This page will list all the SAML2 attributes that SURFconext and their Identity Providers have to offer. An attribute is a characteristic that describes a user. It is a 'name:value' pair. The attributes included in the SAML assertion correspond to certain attributes a service provider needs to work properly. In general they are needed to:
- Convey user information from the Identity provider or IdP to the service provider
- Create an account for the user at the service provider
- Authorize specific services at the service provider
Now, when a user logs in to a Service Provider, SURFconext sends a SAML assertion to the Service Provider via the browser of the user, that contains a:
- User identifier. Al services receive these and are either a configurable Transient or Persistent NameID.
and Additional attributes. These are optional and differ per Service.
Note |
---|
SURFconext's SAML2 implementation adheres to the SAML2int standard 0.2.1. The header on the link above states that work on saml2int has moved to Kantara Initiative. Until further notice, the SAML2int standard SURFconext adheres to remains at 0.2.1. |
Info |
---|
Before you start digging into the theoretical stuff on this page, you might want to start with our 'best practice' page for an introduction to and how attributes are best used. |
Table of Contents |
---|
User identifiers
The user's identity is transmitted in the form of the NameID element. Every IdP must supply a NameID, but for privacy reasons SURFconext will generate a new one, which is duplicated in the attribute eduPersonTargetedID.
To identify a user the Service Provider must use the NameID or eduPersonTargetedID. The NameID is guaranteed to be stable for a fixed user, except in the case of transient identifiers. SURFconext will generate a NameID for each new user. It is unique for the user and specific to the SP, so SP's cannot correlate their received NameID's between each other. There are two types of NameIDs:
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
A persistent NameID contains a unique string identifying the user for this SP and is persisting over multiple sessions.urn:oasis:names:tc:SAML:2.0:nameid-format:transient
A transient NameID contains a unique string identifying the user for this SP during the session. If the user logs in again, a new transient identifier will be generated.
Warning | ||
---|---|---|
| ||
The NameID and eduPersonTargetedID, which is basically a copy of the NameID, is unlikely to change and very privacy aware but can change when service providers or identity provider make critical changes. This can cause user profiles for services to be lost. The NameID, as used in the SAML assertion to a service provider when loggin' on, is generated using the uid, schacHomeOrganization, the Entity ID of the service provider together with a secret that uses a SHA algorithm. Institutions or services that are in production and change one of these attributes, will cause a new NameID and eduPersonTargetedID to be generated by SURFconext when doing so. This can cause loss of access to profiles at services. We will notify identity providers and service providers when we see a change in one of these attributes to prevent user data being lost. |
Changing attributes
As an Identity Provider it is important to realize that changing attributes in production on SURFconext in any way can have an impact on services users have access to. Attributes that you offer to SURFconext are used to create profiles, and data is often linked to them. Changing an attribute in any way can have unwanted results like users that are no longer able to access their valuable data. An example could be to modify the way you fill the email address (amongst others). For example: changing 'student.123456@university.nl' to 'john.doe@university.nl'. Do you plan to do this or do you start a project where this is the case? Contact us and send an email to support@surfconext.nl.
Useful links
- Table with attributes we recommend our institutions to release: https://wiki.surfnet.nl/display/surfconextdev/Vereiste+attributen
- Profile Page https://profile.surfconext.nl/ , showing what attributes are released by your IdP to SURFconext
- For new IdP's or for IdP's that upgrade their environment: system administrators will at some point be asked to share the metadata of their account for analyses. When asked, visit this page and click the 'Mail to SURFconext' button. We will get back to you when we have judged the submitted metadata.This page will also show you the attributes shared and their values.
Attribute schemas
A schema is an abstract representation of an object's characteristics and relationship to other objects.
SURFconext supports two attribute schemas:
urn:oid
schema (SAML2.0 compliant)urn
schema (SAML1.1 compliant)
Both can be used to convey the same information (except for the NameID, which is only available in the urn:oid
schema). By default SURFconext will provide attributes in both schemas as part of the assertion. However it is not recommended to mix the use of the schemas.
Attribute overview
SURFconext supports relaying of the following attributes:
Friendly name | Attribute name | Example |
---|---|---|
SAML NameID element |
Info |
---|
See for the attribute best practice: Attribute best practice |
When a user logs in to a Service Provider, SURFconext sends a SAML assertion to the Service Provider, containing:
- user identifier (transient/persistent NameID)
additional attributes (optional)
Note |
---|
SURFconext's SAML2 implementation adheres to the SAML2int standard 0.2.1. |
In this section we will show you which attributes SURFconext and their Identity Providers have to offer.
