Versions Compared

Old Version 191

changes.mady.by.user André Klaver

Saved on

compared with

New Version 197

changes.mady.by.user Raoul Teeuwen

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Warning
titleRemark

The NameID and eduPersonTargetedID, which is basically a copy of the NameID, is unlikely to change and very privacy aware but can change when service providers or identity provider make critical changes . This can cause user profiles for services to be lost. The NameID, as used in the SAML assertion to a service provider when loggin' on, is generated using the uid, schacHomeOrganization, the Entity ID of the service provider together with a secret that uses a SHA algorithm. Institutions or services that are in production and change one of these attributes, will cause a new NameID and eduPersonTargetedID to be generated by SURFconext when doing so. This can cause loss of access to profiles at services. We will notify identity providers and service providers when we see a change in one of these attributes to prevent user data being lost.

Useful links

...

...

  • : system administrators will at some point be asked to share the metadata of their account for analyses. When asked, visit this page and click the 'Mail to SURFconext' button. We will get back to you when we have judged the submitted metadata.This page will also show you the attributes shared and their values

...

  • Profile Page https://profile.surfconext.nl/
  • Mail response from Identity Provider to SURFconext or review your attributes: https://engine.surfconext.nl/authentication/sp/debug

Attribute schemas

A schema is an abstract representation of an object's characteristics and relationship to other objects.

...

Friendly name

Attribute name

Definition

Data type

Example

ID

(NameID)
urn:mace:dir:attribute-def:eduPersonTargetedID
urn:oid:1.3.6.1.4.1.5923.1.1.1.10

eduPerson (1)

UTF8 string
(unbounded)

bd09168cf0c2e675b2def0ade6f50b7d4bb4aae

Surname

urn:mace:dir:attribute-def:sn
urn:oid:2.5.4.4

X.520

UTF8 string
(unbounded)

Doe

Vermeegen
孝慈

Given name or first name

urn:mace:dir:attribute-def:givenName
urn:oid:2.5.4.42

X.520

UTF8 string
(unbounded)

John

Mërgim Lukáš

Þrúður

Common name or Full Name

urn:mace:dir:attribute-def:cn
urn:oid:2.5.4.3

X.520

UTF8 String
(unbounded)

John Doe

Prof.dr. Mërgim Lukáš Vermeegen

加来 千代, PhD.

Display name

urn:mace:dir:attribute-def:displayName
urn:oid:2.16.840.1.113730.3.1.241

RFC2798

UTF8 String
(unbounded)

Dr. John Doe

Prof.dr. Mërgim L. Vermeegen

加来 千代, PhD.

Email address

urn:mace:dir:attribute-def:mail
urn:oid:0.9.2342.19200300.100.1.3

RFC4524

RFC-5322 address
(max 256 chars)

m.l.vermeegen@university.example.org

maarten.'t.hart@uniharderwijk.nl 

"very.unusual.@.but valid.nonetheless"@example.com

mlv@[IPv6:2001:db8::1234:4321]

Organization

urn:mace:terena.org:attribute-def:schacHomeOrganization
urn:oid:1.3.6.1.4.1.25178.1.2.9

Schac

RFC-1035 domain string

example.nl

something.example.org  

Organization Type

urn:mace:terena.org:attribute-def:schacHomeOrganizationType
urn:oid:1.3.6.1.4.1.25178.1.2.10

Schac

RFC-2141 URN
see Schac standard  

urn:mace:terena.org:schac:homeOrganizationType:int:university

urn:mace:terena.org:schac:homeOrganizationType:es:opi

Employee/student number

urn:schac:attribute-def:schacPersonalUniqueCode
urn:oid:1.3.6.1.4.1.25178.1.2.14

Schac

RFC-2141 URN
see SURFnet registry 

urn:schac:personalUniqueCode:nl:local:example.edu:employeeid:x12-3456

urn:schac:personalUniqueCode:nl:local:example.nl:studentid:s1234567

Affiliation

urn:mace:dir:attribute-def:eduPersonAffiliation
urn:oid:1.3.6.1.4.1.5923.1.1.1.1

eduPerson (1)

Enum type (UTF8 String)

employee, student, faculty, member, affiliate, pre-student

(staff is deprecated; library-walk-in, alum are not allowed)

Scoped affiliationurn:mace:dir:attribute-def:eduPersonScopedAffiliation
urn:oid:1.3.6.1.4.1.5923.1.1.1.9		eduPerson (1)UTF8 String
user@domain

student@uniharderwijk.nl

employee@uniharderwijk.nl

Entitlement

urn:mace:dir:attribute-def:eduPersonEntitlement
urn:oid:1.3.6.1.4.1.5923.1.1.1.7

eduPerson (1)

