This page lists all the SAML2 attributes that SURFconext and its identity providers have to offer. An attribute is a characteristic that describes a user: a 'name:value' pair. The attributes included in the SAML assertion correspond to the attributes a service provider needs to work properly. In general they are needed to:
- Convey user information from the identity provider (IdP) to the service provider (SP)
- Create an account for the user at the service provider
- Authorize specific services at the service provider
When a user logs in to a service provider, SURFconext sends a SAML assertion to the service provider via the user's browser. The assertion contains:
- A user identifier. All services receive this; it is either a transient or a persistent NameID (chosen via SP Dashboard).
- Additional attributes. These are optional and differ per service.
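As an added example (not SURFconext's or any SP's own code), the following Python pulls the NameID, its format and the released attribute name/value pairs out of a constructed SAML2 assertion of the shape described above; it assumes the SP's SAML library has already verified the signature, issuer, audience and validity window.

```python
"""Extract the NameID and the released attributes from a SAML2 assertion.

Added example (not SURFconext code). The assertion is constructed; a real SP
must let its SAML library verify the signature, issuer, audience and validity
window before trusting any value taken from it.
"""
import xml.etree.ElementTree as ET  # use defusedxml when parsing untrusted input

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample: persistent NameID plus three urn:mace attributes.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">bd09168cf0c2e675b2def0ade6f50b7d4bb4aae</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:mace:dir:attribute-def:sn">
      <saml:AttributeValue>Vermeegen</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:mace:terena.org:attribute-def:schacHomeOrganization">
      <saml:AttributeValue>uniharderwijk.nl</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonAffiliation">
      <saml:AttributeValue>employee</saml:AttributeValue>
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (nameid_value, nameid_format, {attribute_name: [values]})."""
    root = ET.fromstring(xml_text)
    nameid = root.find("saml:Subject/saml:NameID", NS)
    if nameid is None or not nameid.text:
        raise ValueError("assertion carries no NameID; every SURFconext SP receives one")
    fmt = nameid.get("Format", "")
    if fmt not in (PERSISTENT, TRANSIENT):  # the two formats SURFconext issues
        raise ValueError("unexpected NameID format: %s" % fmt)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)  # multi-valued attrs keep all values
    return nameid.text, fmt, attrs


if __name__ == "__main__":
    print(parse_assertion(SAMPLE_ASSERTION))
```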
Note: SURFconext's SAML2 implementation adheres to the SAML2int standard 0.2.1. The header on the link above states that work on saml2int has moved to the Kantara Initiative. Until further notice, the SAML2int standard SURFconext adheres to remains at 0.2.1.

Note: For content providers, SURFconext (in consultation with UKB, the partnership of the Dutch university libraries and the Koninklijke Bibliotheek, and the Hogeschoolbibliotheken (SHB)) applies a separate attribute release policy. The following are allowed:
...
| Friendly name | Attribute name | Example |
|---|---|---|
| | SAML NameID element | bd09168cf0c2e675b2def0ade6f50b7d4bb4aae |
| | urn:mace:dir:attribute-def:sn | Doe Vermeegen |
| | urn:mace:dir:attribute-def:givenName | John Mërgim Lukáš Þrúður |
| | urn:mace:dir:attribute-def:cn | John Doe Prof.dr. Mërgim Lukáš Vermeegen 加来 千代, PhD. |
| | urn:mace:dir:attribute-def:displayName | Dr. John Doe Prof.dr. Mërgim L. Vermeegen 加来 千代, PhD. |
| | urn:mace:dir:attribute-def:mail | m.l.vermeegen@university.example.org maarten.'t.hart@uniharderwijk.nl "very.unusual.@.but valid.nonetheless"@example.com mlv@[IPv6:2001:db8::1234:4321] |
| | urn:mace:terena.org:attribute-def:schacHomeOrganization | example.nl something.example.org |
| | urn:mace:terena.org:attribute-def:schacHomeOrganizationType | urn:mace:terena.org:schac:homeOrganizationType:int:university urn:mace:terena.org:schac:homeOrganizationType:es:opi |
| Employee/student number | urn:schac:attribute-def:schacPersonalUniqueCode | urn:schac:personalUniqueCode:nl:local:example.edu:employeeid:x12-3456 urn:schac:personalUniqueCode:nl:local:example.nl:studentid:s1234567 |
| | urn:mace:dir:attribute-def:eduPersonAffiliation | employee, student, faculty, member, affiliate, pre-student |
| Scoped affiliation | urn:mace:dir:attribute-def:eduPersonScopedAffiliation urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | student@uniharderwijk.nl employee@uniharderwijk.nl |
| | urn:mace:dir:attribute-def:eduPersonEntitlement | to be determined per service (see Standardized values for eduPersonEntitlement) |
| | urn:mace:dir:attribute-def:eduPersonPrincipalName | piet.jønsen@example.edu not.a@vålîd.émail.addreß |
| | urn:mace:dir:attribute-def:isMemberOf | urn:collab:org:surf.nl urn:collab:org:clarin.org |
| | urn:mace:dir:attribute-def:uid | s9603145 flåp@example.edu |
| | urn:mace:dir:attribute-def:preferredLanguage | nl nl, en-gb;q=0.8, en;q=0.7 |
| ORCID | urn:mace:dir:attribute-def:eduPersonORCID urn:oid:1.3.6.1.4.1.5923.1.1.1.16 | http://orcid.org/0000-0002-1825-0097 |
| Assurance | urn:mace:dir:attribute-def:eduPersonAssurance urn:oid:1.3.6.1.4.1.5923.1.1.1.11 | https://refeds.org/assurance/ID/unique |
| ECK ID | urn:mace:surf.nl:attribute-def:eckid | https://ketenid.nl/spv1/eacf3765ad342...cf3a11fe9cab2365f95da3e9965501f7c98e (attribute shortened for readability) |
| SURF CRM ID | urn:mace:surf.nl:attribute-def:surf-crm-id | ad93daef-0911-e511-80d0-005056956c1a |
| MS AuthnMethodsReferences | http://schemas.microsoft.com/claims/authnmethodsreferences | urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport http://schemas.microsoft.com/claims/multipleauthn |
| | urn:mace:dir:attribute-def:ou urn:oid:2.5.4.11 | ICT Services |
| eduid | urn:mace:eduid.nl:1.1 | 658b6b41-7c13-431d-b3b4-663e9077c24c f4c9afe4-b9e1-42bb-92b8-047ac8711e29 |
...
urn:mace | urn:mace:dir:attribute-def:sn |
urn:oid | urn:oid:2.5.4.4 |
Multiplicity | single-valued |
Data type | UTF8 string (unbounded) |
Description | The surname of a person (including any words such as “van”, “de”, “von” etc.) used for personalization; this can be a combination of existing attributes. |
Examples | Vermeegen Valk, van der |
Notes | |
...
urn:mace | urn:mace:terena.org:attribute-def:schacHomeOrganization |
urn:oid | urn:oid:1.3.6.1.4.1.25178.1.2.9 |
Multiplicity | single-valued |
Data type | RFC 1035 domain string. The domain MUST be a second-level domain under the control of the institution. Preferably, the institution's main domain name should be used. |
Description | The user's organization using the organization's domain name; syntax in accordance with RFC 1035. |
Examples | uniharderwijk.nl |
Notes | |
...
urn:mace | urn:mace:terena.org:attribute-def:schacHomeOrganizationType |
urn:oid | urn:oid:1.3.6.1.4.1.25178.1.2.10 |
Multiplicity | single-valued |
Data type | RFC-2141 URN (see Schac standard) |
Description | Designation of the type of organization as defined in the SCHAC specification: https://wiki.refeds.org/display/STAN/SCHAC+Releases?preview=/44957731/128909315/SCHAC%2B1.6.0-final.pdf |
Examples | urn:mace:terena.org:schac:homeOrganizationType:int:university urn:mace:terena.org:schac:homeOrganizationType:es:opi |
Notes | |
...
urn:mace | urn:mace:dir:attribute-def:eduPersonAssurance |
urn:oid | urn:oid:1.3.6.1.4.1.5923.1.1.1.11 |
Multiplicity | multi-valued |
Data type | URL |
Description | Set of URIs that assert compliance with specific standards for identity assurance. |
Examples | https://refeds.org/assurance/ID/unique https://refeds.org/assurance/IAP/medium |
Notes | Assertion by the home institution about specific aspects of identity proofing or authentication strength. Although in principle any URI is allowed, SURFconext recommends populating this attribute according to the standards outlined in the REFEDS Assurance Framework. For institutions, more information is available at Waardes voor Vrijgeven van eduPersonAssurance. |
urn:mace | urn:mace:surf.nl:attribute-def:eckid |
urn:oid | - |
Multiplicity | single-valued |
Data type | URL as specified by Edu-K, all-lowercase |
Description | Educatieve Content Keten Identifier (ECK ID) is a pseudonymous identifier for access to content for primary, secondary and vocational education. |
Examples | |
Notes | This attribute may only be used for “the access to and use of digital learning resources or the digital administration of tests and exams”. For more information see https://www.eck-id.nl (Dutch). If you obtain this claim from an external data store, such as an enterprise Active Directory, an LDAP directory or a Microsoft SQL Server, you can define a custom attribute store to query the ECK ID claim from that store. See the Microsoft blog post on custom attribute stores for details. |
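The multiplicity and data-type rows in the attribute tables above can be turned into checks that an SP runs on the values it receives before provisioning an account. This is an added example, not SURFconext code: the predicates are one reading of the tables for sn, schacHomeOrganization, schacHomeOrganizationType, eduPersonAssurance and eckid (the https requirement for the ECK ID is an assumption taken from its example value), and the sample attribute set is constructed.

```python
"""Check released attribute values against the multiplicity and data-type
rules in the attribute tables (sn, schacHomeOrganization,
schacHomeOrganizationType, eduPersonAssurance, eckid).
Added example, not SURFconext code; the sample attribute set is constructed.
"""
import re

# RFC 1035 label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
DOMAIN_RE = re.compile(r"^(?:%s\.)+%s$" % (LABEL, LABEL), re.IGNORECASE)
URN_RE = re.compile(r"^urn:[a-z0-9][a-z0-9-]{0,31}:\S+$", re.IGNORECASE)  # RFC 2141 shape
URI_RE = re.compile(r"^[a-z][a-z0-9+.-]*:\S+$", re.IGNORECASE)
HOME_ORG_TYPE_PREFIX = "urn:mace:terena.org:schac:homeOrganizationType:"


def is_domain(v):
    """Second-level or deeper domain (at least two labels), max 253 octets."""
    return len(v) <= 253 and DOMAIN_RE.match(v) is not None


def is_home_org_type(v):
    return URN_RE.match(v) is not None and v.startswith(HOME_ORG_TYPE_PREFIX)


# Per attribute: (multiplicity, predicate for one value). ECK ID as https URL is an assumption.
RULES = {
    "urn:mace:dir:attribute-def:sn": ("single", lambda v: bool(v.strip())),
    "urn:mace:terena.org:attribute-def:schacHomeOrganization": ("single", is_domain),
    "urn:mace:terena.org:attribute-def:schacHomeOrganizationType": ("single", is_home_org_type),
    "urn:mace:dir:attribute-def:eduPersonAssurance": ("multi", lambda v: URI_RE.match(v) is not None),
    "urn:mace:surf.nl:attribute-def:eckid": ("single", lambda v: v == v.lower() and v.startswith("https://")),
}


def validate(attrs):
    """Return a list of problems for {name: [values]}; an empty list means all rules pass."""
    problems = []
    for name, (mult, ok) in RULES.items():
        values = attrs.get(name, [])
        if mult == "single" and len(values) > 1:
            problems.append("%s: single-valued but %d values released" % (name, len(values)))
        problems.extend("%s: %r does not match its data type" % (name, v) for v in values if not ok(v))
    return problems


# Constructed sample with three violations: two home organizations, a bare word as type, upper-case ECK ID.
SAMPLE_ATTRS = {
    "urn:mace:dir:attribute-def:sn": ["Vermeegen"],
    "urn:mace:terena.org:attribute-def:schacHomeOrganization": ["uniharderwijk.nl", "example.nl"],
    "urn:mace:terena.org:attribute-def:schacHomeOrganizationType": ["university"],
    "urn:mace:dir:attribute-def:eduPersonAssurance": ["https://refeds.org/assurance/ID/unique", "https://refeds.org/assurance/IAP/medium"],
    "urn:mace:surf.nl:attribute-def:eckid": ["https://ketenid.nl/spv1/ABC"],
}
```

Running `validate(SAMPLE_ATTRS)` lists the three deliberate violations; an attribute set that follows the tables yields an empty list.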
...