Table of Contents |
---|
User identifiers
The user's identity is transmitted in the form of the NameID element. Every IdP must supply a NameID, but for privacy reasons SURFconext will generate a new one, which is duplicated in the attribute eduPersonTargetedID.
To identify a user the Service Provider must use the NameID or eduPersonTargetedID. The NameID is guaranteed to be stable for a fixed user, except in the case of transient identifiers. SURFconext will generate a NameID for each new user. It is unique for the user and specific to the SP, so SP's cannot correlate their received NameID's between each other. There are two types of NameIDs:
...
Warning | ||
---|---|---|
| ||
The NameID and eduPersonTargetedID, which is basically a copy of the NameID, is unlikely to change and very privacy aware but can change when service providers or identity provider make critical changes . This can cause user profiles for services to be lost. The NameID, as used in the SAML assertion to a service provider when loggin' on, is generated using the uid, schacHomeOrganization, the Entity ID of the service provider together with a secret that uses a SHA algorithm. Institutions or services that are in production and change one of these attributes, will cause a new NameID and eduPersonTargetedID to be generated by SURFconext when doing so. This can cause loss of access to profiles at services. We will notify identity providers and service providers when we see a change in one of these attributes to prevent user data being lost. |
Useful links
If you have an account at an institution you can get information about attributes shared with SURFconext by visiting our profile page. This page gives you insight in which personal data, provided by your institution via SURFconext, has been forwarded to which service and what they look like. For new IdP's or for IdP's that upgrade their environment, system administrators will at some point be asked to share the metadata of their account for analyses. When asked, visit this page and click the 'Mail to SURFconext' button. We will get back to you when we have judged the submitted metadata.This page will also show you the attributes shared and their values.
- Profile Page https://profile.surfconext.nl/
- Mail response from Identity Provider to SURFconext or review your attributes: https://engine.surfconext.nl/authentication/sp/debug
Attribute schemas
A schema is an abstract representation of an object's characteristics and relationship to other objects.
SURFconext supports two attribute schemas:
urn:oid
schema (SAML2.0 compliant)urn
schema (SAML1.1 compliant)
Both can be used to convey the same information (except for the NameID, which is only available in the urn:oid
schema). By default SURFconext will provide attributes in both schemas as part of the assertion. However it is not recommended to mix the use of the schemas.
Attribute overview
SURFconext supported relaying of the following attributes:
Friendly name | Attribute name | Definition | Data type | Example | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
(NameID) | eduPerson (1) | UTF8 string | bd09168cf0c2e675b2def0ade6f50b7d4bb4aae | |||||||||||
urn:mace:dir:attribute-def:sn | X.520 | UTF8 string | Vermeegen | |||||||||||
urn:mace:dir:attribute-def:givenName | X.520 | UTF8 string | Mërgim Lukáš | |||||||||||
urn:mace:dir:attribute-def:cn | X.520 | UTF8 String | Prof.dr. Mërgim Lukáš Vermeegen | |||||||||||
Display name | RFC2798bd09168cf0c2e675b2def0ade6f50b7d4bb4aae | UTF8 String | Prof.dr. Mërgim L. Vermeegen | |||||||||||
