...
SURFconext supports two atttributes schemas: the urn:oid schema and the urn:mace schema. Both of these can be used to convey the same information (except for the NameId, which is only available in the urn:oid schema. By default SURFconext will provide attributes in both schemata as part of the assertion. It is not recommended to mix the use of these schemata.
Attribute overview
SURFconext supported relaying of the following attributes:
Friendly name | Attribute name | Definition | Data type | Example | |
|---|---|---|---|---|---|
ID | (NameId) | UTF8 string | bd09168cf0c2e675b2def0ade6f50b7d4bb4aae | ||
Surname | UTF8 string | Vermeegen | |||
Given name | UTF8 string | Mërgim Lukáš | |||
Common name | UTF8 String | Prof.dr. Mërgim Lukáš Vermeegen | |||
Display name | urn:mace:dir:attribute-def:displayName | UTF8 String | Prof.dr. Mërgim L. Vermeegen | ||
Email address | urn:mace:dir:attribute-def:mail | RFC-5322 address | m.l.vermeegen@university.example.org | ]]></ac:plain-text-body></ac:structured-macro> | |
Organization | urn:mace:terena.org:attribute-def:schacHomeOrganization | RFC-1035 domain string | university.example.org | ||
Organization Type | urn:mace:terena.org:attribute-def:schacHomeOrganizationType | RFC-2141 URN | urn:mace:terena.org:schac:homeOrganizationType:int:university | ||
Affiliation | urn:mace:dir:attribute-def:eduPersonAffiliation | Enum type (UTF8 String) | faculty, student, staff, alum, member, affiliate, employee, library-walk-in | ||
Entitlement | urn:mace:dir:attribute-def:eduPersonEntitlement | RFC-2141 URN | to be determined | ||
PrincipalName | urn:mace:dir:attribute-def:eduPersonPrincipalName | UTF8 String | not.a@vålîd.émail.addreß | ||
isMemberOf | urn:mace:dir:attribute-def:isMemberOf | RFC-2141 URN | urn:collab:org:surf.nl | ||
uid | urn:mace:dir:attribute-def:uid | UTF8 String | s9603145 | ||
preferredLanguage | urn:mace:dir:attribute-def:preferredLanguage | BCP47 language tag | nl-BE |
Note that not all identity providers might make all attributes available.
More information
http://www.incommon.org/federation/attributesummary.html
saml2int.org
Attributes
The following attributes can be included in the response from SURFconext to the service provider. They contain information about the authenticated user. This will make it possible for the service to for instance show the "displayName" of the user in the interface or determine the affiliation of the user for authorization. For instance a student has a different view than a teacher.
Detailed attribute descriptions
uid
urn:mace | |
urn:oid | |
Multiplicity | single-value |
Description | The unique code for a person that is used as the login name within the institution. |
Notes |
|
Surname
urn:mace | |||||
Attribute | Attribute (OID) | Example | Remarks | ||
|---|---|---|---|---|---|
| | John Doe | Usually this is equal to | ||
urn:oid | urn:oid:0.9.2342.19200300.100.1.3 | john@example.org | This attribute can contain multiple email addresses. | | urn:oid:2.5.4.4 |
Multiplicity Doe |
| ||||
| | John Doe |
| ||
single-value | |||||
Description | The surname of a person (including any words such as "van", "de", "von" etc.) used for personalisation; this can be a combination of existing attributes. | ||||
Notes |
|
Given name
urn:mace | ||
urn:oid | John | |
Multiplicity | single-value | |
Description | Given name / "name known by"; combinations of title, initials, and "name known by" are possible. | |
Notes |
|
Common name
urn:mace | |||||||
urn:eduPersonPrincipalNameoid | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | john_doe@example.org | This is not necessarily a valid email address! | | | example.org | |
Multiplicity | single-value (?) Volgens de rfc is het multi-valued | ||||||
Description | Full name. | ||||||
Notes | For example, a typical name of a person in an English-speaking country comprises a personal title (e.g. Mr., Ms., Rd, Professor, Sir, Lord), a first name, middle name(s), last name, generation qualifier (if any, e.g. Jr.) and decorations and awards (if any, e.g. CBE). |
Display name
urn:mace | |||
urn:oid | john_doe | ||
Multiplicity | single-value | ||
Description | Name as displayed in applications | ||
Notes |
|
Email address
urn:mace You should not use this for (unique) user identification purposes in your service! | urn:mace:dir:attribute-def:eduPersonAffiliationmail | ||
urn:oid | student | Supported values: | |
| | urn:collab:org:surf.nl | Contact us before you want to use this attribute! |
...