RFC-2141 URN
Multi-valued

to be determined per service (see Standardized values for eduPersonEntitlement)

PrincipalName

urn:mace:dir:attribute-def:eduPersonPrincipalName
urn:oid:1.3.6.1.4.1.5923.1.1.1.6

eduPerson (1)

UTF8 String
user@scope

piet.jønsen@example.edu

not.a@vålîd.émail.addreß

isMemberOf

urn:mace:dir:attribute-def:isMemberOf
urn:oid:1.3.6.1.4.1.5923.1.5.1.1

eduMember

RFC-2141 URN
Multi-valued

urn:collab:org:surf.nl

urn:collab:org:clarin.org

uid

urn:mace:dir:attribute-def:uid
urn:oid:0.9.2342.19200300.100.1.1

RFC4519

UTF8 String
(max 256 chars)

s9603145

flåp@example.edu

preferredLanguage

urn:mace:dir:attribute-def:preferredLanguage
urn:oid:2.16.840.1.113730.3.1.39

RFC2798
BCP47

List of BCP47 language tags

nl

nl, en-gb;q=0.8, en;q=0.7

ORCID

urn:mace:dir:attribute-def:eduPersonORCID

urn:oid:1.3.6.1.4.1.5923.1.1.1.16

eduPerson (1)

URL registered

with ORCID.org

http://orcid.org/0000-0002-1825-0097
ECK ID

urn:mace:surf.nl:attribute-def:eckid

SURF / Edu-KURL conform Edu-K specificationhttps://ketenid.nl/spv1/eacf3765ad342...cf3a11fe9cab2365f95da3e9965501f7c98e (Attribute made shorter for readability)

Note that not all identity providers might make all attributes available.

SURF CRM IDurn:mace:surf.nl:attribute-def:surf-crm-idSURFGUID of the instiution as used in SURF CRMad93daef-0911-e511-80d0-005056956c1a

Note that not all identity providers might make all attributes available.

(1) eduPerson (1) eduPerson Object Class Specification (201602): httphttps://softwarewiki.internet2refeds.eduorg/eduperson/internet2-mace-dir-eduperson-201602.html

...

titleMinimum requirements for IdP's connecting to SURFconext

pages/viewpage.action?pageId=44957738

Info
titleDepricated Attributes

SURFconext considers the attributes nlEduPersonOrgUnit, nlEduPersonStudyBranch and nlStudielinkNummer deprecated. When you register a new IdP or SP at SURFconext, these attributes will not be allowed for use with SURFconext. Existing IdP's and SP can use these attributes until further notice.

Detailed attribute descriptions

Anchor
id
id
ID

See User identifiers.

Anchor
sn
sn
Surname

...

urn:mace

urn:mace:dir:attribute-def:

...

sn

urn:

...

oid

urn:

...

Info
titleDepricated Attributes

SURFconext considers the attributes nlEduPersonOrgUnit, nlEduPersonStudyBranch and nlStudielinkNummer deprecated. When you register a new IdP or SP at SURFconext, these attributes will not be allowed for use with SURFconext. Existing IdP's and SP can use these attributes until further notice.

Detailed attribute descriptions

...

See User identifiers.

...

urn:mace

urn:mace:dir:attribute-def:sn

urn:oid

urn:oid:2.5.oid:2.5.4.4

Multiplicity

single-valued

Data typeUTF8 string (unbounded)

Description

The surname of a person (including any words such as “van”, “de”, “von” etc.) used for Personalization; this can be a combination of existing attributes.

ExamplesVermeegen 
孝慈

Notes


...

urn:mace

urn:mace:dir:attribute-def:eduPersonPrincipalName

urn:oid

urn:oid:1.3.6.1.4.1.5923.1.1.1.6

Multiplicity

single-valued

Data typeUTF8 String of the form user@scope

Description

Unique identifier for a user.  

Examplespiet.jønsen@example.e
not.a@vålîd.émail.addreß

Notes

  • This is a scoped identifier for a person. It should be represented as user@scope, where user is a name-based identifier for a person. The scope part of the attribute must be part of an administrative domain of the identity system where the identifier was created and assigned. An IdP can have multiple scopes, e.g. piet@student.piet@studenthartingcollegehartingcollege.nl or piet@hartingcollege.nl. These Piet's are different persons and are scoped under the administrative domain of e.g. hartingcollege.nl were the scope was defined.
  • It is common that schacHomeOrganization is used for the scope, if no other scopes are defined.
  • Although this value resembles an email address, it MUST NOT be used as an email address. In many cases mail cannot be delivered to this "address".
  • Even though this value uniquely identifies a user, it is not guaranteed that it is persistent over sessions (even though it usually is).
  • It is preferred to not use this to uniquely identify users.  Use the NameId instead.
  • SURFconext will store the allowed domain part for your institution in our configuration so we can check that no illegal values are being sent.

