...
- A persistent identifier. A persistent NameId contains a random string that uniquely identifies the user for this SP, and which persists over multiple sessions for the same user.
- A transient identifier. A transient NameId contains a random string that uniquely identifies the user for this SP during the session. Once the user's session at SURFconext expires and the user logs into your service once more, a new transient identifier will be generated for the user and SP.
- A legacy identifier. A legacy NameId contains a human-readable identifier of the form urn:collab:person:example.com:johndoe. This form of the identifier is deprecated and is not available for newly connected services. The reason for this is that SURFconext wants to have fine-grained control over the released attributes, which is easier to manage if no personal information is disclosed in the NameId identifier. If the SP needs information that is contained in the legacy NameId format (for example, the user's home institution), it should use proper attributes (for example, schacHomeOrganisation, see below) as the source for this information.
Persistent and transient identifiers typically have the form "bd09168cf0c2e675b2def0ade6f50b7d4bb4aaef". However, this form may change in the future, and service providers MUST NOT rely on the NameId being a 40-character hexadecimal string.
...
Because of European privacy regulations, we cannot release such information to the SPs by default. In order to receive additional information, the user's home institution needs to give permission for each SP to receive its users' data. Typically, such permission will be arranged for during the initial SURFconext connection setup procedure.
SURFconext supports two attribute schemas: the urn:oid schema and the urn:mace schema. Both can be used to convey the same information (except for the NameId, which is only available in the urn:oid schema). By default SURFconext provides attributes in both schemata as part of the assertion. Although both are provided, it is not recommended to mix the use of these schemata.
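The two rules above (treat the NameId as an opaque token and take attributes from one schema only) as an added example for an SP, not code from SURFconext's documentation. It parses a constructed sample assertion with the standard library's ElementTree, which assumes the SAML library has already validated the signature; the attribute names and sample values are taken from this page except urn:oid:2.5.4.4, the X.500 OID form of sn.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
HOME_ORG = "urn:mace:terena.org:attribute-def:schacHomeOrganization"

# Constructed sample (not a real SURFconext response): a persistent NameId,
# schacHomeOrganization, and the surname in both the urn:mace and urn:oid
# schemata, which SURFconext releases side by side by default.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">bd09168cf0c2e675b2def0ade6f50b7d4bb4aaef</saml:NameID>
 </saml:Subject>
 <saml:AttributeStatement>
  <saml:Attribute Name="urn:mace:terena.org:attribute-def:schacHomeOrganization">
   <saml:AttributeValue>university.example.org</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:mace:dir:attribute-def:sn">
   <saml:AttributeValue>Vermeegen</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:2.5.4.4">
   <saml:AttributeValue>Vermeegen</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonAffiliation">
   <saml:AttributeValue>student</saml:AttributeValue>
   <saml:AttributeValue>member</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""


def parse_subject_id(assertion):
    """Read the NameId as an opaque token; only its Format is interpreted."""
    nameid = ET.fromstring(assertion).find("saml:Subject/saml:NameID", NS)
    fmt = nameid.get("Format")
    if fmt not in (PERSISTENT, TRANSIENT):
        raise ValueError("unexpected NameID format: %r" % fmt)
    # No length or hex check: the 40-char hex form is not guaranteed.
    # 'stable' tells the SP whether the value may key a local account record.
    return {"format": fmt, "value": nameid.text, "stable": fmt == PERSISTENT}


def collect_attributes(assertion, schema="urn:mace"):
    """Return {name: [values]} from one schema only, so the two are never mixed."""
    attrs = {}
    root = ET.fromstring(assertion)
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        if name.startswith(schema + ":"):
            attrs[name] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def home_organization(assertion):
    """Take the home institution from schacHomeOrganization, never from the NameId."""
    return collect_attributes(assertion).get(HOME_ORG, [None])[0]
```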
...
Friendly name | Attribute name | Data type | Example
---|---|---|---
ID | (NameId) | Random UTF8 string | bd09168cf0c2e675b2def0ade6f50b7d4bb4aae
Surname | urn:mace:dir:attribute-def:sn | UTF8 string | Vermeegen
Given name | urn:mace:dir:attribute-def:givenName | UTF8 string | Mërgim Lukáš
Common name | urn:mace:dir:attribute-def:cn | UTF8 string | Prof.dr. Mërgim Lukáš Vermeegen
Display name | urn:mace:dir:attribute-def:displayName | UTF8 string | Prof.dr. Mërgim L. Vermeegen
Email address | urn:mace:dir:attribute-def:mail | RFC-5322 address | m.l.vermeegen@university.example.org
Organization | urn:mace:terena.org:attribute-def:schacHomeOrganization | RFC-1035 domain string | university.example.org
Organization Type | urn:mace:terena.org:attribute-def:schacHomeOrganizationType | RFC-2141 URN | urn:mace:terena.org:schac:homeOrganizationType:int:university
Affiliation | urn:mace:dir:attribute-def:eduPersonAffiliation | Enum type (UTF8 string) | faculty, student, staff, alum, member, affiliate, employee, library-walk-in
Entitlement | urn:mace:dir:attribute-def:eduPersonEntitlement | RFC-2141 URN | to be determined
PrincipalName | urn:mace:dir:attribute-def:eduPersonPrincipalName | UTF8 string | not.a@vålîd.émail.addreß
isMemberOf | urn:mace:dir:attribute-def:isMemberOf | RFC-2141 URN | urn:collab:org:surf.nl
uid | urn:mace:dir:attribute-def:uid | UTF8 string | s9603145
preferredLanguage | urn:mace:dir:attribute-def:preferredLanguage | BCP47 language tag | nl-BE
...
Multiplicity | single-value
Description | The unique code for a person that is used as the login name within the institution.
Notes |
urn:mace:dir:attribute-def:sn
...