Multiplicity | multi-value |
Description | e-mail address; syntax in accordance with RFC 5322 |
Notes |
|
...
urn:mace:dir:attribute-def:
...
eduPersonAffiliation
| Note |
|---|
Currently we convert |
| Note |
|---|
UID is the unique identifier of the user at the home institution, it is not unique for all users in SURFconext! Use eduPersonTargetedID (preferred) or eduPersonPrincipalName if you need to uniquely identify users. |
A service provider SHOULD only at most request the following attributes, requesting these and any other attributes MUST BE accompanied by an explanation of why they are needed:
...
Multiplicity | multi-value |
Description | indicates the relationship between the user and his/her own organisation; possible values:
|
Notes | Note that you must not allow alum or affiliate users to access SURFfederatie. Providing this attribute is not sufficient to deny these users access to SURFfederatie as many service providers do not receive this attribute. Please contact federatie-beheer@surfnet.nl if you have questions about this. |
urn:mace:dir:attribute-def:
...
eduPersonEntitlement
Multiplicity | multi-value |
Description | entitlement; URI (URL or URN) that indicates an entitlement to something; is determined by a contract between the service provider and the institution. |
Notes |
|
...
urn:mace:dir:attribute-def:
...
The attributes are available in both human readable format and OID format. See also this eduGAIN recommendation.
Ultimately it is up to the identity provider and service provider to agree on a set of attributes to be released by the IdP, SURFconext only mediates. However, it is strongly recommend to stick to the above attributes as they are standardized and ensure greater interoperability.
The table below lists the attributes that have been defined for use within SURFfederatie. This list was created in consultation with the connected institutions, specifically within the 3TU partnership. With a view to the expected future international collaboration, this table is largely based on the EduPerson and SCHAC tables. A number of attributes that are specific to SURFfederatie and the Netherlands have been added.
| Info |
|---|
Note that the attributes described on this page are the standardised attributes that an identity provider may provide to the SURFnet federation gateway. If you are a service provider connecting to SURFconext, please refer to the attribute description on ?Authentication using SAML page. |
Attributes overview
A more detailed description of each attribute can be found in the next section.
...
Attribute Name
(abbreviated)
...
Description
...
Example value(s)
...
...
uid
...
user id/login name
...
joebloggs
...
4236712
...
sn
...
surname
...
Bloggs
...
Smith
...
givenName
...
given name
...
Joe
...
Prof. H.A.B.
...
cn
...
full name
...
Joseph Bloggs
...
...
displayName
...
display name
...
Joey
...
...
...
e-mail address
...
j.bloggs@rug.nl
...
H.A.B.Smith@tudelft.nl
smith_78@hotmail.com
...
eduPersonAffiliation
...
affiliation type
...
student
...
employee
...
eduPersonEntitlement
...
entitlement
...
?depends on service provider
...
...
eduPersonPrincipalName
...
unique name
...
joebloggs@rug.nl
...
...
preferredLanguage
...
preferred language
...
nl
...
en
...
schacHomeOrganization
...
domain name
...
tudelft.nl
...
eduPersonPrincipalName
Multiplicity | single-value |
Description | Unique "net ID" beyond the scope of the particular institution, in the form "<user>@<scope>".E.g. "s012001234@student.example.com". |
Notes |
|
urn:mace:dir:attribute-def:preferredLanguage
Multiplicity | single-value |
Description | a two-letter abbreviation for the preferred language according to the ISO 639 language abbreviation code table; no subcodes. |
Notes |
|
Attributes defined in urn:mace:terena.org:attribute-def
International standardised attributes according to the Terena SCHAC schema have been defined within the namespace urn:mace:terena.org:schac: http://www.terena.org/activities/tf-emc2/schacreleases.html. The version of the SCHAC table used is 1.3.0 (12 December 2006).
urn:mace:terena.org:attribute-def:schacHomeOrganization
Multiplicity | single-value |
Description | designation for the person's organisation using the organisation's domain name; syntax in accordance with RFC 1035. |
Notes |
|
...
schacHomeOrganizationType
...
type of organisation
urn:mace:terena.org:
...
...
nlEduPersonHomeOrganization
(deprecated)
...
name of institution
...
Delft University of Technology
...
Utrecht University of Applied Sciences
...
nlEduPersonStudyBranch
...
ROHO code
...
52734
...
...
nlEduPersonOrgUnit
...
department name
...
Faculty of Humanities
...
Library
...
nlStudielinkNummer
...
studielink number
...
xxxxxxxxxx
...
...
nlDigitalAuthorIdentifier
...
DAI number
...