...

urn:mace

urn:mace:dir:attribute-def:eduPersonOrcid

urn:oid

urn:oid:1.3.6.1.4.1.5923.1.1.1.16

Multiplicity

multi-valued (see remark below)

Data type

URL, registered with ORCID.org

Description 

The ORCID is a persistent digital identifier that distinguishes the account holder from every other researcher. Through integration in research workflows such as manuscript and grant submission, the ORCID identifier supports automated linkages between the account holder and his/her professional activities ensuring that the account holder's work is recognized. Values MUST be valid ORCID identifiers in the ORCID preferred URL representation, i.e. http://orcid.org/0000-0002-1825-0097

Examples

http://orcid.org/0000-0002-1825-0097

http://orcid.org/0000-0001-9351-8252

Notes 

For more information see https://www.surf.nl/en/news/2016/02/global-author-identifier-service-orcid-now-available-through-surfconext-and-edugain.html

Although the attribute is in theory multi-valued, in practice it probably makes sense that it has no more than one value.

...

attribute is in theory multi-valued, in practice it probably makes sense that it has no more than one value.

Anchor
eckid
eckid
ECK ID

urn:mace

urn:mace:surf.nl:attribute-def:eckid

urn:oid

-

Multiplicity

single-valued

Data type

URL as specified by Edu-K, all-lowercase

Description 

Educatieve Content Keten Identifier (ECK ID) is a pseudonymous identifier for access to content for primary, secondary and vocational education.

Examples
  • https://ketenid.nl/spv1/eacf3765ad342feb5f65c2bf8194b4ccc3d68cec3c01d3c260636747a2b06d092fcc3a8d655bbdc4ae7d815ed005cf3a11f e9cab2365f95da3e9965501f7c98e
  • https://ketenid.nl/201703/1a5c9c7203901866532c2d72ce056e1d29cacc70836fe2bc3a517f3f9a53eed3d77ef370ad6dcf80b3f34ced1c547c7d2e679e8e47002355f938213b3656b206

Notes 

This attribute may only be used for “the access to and use of digital learning resources or the digital administration of tests and exams”.

For more information see https://www.eck-id.nl (Dutch). Also, if you query this claim information from an external data stores, such as an Enterprise Active Directory, Lightweight Directory Access Protocol (LDAP) directories or a Microsoft SQL Server, you can also define custom attribute stores to query the ECK ID claim from external data stores. Read this Microsoft blog to get to know more.

Anchor
surfcrmid
surfcrmid
SURF CRM ID

urn:mace

urn:mace:surf.nl:attribute-def:surf-crm-id

urn:oid

urn:oid:1.3.6.1.4.1.1076.20.100.10.50.2

Multiplicity

single-valued

Data type

Microsoft GUID

Description 

GUID of the organization to which the IdP belongs, as used in the SURF CRM.

Examples

ad93daef-0911-e511-80d0-005056956c1a

Notes

SURF specific and only to be used by SURF SPs that have to interface with the SURF CRM.

Only to be used after consultation with SURFnet

urn:mace

urn:mace:surf.nl:attribute-def:eckid

urn:oid

-

Multiplicity

single-valued

Data type

URL as specified by Edu-K, all-lowercase

Description 

Educatieve Content Keten Identifier (ECK ID) is a pseudonymous identifier for access to content for primary, secondary and vocational education.

Examples
  • https://ketenid.nl/spv1/eacf3765ad342feb5f65c2bf8194b4ccc3d68cec3c01d3c260636747a2b06d092fcc3a8d655bbdc4ae7d815ed005cf3a11f e9cab2365f95da3e9965501f7c98e
  • https://ketenid.nl/201703/1a5c9c7203901866532c2d72ce056e1d29cacc70836fe2bc3a517f3f9a53eed3d77ef370ad6dcf80b3f34ced1c547c7d2e679e8e47002355f938213b3656b206

Notes 

This attribute may only be used for “the access to and use of digital learning resources or the digital administration of tests and exams”.

For more information see https://www.eck-id.nl (Dutch). Also, if you query this claim information from an external data stores, such as an Enterprise Active Directory, Lightweight Directory Access Protocol (LDAP) directories or a Microsoft SQL Server, you can also define custom attribute stores to query the ECK ID claim from external data stores. Read this Microsoft blog to get to know more

.