Versions Compared

Old Version 228

changes.mady.by.user Teun Fransen

Saved on

compared with

New Version Current

changes.mady.by.user André Klaver

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This page will list all the SAML2 attributes that SURFconext and their Identity Providers identity providers have to offer. An attribute is a characteristic that describes a user. It is a 'name:value' pair. The attributes included in the SAML assertion correspond to certain attributes a service provider needs to work properly. In general they are needed to:

  • Convey user information from the Identity identity provider or (IdP) to the service provider (SP)
  • Create an account for the user at the service provider
  • Authorize specific services at the service provider

Now, when a user logs in to a Service Providerservice provider, SURFconext sends a SAML assertion to the Service Provider service provider via the browser of the user, that contains a:

  • User identifier. Al All services receive these and are either a configurable Transient or Persistent NameIDtransient or persistent NameID (chosen via SP Dashboard).

  • and Additional attributes. These are optional and differ per Service per service.


Note

SURFconext's SAML2 implementation adheres to the SAML2int standard 0.2.1.

The header on the link above states that work on saml2int has moved to Kantara Initiative. Until further notice, the SAML2int standard SURFconext adheres to remains at 0.2.1.

Note
titleContent provider?

For content providers, SURFconext (in consultation with the partnership of the Dutch university libraries and the Koninklijke Bibliotheek (UKB), Hogeschoolbibliotheken (SHB)) applies a separate attribute release policy. The following are allowed:

  • Persistent or Transient transient NameID
  • schacHomeOrganization
  • eduPersonAffiliation

Read our blog for more information (Dutch)

...

Friendly name

Attribute name

Example

ID

SAML NameID element
urn:mace:dir:attribute-def:eduPersonTargetedID
urn:oid:1.3.6.1.4.1.5923.1.1.1.10

bd09168cf0c2e675b2def0ade6f50b7d4bb4aae

Surname

urn:mace:dir:attribute-def:sn
urn:oid:2.5.4.4

Doe

Vermeegen
孝慈

Given name or first name

urn:mace:dir:attribute-def:givenName
urn:oid:2.5.4.42

John

Mërgim Lukáš

Þrúður

Common name or Full Name

urn:mace:dir:attribute-def:cn
urn:oid:2.5.4.3

John Doe

Prof.dr. Mërgim Lukáš Vermeegen

加来 千代, PhD.

Display name

urn:mace:dir:attribute-def:displayName
urn:oid:2.16.840.1.113730.3.1.241

Dr. John Doe

Prof.dr. Mërgim L. Vermeegen

加来 千代, PhD.

Email address

urn:mace:dir:attribute-def:mail
urn:oid:0.9.2342.19200300.100.1.3

m.l.vermeegen@university.example.org

maarten.'t.hart@uniharderwijk.nl 

"very.unusual.@.but valid.nonetheless"@example.com

mlv@[IPv6:2001:db8::1234:4321]

Organization

urn:mace:terena.org:attribute-def:schacHomeOrganization
urn:oid:1.3.6.1.4.1.25178.1.2.9

example.nl

something.example.org  

Organization Type

urn:mace:terena.org:attribute-def:schacHomeOrganizationType
urn:oid:1.3.6.1.4.1.25178.1.2.10

urn:mace:terena.org:schac:homeOrganizationType:int:university

urn:mace:terena.org:schac:homeOrganizationType:es:opi

Employee/student number

urn:schac:attribute-def:schacPersonalUniqueCode
urn:oid:1.3.6.1.4.1.25178.1.2.14

urn:schac:personalUniqueCode:nl:local:example.edu:employeeid:x12-3456

urn:schac:personalUniqueCode:nl:local:example.nl:studentid:s1234567

Affiliation

urn:mace:dir:attribute-def:eduPersonAffiliation
urn:oid:1.3.6.1.4.1.5923.1.1.1.1

employee, student, faculty, member, affiliate, pre-student

Scoped affiliationurn:mace:dir:attribute-def:eduPersonScopedAffiliation
urn:oid:1.3.6.1.4.1.5923.1.1.1.9

student@uniharderwijk.nl

employee@uniharderwijk.nl

Entitlement

urn:mace:dir:attribute-def:eduPersonEntitlement
urn:oid:1.3.6.1.4.1.5923.1.1.1.7

to be determined per service (see Standardized values for eduPersonEntitlement)

PrincipalName

urn:mace:dir:attribute-def:eduPersonPrincipalName
urn:oid:1.3.6.1.4.1.5923.1.1.1.6

piet.jønsen@example.edu

not.a@vålîd.émail.addreß

isMemberOf

urn:mace:dir:attribute-def:isMemberOf
urn:oid:1.3.6.1.4.1.5923.1.5.1.1

urn:collab:org:surf.nl

urn:collab:org:clarin.org

uid

urn:mace:dir:attribute-def:uid
urn:oid:0.9.2342.19200300.100.1.1

s9603145

flåp@example.edu

preferredLanguage

urn:mace:dir:attribute-def:preferredLanguage
urn:oid:2.16.840.1.113730.3.1.39

nl

nl, en-gb;q=0.8, en;q=0.7

ORCID

urn:mace:dir:attribute-def:eduPersonORCID

urn:oid:1.3.6.1.4.1.5923.1.1.1.16

http://orcid.org/0000-0002-1825-0097
Assurance

urn:mace:dir:attribute-def:eduPersonAssurance

urn:oid:1.3.6.1.4.1.5923.1.1.1.11

https://refeds.org/assurance/ID/unique
ECK ID

urn:mace:surf.nl:attribute-def:eckid

https://ketenid.nl/spv1/eacf3765ad342...cf3a11fe9cab2365f95da3e9965501f7c98e
(Attribute made shorter for readability)
SURF CRM IDurn:mace:surf.nl:attribute-def:surf-crm-idad93daef-0911-e511-80d0-005056956c1a
MS AuthnMethodsReferenceshttp://schemas.microsoft.com/claims/authnmethodsreferencesurn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
http://schemas.microsoft.com/claims/multipleauthn

