Versions Compared

...

  • User identifier. All services receive this; it is either a Transient or a Persistent NameID, which is configurable.
  • Additional attributes. These are optional and differ per service.

...

Note

SURFconext's SAML2 implementation adheres to the SAML2int standard 0.2.1.

The header on the link above states that work on saml2int has moved to the Kantara Initiative. True as this is, until further notice the SAML2int standard SURFconext adheres to remains at 0.2.1.

Info

Before you start digging into the theoretical material on this page, you might want to start with our 'best practice' page for an introduction to attributes and how they are best used.

...

Warning

Remark

The NameID and eduPersonTargetedID (which is basically a copy of the NameID) are unlikely to change and very privacy aware, but they can change when service providers or identity providers make critical changes. This can cause user profiles at services to be lost. The NameID, as used in the SAML assertion to a service provider when logging on, is generated from the uid, the schacHomeOrganization and the Entity ID of the service provider, together with a secret, using a SHA algorithm. Institutions or services that are in production and change one of these attributes will cause SURFconext to generate a new NameID and eduPersonTargetedID. This can cause loss of access to profiles at services. We will notify identity providers and service providers when we see a change in one of these attributes, to prevent user data being lost.


Changing attributes

As an Identity Provider it is important to realize that changing attributes in production on SURFconext in any way can have an impact on the services users have access to. Attributes that you offer to SURFconext are used to create profiles, and data is often linked to them. Changing an attribute in any way can have unwanted results, such as users no longer being able to access their valuable data. One example is modifying the way you fill the email address (amongst others), for instance changing 'student.123456@university.nl' to 'john.doe@university.nl'. If you plan to do this, or start a project where this is the case, contact us by email at support@surfconext.nl.

Useful links

  • Table with attributes we recommend our institutions to release: https://wiki.surfnet.nl/display/surfconextdev/Vereiste+attributen
  • Profile Page https://profile.surfconext.nl/ , showing what attributes are released by your IdP to SURFconext. If you have an account at an institution, this page gives you insight into which personal data, provided by your institution via SURFconext, has been forwarded to which service and what it looks like.
  • For new IdPs, or for IdPs that upgrade their environment: system administrators will at some point be asked to share the metadata of their account for analysis. When asked, visit this page and click the 'Mail to SURFconext' button. We will get back to you when we have judged the submitted metadata. This page will also show you the attributes shared and their values.

Attribute schemas

A schema is an abstract representation of an object's characteristics and relationship to other objects.

SURFconext supports two attribute schemas:

  • urn:oid schema (SAML2.0 compliant) 
  • urn schema (SAML1.1 compliant) 

Both can be used to convey the same information (except for the NameID, which is only available in the urn:oid schema). By default SURFconext will provide attributes in both schemas as part of the assertion. However it is not recommended to mix the use of the schemas.

Attribute overview

SURFconext supports relaying of the following attributes:

Columns: Friendly name, Attribute name (urn:mace and urn:oid form), Definition, Data type, Examples.

ID (SAML NameID element)
  Attribute name: urn:mace:dir:attribute-def:eduPersonTargetedID / urn:oid:1.3.6.1.4.1.5923.1.1.1.10
  Definition: eduPerson (1)
  Data type: UTF8 string (unbounded)
  Examples:
    • bd09168cf0c2e675b2def0ade6f50b7d4bb4aae

Surname
  Attribute name: urn:mace:dir:attribute-def:sn / urn:oid:2.5.4.4
  Definition: X.520
  Data type: UTF8 string (unbounded)
  Examples:
    • Doe
    • Vermeegen
    • 孝慈

Given name or first name
  Attribute name: urn:mace:dir:attribute-def:givenName / urn:oid:2.5.4.42
  Definition: X.520
  Data type: UTF8 string (unbounded)
  Examples:
    • John
    • Mërgim Lukáš
    • Þrúður

Common name or Full Name
  Attribute name: urn:mace:dir:attribute-def:cn / urn:oid:2.5.4.3
  Definition: X.520
  Data type: UTF8 String (unbounded)
  Examples:
    • John Doe
    • Prof.dr. Mërgim Lukáš Vermeegen
    • 加来 千代, PhD.

Display name
  Attribute name: urn:mace:dir:attribute-def:displayName / urn:oid:2.16.840.1.113730.3.1.241
  Definition: RFC2798
  Data type: UTF8 String (unbounded)
  Examples:
    • Dr. John Doe
    • Prof.dr. Mërgim L. Vermeegen
    • 加来 千代, PhD.

Email address
  Attribute name: urn:mace:dir:attribute-def:mail / urn:oid:0.9.2342.19200300.100.1.3
  Definition: RFC4524
  Data type: RFC-5322 address (max 256 chars)
  Examples:
    • m.l.vermeegen@university.example.org
    • maarten.'t.hart@uniharderwijk.nl
    • "very.unusual.@.but valid.nonetheless"@example.com
    • mlv@[IPv6:2001:db8::1234:4321]

Organization
  Attribute name: urn:mace:terena.org:attribute-def:schacHomeOrganization / urn:oid:1.3.6.1.4.1.25178.1.2.9
  Definition: Schac
  Data type: RFC-1035 domain string
  Examples:
    • example.nl
    • something.example.org

Organization Type
  Attribute name: urn:mace:terena.org:attribute-def:schacHomeOrganizationType / urn:oid:1.3.6.1.4.1.25178.1.2.10
  Definition: Schac
  Data type: RFC-2141 URN (see Schac standard)
  Examples:
    • urn:mace:terena.org:schac:homeOrganizationType:int:university
    • urn:mace:terena.org:schac:homeOrganizationType:es:opi

Employee/student number
  Attribute name: urn:schac:attribute-def:schacPersonalUniqueCode / urn:oid:1.3.6.1.4.1.25178.1.2.14
  Definition: Schac
  Data type: RFC-2141 URN (see SURFnet registry)
  Examples:
    • urn:schac:personalUniqueCode:nl:local:example.edu:employeeid:x12-3456
    • urn:schac:personalUniqueCode:nl:local:example.nl:studentid:s1234567

Affiliation
  Attribute name: urn:mace:dir:attribute-def:eduPersonAffiliation / urn:oid:1.3.6.1.4.1.5923.1.1.1.1
  Definition: eduPerson (1)
  Data type: Enum type (UTF8 String)
  Examples:
    • employee, student, faculty, member, affiliate, pre-student (staff is deprecated; library-walk-in and alum are not allowed)

Scoped affiliation
  Attribute name: urn:mace:dir:attribute-def:eduPersonScopedAffiliation / urn:oid:1.3.6.1.4.1.5923.1.1.1.9
  Definition: eduPerson (1)
  Data type: UTF8 String, user@domain
  Examples:
    • student@uniharderwijk.nl
    • employee@uniharderwijk.nl

Entitlement
  Attribute name: urn:mace:dir:attribute-def:eduPersonEntitlement / urn:oid:1.3.6.1.4.1.5923.1.1.1.7
  Definition: eduPerson (1)
  Data type: RFC-2141 URN, multi-valued
  Examples:
    • to be determined per service (see Standardized values for eduPersonEntitlement)

PrincipalName
  Attribute name: urn:mace:dir:attribute-def:eduPersonPrincipalName / urn:oid:1.3.6.1.4.1.5923.1.1.1.6
  Definition: eduPerson (1)
  Data type: UTF8 String, user@scope
  Examples:
    • piet.jønsen@example.edu
    • not.a@vålîd.émail.addreß

isMemberOf
  Attribute name: urn:mace:dir:attribute-def:isMemberOf / urn:oid:1.3.6.1.4.1.5923.1.5.1.1
  Definition: eduMember
  Data type: RFC-2141 URN, multi-valued
  Examples:
    • urn:collab:org:surf.nl
    • urn:collab:org:clarin.org

uid
  Attribute name: urn:mace:dir:attribute-def:uid / urn:oid:0.9.2342.19200300.100.1.1
  Definition: RFC4519
  Data type: UTF8 String (max 256 chars)
  Examples:
    • s9603145
    • flåp@example.edu

preferredLanguage
  Attribute name: urn:mace:dir:attribute-def:preferredLanguage / urn:oid:2.16.840.1.113730.3.1.39
  Definition: RFC2798, BCP47
  Data type: List of BCP47 language tags
  Examples:
    • nl
    • nl, en-gb;q=0.8, en;q=0.7

ORCID
  Attribute name: urn:mace:dir:attribute-def:eduPersonORCID / urn:oid:1.3.6.1.4.1.5923.1.1.1.16
  Definition: eduPerson (1)
  Data type: URL registered with ORCID.org
  Examples:
    • http://orcid.org/0000-0002-1825-0097

ECK ID
  Attribute name: urn:mace:surf.nl:attribute-def:eckid (no urn:oid form)
  Definition: SURF / Edu-K
  Data type: URL conforming to the Edu-K specification
  Examples:
    • https://ketenid.nl/spv1/eacf3765ad342...cf3a11fe9cab2365f95da3e9965501f7c98e (attribute made shorter for readability)

SURF CRM ID
  Attribute name: urn:mace:surf.nl:attribute-def:surf-crm-id
  Definition: SURF
  Data type: Microsoft GUID
  Examples:
    • ad93daef-0911-e511-80d0-005056956c1a

MS AuthnMethodsReferences
  Attribute name: http://schemas.microsoft.com/claims/authnmethodsreferences
  Definition: Microsoft
  Data type: URI
  Examples:
    • urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    • http://schemas.microsoft.com/claims/multipleauthn

Note that not all identity providers might make all attributes available.

(1) eduPerson Object Class Specification (201602): https://wiki.refeds.org/pages/viewpage.action?pageId=44957738

Info

Minimum requirements for IdP's connecting to SURFconext

There is a minimum set of attributes to supply when you connect your IdP to SURFconext. Not supplying the attributes urn:mace:dir:attribute-def:uid and urn:mace:terena.org:attribute-def:schacHomeOrganization will cause a fatal error, because those are needed to generate the NameID. Your IdP cannot be connected to SURFconext without these.

Info

Deprecated Attributes

SURFconext considers the attributes nlEduPersonOrgUnit, nlEduPersonStudyBranch and nlStudielinkNummer deprecated. When you register a new IdP or SP at SURFconext, these attributes will not be allowed for use with SURFconext. Existing IdPs and SPs can use these attributes until further notice.

Detailed attribute descriptions

ID

See User identifiers.

Surname

urn:mace: urn:mace:dir:attribute-def:sn
urn:oid: urn:oid:2.5.4.4
Multiplicity: single-valued
Data type: UTF8 string (unbounded)

Description

The surname of a person (including any words such as “van”, “de”, “von” etc.) used for personalization; this can be a combination of existing attributes.

Examples

  • Vermeegen
  • 孝慈

Given name

urn:mace: urn:mace:dir:attribute-def:givenName
urn:oid: urn:oid:2.5.4.42
Multiplicity: single-valued
Data type: UTF8 string (unbounded)

Description

Given name, also known as a first name, forename or Christian name / “name known by”; combinations of title, initials, and “name known by” are possible.

Examples

  • Jan Klaassen
  • Mërgim K. Lukáš
  • Þrúður

Common name

urn:mace: urn:mace:dir:attribute-def:cn
urn:oid: urn:oid:2.5.4.3
Multiplicity: multi-valued
Data type: UTF8 string (unbounded)

Description

Full name.

Examples

  • Prof.dr. Mërgim Lukáš Vermeegen
  • 加来 千代, PhD.

Notes

  • For example, a typical name of a person in an English-speaking country comprises a personal title (e.g. Mr., Ms., Dr., Professor, Sir, Lord), a first name, middle name(s), last name, generation qualifier (if any, e.g. Jr.) and decorations and awards (if any, e.g. CBE).

Display name

urn:mace: urn:mace:dir:attribute-def:displayName
urn:oid: urn:oid:2.16.840.1.113730.3.1.241
Multiplicity: single-valued
Data type: UTF8 string (unbounded)

Description

Name as displayed in applications.

Examples

  • Prof.dr. Mërgim Lukáš Vermeegen
  • 加来 千代, PhD.

Notes

  • This attribute can typically be changed by the end-users themselves, and is therefore not very suitable for identification.

Email address

urn:mace: urn:mace:dir:attribute-def:mail
urn:oid: urn:oid:0.9.2342.19200300.100.1.3
Multiplicity: multi-valued
Data type: RFC-5322 address (max 256 chars)

Description

E-mail address; syntax in accordance with RFC 5322.

Examples

  • m.l.vermeegen@university.example.org
  • "very.unusual.@.unusual.com"@example.com
  • mlv@[IPv6:2001:db8::1234:4321]

Notes

  • Multiple email addresses are allowed. However, there is no clear strategy for SPs on how to interpret multiple addresses (use both? pick one? ask the user to pick one?); the SP should devise a strategy that makes sense within the context of the application. As an IdP, in the interest of interoperability, it is advisable to avoid sending multiple addresses where possible.
  • An email address is not necessarily the email address of this person at the institution.
  • Do not use this attribute to uniquely identify a user. Use the NameID instead.
  • A user's email address may change over time, or an IdP may allow a user to change this value themselves. This makes the attribute unsuitable for authentication and authorization purposes.

uid

urn:mace: urn:mace:dir:attribute-def:uid
urn:oid: urn:oid:0.9.2342.19200300.100.1.1
Multiplicity: single-valued (multi-valued in the specification, but within SURFconext only 1 value is allowed)
Data type: UTF8 String (max 256 chars); use of spaces and @-characters is discouraged.

Description

The unique code for a person that is used as the login name within the institution.

Examples

  • s9603145
  • piet
  • flåp@example.edu (see note below)

Notes

  • The uid is not a unique identifier for SURFconext users. Uid values are at most unique for each IdP.
  • Ideally the uid is not only a login name/code but also an identifier that is guaranteed to be unique within the institution over the course of time. At the moment, there is no such guarantee.
  • Use the NameID for unique identifiers in SURFconext rather than uid.
  • Use the eduPersonPrincipalName attribute if a human-readable unique identifier is required.
  • A uid may contain any unicode character. E.g., "org:surfnet.nl:joe von stühl" is a valid uid.
  • SURFconext translates @-characters in the uid to underscores before constructing the NameID. flåp@example.edu translates to flåp_example.edu.
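The remark at the top of this page and the last uid note above together describe what feeds the NameID: the uid (with '@' replaced by '_'), the schacHomeOrganization and the SP's entity ID, hashed with a secret using a SHA algorithm. The Python below is an added illustration, not SURFconext's own code: it models that derivation as an HMAC-SHA256 over the three inputs (the exact construction, the '|' separator and the secret handling are assumptions made for this example) and shows which attribute changes leave a service's user profile intact and which produce a new identifier. The attribute keys are the urn:mace names from the table; the sample values and the secret are constructed.

```python
import hashlib
import hmac

# Attribute names as used in the overview table on this page.
UID = "urn:mace:dir:attribute-def:uid"
HOME_ORG = "urn:mace:terena.org:attribute-def:schacHomeOrganization"
MAIL = "urn:mace:dir:attribute-def:mail"

# The attributes the page names as inputs to the NameID (the SP entity ID and
# the secret are the remaining inputs and are passed separately below).
NAMEID_INPUTS = (UID, HOME_ORG)


def normalise_uid(uid: str) -> str:
    """Documented uid normalisation: every '@' becomes '_'."""
    return uid.replace("@", "_")


def derive_pseudonym(attrs: dict, sp_entity_id: str, secret: bytes) -> str:
    """Hypothetical persistent pseudonym for one user at one SP.

    Assumption for this illustration: HMAC-SHA256 over the '|'-joined inputs.
    Any change to the normalised uid, the home organization or the SP entity
    ID yields a different value, which is the effect the page warns about.
    """
    material = "|".join([normalise_uid(attrs[UID]), attrs[HOME_ORG], sp_entity_id])
    return hmac.new(secret, material.encode("utf-8"), hashlib.sha256).hexdigest()


def changed_nameid_inputs(before: dict, after: dict) -> list:
    """Which NameID inputs differ between two attribute sets for the same user.

    This is the comparison an operator would run to notify an IdP or SP before
    a change silently produces new identifiers.
    """
    return [name for name in NAMEID_INPUTS if before.get(name) != after.get(name)]


def profile_survives(before: dict, after: dict, sp_entity_id: str, secret: bytes) -> bool:
    """True when the SP still sees the same pseudonym after the attribute change."""
    return derive_pseudonym(before, sp_entity_id, secret) == derive_pseudonym(after, sp_entity_id, secret)


# Constructed sample data: a proxy secret, an SP entity ID and one user's
# attributes before and after two different kinds of change.
SECRET = b"constructed-example-secret"
SP = "https://sp.example.org/saml/metadata"
BEFORE = {UID: "s9603145", HOME_ORG: "university.example.org", MAIL: "student.123456@university.nl"}
MAIL_CHANGED = {**BEFORE, MAIL: "john.doe@university.nl"}   # the mail example from 'Changing attributes'
UID_CHANGED = {**BEFORE, UID: "john.doe"}                    # a login-name migration

if __name__ == "__main__":
    for label, after in (("mail changed", MAIL_CHANGED), ("uid changed", UID_CHANGED)):
        kept = profile_survives(BEFORE, after, SP, SECRET)
        print(label, "->", "profile kept" if kept else "new NameID, profile lost",
              "| changed NameID inputs:", changed_nameid_inputs(BEFORE, after))
```

Two consequences are visible when the block runs: changing an attribute that is not a NameID input (here mail) leaves the pseudonym untouched, which is why the page singles out uid and schacHomeOrganization as the critical ones; and because the documented '@' to '_' translation happens before hashing, the uids flåp@example.edu and flåp_example.edu map to the same pseudonym in this illustration, so an IdP that issues both forms for different people would merge them at every SP.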

Home organization

urn:mace: urn:mace:terena.org:attribute-def:schacHomeOrganization
urn:oid: urn:oid:1.3.6.1.4.1.25178.1.2.9
Multiplicity: single-valued
Data type: RFC-1035 domain string. The domain MUST be a second-level domain that is under control of the institution. Preferably, the institution's main domain name should be used.

Description

The user's organization using the organization's domain name; syntax in accordance with RFC 1035.

Examples

  • uniharderwijk.nl
  • example.nl

Notes

  • In the past, SURFconext used to send the home organization in the attribute urn:oid:1.3.6.1.4.1.1466.115.121.1.15, which was incorrect. Since 2013, the correct OID urn:oid:1.3.6.1.4.1.25178.1.2.9 is in use. For reasons of compatibility, the old (wrong) key is still sent. It should not be used in new implementations.
  • Matching values against this attribute should be case-insensitive, i.e. the values "uniharderwijk.nl" and "UniHarderwijk.nl" should be considered equal. For interoperability reasons, however, we require lower-case values as specified above in SURFconext.
  • It is desirable to have the same value for all your users.
  • SURFconext will store the allowed value for your institution in our configuration so we can check that no illegal values are being sent.

Organization type

urn:mace: urn:mace:terena.org:attribute-def:schacHomeOrganizationType
urn:oid: urn:oid:1.3.6.1.4.1.25178.1.2.10
Multiplicity: single-valued
Data type: RFC-2141 URN (see Schac standard)

Description

Designation of the type of organization as defined on http://www.terena.org/registry/terena.org/schac/homeOrganizationType

Examples

  • urn:mace:terena.org:schac:homeOrganizationType:int:university
  • urn:mace:terena.org:schac:homeOrganizationType:es:opi

Employee/student number

urn:mace: urn:schac:attribute-def:schacPersonalUniqueCode
urn:oid: urn:oid:1.3.6.1.4.1.25178.1.2.14
Multiplicity: multi-valued
Data type: RFC-2141 URN (see SURFnet registry)

Description

The user's student, employee, and/or member id as used in the university's internal systems.

Examples

  • urn:schac:personalUniqueCode:nl:local:example.edu:employeeid:x12-3456
  • urn:schac:personalUniqueCode:nl:local:example.nl:studentid:s1234567

Notes

  • Attribute values are registered by SURFnet as shown on this page.
  • Please contact the SURFnet support team if you would like to use this attribute as an SP, or if you would like to provide it as an IdP.
  • This attribute's main use is for matching user accounts to the university's internal systems.

PrincipalName

urn:mace: urn:mace:dir:attribute-def:eduPersonPrincipalName
urn:oid: urn:oid:1.3.6.1.4.1.5923.1.1.1.6
Multiplicity: single-valued
Data type: UTF8 String of the form user@scope

Description

Unique identifier for a user.

Examples

  • piet.jønsen@example.edu
  • not.a@vålîd.émail.addreß

Notes

  • This is a scoped identifier for a person. It should be represented as user@scope, where user is a name-based identifier for a person. The scope part of the attribute must be part of an administrative domain of the identity system where the identifier was created and assigned. An IdP can have multiple scopes, e.g. piet@student.hartingcollege.nl or piet@hartingcollege.nl. These Piets are different persons and are scoped under the administrative domain of e.g. hartingcollege.nl, where the scope was defined.
  • It is common that schacHomeOrganization is used for the scope, if no other scopes are defined.
  • Although this value resembles an email address, it MUST NOT be used as an email address. In many cases mail cannot be delivered to this "address".
  • Even though this value uniquely identifies a user, it is not guaranteed that it is persistent over sessions (even though it usually is).
  • It is preferred not to use this to uniquely identify users. Use the NameID instead.
  • SURFconext will store the allowed domain part for your institution in our configuration so we can check that no illegal values are being sent.
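The notes for schacHomeOrganization and eduPersonPrincipalName above say that SURFconext keeps the allowed value and the allowed domain part per institution and checks that no illegal values are sent; the minimum-requirements box says uid and schacHomeOrganization are mandatory; and the uid entry limits that attribute to one value of at most 256 characters. The Python below is an added example, not SURFconext's code, of the same checks as an IdP operator might run over the attributes of an outgoing assertion before it leaves the institution. The IdpPolicy structure, the function names and the sample registration and attribute sets are constructed for this illustration; the attribute keys are the urn:mace names from the table.

```python
from dataclasses import dataclass

# Attribute names as used in the overview table on this page.
UID = "urn:mace:dir:attribute-def:uid"
HOME_ORG = "urn:mace:terena.org:attribute-def:schacHomeOrganization"
EPPN = "urn:mace:dir:attribute-def:eduPersonPrincipalName"


@dataclass(frozen=True)
class IdpPolicy:
    """Per-IdP registration data (hypothetical shape, not SURFconext's schema)."""
    home_organization: str   # the single allowed schacHomeOrganization value, lower-case
    eppn_scopes: frozenset   # domain parts allowed after the '@' in eduPersonPrincipalName


def check_required(attrs: dict) -> list:
    """uid and schacHomeOrganization are mandatory: without them no NameID can be built."""
    return [f"fatal: {name} missing, NameID cannot be generated"
            for name in (UID, HOME_ORG) if not attrs.get(name)]


def check_uid(values: list) -> list:
    """Within SURFconext uid carries exactly one value of at most 256 characters."""
    problems = []
    if len(values) > 1:
        problems.append("uid must carry exactly one value within SURFconext")
    problems += [f"uid {v!r} exceeds 256 characters" for v in values if len(v) > 256]
    return problems


def check_home_organization(values: list, policy: IdpPolicy) -> list:
    """Comparison is case-insensitive, but the value itself must be sent in lower-case."""
    problems = []
    if len(values) > 1:
        problems.append("schacHomeOrganization must be single-valued")
    for v in values:
        if v.lower() != policy.home_organization:
            problems.append(f"schacHomeOrganization {v!r} is not the value registered for this IdP")
        elif v != v.lower():
            problems.append(f"schacHomeOrganization {v!r} must be sent in lower-case")
    return problems


def check_eppn(values: list, policy: IdpPolicy) -> list:
    """eduPersonPrincipalName is user@scope, with the scope registered for this IdP."""
    problems = []
    if len(values) > 1:
        problems.append("eduPersonPrincipalName must be single-valued")
    for v in values:
        user, sep, scope = v.rpartition("@")
        if not sep or not user or not scope:
            problems.append(f"eduPersonPrincipalName {v!r} is not of the form user@scope")
        elif scope.lower() not in policy.eppn_scopes:
            problems.append(f"eduPersonPrincipalName scope {scope!r} is not registered for this IdP")
    return problems


def check_assertion_attributes(attrs: dict, policy: IdpPolicy) -> list:
    """Return every violation found; an empty list means the attribute set is acceptable."""
    problems = check_required(attrs)
    problems += check_uid(attrs.get(UID, []))
    problems += check_home_organization(attrs.get(HOME_ORG, []), policy)
    problems += check_eppn(attrs.get(EPPN, []), policy)
    return problems


# Constructed sample registration and two sample attribute sets (values are
# lists, as SAML attributes are multi-valued on the wire).
SAMPLE_POLICY = IdpPolicy("uniharderwijk.nl", frozenset({"uniharderwijk.nl", "student.uniharderwijk.nl"}))
GOOD_ATTRS = {UID: ["s9603145"], HOME_ORG: ["uniharderwijk.nl"], EPPN: ["piet@student.uniharderwijk.nl"]}
BAD_ATTRS = {UID: ["s9603145"], HOME_ORG: ["UniHarderwijk.nl"], EPPN: ["piet@hartingcollege.nl"]}

if __name__ == "__main__":
    for label, attrs in (("good", GOOD_ATTRS), ("bad", BAD_ATTRS)):
        print(label, check_assertion_attributes(attrs, SAMPLE_POLICY) or "ok")
```

The home-organization check deliberately reports a case mismatch separately from a wrong domain: the page asks SPs to match case-insensitively but requires IdPs to send lower-case, so "UniHarderwijk.nl" is the registered organization and still a violation.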

ORCID

urn:mace: urn:mace:dir:attribute-def:eduPersonOrcid
urn:oid: urn:oid:1.3.6.1.4.1.5923.1.1.1.16
Multiplicity: multi-valued (see remark below)
Data type: URL, registered with ORCID.org

Description

The ORCID is a persistent digital identifier that distinguishes the account holder from every other researcher. Through integration in research workflows such as manuscript and grant submission, the ORCID identifier supports automated linkages between the account holder and his/her professional activities, ensuring that the account holder's work is recognized. Values MUST be valid ORCID identifiers in the ORCID preferred URL representation, i.e. http://orcid.org/0000-0002-1825-0097

Examples

  • http://orcid.org/0000-0002-1825-0097
  • http://orcid.org/0000-0001-9351-8252

Notes

  • For more information see https://www.surf.nl/en/news/2016/02/global-author-identifier-service-orcid-now-available-through-surfconext-and-edugain.html
  • Although the attribute is in theory multi-valued, in practice it probably makes sense that it has no more than one value.

ECK ID

urn:mace: urn:mace:surf.nl:attribute-def:eckid
urn:oid: -
Multiplicity: single-valued
Data type: URL as specified by Edu-K, all-lowercase

Description

Educatieve Content Keten Identifier (ECK ID) is a pseudonymous identifier for access to content for primary, secondary and vocational education.

Examples

  • https://ketenid.nl/spv1/eacf3765ad342feb5f65c2bf8194b4ccc3d68cec3c01d3c260636747a2b06d092fcc3a8d655bbdc4ae7d815ed005cf3a11fe9cab2365f95da3e9965501f7c98e
  • https://ketenid.nl/201703/1a5c9c7203901866532c2d72ce056e1d29cacc70836fe2bc3a517f3f9a53eed3d77ef370ad6dcf80b3f34ced1c547c7d2e679e8e47002355f938213b3656b206

Notes

  • This attribute may only be used for “the access to and use of digital learning resources or the digital administration of tests and exams”.
  • For more information see https://www.eck-id.nl (Dutch). Also, if you query this claim information from external data stores, such as an Enterprise Active Directory, Lightweight Directory Access Protocol (LDAP) directories or a Microsoft SQL Server, you can define custom attribute stores to query the ECK ID claim from those stores. Read this Microsoft blog to learn more.

SURF CRM ID

urn:mace: urn:mace:surf.nl:attribute-def:surf-crm-id
urn:oid: urn:oid:1.3.6.1.4.1.1076.20.100.10.50.2
Multiplicity: single-valued
Data type: Microsoft GUID

Description

GUID of the organization to which the IdP belongs, as used in the SURF CRM.

Examples

  • ad93daef-0911-e511-80d0-005056956c1a

Notes

  • SURF specific and only to be used by SURF SPs that have to interface with the SURF CRM.
  • Only to be used after consultation with SURFnet.

MS AuthnMethodsReferences

Name: http://schemas.microsoft.com/claims/authnmethodsreferences
Multiplicity: multi-valued
Data type: URI

Description

The AuthnContext references involved in authenticating the current user at their home IdP.

Examples

  • urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
  • http://schemas.microsoft.com/claims/multipleauthn

Notes

  • Exclusively for use between IdPs and SURFconext; not available to SPs.
  • Used when the institution has a Microsoft ADFS IdP, to communicate the MFA method used to SURFconext. Not needed or useful when this functionality is not used by the institution in question.
  • No other uses. For comparable but more generic SAML 2.0 functionality, see the AuthnContextClassRef sent in each assertion.
