new user. It is unique for the user and specific to the SP, so SPs cannot correlate the NameIDs they receive with each other. The NameID is stable for a fixed user, except in the case of transient identifiers. Two NameID formats are supported:

  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
    A persistent NameID contains a unique string identifying the user for this SP and persists over multiple sessions.
  • urn:oasis:names:tc:SAML:2.0:nameid-format:transient
    A transient NameID contains a unique string identifying the user for this SP during the session only. Once the user's session at SURFconext expires, a new transient identifier is generated for the user and SP; if the user logs in again, the SP receives a different value.

These formats are specified in sections 8.3.7 and 8.3.8 of the SAML 2.0 Core specification, and this definition follows the SAML2int standard.

Persistent and transient identifiers are typically of the form "bd09168cf0c2e675b2def0ade6f50b7d4bb4aaef". This form may change in the future, and service providers MUST NOT rely on the NameID being a 40-character hexadecimal string.

A legacy identifier format, a human-readable NameID of the form urn:collab:person:example.com:johndoe, is deprecated and not available for newly connected services. SURFconext aims at minimal disclosure of personal information; an SP that needs information contained in the legacy format (for example the user's home institution) should obtain it from the proper attribute (for example schacHomeOrganization, see below).

Besides the identifier, the SAML assertion contains a number of statements about the user who is logging in to your service, in the form of the attributes described below. More information about SAML can be found on this page.
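The extraction logic an SP needs for the identifiers described above, as an added example (Python; this is not SURFconext code): it takes the Subject/NameID, falls back to eduPersonTargetedID under either attribute name for SAML stacks that only expose attributes, refuses to key a stored profile on a transient identifier, and makes no assumption about the 40-character hexadecimal form. The sample assertion is constructed here and the issuer URL is a placeholder. In production, parse only an assertion whose signature your SAML library has already verified.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
# eduPersonTargetedID under both attribute naming schemas SURFconext sends.
EPTID_NAMES = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10",
    "urn:mace:dir:attribute-def:eduPersonTargetedID",
}


def extract_identifier(assertion_xml: str) -> dict:
    """Return {'value', 'format', 'source'} for the user identifier.

    Prefers Subject/NameID; falls back to eduPersonTargetedID for SAML stacks
    that only expose attributes. Raises ValueError if neither is present.
    xml.etree is acceptable here only because the input is constructed; parse
    real assertions with a hardened parser after signature validation.
    """
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML}}}Assertion":
        root = root.find(".//saml:Assertion", NS)
        if root is None:
            raise ValueError("no saml:Assertion element")
    nameid = root.find("./saml:Subject/saml:NameID", NS)
    if nameid is not None and (nameid.text or "").strip():
        return {"value": nameid.text.strip(),
                "format": nameid.get("Format", ""),
                "source": "NameID"}
    for attr in root.iterfind("./saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") not in EPTID_NAMES:
            continue
        for val in attr.iterfind("./saml:AttributeValue", NS):
            # eduPerson defines the value as a nested saml:NameID (a persistent,
            # pairwise identifier); SURFconext documents a plain string. Accept both.
            nested = val.find("./saml:NameID", NS)
            text = nested.text if nested is not None else val.text
            if text and text.strip():
                fmt = nested.get("Format", PERSISTENT) if nested is not None else PERSISTENT
                return {"value": text.strip(), "format": fmt,
                        "source": "eduPersonTargetedID"}
    raise ValueError("assertion carries neither NameID nor eduPersonTargetedID")


def is_linkable(identifier: dict) -> bool:
    """True if the identifier may key a stored profile across sessions.

    Transient identifiers are regenerated per session, so they may not.
    Nothing here assumes the value is a 40-character hex string.
    """
    return identifier["format"] != TRANSIENT


def build_assertion(nameid=None, nameid_format=PERSISTENT, eptid=None) -> str:
    """Constructed sample assertion (not a real SURFconext response)."""
    subject = (f'<saml:NameID Format="{nameid_format}">{nameid}</saml:NameID>'
               if nameid else "")
    attrs = ""
    if eptid:
        for name in sorted(EPTID_NAMES):
            attrs += (f'<saml:Attribute Name="{name}">'
                      f"<saml:AttributeValue>{eptid}</saml:AttributeValue>"
                      "</saml:Attribute>")
    return (f'<saml:Assertion xmlns:saml="{SAML}" ID="_c1" Version="2.0" '
            'IssueInstant="2020-01-01T00:00:00Z">'
            "<saml:Issuer>https://idp.example.org</saml:Issuer>"  # placeholder issuer
            f"<saml:Subject>{subject}</saml:Subject>"
            f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement>"
            "</saml:Assertion>")


EXAMPLE_ID = "bd09168cf0c2e675b2def0ade6f50b7d4bb4aaef"  # example value from this page

if __name__ == "__main__":
    both = extract_identifier(build_assertion(nameid=EXAMPLE_ID, eptid=EXAMPLE_ID))
    print(both["source"], both["value"], is_linkable(both))
    only_attr = extract_identifier(build_assertion(eptid=EXAMPLE_ID))
    print(only_attr["source"], only_attr["value"])
    transient = extract_identifier(build_assertion(nameid="a1b2", nameid_format=TRANSIENT))
    print(transient["source"], is_linkable(transient))
```

Store the returned value as an opaque string keyed per SP; if your deployment receives transient NameIDs, the only safe use is session-scoped.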

Warning

The NameID and eduPersonTargetedID (which is basically a copy of the NameID) are unlikely to change and are very privacy-aware, but they can change when a service provider or identity provider makes critical changes, and then user profiles at services are lost. The NameID in the SAML assertion sent to a service provider at login is generated from the uid, the schacHomeOrganization and the Entity ID of the service provider, together with a secret, using a SHA algorithm. If an institution or service in production changes one of these inputs, SURFconext generates a new NameID and eduPersonTargetedID for every affected user, which can cause loss of access to profiles at services. We notify identity providers and service providers when we see a change in one of these attributes, to prevent user data being lost.

Changing attributes

As an Identity Provider it is important to realize that changing attributes in production on SURFconext in any way can affect the services your users have access to. The attributes you offer to SURFconext are used to create profiles, and data is often linked to them. Changing an attribute in any way can have unwanted results, such as users no longer being able to access their valuable data. One example is changing the way you fill the email address, e.g. from 'student.123456@university.nl' to 'john.doe@university.nl'. If you plan such a change, or start a project in which this will happen, contact us by email at support@surfconext.nl.

Useful links

  • Table with attributes we recommend our institutions to release: https://wiki.surfnet.nl/display/surfconextdev/Vereiste+attributen
  • Profile page https://profile.surfconext.nl/, showing which attributes your IdP releases to SURFconext and their values
  • For new IdPs, or IdPs that upgrade their environment: system administrators will at some point be asked to share the metadata of their account for analysis. When asked, visit the profile page and click the 'Mail to SURFconext' button. We will get back to you when we have assessed the submitted metadata.
  • InCommon attribute summary: http://www.incommon.org/federation/attributesummary.html
  • SAML2int: saml2int.org

Attribute schemas

A schema is an abstract representation of an object's characteristics and its relationships to other objects.

SURFconext supports two attribute naming schemas:

  • the urn:oid schema (SAML 2.0 compliant)
  • the urn:mace schema (SAML 1.1 compliant)

Both convey the same information (except for the NameID, which is only available in the urn:oid schema). By default SURFconext provides attributes in both schemas in the assertion. Mixing the two schemas within one SP is not recommended: pick one and consume only that one.

Attribute overview

SURFconext supports relaying of the following attributes. The "Defined in" column names the specification that defines the attribute.

Friendly name | urn:mace attribute name | urn:oid attribute name | Defined in | Example value(s)
--- | --- | --- | --- | ---
ID | SAML NameID element; also urn:mace:dir:attribute-def:eduPersonTargetedID | urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | eduPerson | bd09168cf0c2e675b2def0ade6f50b7d4bb4aaef
Surname | urn:mace:dir:attribute-def:sn | urn:oid:2.5.4.4 | X.520 | Doe; Vermeegen; 孝慈
Given name or first name | urn:mace:dir:attribute-def:givenName | urn:oid:2.5.4.42 | X.520 | John; Mërgim Lukáš; Þrúður
Common name or full name | urn:mace:dir:attribute-def:cn | urn:oid:2.5.4.3 | X.520 | John Doe; Prof.dr. Mërgim Lukáš Vermeegen; 加来 千代, PhD.
Display name | urn:mace:dir:attribute-def:displayName | urn:oid:2.16.840.1.113730.3.1.241 | RFC 2798 | Dr. John Doe; Prof.dr. Mërgim L. Vermeegen; 加来 千代, PhD.
Email address | urn:mace:dir:attribute-def:mail | urn:oid:0.9.2342.19200300.100.1.3 | RFC 4524 | m.l.vermeegen@university.example.org; maarten.'t.hart@uniharderwijk.nl; "very.unusual.@.but valid.nonetheless"@example.com; mlv@[IPv6:2001:db8::1234:4321]
Organization | urn:mace:terena.org:attribute-def:schacHomeOrganization | urn:oid:1.3.6.1.4.1.25178.1.2.9 | SCHAC | example.nl; something.example.org
Organization type | urn:mace:terena.org:attribute-def:schacHomeOrganizationType | urn:oid:1.3.6.1.4.1.25178.1.2.10 | SCHAC | urn:mace:terena.org:schac:homeOrganizationType:int:university; urn:mace:terena.org:schac:homeOrganizationType:es:opi
Employee/student number | urn:schac:attribute-def:schacPersonalUniqueCode | urn:oid:1.3.6.1.4.1.25178.1.2.14 | SCHAC | urn:schac:personalUniqueCode:nl:local:example.edu:employeeid:x12-3456; urn:schac:personalUniqueCode:nl:local:example.nl:studentid:s1234567
Affiliation | urn:mace:dir:attribute-def:eduPersonAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.1 | eduPerson | employee, student, faculty, member, affiliate, pre-student
Scoped affiliation | urn:mace:dir:attribute-def:eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | eduPerson | student@uniharderwijk.nl; employee@uniharderwijk.nl
Entitlement | urn:mace:dir:attribute-def:eduPersonEntitlement | urn:oid:1.3.6.1.4.1.5923.1.1.1.7 | eduPerson | to be determined per service (see Standardized values for eduPersonEntitlement)
Principal name | urn:mace:dir:attribute-def:eduPersonPrincipalName | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | eduPerson | piet.jønsen@example.edu; not.a@vålîd.émail.addreß
isMemberOf | urn:mace:dir:attribute-def:isMemberOf | urn:oid:1.3.6.1.4.1.5923.1.5.1.1 | eduMember | urn:collab:org:surf.nl; urn:collab:org:clarin.org
uid | urn:mace:dir:attribute-def:uid | urn:oid:0.9.2342.19200300.100.1.1 | RFC 4519 | s9603145; flåp@example.edu
preferredLanguage | urn:mace:dir:attribute-def:preferredLanguage | urn:oid:2.16.840.1.113730.3.1.39 | RFC 2798 | nl; nl, en-gb;q=0.8, en;q=0.7
ORCID | urn:mace:dir:attribute-def:eduPersonORCID | urn:oid:1.3.6.1.4.1.5923.1.1.1.16 | eduPerson | http://orcid.org/0000-0002-1825-0097
ECK ID | urn:mace:surf.nl:attribute-def:eckid | (none) | SURF | https://ketenid.nl/spv1/eacf3765ad342...cf3a11fe9cab2365f95da3e9965501f7c98e (shortened for readability)
SURF CRM ID | urn:mace:surf.nl:attribute-def:surf-crm-id | (none) | SURF | ad93daef-0911-e511-80d0-005056956c1a
MS AuthnMethodsReferences | http://schemas.microsoft.com/claims/authnmethodsreferences | (none) | Microsoft | urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport; http://schemas.microsoft.com/claims/multipleauthn

Not all identity providers make all attributes available. Ultimately it is up to the identity provider and the service provider to agree on the set of attributes the IdP releases; SURFconext only mediates. It is strongly recommended to stick to the attributes above, as they are standardized and ensure greater interoperability.

The eduPerson attributes are defined in the eduPerson Object Class Specification (201602): https://wiki.refeds.org/pages/viewpage.action?pageId=44957738

Info

Deprecated attributes: SURFconext considers the attributes nlEduPersonOrgUnit (department name), nlEduPersonStudyBranch (ROHO code) and nlStudielinkNummer (Studielink number) deprecated. When you register a new SP at SURFconext, these attributes are not allowed. Existing IdPs and SPs can use them until further notice.

Detailed attribute descriptions

ID

See User identifiers.

Surname (sn)

urn:mace: urn:mace:dir:attribute-def:sn
urn:oid: urn:oid:2.5.4.4
Multiplicity: single-valued
Data type: UTF-8 string (unbounded)

Description: The surname of a person (including any words such as "van", "de", "von" etc.), used for personalization; this can be a combination of existing attributes.

Examples: Vermeegen; 孝慈

Given name (givenName)

urn:mace: urn:mace:dir:attribute-def:givenName
urn:oid: urn:oid:2.5.4.42
Multiplicity: single-valued
Data type: UTF-8 string (unbounded)

Description: Given name, also known as first name, forename or Christian name / "name known by"; combinations of title, initials and "name known by" are possible.

Examples: Jan Klaassen; Mërgim K. Lukáš; Þrúður

Common name (cn)

urn:mace: urn:mace:dir:attribute-def:cn
urn:oid: urn:oid:2.5.4.3
Multiplicity: multi-valued
Data type: UTF-8 string (unbounded)

Description: Full name.

Examples: Prof.dr. Mërgim Lukáš Vermeegen; 加来 千代, PhD.

Notes:
  • For example, a typical name of a person in an English-speaking country comprises a personal title (e.g. Mr., Ms., Dr., Professor, Sir, Lord), a first name, middle name(s), last name, generation qualifier (if any, e.g. Jr.) and decorations and awards (if any, e.g. CBE).

Display name (displayName)

urn:mace: urn:mace:dir:attribute-def:displayName
urn:oid: urn:oid:2.16.840.1.113730.3.1.241
Multiplicity: single-valued
Data type: UTF-8 string (unbounded)

Description: Name as displayed in applications.

Examples: Prof.dr. Mërgim Lukáš Vermeegen; 加来 千代, PhD.

Notes:
  • This attribute can typically be changed by end users themselves and is therefore not suitable for identification.

Email address (mail)

urn:mace: urn:mace:dir:attribute-def:mail
urn:oid: urn:oid:0.9.2342.19200300.100.1.3
Multiplicity: multi-valued
Data type: RFC 5322 address (max 256 chars)

Description: Email address; syntax in accordance with RFC 5322.

Examples: m.l.vermeegen@university.example.org; "very.unusual.@.unusual.com"@example.com; mlv@[IPv6:2001:db8::1234:4321]

Notes:
  • Multiple email addresses are allowed. However, there is no clear strategy for SPs on how to interpret multiple addresses (use both? pick one? ask the user to pick one?); the SP should devise a strategy that makes sense within the context of the application. As an IdP, in the interest of interoperability, avoid sending multiple addresses where possible.
  • An email address is not necessarily the email address of this person at the institution.
  • Do not use this attribute to uniquely identify a user. Use the NameID instead.
  • A user's email address may change over time, or an IdP may allow a user to change this value themselves. This makes the attribute unsuitable for authentication and authorization purposes.
uid

urn:mace: urn:mace:dir:attribute-def:uid
urn:oid: urn:oid:0.9.2342.19200300.100.1.1
Multiplicity: single-valued (multi-valued in the specification, but within SURFconext only one value is allowed)
Data type: UTF-8 string (max 256 chars); use of spaces and @-characters is discouraged.

Description: The unique code for a person that is used as the login name within the institution.

Examples: s9603145; piet; flåp@example.edu (see note below)

Notes:
  • The uid is not a unique identifier for SURFconext users. Uid values are at most unique per IdP.
  • Ideally the uid is not only a login name/code but also an identifier that is guaranteed to be unique within the institution over the course of time. At the moment there is no such guarantee.
  • Use the NameID for unique identifiers in SURFconext rather than uid.
  • Use the eduPersonPrincipalName attribute if a human-readable unique identifier is required.
  • A uid may contain any Unicode character. E.g. "org:surfnet.nl:joe von stühl" is a valid uid.
  • SURFconext translates @-characters in the uid to underscores before constructing the NameID: flåp@example.edu translates to flåp_example.edu.
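The warning above and the last note describe the inputs of the NameID derivation (uid with @ translated to _, schacHomeOrganization, the SP's Entity ID and a secret, hashed with a SHA algorithm) without giving the algorithm. The following added example (Python; not SURFconext's implementation) uses HMAC-SHA256 over those inputs as a stand-in to show the consequences the page warns about: the value differs per SP, so SPs cannot correlate users; renaming a uid or re-casing schacHomeOrganization yields a new identifier and therefore a lost profile; and, as a direct consequence of the documented @ to _ translation, the uids flåp@example.edu and flåp_example.edu map to the same identifier, so an IdP that permits both characters in uids should make sure its uids remain unique under that mapping. The secret and the SP Entity IDs are constructed values.

```python
import hashlib
import hmac


def normalize_uid(uid: str) -> str:
    """SURFconext replaces '@' in the uid with '_' before deriving the NameID."""
    return uid.replace("@", "_")


def derive_pairwise_id(uid: str, schac_home_org: str, sp_entity_id: str, secret: bytes) -> str:
    """Illustrative pairwise identifier over the inputs the page names.

    HMAC-SHA256 over a delimited concatenation is an assumption made for this
    example; the page only says 'a SHA algorithm' with a secret. Without the
    secret an SP can neither recompute nor reverse the value, and two SPs
    receive unrelated values for the same user.
    """
    material = "\x1f".join((normalize_uid(uid), schac_home_org, sp_entity_id)).encode("utf-8")
    return hmac.new(secret, material, hashlib.sha256).hexdigest()


# Constructed values; the secret is a throwaway for this example only.
SECRET = b"example-secret-do-not-reuse"
SP_A = "https://sp-a.example.org/saml/metadata"
SP_B = "https://sp-b.example.org/saml/metadata"


def profile_impact() -> dict:
    """Show which IdP-side changes produce a new identifier at an SP."""
    before = derive_pairwise_id("student.123456", "university.nl", SP_A, SECRET)
    return {
        # Same user at two SPs: different values, so the SPs cannot correlate.
        "unlinkable_across_sps":
            before != derive_pairwise_id("student.123456", "university.nl", SP_B, SECRET),
        # Renaming the login name (e.g. 'student.123456' -> 'john.doe') breaks the profile.
        "uid_change_breaks_profile":
            before != derive_pairwise_id("john.doe", "university.nl", SP_A, SECRET),
        # Re-casing schacHomeOrganization is also a change of input here.
        "home_org_case_change_breaks_profile":
            before != derive_pairwise_id("student.123456", "University.nl", SP_A, SECRET),
        # Consequence of the '@' -> '_' translation: two distinct uids collide.
        "at_underscore_collision":
            derive_pairwise_id("flåp@example.edu", "example.edu", SP_A, SECRET)
            == derive_pairwise_id("flåp_example.edu", "example.edu", SP_A, SECRET),
    }


if __name__ == "__main__":
    for check, holds in profile_impact().items():
        print(f"{check}: {holds}")
```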

Home organization (schacHomeOrganization)

urn:mace: urn:mace:terena.org:attribute-def:schacHomeOrganization
urn:oid: urn:oid:1.3.6.1.4.1.25178.1.2.9
Multiplicity: single-valued
Data type: RFC 1035 domain string. The domain MUST be a second-level domain under control of the institution. Preferably the institution's main domain name is used.

Description: The user's organization, expressed as the organization's domain name; syntax in accordance with RFC 1035.

Examples: uniharderwijk.nl; example.nl

Notes:
  • In the past, SURFconext sent the home organization in the attribute urn:oid:1.3.6.1.4.1.1466.115.121.1.15, which was incorrect. Since 2013 the correct OID urn:oid:1.3.6.1.4.1.25178.1.2.9 is in use. For reasons of compatibility the old (wrong) key is still sent; it will be removed in 2020.
  • Matching values against this attribute should be case-insensitive, i.e. the values "uniharderwijk.nl" and "UniHarderwijk.nl" should be considered equal. For interoperability reasons, however, SURFconext requires lower-case values as specified above.
  • It is desirable to have the same value for all your users.
  • SURFconext stores the allowed value for your institution in its configuration so it can check that no illegal values are being sent.
Organization type (schacHomeOrganizationType)

urn:mace: urn:mace:terena.org:attribute-def:schacHomeOrganizationType
urn:oid: urn:oid:1.3.6.1.4.1.25178.1.2.10
Multiplicity: single-valued
Data type: RFC 2141 URN (see the SCHAC standard)

Description: Designation of the type of organization as defined on http://www.terena.org/registry/terena.org/schac/homeOrganizationType

Examples: urn:mace:terena.org:schac:homeOrganizationType:int:university; urn:mace:terena.org:schac:homeOrganizationType:es:opi

Employee/student number (schacPersonalUniqueCode)

urn:mace: urn:schac:attribute-def:schacPersonalUniqueCode
urn:oid: urn:oid:1.3.6.1.4.1.25178.1.2.14
Multiplicity: multi-valued
Data type: RFC 2141 URN (see the SURFnet registry)

Description: The user's student, employee and/or member id as used in the university's internal systems.

Examples: urn:schac:personalUniqueCode:nl:local:example.edu:employeeid:x12-3456; urn:schac:personalUniqueCode:nl:local:example.nl:studentid:s1234567

Notes:
  • Attribute values are registered by SURFnet as shown on this page.
  • Please contact the SURFnet support team if you would like to use this attribute as an SP, or if you would like to provide it as an IdP.
  • This attribute's main use is matching user accounts to the university's internal systems.
Affiliation (eduPersonAffiliation)

urn:mace: urn:mace:dir:attribute-def:eduPersonAffiliation
urn:oid: urn:oid:1.3.6.1.4.1.5923.1.1.1.1
Multiplicity: multi-valued
Data type: UTF-8 string (only the values enumerated below are allowed)

Description: Indicates the relationship between the user and their home organization (institution). The following values are permitted within SURFconext:

  • student — A person enrolled at an institution, an external student or a course participant.
  • employee — A person with a position at or labor agreement with an institution.
  • staff — All academic staff and teachers. (deprecated; do not use in new deployments)
  • faculty — A person whose primary role is teaching or research. (Commonly called WP at Dutch universities. Please note that PhD students are also perfectly allowed to carry this value.)
  • member — Anyone who holds at least one of the above affiliations is also a member.
  • pre-student — A person who has registered to start studying, but is not yet a full student. See this page (Dutch only) for more information about pre-students and the terms and conditions under which such users are allowed access. Pre-students will never be allowed access to service providers without prior consent from the service provider.
  • affiliate — A person who is authorized by the Institution, pursuant to the lenience model concluded by the Institution, to use the Service.

Use the above definitions to determine which affiliation a user gets. If the definitions are not sufficient, use common sense.

Examples: see above

Notes:
  • Any user who has the affiliation student, employee or faculty should also have the value member.
  • Identity Providers might internally use additional values for the affiliation attribute, such as alum. Per SURFconext policy, the IdP may not allow such users to access SURFconext. Other values mentioned in the eduPerson specification include library-walk-in; this value is not currently used within SURFconext.
  • According to the eduPerson specification the values of this attribute are case-insensitive; for interoperability reasons, however, SURFconext requires lower-case values as specified above.
  • The document REFEDS eduPerson(Scoped)Affiliation usage comparison is useful to determine the usefulness of values in an international context.

Scoped affiliation (eduPersonScopedAffiliation)

urn:mace: urn:mace:dir:attribute-def:eduPersonScopedAffiliation
urn:oid: urn:oid:1.3.6.1.4.1.5923.1.1.1.9
Multiplicity: multi-valued
Data type: UTF-8 string of the form affiliation@domain (see below)

Description: Indicates the relationship between the user and the domain of their home organization. The affiliation part must be one of the allowed values of the eduPersonAffiliation attribute (see the definition right above).

The value consists of the role of the user and the domain name of the organization, so eduPersonScopedAffiliation can be defined as <eduPersonAffiliation> "@" <schacHomeOrganization>. Like eduPersonAffiliation, this is a multi-valued attribute.

The domain part must be the schacHomeOrganization of the user (or a subdomain thereof).

Examples: student@uniharderwijk.nl; faculty@uniharderwijk.nl

Notes:
  • This attribute is primarily a different way to convey the same information as is contained in eduPersonAffiliation and schacHomeOrganization. It is recommended to release this attribute next to eduPersonAffiliation and schacHomeOrganization, because some SPs ask for this attribute instead of the two separate ones.
  • If desired, this attribute can be used to describe the role of the user within a specific faculty, field, study or department that the user is part of. Because the attribute is multi-valued, a user can be a student at one department and an employee at another.
Entitlement (eduPersonEntitlement)

urn:mace: urn:mace:dir:attribute-def:eduPersonEntitlement
urn:oid: urn:oid:1.3.6.1.4.1.5923.1.1.1.7
Multiplicity: multi-valued
Data type: RFC 2141 URN

Description: Entitlement; a custom URI (URL or URN) that indicates an entitlement to something.

Examples: urn:mace:terena.org:tcs:personal-admin; urn:x-surfnet:surfdomeinen.nl:role:dnsadmin

Notes:
  • This attribute can be used to communicate entitlements, roles, etc. from identity providers to services, for example for authorization.
  • The values of this attribute are scoped to the identity provider that is authoritative for the attribute.
  • Formatting rules apply: see the SURFconext entitlement name-spacing policy.

Principal name (eduPersonPrincipalName)

urn:mace: urn:mace:dir:attribute-def:eduPersonPrincipalName
urn:oid: urn:oid:1.3.6.1.4.1.5923.1.1.1.6
Multiplicity: single-valued
Data type: UTF-8 string of the form user@scope

Description: Unique identifier for a user.

Examples: piet.jønsen@example.edu; not.a@vålîd.émail.addreß

Notes:
  • This is a scoped identifier for a person, represented as user@scope, where user is a name-based identifier for a person. The scope part must be part of an administrative domain of the identity system where the identifier was created and assigned. An IdP can have multiple scopes, e.g. piet@student.hartingcollege.nl and piet@hartingcollege.nl. These Piets are different persons, scoped under the administrative domain (here hartingcollege.nl) where the scopes were defined.
  • It is common to use schacHomeOrganization as the scope if no other scopes are defined.
  • Although this value resembles an email address, it MUST NOT be used as an email address. In many cases mail cannot be delivered to this "address".
  • Even though this value uniquely identifies a user, it is not guaranteed to be persistent over sessions (even though it usually is).
  • It is preferred not to use this attribute to uniquely identify users. Use the NameID instead.
  • SURFconext stores the allowed domain part for your institution in its configuration so it can check that no illegal values are being sent.
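The checks this page describes for an IdP's release (a lower-case schacHomeOrganization equal to the registered value, affiliation values restricted to the list above with member accompanying student/employee/faculty, scoped affiliation domains under schacHomeOrganization, and eduPersonPrincipalName scopes registered for the institution) are combined in this added example (Python; not SURFconext code). The shape of the per-IdP configuration and the sample releases are constructed for the example; uniharderwijk.nl is the example institution used on this page.

```python
import re

# Values permitted for eduPersonAffiliation within SURFconext (from the list above).
ALLOWED_AFFILIATIONS = {"student", "employee", "faculty", "member",
                        "affiliate", "pre-student", "staff"}
DEPRECATED_AFFILIATIONS = {"staff"}
# student, employee and faculty must be accompanied by member.
IMPLIES_MEMBER = {"student", "employee", "faculty"}
# One RFC 1035 label: letters, digits and hyphens, not starting or ending with '-'.
LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def is_domain(value: str) -> bool:
    """True for a lower-case dotted domain with at least two labels."""
    labels = value.split(".")
    return len(labels) >= 2 and all(LABEL.match(lbl) for lbl in labels)


def in_scope(domain: str, home_org: str) -> bool:
    """domain equals home_org or is a subdomain of it; compared case-insensitively."""
    d, h = domain.lower(), home_org.lower()
    return d == h or d.endswith("." + h)


def check_release(attrs: dict, idp_config: dict) -> list:
    """Return the list of policy violations in one IdP attribute release.

    attrs maps friendly attribute names to lists of values. idp_config is a
    hypothetical per-IdP registration: the schacHomeOrganization value and the
    eduPersonPrincipalName scopes on record for the institution.
    """
    problems = []

    home = attrs.get("schacHomeOrganization", [])
    if len(home) != 1:
        problems.append("schacHomeOrganization must have exactly one value")
    else:
        h = home[0]
        if h != h.lower():
            problems.append("schacHomeOrganization must be lower-case")
        if not is_domain(h.lower()):
            problems.append(f"schacHomeOrganization {h!r} is not a domain name")
        if h.lower() != idp_config["schacHomeOrganization"].lower():
            problems.append(f"schacHomeOrganization {h!r} differs from the registered value")

    affs = attrs.get("eduPersonAffiliation", [])
    for a in affs:
        if a not in ALLOWED_AFFILIATIONS:  # catches 'alum', 'Student', 'library-walk-in'
            problems.append(f"eduPersonAffiliation {a!r} is not permitted in SURFconext")
        elif a in DEPRECATED_AFFILIATIONS:
            problems.append(f"eduPersonAffiliation {a!r} is deprecated")
    if set(affs) & IMPLIES_MEMBER and "member" not in affs:
        problems.append("eduPersonAffiliation lacks 'member' although student/employee/faculty is present")

    for sa in attrs.get("eduPersonScopedAffiliation", []):
        aff, sep, dom = sa.rpartition("@")
        if not sep or aff not in ALLOWED_AFFILIATIONS:
            problems.append(f"eduPersonScopedAffiliation {sa!r} is not <affiliation>@<domain>")
        elif len(home) == 1 and not in_scope(dom, home[0]):
            problems.append(f"eduPersonScopedAffiliation domain {dom!r} is not under schacHomeOrganization")

    eppn = attrs.get("eduPersonPrincipalName", [])
    if len(eppn) > 1:
        problems.append("eduPersonPrincipalName must be single-valued")
    registered = {s.lower() for s in idp_config["eppn_scopes"]}
    for p in eppn:
        user, sep, scope = p.rpartition("@")
        if not sep or not user or not scope:
            problems.append(f"eduPersonPrincipalName {p!r} is not user@scope")
        elif scope.lower() not in registered:
            problems.append(f"eduPersonPrincipalName scope {scope!r} is not registered for this IdP")

    return problems


# Constructed sample data.
IDP_CONFIG = {
    "schacHomeOrganization": "uniharderwijk.nl",
    "eppn_scopes": ["uniharderwijk.nl", "student.uniharderwijk.nl"],
}
GOOD_RELEASE = {
    "schacHomeOrganization": ["uniharderwijk.nl"],
    "eduPersonAffiliation": ["student", "member"],
    "eduPersonScopedAffiliation": ["student@uniharderwijk.nl", "student@student.uniharderwijk.nl"],
    "eduPersonPrincipalName": ["piet@student.uniharderwijk.nl"],
}
BAD_RELEASE = {
    "schacHomeOrganization": ["UniHarderwijk.nl"],          # mixed case
    "eduPersonAffiliation": ["student", "alum"],             # alum not allowed; member missing
    "eduPersonScopedAffiliation": ["student@otheruni.nl"],   # domain not under home org
    "eduPersonPrincipalName": ["piet@hartingcollege.nl"],    # scope not registered
}

if __name__ == "__main__":
    print(check_release(GOOD_RELEASE, IDP_CONFIG))  # []
    for problem in check_release(BAD_RELEASE, IDP_CONFIG):
        print("-", problem)
```

The same function is useful on the SP side as a sanity check on incoming assertions: an unexpected affiliation value or a scope outside the IdP's domain should be rejected rather than silently authorized.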

isMemberOf

urn:mace: urn:mace:dir:attribute-def:isMemberOf
urn:oid: urn:oid:1.3.6.1.4.1.5923.1.5.1.1
Multiplicity: multi-valued
Data type: RFC 2141 URN

Description: Lists the collaborative organizations the user is a member of.

Examples: urn:collab:org:surf.nl

Notes:
  • Attribute values are URIs (URN or URL).
  • The value urn:collab:org:surf.nl indicates that the user's home institution is a member of SURFnet; the attribute overview above also shows urn:collab:org:clarin.org as an example value.
  • In the future this attribute can be used to determine membership of non-institutional collaborative organizations.
  • This attribute is generated by SURFconext and is available to SPs; it should not be set by IdPs.
Anchor
preferredLanguage
preferredLanguage
Preferred Language

urn:mace

Multiplicity

single-value

Description

The surname of a person (including any words such as "van", "de", "von" etc.) used for personalisation; this can be a combination of existing attributes.

Notes

 

urn:mace:dir:attribute-def

...

:preferredLanguage

urn:oid

urn:oid:2.16.840.1.113730.3.1.39

Multiplicity

single-

value

Description

Given name / "name known by"; combinations of title, initials, and "name known by" are possible.

Notes

 

urn:mace:dir:attribute-def:cn

...

Multiplicity

...

single-value

...

Description

...

Full given name.

...

Notes

urn:mace:dir:attribute-def:displayName

Multiplicity

single-value

Description

Display name as displayed in applications

Notes

 

urn:mace:dir:attribute-def:mail

Multiplicity

multi-value

Description

e-mail address; syntax in accordance with RFC 1274 and RFC 822.

Notes

  • This is a multi-value attribute.
  • An email address is not necessarily the email address of this person at the institution, it can also be a @google.com, @hotmail.com or @vanitydomain.org address.
  • The mail may change over time for a user, also an IdP may allow a user to set this value. This makes that attribute unsuitable for authentication and authorization purposes.

urn:mace:dir:attribute-def:eduPersonAffiliation

valued

Data typeRFC2798 BCP47

Description

a two-letter abbreviation for the preferred language according to the ISO 639 language abbreviation code table; no subcodes.

Examples

nl
en

Notes

Used to indicate an individual's preferred written or spoken language. This is useful for international correspondence or human-computer interaction. Values for this attribute type MUST conform to the definition of the Accept-Language header field defined in RFC 2068 with the exception that the value ":" should be omitted. 

Anchor
eduPersonTargetedID
eduPersonTargetedID
EduPersonTargetedID

urn:mace

urn:mace:dir:attribute-def:eduPersonTargetedID

urn:oid

urn:oid:1.3.6.1.4.1.5923.1.1.1.10

Multiplicity

single-valued

Data typeUTF8 string (unbounded)

Description 

The attribute eduPersonTargetedID is a copy of the persistent Subject -> NameID, which is generated by SURFconext itself. When an Identity Provider provides the eduPersonTargetedID itself, it is always overwritten by SURFconext. 

Examplesbd09168cf0c2e675b2def0ade6f50b7d4bb4aae

Notes 

This attribute is created because the Subject -> NameID itself is not part of the SAML v2.0 response and therefore only is available for an application if the local SAML implementation explicitly supports this. Within SURFconext the Subject -> NameID is explicitly copied into the eduPersonTargetedID attribute, in order for the identifier to be used like any other attribute, but only when NameID is configured to be persistent (as the eduPerson definition of eduPersonTargetedID requires it to be persistent)


Anchor
eduPersonORCID
eduPersonORCID
eduPersonORCID

urn:mace

Multiplicity

multi-value

Description

indicates the relationship between the user and his/her own organisation; possible values:

  • student - student
  • employee - all employees
  • staff - academic staff
  • alum - alumnus
  • affiliate - third party; no direct work relationship with the institution (either paid or unpaid)

Notes

Note that you must not allow alum or affiliate users to access SURFfederatie. Providing this attribute is not sufficient to deny these users access to SURFfederatie as many service providers do not receive this attribute. Please contact federatie-beheer@surfnet.nl if you have questions about this.

urn:mace:dir:attribute-def:

...

eduPersonOrcid

Multiplicity

multi-value

Description

entitlement; URI (URL or URN) that indicates an entitlement to something; is determined by a contract between the service provider and the institution.

Notes
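The following is an added example, not SURFconext code, showing how a Service Provider should consume the identifiers described in the eduPersonPrincipalName notes and the eduPersonTargetedID record on this page: ePPN is parsed as user@scope and the scope is checked against what the IdP may assert (the per-IdP allowed-scope table and the sample assertion are constructed assumptions; SURFconext keeps its own configuration for this check), eduPersonTargetedID is verified to be a copy of a persistent NameID, and the NameID, never ePPN or mail, is returned as the key to store the account under.

```python
"""Consume the identity-bearing parts of a SAML assertion as an SP should.

Added illustration, not SURFconext or project code. Signature, Conditions and
Audience are assumed to have been verified by the SAML library already; no
attribute is trusted before that.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EPPN = "urn:mace:dir:attribute-def:eduPersonPrincipalName"
EPTID = "urn:mace:dir:attribute-def:eduPersonTargetedID"
SHO = "urn:mace:terena.org:attribute-def:schacHomeOrganization"

# Constructed assumption: the scopes each IdP is allowed to use in ePPN.
ALLOWED_SCOPES = {
    "https://idp.hartingcollege.nl": {"hartingcollege.nl", "student.hartingcollege.nl"},
}

# Constructed sample assertion (values taken from the examples on this page).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">bd09168cf0c2e675b2def0ade6f50b7d4bb4aae</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
      <saml:AttributeValue>piet@student.hartingcollege.nl</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonTargetedID">
      <saml:AttributeValue>bd09168cf0c2e675b2def0ade6f50b7d4bb4aae</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:mace:terena.org:attribute-def:schacHomeOrganization">
      <saml:AttributeValue>hartingcollege.nl</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attributes(assertion):
    """Map attribute Name -> list of values. eduPersonTargetedID may carry a
    nested <saml:NameID> instead of plain text; its text is used in that case."""
    out = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = []
        for av in attr.findall("saml:AttributeValue", NS):
            nested = av.find("saml:NameID", NS)
            text = nested.text if nested is not None else av.text
            values.append((text or "").strip())
        out[attr.get("Name")] = values
    return out


def split_scoped(value):
    """Split user@scope; exactly one '@', both parts non-empty, scope lowercased."""
    if value.count("@") != 1:
        raise ValueError(f"not a scoped identifier: {value!r}")
    user, scope = value.split("@")
    if not user or not scope:
        raise ValueError(f"empty user or scope in {value!r}")
    return user, scope.lower()


def check_eppn(attrs, idp_entity_id):
    """Return (user, scope) if ePPN is well formed and the scope is allowed for
    this IdP. Without a configured scope list, schacHomeOrganization is taken as
    the expected scope, which the page notes is the common arrangement."""
    values = attrs.get(EPPN, [])
    if len(values) != 1:
        raise ValueError(f"expected exactly one ePPN value, got {len(values)}")
    user, scope = split_scoped(values[0])
    allowed = ALLOWED_SCOPES.get(idp_entity_id)
    if allowed is None:
        allowed = {v.lower() for v in attrs.get(SHO, [])}
    if scope not in allowed:
        raise ValueError(f"scope {scope!r} not allowed for IdP {idp_entity_id}")
    return user, scope


def account_key(assertion, attrs):
    """The identifier to key SP accounts on: the persistent NameID.
    eduPersonTargetedID, when present, must be an exact copy of it."""
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        raise ValueError("a persistent NameID is required to key accounts")
    key = (name_id.text or "").strip()
    for eptid in attrs.get(EPTID, []):
        if eptid != key:
            raise ValueError("eduPersonTargetedID does not match the NameID")
    return key


def consume(xml_text, idp_entity_id):
    """Parse and validate an assertion; returns the fields an SP may rely on."""
    assertion = ET.fromstring(xml_text)
    attrs = attributes(assertion)
    user, scope = check_eppn(attrs, idp_entity_id)
    return {"key": account_key(assertion, attrs), "eppn_user": user, "scope": scope}


if __name__ == "__main__":
    print(consume(SAMPLE, "https://idp.hartingcollege.nl"))
```

Note that a transient NameID is rejected as an account key, and that an assertion from an IdP with no configured scope list is only accepted when the ePPN scope equals its schacHomeOrganization; a scoped value under any other domain is refused, which is the check the last ePPN note describes SURFconext performing.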

 

urn:mace:dir:attribute-def:eduPersonPrincipalName

Multiplicity

single-value

Description

Unique "net ID" beyond the scope of the particular institution, in the form "<user>@<scope>", e.g. "s012001234@student.example.com".

Notes

  • Although this value resembles an email address, it should not be used as such. In many cases mail cannot be delivered to this "address".
  • This value should never be reassigned to another user. I.e. after a user leaves an institution, it should not be assigned to another (future) user.


Attributes defined in urn:mace:terena.org:attribute-def

International standardised attributes according to the Terena SCHAC schema have been defined within the namespace urn:mace:terena.org:schac: http://www.terena.org/activities/tf-emc2/schacreleases.html. The version of the SCHAC table used is 1.3.0 (12 December 2006).

urn:mace:terena.org:attribute-def:schacHomeOrganization

Multiplicity

single-value

Description

designation for the person's organisation using the organisation's domain name; syntax in accordance with RFC 1035.

Notes

 

urn:mace:terena.org:attribute-def:schacHomeOrganizationType

Multiplicity

single-value

Description

designation of the type of organisation to which a person belongs, using the values registered by Terena on: http://www.terena.org/registry/terena.org/schac/homeOrganizationType

Notes

 

Attributes defined in urn:mace:surffederatie.nl:attribute-def

Nationally standardised attributes within SURFfederatie have been defined within the namespace urn:mace:surffederatie.nl:attribute-def. The names of all these attributes start with the prefix "nl".

urn:mace:surffederatie.nl:attribute-def:nlEduPersonHomeOrganization

Multiplicity

single-value

Description

 

Notes

This attribute is deprecated. It has been replaced by the urn:mace:terena.org:attribute-def:schacHomeOrganization attribute.

urn:mace:surffederatie.nl:attribute-def:nlEduPersonOrgUnit

Multiplicity

multi-value

Description

Name of the department

Notes

 

urn:mace:surffederatie.nl:attribute-def:nlEduPersonStudyBranch

Multiplicity

multi-value

Description

Study programme; numerical string containing the CROHO code. Empty if the programme is not a regular one.

Notes

 

urn:mace:surffederatie.nl:attribute-def:nlStudielinkNummer

Multiplicity

single-value

Description

A student's Studielink number as registered at www.studielink.nl

Notes

 

eduPersonORCID

urn:mace

urn:mace:dir:attribute-def:eduPersonOrcid

urn:oid

urn:oid:1.3.6.1.4.1.5923.1.1.1.16

Multiplicity

multi-valued (see remark below)

Data type

URL, registered with ORCID.org

Description

The ORCID is a persistent digital identifier that distinguishes the account holder from every other researcher. Through integration in research workflows such as manuscript and grant submission, the ORCID identifier supports automated linkages between the account holder and his/her professional activities, ensuring that the account holder's work is recognized. Values MUST be valid ORCID identifiers in the ORCID preferred URL representation, e.g. http://orcid.org/0000-0002-1825-0097.

Examples

http://orcid.org/0000-0002-1825-0097

http://orcid.org/0000-0001-9351-8252

Notes

Although the attribute is in theory multi-valued, in practice it probably makes sense that it has no more than one value.
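An added example, not SURFconext code, of validating the values of this attribute before an SP stores them: each value must be an ORCID in the URL representation the description requires, the last character is verified as the ISO 7064 MOD 11-2 check character that ORCID uses, and the values are reduced to the distinct ORCIDs so that a caller can apply the "no more than one" expectation from the note above. The function and variable names are this example's own.

```python
"""Validate eduPersonOrcid attribute values.

Added illustration, not SURFconext or ORCID code. Accepts http and https
forms of the orcid.org URL; the page's examples use http.
"""
import re

ORCID_URL = re.compile(r"^https?://orcid\.org/(\d{4})-(\d{4})-(\d{4})-(\d{3}[\dX])$")


def orcid_check_digit(base_digits):
    """ISO 7064 MOD 11-2 check character over the 15 leading digits.
    The result 10 is written as 'X', which is why an ORCID may end in X."""
    total = 0
    for ch in base_digits:
        total = (total + int(ch)) * 2
    result = (12 - total % 11) % 11
    return "X" if result == 10 else str(result)


def parse_orcid(value):
    """Return the bare 0000-0002-1825-0097 form of a URL value, or raise
    ValueError when the URL shape or the check character is wrong."""
    m = ORCID_URL.match(value.strip())
    if m is None:
        raise ValueError(f"not an ORCID URL: {value!r}")
    digits = "".join(m.groups())          # 16 characters, check char last
    if orcid_check_digit(digits[:15]) != digits[15]:
        raise ValueError(f"ORCID check character mismatch: {value!r}")
    return "-".join(m.groups())


def validate_orcid_attribute(values):
    """Validate every AttributeValue of eduPersonOrcid and return the distinct
    ORCIDs in order of appearance. The same ORCID sent twice (for example once
    over http and once over https) counts as one."""
    ids = []
    for v in values:
        orcid = parse_orcid(v)
        if orcid not in ids:
            ids.append(orcid)
    return ids


if __name__ == "__main__":
    print(validate_orcid_attribute(["http://orcid.org/0000-0002-1825-0097"]))
```

A caller that wants to enforce the note's expectation checks `len(validate_orcid_attribute(values)) <= 1`; a value that fails the check character is refused outright, since a mistyped or tampered ORCID would otherwise be linked to a different researcher's record.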

ECK ID

urn:mace

urn:mace:surf.nl:attribute-def:eckid

urn:oid

-

Multiplicity

single-valued

Data type

URL as specified by Edu-K, all-lowercase

Description

Educatieve Content Keten Identifier (ECK ID) is a pseudonymous identifier for access to content for primary, secondary and vocational education.

Examples

  • https://ketenid.nl/spv1/eacf3765ad342feb5f65c2bf8194b4ccc3d68cec3c01d3c260636747a2b06d092fcc3a8d655bbdc4ae7d815ed005cf3a11fe9cab2365f95da3e9965501f7c98e
  • https://ketenid.nl/201703/1a5c9c7203901866532c2d72ce056e1d29cacc70836fe2bc3a517f3f9a53eed3d77ef370ad6dcf80b3f34ced1c547c7d2e679e8e47002355f938213b3656b206

Notes

This attribute may only be used for “the access to and use of digital learning resources or the digital administration of tests and exams”.

For more information see https://www.eck-id.nl (Dutch). If you obtain this claim from an external data store, such as an Enterprise Active Directory, an LDAP directory or a Microsoft SQL Server, you can define custom attribute stores to query the ECK ID claim from those external data stores. Read this Microsoft blog to get to know more.

SURF CRM ID

urn:mace

urn:mace:surf.nl:attribute-def:surf-crm-id

urn:oid

urn:oid:1.3.6.1.4.1.1076.20.100.10.50.2

Multiplicity

single-valued

Data type

Microsoft GUID

Description 

GUID of the organization to which the IdP belongs, as used in the SURF CRM.

Examples

ad93daef-0911-e511-80d0-005056956c1a

Notes

SURF specific and only to be used by SURF SPs that have to interface with the SURF CRM.

Only to be used after consultation with SURFnet.

MS AuthnMethodsReferences

Name

http://schemas.microsoft.com/claims/authnmethodsreferences

Multiplicity

multi-valued

Data type

URI

Description

The AuthnContext references involved in authenticating the current user at their home IdP.

Examples

urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
http://schemas.microsoft.com/claims/multipleauthn

Notes

  • Exclusively for use between IdPs and SURFconext; not available to SPs.
  • Used when the institution has a Microsoft ADFS IdP, to communicate the MFA method used to SURFconext. Not needed or useful when the institution in question does not use this functionality.
  • No other uses. For comparable but more generic SAML 2.0 functionality, see the AuthnContextClassRef sent in each assertion.

urn:mace:surffederatie.nl:attribute-def:nlDigitalAuthorIdentifier

Multiplicity

single-value

Description

Digital Author Identifier (DAI) as described here

Notes