urn:mace:dir:attribute-def:sn | Doe Vermeegen | |||||||||||||
urn:mace:dir:attribute-def:mailgivenName | RFC-5322 address | m.l.vermeegen@university.example.org | 4.42 | John Mërgim Lukáš Þrúður | ||||||||||
urn:mace:dir:attribute-def:cn | John Doe Prof.dr. Mërgim Lukáš Vermeegen 加来 千代, PhD. | |||||||||||||
urn:mace:terena.org:attribute-def:schacHomeOrganization displayName | RFC-1035 domain string | example.nl | 241 | Dr. John Doe Prof.dr. Mërgim L. Vermeegen 加来 千代, PhD. | ||||||||||
urn:mace:terena.orgdir:attribute-def:schacHomeOrganizationType mail | m.25178l.1vermeegen@university.2example.10 | org maarten.'t.hart@uniharderwijk.nl "very.unusual.@.but valid.nonetheless"@example.com mlv@[IPv6:2001:db8::1234:4321] | ||||||||||||
RFC-2141 URN | urn:mace:terena.org:schac:homeOrganizationType:int:university | urn:mace:terena.org:schac:homeOrganizationType:es:opi | Employee/student number | urn:schac:attribute-def: | schacPersonalUniqueCodeschacHomeOrganization | 149 | Schac | RFC-2141 URN | urn:schac:personalUniqueCode:nl:local:example.edu:employeeid:x12-3456 urn:schac:personalUniqueCode:nl:local:example.nl:studentid:s1234567 | example.nl something.example.org | ||||
urn:mace:terena.org: | urn:mace:dir:attribute-def:eduPersonAffiliationschacHomeOrganizationType | eduPerson (1) | Enum type (UTF8 String) | employee, student, faculty, member, affiliate, pre-student | 2.10 | urn:mace:terena.org:schac:homeOrganizationType:int:university urn:mace:terena.org:schac:homeOrganizationType:es:opi | ||||||||
Employee/student number | Scoped affiliation | urn:mace:dir:attribute-def:eduPersonScopedAffiliation urn:schac:attribute-def:schacPersonalUniqueCode
25178.1. 12. 1.9 | eduPerson (1) | UTF8 String user@domain | 14 | urn:schac:personalUniqueCode:nl:local:example.edu:employeeid:x12-3456 urn:schac:personalUniqueCode:nl:local:example.nl:studentid:s1234567 | ||||||||
student@uniharderwijk.nl | urn:mace:dir:attribute-def:eduPersonEntitlementeduPersonAffiliation | RFC-2141 URN | to be determined per service (see Standardized values for eduPersonEntitlement) | employee, student, faculty, member, affiliate, pre-student | ||||||||||
Scoped affiliation | urn:mace:dir:attribute-def:eduPersonScopedAffiliation | urn:mace:dir:attribute-def:eduPersonPrincipalName | urn:oid:1.3.6.1.4.1.5923.1.1.1. | 6eduPerson (1) | UTF8 String | piet.jønsen@example.edu | 9 | student@uniharderwijk.nl employee@uniharderwijk.nl | ||||||
urn:mace:dir:attribute-def:isMemberOfeduPersonEntitlement | eduMember | RFC-2141 URN | urn:collab:org:surf.nl | 7 | to be determined per service (see Standardized values for eduPersonEntitlement) | |||||||||
urn:mace:dir:attribute-def:uid eduPersonPrincipalName | UTF8 String | s9603145 | .6 | piet.jønsen@example.edu not.a@vålîd.émail.addreß | ||||||||||
urn:mace:dir:attribute-def:preferredLanguageisMemberOf | List of BCP47 language tags | nl | 1 | urn:collab:org:surf.nl urn:collab:org:clarin.org | ||||||||||
ORCID | urn:mace:dir:attribute-def: | eduPersonORCIDuid | 10. | 39. | 62342. | 119200300. | 4100.1. | 5923.1 | .1.1.16eduPerson (1) | URL registered with ORCID.org | http://orcid.org/0000-0002-1825-0097 | s9603145 flåp@example.edu | ||
ECK ID | surf.nl | eckid | SURF / Edu-K | URL conform Edu-K specification | https://ketenid.nl/spv1/eacf3765ad342feb5f65c2bf8194b4ccc3d68cec3c01d3c260636747a2b06d092fcc3a8d655bbdc4 ae7d815ed005cf3a11fe9cab2365f95da3e9965501f7c98e |
Note that not all identity providers might make all attributes available.
