...

| Friendly name | Attribute name | Definition | Data type | Example |
|---|---|---|---|---|
| ID | (NameId)<br>urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | eduPerson | UTF8 string (unbounded) | bd09168cf0c2e675b2def0ade6f50b7d4bb4aae |
| Surname | urn:mace:dir:attribute-def:sn<br>urn:oid:2.5.4.4 | X.520 | UTF8 string (unbounded) | Vermeegen<br>? |
| Given name | urn:mace:dir:attribute-def:givenName<br>urn:oid:2.5.4.42 | X.520 | UTF8 string (unbounded) | Mërgim Lukáš<br>?? |
| Common name | urn:mace:dir:attribute-def:cn<br>urn:oid:2.5.4.3 | X.520 | UTF8 String (unbounded) | Prof.dr. Mërgim Lukáš Vermeegen<br>? ??, PhD. |
| Display name | urn:mace:dir:attribute-def:displayName<br>urn:oid:1.3.6.1.4.1.1466.115.121.1.15 | RFC2798 | UTF8 String (unbounded) | Prof.dr. Mërgim L. Vermeegen<br>? ??, PhD. |
| Email address | urn:mace:dir:attribute-def:mail<br>urn:oid:0.9.2342.19200300.100.1.3 | RFC4524 | RFC-5322 address (max 256 chars) | m.l.vermeegen@university.example.org<br>"very.unusual.@.unusual.com"@example.com<br>mlv@[IPv6:2001:db8::1234:4321] |
| Organization | urn:mace:terena.org:attribute-def:schacHomeOrganization<br>urn:oid:1.3.6.1.4.1.25178.1.2.9 | Schac | RFC-1035 domain string | university.example.org |
| Organization Type | urn:mace:terena.org:attribute-def:schacHomeOrganizationType<br>urn:oid:1.3.6.1.4.1.25178.1.2.10 | Schac | RFC-2141 URN<br>see Schac standard | urn:mace:terena.org:schac:homeOrganizationType:int:university<br>urn:mace:terena.org:schac:homeOrganizationType:es:opi |
| Affiliation | urn:mace:dir:attribute-def:eduPersonAffiliation<br>urn:oid:1.3.6.1.4.1.5923.1.1.1.1 | eduPerson | Enum type (UTF8 String) | faculty, student, staff, alum, member, affiliate, employee, library-walk-in |
| Entitlement | urn:mace:dir:attribute-def:eduPersonEntitlement<br>urn:oid:1.3.6.1.4.1.5923.1.1.1.7 | eduPerson | RFC-2141 URN<br>Multi-valued | to be determined |
| PrincipalName | urn:mace:dir:attribute-def:eduPersonPrincipalName<br>urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | eduPerson | UTF8 String<br>user@domain | not.a@vålîd.émail.addreß<br>??@aninstitutionname |
| isMemberOf | urn:mace:dir:attribute-def:isMemberOf<br>urn:oid:1.3.6.1.4.1.5923.1.5.1.1 | eduMember | RFC-2141 URN<br>Multi-valued | urn:collab:org:surf.nl<br>urn:collab:org:clarin.org |
| uid | urn:mace:dir:attribute-def:uid<br>urn:oid:1.3.6.1.4.1.1466.115.121.1.15 | RFC4519 | UTF8 String (max 256 chars) | s9603145<br>flåp_example.edu |
| preferredLanguage | urn:mace:dir:attribute-def:preferredLanguage<br>urn:oid:2.16.840.1.113730.3.1.39 | RFC2798 | BCP47 language tag | nl-BE<br>en-US |

...

urn:mace

urn:mace:dir:attribute-def:uid

urn:oid

urn:oid:1.3.6.1.4.1.1466.115.121.1.15

Multiplicity

single-valued

Description

The unique code for a person that is used as the login name within the institution.

Notes

  • Ideally the uid is not only a login name/code but also an identifier that is guaranteed as being unique within the institution over the course of time. At the moment, there is no such guarantee.
  • Use the NameId for unique identifiers in SURFconext rather than uid.
  • Use the eduPersonPrincipalName attribute if a human-readable unique identifier is required.
  • A uid may contain any Unicode character. E.g., "org:surfnet.nl:joe von stühl" is a valid uid.
  • SURFconext translates @-characters in the uid to underscores.  Yes, this means that uids are not guaranteed to be unique.

...

urn:mace

urn:mace:dir:attribute-def:sn

urn:oid

urn:oid:2.5.4.4

Multiplicity

single-valued

Description

The surname of a person (including any words such as "van", "de", "von" etc.) used for personalisation; this can be a combination of existing attributes.

Notes

 

...

urn:mace

urn:mace:dir:attribute-def:givenName

urn:oid

urn:oid:2.5.4.42

Multiplicity

single-valued

Description

Given name / "name known by"; combinations of title, initials, and "name known by" are possible.

Notes

 

...

urn:mace

urn:mace:dir:attribute-def:cn

urn:oid

urn:oid:2.5.4.3

Multiplicity

single-value (?)  According to the RFC it is multi-valued

Description

Full name.

Notes

For example, a typical name of a person in an English-speaking country comprises a personal title (e.g. Mr., Ms., Rd, Professor, Sir, Lord), a first name, middle name(s), last name, generation qualifier (if any, e.g. Jr.) and decorations and awards (if any, e.g. CBE).

...

urn:mace

urn:mace:dir:attribute-def:displayName

urn:oid

urn:oid:1.3.6.1.4.1.1466.115.121.1.15

Multiplicity

single-valued

Description

Name as displayed in applications

Notes

 

...

urn:mace

urn:mace:dir:attribute-def:mail

urn:oid

urn:oid:0.9.2342.19200300.100.1.3

Multiplicity

multi-valued

Description

e-mail address; syntax in accordance with RFC 5322

Notes

  • This is a multi-value attribute. Multiple email addresses are allowed.
  • An email address is not necessarily the email address of this person at the institution; it can also be a @google.com, @hotmail.com or @vanitydomain.org address.
  • Do not use this attribute to uniquely identify a user.  Use the NameId or eduPersonPrincipalName instead.
  • A user's email address may change over time, or an IdP may allow a user to change this value themselves. This makes the attribute unsuitable for authentication and authorization purposes.
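
How a service provider might apply the uid and mail notes above when choosing an account key, as an added example that is not SURFconext code. The dictionary layout, the function names and the sample values are assumptions constructed for illustration.

```python
# Added illustration, not SURFconext code. The dict layout ("name_id" plus an
# "attributes" map of urn:mace names to value lists) is an assumption.
URN = "urn:mace:dir:attribute-def:"
EPPN, UID, MAIL = URN + "eduPersonPrincipalName", URN + "uid", URN + "mail"


def translate_uid(uid: str) -> str:
    """The uid translation described in the notes: '@' becomes '_'."""
    return uid.replace("@", "_")


def colliding_uids(uids):
    """Group distinct source uids that become identical after translation."""
    seen = {}
    for uid in uids:
        seen.setdefault(translate_uid(uid), set()).add(uid)
    return {out: sorted(src) for out, src in seen.items() if len(src) > 1}


def account_key(assertion: dict) -> tuple:
    """Key accounts on NameId, else eduPersonPrincipalName; never uid or mail."""
    name_id = assertion.get("name_id")
    if name_id:
        return ("name_id", name_id)
    eppn = assertion.get("attributes", {}).get(EPPN, [])
    # eduPersonPrincipalName is single-valued, in the form <user>@<scope>.
    if len(eppn) == 1:
        user, sep, scope = eppn[0].rpartition("@")
        if sep and user and scope:
            return ("eppn", eppn[0])
    raise ValueError("no NameId or usable eduPersonPrincipalName; "
                     "refusing to fall back to uid or mail")


def contact_addresses(assertion: dict) -> list:
    """mail is multi-valued contact data only, never an identity."""
    return list(assertion.get("attributes", {}).get(MAIL, []))


# Constructed sample data (not real users).
SAMPLE = {
    "name_id": "bd09168cf0c2e675b2def0ade6f50b7d4bb4aae",
    "attributes": {
        UID: ["flåp_example.edu"],
        MAIL: ["m.l.vermeegen@university.example.org", "mlv@vanitydomain.org"],
        EPPN: ["s012001234@student.example.com"],
    },
}
```

`colliding_uids` shows why a translated uid cannot serve as a key: `flåp@example.edu` and `flåp_example.edu` end up as the same value.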

Affiliation

urn:mace

urn:mace:dir:attribute-def:eduPersonAffiliation

urn:oid

urn:oid:1.3.6.1.4.1.5923.1.1.1.1

Multiplicity

multi-valued

Description

Indicates the relationship between the user and his/her home organisation.  The following values are permitted:

  • student - student
  • employee - all employees
  • staff - academic staff
  • alum - alumnus
  • affiliate - third party; no direct work relationship with the institution (either paid or unpaid)

Notes

Identity providers might internally use additional values for the affiliation attribute, such as alum or affiliate.  Per SURFconext policy, such users are not allowed access to SURFconext.

Note that you must not allow alum or affiliate users to access SURFfederatie. Providing this attribute is not sufficient to deny these users access to SURFfederatie as many service providers do not receive this attribute. Please contact federatie-beheer@surfnet.nl if you have questions about this.

Entitlements

urn:mace

urn:mace:dir:attribute-def:eduPersonEntitlement

urn:oid

urn:oid:1.3.6.1.4.1.5923.1.1.1.7

Multiplicity

multi-value

Description

Entitlement: a custom URI (URL or URN) that indicates an entitlement to something, as determined by a contract between the service provider and the institution.

Notes

  • This attribute can be used to communicate entitlements, roles, etc, from identity providers to services, which can be used, for example, for authorization.
  • The values of this attribute are scoped to the identity provider that is authoritative for the attribute.  See also the SURFconext entitlement namespacing policy.

Principal name

urn:mace

urn:mace:dir:attribute-def:eduPersonPrincipalName

urn:oid

urn:oid:1.3.6.1.4.1.5923.1.1.1.6

Multiplicity

single-value

Description

Unique "net ID" beyond the scope of the particular institution, in the form "<user>@<scope>". E.g. "s012001234@student.example.com".

Notes

  • Although this value resembles an email address, it should not be used as such. In many cases mail cannot be delivered to this "address".
  • This value should never be reassigned to another user. I.e. after a user leaves an institution, it should not be assigned to another (future) user.

...