Versions Compared

Old Version 198

changes.mady.by.user Thijs Kinkhorst

Saved on

compared with

New Version 199

changes.mady.by.user André Klaver

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Warning
titleRemark

The NameID and eduPersonTargetedID, which is basically a copy of the NameID, is unlikely to change and very privacy aware but can change when service providers or identity provider make critical changes. This can cause user profiles for services to be lost. The NameID, as used in the SAML assertion to a service provider when loggin' on, is generated using the uid, schacHomeOrganization, the Entity ID of the service provider together with a secret that uses a SHA algorithm. Institutions or services that are in production and change one of these attributes, will cause a new NameID and eduPersonTargetedID to be generated by SURFconext when doing so. This can cause loss of access to profiles at services. We will notify identity providers and service providers when we see a change in one of these attributes to prevent user data being lost.

Changing attributes

As an Identity Provider it is important to realize that changing attributes in production on SURFconext in any way can have an impact on services users have access to. Attributes that you offer to SURFconext are used to create profiles, and data is often linked to them. Changing an attribute in any way can have unwanted results like users that are no longer able to access their valuable data. An example could be to modify the way you fill the email address (amongst others). For example: changing 'student.123456@university.nl' to 'john.doe@university.nl'. Do you plan to do this or do you start a project where this is the case? Contact us and send an email to support@surfconext.nl.

Useful links

  • Table with attributes we recommend our institutions to release: https://wiki.surfnet.nl/display/surfconextdev/Vereiste+attributen
  • Profile Page https://profile.surfconext.nl/ , showing what attributes are released by your IdP to SURFconext
  • For new IdP's or for IdP's that upgrade their environment: system administrators will at some point be asked to share the metadata of their account for analyses. When asked, visit this page and click the 'Mail to SURFconext' button. We will get back to you when we have judged the submitted metadata.This page will also show you the attributes shared and their values.

...

Anchor
authnmethodsreferences
authnmethodsreferences
MS AuthnMethodsReferences

Name

http://schemas.microsoft.com/claims/authnmethodsreferences

Multiplicity

multi-valued

Data type

URI

Description

The AuthnContext-referenties involved in authenticating the current user on their home IdP.

Examples

urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
http://schemas.microsoft.com/claims/multipleauthn

Opmerkingen 

  • Exclusively for use between IdPs and SURFconext; not available to SPs.
  • Used when the institution has a Microsoft ADFS IdP, to communicate the used MFA method to SURFconext. Not needed or useful when this functionality is not used by the institution in question.
  • No other uses. For comparable but more generic SAML 2.0-functionality, see the AuthnContextClassRef sent in each assertion.