(1) eduPerson Object Class Specification (201602): http://software.internet2.edu/eduperson/internet2-mace-dir-eduperson-201602.html
Warning | ||
---|---|---|
| ||
There is a minimum amount of attributes to supply when you connect your IdP to SURFconext. Not supplying the attributes urn:mace:dir:attribute-def:uid and urn:mace:terena.org:attribute-def:schacHomeOrganization will cause a fatal error because those are needed to generate the NameID. Your IdP cannot be connected to SURFconext without these. Not supplying the attributes urn:mace:dir:attribute-def:displayName and urn:mace:dir:attribute-def:mail will cause a warning. A lot of services depend on these. The above mentioned are the bare minimum and will probably result in services not being able to connect to your institution. As a rule of thumb, supply the attributes as depicted on this page or those depicted in the configuration manuals on the page (Dutch) 'Handleidingen en Richtlijnen'. |
preferredLanguage | nl nl, en-gb;q=0.8, en;q=0.7 | |
ORCID | urn:mace:dir:attribute-def:eduPersonORCID urn:oid:1.3.6.1.4.1.5923.1.1.1.16 | http://orcid.org/0000-0002-1825-0097 |
ECK ID | urn:mace:surf.nl:attribute-def:eckid | https://ketenid.nl/spv1/eacf3765ad342...cf3a11fe9cab2365f95da3e9965501f7c98e (Attribute made shorter for readability) |
SURF CRM ID | urn:mace:surf.nl:attribute-def:surf-crm-id | ad93daef-0911-e511-80d0-005056956c1a |
MS AuthnMethodsReferences | http://schemas.microsoft.com/claims/authnmethodsreferences | urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport http://schemas.microsoft.com/claims/multipleauthn |
Note that not all identity providers might make all attributes available.
(1) eduPerson Object Class Specification (201602): https://wiki.refeds.org/pages/viewpage.action?pageId=44957738
Info | ||
---|---|---|
| ||
SURFconext considers the attributes | ||
Info | ||
| ||
SURFconext considers the attributes nlEduPersonOrgUnit, nlEduPersonStudyBranch and nlStudielinkNummer deprecated. When you register a new IdP or SP at SURFconext, these attributes will not be allowed for use with SURFconext. Existing IdP's and SP can use these attributes until further notice. |
...
urn:mace | urn:mace:terena.org:attribute-def:schacHomeOrganization |
urn:oid | urn:oid:1.3.6.1.4.1.25178.1.2.9 |
Multiplicity | single-valued |
Data type | RFC-1035 domain string. The domain MUST be a secondary-level domain that is under control by the institution. Preferably, the institution's main domain name should be used. |
Description | The user's organization using the organization's domain name; syntax in accordance with RFC 1035. |
Examples | uniharderwijk.nl |
Notes |
|
...
urn:mace | urn:mace:dir:attribute-def:eduPersonAffiliation |
urn:oid | urn:oid:1.3.6.1.4.1.5923.1.1.1.1 |
Multiplicity | multi-valued |
Data type | UTF8 String (only the values enumerated below are allowed) |
Description | Indicates the relationship between the user and his home organization (institution). The following values are permitted within SURFconext:
Use the above mentioned definitions to determine which affiliation a user gets. If the definitions are not sufficient, please use common sense. |
Examples | see above |
Notes |
|
...
Use the above mentioned definitions to determine which affiliation a user gets. If the definitions are not sufficient, please use common sense. | |
Examples | see above |
Notes |
|
Anchor | ||||
---|---|---|---|---|
|
urn:mace | urn:mace:dir:attribute-def:eduPersonScopedAffiliation |
urn:oid | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 |
Multiplicity | multi-valued |
Data type | UTF8 String of the form affiliation@domain (see below) |
Description | Indicates the relationship between the user and the domain of his home organization. The affiliation part must be one of the allowed values of the eduPersonAffiliation attribute (see definition right above). The value is the role of the user and the domain name of the organisation. eduPersonScopedAffiliation can hence be defined as: <eduPersonAffiliation> "@" <schacHomeOrganization>. Just like eduPersonScopedAffiliation, this is a multi valued attribute. The domain part must be the schacHomeOrganization of the user (or a subdomain thereof). |
Examples | student@uniharderwijk.nl faculty@uniharderwijk.nl |
Notes |
|
Anchor | ||||
---|---|---|---|---|
|
urn:mace | urn:mace:dir:attribute-def:eduPersonEntitlement |
urn:oid | urn:oid:1.3.6.1.4.1.5923.1.1.1.7 |
Multiplicity | multi-value |
Data type | RFC-2141 URN |
Description | entitlement; custom URI (URL or URN) that indicates an entitlement to something. |
Examples |
|
Notes |
|
Anchor | ||||
---|---|---|---|---|
|
urn:mace | urn:mace:dir:attribute-def: | eduPersonScopedAffiliationeduPersonPrincipalName |
urn:oid | urn:oid:1.3.6.1.4 .1.1466.115.121.1.15 | |
Multiplicity | multi-valued | |
Data type | UTF8 String of the form affiliation@domain (see below) | |
Description | Indicates the relationship between the user and the domain of his home organization. The affiliation part must be one of the allowed values of the eduPersonAffiliation attribute (see definition right above). The value is the role of the user and the domain name of the organisation. eduPersonScopedAffiliation can hence be defined as: <eduPersonAffiliation> "@" <schacHomeOrganization>. Just like eduPersonScopedAffiliation, this is a multi valued attribute. The domain part must be the schacHomeOrganization of the user (or a subdomain thereof). | |
Examples | student@uniharderwijk.nl faculty@uniharderwijk.nl | |
Notes |
|
...
urn:mace
...
urn:mace:dir:attribute-def:eduPersonEntitlement
...
urn:oid
...
urn:oid:1.3.6.1.4.1.5923.1.1.1.7
...