OrganizationalUnitName

urn:mace:dir:attribute-def:ou
urn:oid:2.5.4.11

ICT Services
Geesteswetenschappen
Facilitair

eduidurn:mace:eduid.nl:1.1658b6b41-7c13-431d-b3b4-663e9077c24c
f4c9afe4-b9e1-42bb-92b8-047ac8711e29

...

urn:mace

urn:mace:dir:attribute-def:sn

urn:oid

urn:oid:2.5.4.4

Multiplicity

single-valued

Data typeUTF8 string (unbounded)

Description

The surname of a person (including any words such as “van”, “de”, “von” etc.) used for personalization; this can be a combination of existing attributes.

Examples

Vermeegen 

Valk, van der
孝慈

Notes


Anchor
givenName
givenName
Given name

...

urn:mace

urn:mace:terena.org:attribute-def:schacHomeOrganization

urn:oid

urn:oid:1.3.6.1.4.1.25178.1.2.9

Multiplicity

single-valued

Data typeRFC-1035 domain string. The domain MUST be a secondary-level domain that is under control by the institution. Preferably, the institution's main domain name should be used.

Description

The user's organization using the organization's domain name; syntax in accordance with RFC 1035.

Examples

uniharderwijk.nl
example.nl 

Notes

  •  In the past, SURFconext used to send the home organization in the attribute urn:oid:1.3.6.1.4.1.1466.115.121.1.15, which was incorrect.  Since 2013, the correct oid urn:oid:1.3.6.1.4.1.25178.1.2.9 is in use.  For reasons of compatibility, the old (wrong) key is still sent.  It will be removed in 2022the near future.
  • Matching values against this attribute should be case-insensitive, i.e. the values "uniharderwijk.nl" and "UniHarderwijk.nl" should be considered equal. For Interoperability reasons however we require lower-case values as specified above in SURFconext.
  • It is desirable to have the same value for all your users.
  • SURFconext will store the allowed value for your institution in our configuration so we can check that no illegal values are being sent.

...

urn:mace

urn:mace:terena.org:attribute-def:schacHomeOrganizationType

urn:oid

urn:oid:1.3.6.1.4.1.25178.1.2.10

Multiplicity

single-value

Data typeRFC-2141 URN (see Schac standard)

Description

designation of the type of organization as defined on httphttps://wwwwiki.terenarefeds.org/registry/terena.org/schac/homeOrganizationType/display/STAN/SCHAC+Releases?preview=/44957731/128909315/SCHAC%2B1.6.0-final.pdf

Examplesurn:mace:terena.org:schac:homeOrganizationType:int:university 
urn:mace:terena.org:schac:homeOrganizationType:es:opi

Notes

...

urn:mace

urn:mace:dir:attribute-def:eduPersonAssurance

urn:oid

urn:oid:1.3.6.1.4.1.5923.1.1.1.16

Multiplicity

multi-valued

Data type

URL

Description 

Set of URIs that assert compliance with specific standards for identity assurance.

Examples
https://refeds.org/assurance/ID/unique
https://refeds.org/assurance/IAP/medium

Notes 

Assertion by the home institution about specific aspects of identity proofing or authentication strength. Although in principe any URI is allowed, SURFconext recommends to populate this according to the standards as outlined in REFEDS Assurance Framework. For institutions, more information is available at Waardes voor Vrijgeven van eduPersonAssurance.

Anchor
eckid
eckid
ECK ID

urn:mace

urn:mace:surf.nl:attribute-def:eckid

urn:oid

-

Multiplicity

single-valued

Data type

URL as specified by Edu-K, all-lowercase

Description 

Educatieve Content Keten Identifier (ECK ID) is a pseudonymous identifier for access to content for primary, secondary and vocational education.

Examples
  • https://ketenid.nl/spv1/eacf3765ad342feb5f65c2bf8194b4ccc3d68cec3c01d3c260636747a2b06d092fcc3a8d655bbdc4ae7d815ed005cf3a11f e9cab2365f95da3e9965501f7c98e
  • https://ketenid.nl/201703/1a5c9c7203901866532c2d72ce056e1d29cacc70836fe2bc3a517f3f9a53eed3d77ef370ad6dcf80b3f34ced1c547c7d2e679e8e47002355f938213b3656b206

Notes 

This attribute may only be used for “the access to and use of digital learning resources or the digital administration of tests and exams”.

For more information see https://www.eck-id.nl (Dutch). Also, if you query this claim information from an external data stores, such as an Enterprise Active Directory, Lightweight Directory Access Protocol (LDAP) directories or a Microsoft SQL Server, you can also define custom attribute stores to query the ECK ID claim from external data stores. Read this Microsoft blog to get to know more.

...