...
Note |
---|
SURFconext's SAML2 implementation adheres to the SAML2int standard, version 0.2.1. The header of the linked document states that work on saml2int has moved to the Kantara Initiative. True as this is, the SAML2int version SURFconext adheres to remains 0.2.1 until further notice. |
Info |
---|
Before you start digging into the theoretical material on this page, you might want to start with our 'best practice' page for an introduction to attributes and how they are best used. |
...
Warning |
---|
The NameID (and eduPersonTargetedID, which is essentially a copy of the NameID) is persistent and privacy-preserving: each service provider receives its own value for a user, so services cannot correlate users among themselves. It does change, however, when a service provider or identity provider makes a critical change to one of its inputs, and that can cause user profiles at services to be lost. SURFconext generates the NameID that is sent in the SAML assertion to a service provider at login from the user's uid, the schacHomeOrganization, the entity ID of the service provider and a secret, combined with a SHA hash. If an institution or service that is in production changes any one of these inputs (for example the SP's entity ID, or the values of uid or schacHomeOrganization released by the IdP), SURFconext will generate a new NameID and eduPersonTargetedID for every affected user, and their profiles at services can become unreachable. We notify identity providers and service providers when we see a change in one of these attributes, to prevent user data being lost. |
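The Python block below is an added example, not SURFconext's code. It derives a per-service pseudonym from exactly the inputs the warning names (uid, schacHomeOrganization, the SP entity ID and a secret). The choice of HMAC-SHA256 is an assumption: the page only says a SHA algorithm with a secret is used, and the real construction and secret are not published. The secret, uid and entity IDs are constructed for the example. It shows why the value is stable across logins and unlinkable across SPs, and why changing any single input silently produces a new identifier, which is the profile-loss scenario the warning describes.

```python
import hashlib
import hmac

# Constructed example key. SURFconext's real secret, and its exact construction,
# are not published; this block only illustrates the property described above.
EXAMPLE_SECRET = b"constructed-example-secret-not-surfconext"


def derive_nameid(uid: str, schac_home_org: str, sp_entity_id: str,
                  secret: bytes = EXAMPLE_SECRET) -> str:
    """Derive a persistent, per-SP pseudonym from the inputs the warning names.

    Assumption: the three inputs are joined with a NUL separator and fed to
    HMAC-SHA256 under the secret. The separator matters: plain concatenation
    would let ("ab", "c") and ("a", "bc") collide on the same identifier.
    """
    parts = (uid, schac_home_org, sp_entity_id)
    if any("\x00" in p for p in parts):
        raise ValueError("identifier inputs must not contain NUL")
    material = "\x00".join(parts).encode("utf-8")
    return hmac.new(secret, material, hashlib.sha256).hexdigest()


def demonstrate() -> dict:
    """Show the properties the warning relies on, on constructed input."""
    sp = "https://sp.example.org/saml/metadata"  # constructed entity ID
    base = derive_nameid("s1234567", "example.nl", sp)
    return {
        # same user, same IdP, same SP: the value never changes between logins
        "stable": base == derive_nameid("s1234567", "example.nl", sp),
        # same user seen by a different SP: unrelated value, so SPs cannot correlate users
        "pairwise": base != derive_nameid("s1234567", "example.nl",
                                         "https://other.example.org/saml/metadata"),
        # the IdP changes its schacHomeOrganization: every NameID it releases changes
        "breaks_on_org_change": base != derive_nameid("s1234567", "example.org", sp),
        # the SP changes its entity ID: same effect, for that SP only
        "breaks_on_sp_change": base != derive_nameid("s1234567", "example.nl", sp + "/v2"),
    }


if __name__ == "__main__":
    for prop, holds in demonstrate().items():
        print(f"{prop}: {holds}")
```

The practical consequence for operators is the one the warning gives: treat the SP entity ID and the IdP's uid and schacHomeOrganization values as part of the user identity, and coordinate any change with SURFconext before it reaches production.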
Useful links
...
- Table with attributes we recommend our institutions to release: https://wiki.surfnet.nl/display/surfconextdev/Vereiste+attributen
- Profile page, showing which attributes your IdP releases to SURFconext: https://profile.surfconext.nl/
- For new IdPs, or IdPs that upgrade their environment: system administrators will at some point be asked to share the metadata of their account for analysis. When asked, visit the debug page below and click the 'Mail to SURFconext' button; we will get back to you once we have reviewed the submitted metadata. The page also shows the attributes shared and their values.
- Mail the response from your Identity Provider to SURFconext, or review your attributes: https://engine.surfconext.nl/authentication/sp/debug
Attribute schemas
A schema is an abstract representation of an object's characteristics and relationship to other objects.
...
Friendly name | Attribute name | Definition | Data type | Example |
---|---|---|---|---|
NameID / eduPersonTargetedID | (NameID) | eduPerson (1) | UTF8 string | bd09168cf0c2e675b2def0ade6f50b7d4bb4aae |
Surname | urn:mace:dir:attribute-def:sn | X.520 | UTF8 string | Doe; Vermeegen |
Given name | urn:mace:dir:attribute-def:givenName | X.520 | UTF8 string | John; Mërgim; Lukáš; Þrúður |
Common name | urn:mace:dir:attribute-def:cn | X.520 | UTF8 string | John Doe; Prof.dr. Mërgim Lukáš Vermeegen; 加来 千代, PhD. |
Display name | urn:mace:dir:attribute-def:displayName | | UTF8 string | Dr. John Doe; Prof.dr. Mërgim L. Vermeegen; 加来 千代, PhD. |
E-mail address | urn:mace:dir:attribute-def:mail | | RFC 5322 address | m.l.vermeegen@university.example.org; maarten.'t.hart@uniharderwijk.nl; "very.unusual.@.but valid.nonetheless"@example.com; mlv@[IPv6:2001:db8::1234:4321] |
Home organization | urn:mace:terena.org:attribute-def:schacHomeOrganization | Schac | RFC 1035 domain string | example.nl; something.example.org |
Home organization type | urn:mace:terena.org:attribute-def:schacHomeOrganizationType | Schac | RFC 2141 URN | urn:mace:terena.org:schac:homeOrganizationType:int:university; urn:mace:terena.org:schac:homeOrganizationType:es:opi |
Employee/student number | urn:schac:attribute-def:schacPersonalUniqueCode | Schac | RFC 2141 URN | urn:schac:personalUniqueCode:nl:local:example.edu:employeeid:x12-3456; urn:schac:personalUniqueCode:nl:local:example.nl:studentid:s1234567 |
Affiliation | urn:mace:dir:attribute-def:eduPersonAffiliation | eduPerson (1) | Enum (UTF8 string) | employee, student, faculty, member, affiliate, pre-student (staff is deprecated; library-walk-in and alum are not allowed) |
Scoped affiliation | urn:mace:dir:attribute-def:eduPersonScopedAffiliation (urn:oid:1.3.6.1.4.1.5923.1.1.1.9) | eduPerson (1) | UTF8 string of the form affiliation@scope | student@uniharderwijk.nl; employee@uniharderwijk.nl |
Entitlement | urn:mace:dir:attribute-def:eduPersonEntitlement | eduPerson (1) | RFC 2141 URN | to be determined per service (see Standardized values for eduPersonEntitlement) |
Principal name | urn:mace:dir:attribute-def:eduPersonPrincipalName | eduPerson (1) | UTF8 string of the form user@scope | piet.jønsen@example.edu; not.a@vålîd.émail.addreß |
Group membership | urn:mace:dir:attribute-def:isMemberOf | eduMember | RFC 2141 URN | urn:collab:org:surf.nl; urn:collab:org:clarin.org |
User ID | urn:mace:dir:attribute-def:uid | | UTF8 string | s9603145; flåp@example.edu |
Preferred language | urn:mace:dir:attribute-def:preferredLanguage | | List of BCP 47 language tags | nl, or a weighted list such as nl, en-gb;q=0.8, en;q=0.7 |
ORCID | urn:mace:dir:attribute-def:eduPersonORCID (urn:oid:1.3.6.1.4.1.5923.1.1.1.16) | eduPerson (1) | URL registered with ORCID.org | http://orcid.org/0000-0002-1825-0097 |
ECK ID | urn:mace:surf.nl:attribute-def:eckid | SURF / Edu-K | URL conforming to the Edu-K specification | https://ketenid.nl/spv1/eacf3765ad342...cf3a11fe9cab2365f95da3e9965501f7c98e (value shortened for readability) |
SURF CRM ID | urn:mace:surf.nl:attribute-def:surf-crm-id | SURF | GUID of the institution as used in the SURF CRM | ad93daef-0911-e511-80d0-005056956c1a |
Note that not all identity providers make all attributes available.
(1) eduPerson Object Class Specification (201602): http://software.internet2.edu/eduperson/internet2-mace-dir-eduperson-201602.html; the eduPerson schema is now maintained by REFEDS (https://wiki.refeds.org/).
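A service provider that makes authorization decisions on these attributes should validate the values it receives against the data types in the table before using them. The Python block below is an added example, not SURFconext's or any SP's code. The constraints it enforces (the allowed eduPersonAffiliation values, the URN, domain, GUID and ORCID URL shapes, and which attributes are single-valued) come from the table and the detailed descriptions on this page. The rule that an eduPersonScopedAffiliation scope must equal the IdP's own schacHomeOrganization, the ORCID check-digit test (ISO 7064 MOD 11-2, the scheme ORCID iDs are built with), the attribute name constants and the two sample assertions are assumptions of the example.

```python
import re
from typing import Dict, List

# Constraints below are taken from the attribute table. The scope rule, the
# check-digit test and the sample assertions are assumptions of this example.
ALLOWED_AFFILIATIONS = {"employee", "student", "faculty", "member", "affiliate", "pre-student"}
# 'staff' is deprecated and 'library-walk-in'/'alum' are not allowed, so none of them is accepted.
SINGLE_VALUED = (
    "urn:mace:dir:attribute-def:sn",
    "urn:mace:dir:attribute-def:eduPersonPrincipalName",
    "urn:mace:surf.nl:attribute-def:eckid",
    "urn:mace:surf.nl:attribute-def:surf-crm-id",
)
URN_VALUED = (
    "urn:mace:terena.org:attribute-def:schacHomeOrganizationType",
    "urn:schac:attribute-def:schacPersonalUniqueCode",
    "urn:mace:dir:attribute-def:eduPersonEntitlement",
    "urn:mace:dir:attribute-def:isMemberOf",
)
HOME_ORG = "urn:mace:terena.org:attribute-def:schacHomeOrganization"
AFFILIATION = "urn:mace:dir:attribute-def:eduPersonAffiliation"
SCOPED_AFFILIATION = "urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
ORCID = "urn:mace:dir:attribute-def:eduPersonORCID"
CRM_ID = "urn:mace:surf.nl:attribute-def:surf-crm-id"

URN_RE = re.compile(r"^urn:[A-Za-z0-9][A-Za-z0-9-]{0,31}:\S+$")  # RFC 2141 shape
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")
GUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
ORCID_RE = re.compile(r"^https?://orcid\.org/(?:\d{4}-){3}\d{3}[\dX]$")


def orcid_check_digit_ok(url: str) -> bool:
    """ISO 7064 MOD 11-2 check digit over the 15 leading digits of the ORCID iD."""
    digits = url.rsplit("/", 1)[-1].replace("-", "")
    total = 0
    for ch in digits[:-1]:
        total = (total + int(ch)) * 2
    expected = (12 - total % 11) % 11
    actual = 10 if digits[-1] == "X" else int(digits[-1])
    return expected == actual


def validate_attributes(attrs: Dict[str, List[str]]) -> List[str]:
    """Return the problems found in one assertion's attributes; an empty list means accept."""
    problems: List[str] = []
    for name in SINGLE_VALUED:
        if len(attrs.get(name, [])) > 1:
            problems.append(f"{name} must be single-valued")
    home = attrs.get(HOME_ORG, [])
    scope = home[0] if len(home) == 1 and DOMAIN_RE.match(home[0]) else None
    if home and scope is None:
        problems.append("schacHomeOrganization must be exactly one RFC 1035 domain name")
    for v in attrs.get(AFFILIATION, []):
        if v not in ALLOWED_AFFILIATIONS:
            problems.append(f"eduPersonAffiliation value not allowed: {v}")
    for v in attrs.get(SCOPED_AFFILIATION, []):
        affiliation, sep, sc = v.rpartition("@")
        if not sep or affiliation not in ALLOWED_AFFILIATIONS:
            problems.append(f"eduPersonScopedAffiliation malformed: {v}")
        elif scope is not None and sc != scope:
            # Assumption: the scope must equal the asserting IdP's own schacHomeOrganization,
            # otherwise one institution could assert affiliations on behalf of another.
            problems.append(f"eduPersonScopedAffiliation scope {sc} does not match {scope}")
    for name in URN_VALUED:
        for v in attrs.get(name, []):
            if not URN_RE.match(v):
                problems.append(f"{name} value is not an RFC 2141 URN: {v}")
    for v in attrs.get(ORCID, []):
        if not ORCID_RE.match(v) or not orcid_check_digit_ok(v):
            problems.append(f"eduPersonORCID is not a well-formed ORCID URL: {v}")
    for v in attrs.get(CRM_ID, []):
        if not GUID_RE.match(v):
            problems.append(f"surf-crm-id is not a GUID: {v}")
    return problems


# Constructed sample assertions (values taken from the table where the table gives one).
SAMPLE_GOOD = {
    HOME_ORG: ["example.nl"],
    "urn:mace:dir:attribute-def:sn": ["Vermeegen"],
    "urn:mace:dir:attribute-def:eduPersonPrincipalName": ["piet.jønsen@example.edu"],
    AFFILIATION: ["employee", "member"],
    SCOPED_AFFILIATION: ["employee@example.nl"],
    "urn:schac:attribute-def:schacPersonalUniqueCode":
        ["urn:schac:personalUniqueCode:nl:local:example.nl:studentid:s1234567"],
    "urn:mace:dir:attribute-def:isMemberOf": ["urn:collab:org:surf.nl"],
    ORCID: ["http://orcid.org/0000-0002-1825-0097"],
    CRM_ID: ["ad93daef-0911-e511-80d0-005056956c1a"],
}
SAMPLE_BAD = {
    HOME_ORG: ["example.nl"],
    AFFILIATION: ["staff"],                             # deprecated value
    SCOPED_AFFILIATION: ["student@other.example"],      # scope of a different institution
    ORCID: ["https://orcid.org/0000-0002-1825-0098"],   # well-formed but wrong check digit
    CRM_ID: ["not-a-guid"],
}

if __name__ == "__main__":
    print("good:", validate_attributes(SAMPLE_GOOD) or "no problems")
    print("bad:", *validate_attributes(SAMPLE_BAD), sep="\n  ")
```

Run the checks before the values reach any authorization logic, and log the rejected assertion: a scope mismatch or an unexpected affiliation value is usually a misconfigured IdP, but it is also exactly what a compromised or malicious IdP would send.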
...
See also: Minimum requirements for IdPs connecting to SURFconext (pages/viewpage.action?pageId=44957738)
Info |
---|
SURFconext considers the attributes nlEduPersonOrgUnit, nlEduPersonStudyBranch and nlStudielinkNummer deprecated. When you register a new IdP or SP at SURFconext, these attributes will not be allowed. Existing IdPs and SPs can keep using them until further notice. |
Detailed attribute descriptions
See User identifiers.
...
Surname
urn:mace | urn:mace:dir:attribute-def:sn |
urn:oid | urn:oid:2.5.4.4 |
Multiplicity | single-valued |
Data type | UTF8 string (unbounded) |
Description | The surname of a person (including any prefixes such as “van”, “de”, “von”), used for personalization; this can be a combination of existing attributes. |
Examples | Vermeegen; 孝慈 |
Notes | |
Given name
urn:mace | urn:mace:dir:attribute-def:givenName |
urn:oid | urn:oid:2.5.4.42 |
Multiplicity | single-valued |
Data type | UTF8 string (unbounded) |
Description | Given name, also known as first name, forename or Christian name / “name known by”; combinations of title, initials and “name known by” are possible. |
Examples | Jan Klaassen; Mërgim K. Lukáš; Þrúður |
Notes | |

Common name
urn:mace | urn:mace:dir:attribute-def:cn |
urn:oid | urn:oid:2.5.4.3 |
Multiplicity | multi-valued |
Data type | UTF8 string (unbounded) |
Description | Full name. |
Examples | Prof.dr. Mërgim Lukáš Vermeegen 加来 千代, PhD. |
Notes | For example, a typical name of a person in an English-speaking country comprises a personal title (e.g. Mr., Ms., Rd, Professor, Sir, Lord), a first name, middle name(s), last name, generation qualifier (if any, e.g. Jr.) and decorations and awards (if any, e.g. CBE). |
...
urn:mace | urn:mace:dir:attribute-def:eduPersonPrincipalName |
urn:oid | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 |
Multiplicity | single-valued |
Data type | UTF8 String of the form user@scope |
Description | Unique identifier for a user. |
Examples | piet.jønsen@example.edu; not.a@vålîd.émail.addreß |
Notes | Although an ePPN has the form user@scope, it is an identifier, not necessarily a deliverable e-mail address (see the second example); use the mail attribute when you need to send e-mail. |
...
urn:mace | urn:mace:surf.nl:attribute-def:eckid |
urn:oid | - |
Multiplicity | single-valued |
Data type | URL as specified by Edu-K, all-lowercase |
Description | Educatieve Content Keten Identifier (ECK ID) is a pseudonymous identifier for access to content for primary, secondary and vocational education. |
Examples | https://ketenid.nl/spv1/eacf3765ad342...cf3a11fe9cab2365f95da3e9965501f7c98e (value shortened for readability) |
Notes | This attribute may only be used for “the access to and use of digital learning resources or the digital administration of tests and exams”. For more information see https://www.eck-id.nl (Dutch). If the ECK ID has to be read from an external data store, such as an enterprise Active Directory, an LDAP directory or a Microsoft SQL Server, you can define a custom attribute store (an AD FS feature) to query the ECK ID claim from that store; Microsoft has published a blog post explaining how. |
Anchor | ||||
---|---|---|---|---|
|
urn:mace | urn:mace:surf.nl:attribute-def:surf-crm-id |
urn:oid | urn:oid:1.3.6.1.4.1.1076.20.100.10.50.2 |
Multiplicity | single-valued |
Data type | Microsoft GUID |
Description | GUID of the organization to which the IdP belongs, as used in the SURF CRM. |
Examples | ad93daef-0911-e511-80d0-005056956c1a |
Notes | SURF specific and only to be used by SURF SPs that have to interface with the SURF CRM. Only to be used after consultation with SURFnet. |