Multiplicity
...
multi-value
...
Description
...
entitlement; custom URI (URL or URN) that indicates an entitlement to something.
...
urn:mace:terena.org:tcs:personal-admin
urn:x-surfnet:surfdomeinen.nl:role:dnsadmin
...
Notes
...
- This attribute can be used to communicate entitlements, roles, etc, from identity providers to services, which can be used, for example, for authorization.
- The values of this attribute are scoped to the identity provider that is authoritative for the attribute.
- Formatting rules apply: See also the SURFconext entitlement name-spacing policy.
.1.5923.1.1.1.6 | |
Multiplicity | single-valued |
Data type | UTF8 String of the form user@scope |
Description | Unique identifier for a user. |
Examples | piet.jønsen@example.e not.a@vålîd.émail.addreß |
Notes |
|
Anchor | ||||
---|---|---|---|---|
|
...
urn:mace | urn:mace:dir:attribute-def:eduPersonPrincipalNameisMemberOf |
urn:oid | urn:oid:1.3.6.1.4.1.5923.1.5.1.1.6 |
Multiplicity | singlemulti-valued |
Data typeUTF8 String of the form user@scope | RFC-2141 URN |
DescriptionUnique | identifier for a user. Lists the collaborative organizations the user is a member of. |
Examples | piet.jønsen@example.e not.a@vålîd.émail.addreß |
Notes |
|
...
urn:collab:org:surf.nl | |
Notes |
|
Anchor | ||||
---|---|---|---|---|
|
urn:mace | urn:mace:dir:attribute-def:preferredLanguage |
urn:oid | urn:oid:2.16.840.1.113730.3.1.39 |
Multiplicity | single-valued |
Data type | RFC2798 BCP47 |
Description | a two-letter abbreviation for the preferred language according to the ISO 639 language abbreviation code table; no subcodes. |
Examples | nl |
Notes | Used to indicate an individual's preferred written or spoken language. This is useful for international correspondence or human-computer interaction. Values for this attribute type MUST conform to the definition of the Accept-Language header field defined in RFC 2068 with the exception that the value " |
Anchor | ||||
---|---|---|---|---|
|
...
urn:mace | urn:mace:dir:attribute-def:isMemberOfeduPersonTargetedID |
urn:oid | urn:oid:1.3.6.1.4.1.5923.1.51.1.110 |
Multiplicity | multisingle-valued |
Data type | RFC-2141 URN |
Description | Lists the collaborative organizations the user is a member of. |
Examples | urn:collab:org:surf.nl |
Notes |
|
...
UTF8 string (unbounded) | |
Description | The attribute eduPersonTargetedID is a copy of the persistent Subject -> NameID, which is generated by SURFconext itself. When an Identity Provider provides the eduPersonTargetedID itself, it is always overwritten by SURFconext. |
Examples | bd09168cf0c2e675b2def0ade6f50b7d4bb4aae |
Notes | This attribute is created because the Subject -> NameID itself is not part of the SAML v2.0 response and therefore only is available for an application if the local SAML implementation explicitly supports this. Within SURFconext the Subject -> NameID is explicitly copied into the |
Anchor | ||||
---|---|---|---|---|
|
urn:mace | urn:mace:dir:attribute-def: |
eduPersonOrcid | |
urn:oid | urn:oid: |
1.3.6.1.4.1.5923. |
1. |
1.1. |
16 |
Multiplicity |
multi-valued (see remark below) |
Data type |
Description
a two-letter abbreviation for the preferred language according to the ISO 639 language abbreviation code table; no subcodes.
nl
en
Notes
Used to indicate an individual's preferred written or spoken language. This is useful for international correspondence or human-computer interaction. Values for this attribute type MUST conform to the definition of the Accept-Language header field defined in RFC 2068 with the exception that the value ":
" should be omitted.
...
URL, registered with ORCID.org | |
Description | The ORCID is a persistent digital identifier that distinguishes the account holder from every other researcher. Through integration in research workflows such as manuscript and grant submission, the ORCID identifier supports automated linkages between the account holder and his/her professional activities ensuring that the account holder's work is recognized. Values MUST be valid ORCID identifiers in the ORCID preferred URL representation, i.e. http://orcid.org/0000-0002-1825-0097 |
Examples | |
Notes | Although the attribute is in theory multi-valued, in practice it probably makes sense that it has no more than one value. |
Anchor | ||||
---|---|---|---|---|
|
...
urn:mace | urn:mace: |
surf.nl:attribute-def: |
eckid |
urn:oid |
- | |
Multiplicity | single-valued |
Data type |
Description
The attribute eduPersonTargetedID is a copy of the persistent Subject -> NameID, which is generated by SURFconext itself. When an Identity Provider provides the eduPersonTargetedID itself, it is always overwritten by SURFconext.
Notes
This attribute is created because the Subject -> NameID itself is not part of the SAML v2.0 response and therefore only is available for an application if the local SAML implementation explicitly supports this. Within SURFconext the Subject -> NameID is explicitly copied into the eduPersonTargetedID
attribute, in order for the identifier to be used like any other attribute, but only when NameID is configured to be persistent (as the eduPerson definition of eduPersonTargetedID requires it to be persistent)
...
URL as specified by Edu-K, all-lowercase | |
Description | Educatieve Content Keten Identifier (ECK ID) is a pseudonymous identifier for access to content for primary, secondary and vocational education. |
Examples |
|
Notes | This attribute may only be used for “the access to and use of digital learning resources or the digital administration of tests and exams”. For more information see https://www.eck-id.nl (Dutch). Also, if you query this claim information from an external data stores, such as an Enterprise Active Directory, Lightweight Directory Access Protocol (LDAP) directories or a Microsoft SQL Server, you can also define custom attribute stores to query the ECK ID claim from external data stores. Read this Microsoft blog to get to know more. |
Anchor | ||||
---|---|---|---|---|
|
...
urn:mace | urn:mace: dirsurf.nl:attribute-def: eduPersonOrcidsurf-crm-id |
urn:oid | urn:oid:1.3.6.1.4.1.1076.592320.1100.110.150.162 |
Multiplicity | multisingle-valued (see remark below) |
Data type | URL, registered with ORCID.orgMicrosoft GUID |
Description | The ORCID is a persistent digital identifier that distinguishes the account holder from every other researcher. Through integration in research workflows such as manuscript and grant submission, the ORCID identifier supports automated linkages between the account holder and his/her professional activities ensuring that the account holder's work is recognized. Values MUST be valid ORCID identifiers in the ORCID preferred URL representation, i.e. http://orcid.org/0000-0002-1825-0097 |
Examples | |
Notes | For more information see https://www.surf.nl/en/news/2016/02/global-author-identifier-service-orcid-now-available-through-surfconext-and-edugain.html Although the attribute is in theory multi-valued, in practice it probably makes sense that it has no more than one value. |
...
GUID of the organization to which the IdP belongs, as used in the SURF CRM. | |
Examples | ad93daef-0911-e511-80d0-005056956c1a |
Notes | SURF specific and only to be used by SURF SPs that have to interface with the SURF CRM. Only to be used after consultation with SURFnet. |
Anchor | ||||
---|---|---|---|---|
|
Name | http://schemas.microsoft.com/claims/authnmethodsreferences |
Multiplicity | multi-valued |
Data type | URI |
Description | The AuthnContext-referenties involved in authenticating the current user on their home IdP. |
Examples |
|
Opmerkingen |
|
...
urn:mace
urn:mace:surf.nl:attribute-def:eckid
urn:oid
-
Multiplicity
single-valued
URL as specified by Edu-K, all-lowercase
Description
Educatieve Content Keten Identifier (ECK ID) is a pseudonymous identifier for access to content for primary, secondary and vocational education.
https://ketenid.nl/spv1/eacf3765ad342feb5f65c2bf8194b4ccc3d68cec3c01d3c26063 6747a 2b06d092fcc3a8d655bbdc4 ae7d815ed005cf3a11fe9cab 2365f95da3e9965501f7c98e
Notes