070014345
...
attribute-def:schacHomeOrganizationType
Multiplicity | single-value |
Description | designation of the type of organisation to which a person belongs, using the values registered by Terena on: http://www.terena.org/registry/terena.org/schac/homeOrganizationType |
Notes |
|
Attributes defined in urn:mace:surffederatie.nl:attribute-def
Nationally standardised attributes within SURFfederatie have been defined within the namespace urn:mace:surffederatie.nl:attribute-def. The name of all these attributes starts with the prefix "nl"
urn:mace:surffederatie.nl:attribute-def:nlEduPersonHomeOrganization
Multiplicity | single-value |
Description |
|
Notes | This attribute is deprecated. It has been replaced by the urn |
Detailed attribute descriptions
The names of the attributes in the above table are the commonly used abbreviations. In the description below the attributes are listed using their full name. The SURFfederatie gateway will always provide the attributes by their full name. The attributes are defined in three different namespaces: urn:mace:dir:attribute-def, urn:mace:terena.org:schac and urn:mace:surffederatie.nl:attribute-def.
Attributes defined in urn:mace:dir:attribute-def
International standardised attributes according to the EduPerson schema have been defined within the namespace urn:mace:dir:attribute-def: http://middleware.internet2.edu/urn-mace/urn-mace-dir-attribute-def.html. The version of the EduPerson schema used is: MACE-Dir/Educause, eduPerson Object Class Specification (200806), http://middleware.internet2.edu/eduperson/docs/internet2-mace-dir-eduperson-200806.html, June 2008
urn:mace:dir:attribute-def:uid
Multiplicity | single-value |
Description | The unique code for a person that is used as the login name within the institution. |
Notes |
|
urn:mace:dir:attribute-def:sn
Multiplicity | single-value |
Description | The surname of a person (including any words such as "van", "de", "von" etc.) used for personalisation; this can be a combination of existing attributes. |
Notes |
|
urn:mace:dir:attribute-def:givenName
Multiplicity | single-value |
Description | Given name / "name known by"; combinations of title, initials, and "name known by" are possible. |
Notes |
|
urn:mace:dir:attribute-def:cn
...
Multiplicity
...
single-value
...
Description
...
Full given name.
...
Notes
urn:mace:dir:attribute-def:displayName
Multiplicity | single-value |
Description | Display name as displayed in applications |
Notes |
|
urn:mace:dir:attribute-def:mail
Multiplicity | multi-value |
Description | e-mail address; syntax in accordance with RFC 1274 and RFC 822. |
Notes |
|
urn:mace:dir:attribute-def:eduPersonAffiliation
Multiplicity | multi-value |
Description | indicates the relationship between the user and his/her own organisation; possible values:
|
Notes | Note that you must not allow alum or affiliate users to access SURFfederatie. Providing this attribute is not sufficient to deny these users access to SURFfederatie as many service providers do not receive this attribute. Please contact federatie-beheer@surfnet.nl if you have questions about this. |
urn:mace:dir:attribute-def:eduPersonEntitlement
Multiplicity | multi-value |
Description | entitlement; URI (URL or URN) that indicates an entitlement to something; is determined by a contract between the service provider and the institution. |
Notes |
|
urn:mace:dir:attribute-def:eduPersonPrincipalName
Multiplicity | single-value |
Description | Unique "net ID" beyond the scope of the particular institution, in the form "<user>@<scope>".E.g. "s012001234@student.example.com". |
Notes |
|
urn:mace:dir:attribute-def:preferredLanguage
Multiplicity | single-value |
Description | a two-letter abbreviation for the preferred language according to the ISO 639 language abbreviation code table; no subcodes. |
Notes |
|
...
:mace:terena.org:attribute-def |
...
:schacHomeOrganization attribute |
...
urn:mace:
...
surffederatie.nl:attribute-def:nlEduPersonOrgUnit
Multiplicity | multi-value |
Description | Name of the department |
Notes |
|
...
urn:mace:
...
surffederatie.
...
nl:attribute-def:
...
nlEduPersonStudyBranch
Multiplicity | single multi-value |
Description | Study programme; numerical string containing the CROHO code. Empty if the programme is not a regular one. |
Notes |
|
urn:mace:
...
surffederatie.
...
nl:attribute-def:
...
nlStudielinkNummer
Multiplicity | single-value |
Description | of the type of organisation to which a person belongs, using the values registered by Terena on: http://www.terena.org/registry/terena.org/schac/homeOrganizationType A student's Studielink number as registered at www.studielink.nl |
Notes |
|
...
urn:mace:surffederatie.nl:attribute
...
Nationally standardised attributes within SURFfederatie have been defined within the namespace urn:mace:surffederatie.nl:attribute-def. The name of all these attributes starts with the prefix "nl"
urn:mace:surffederatie.nl:attribute-def:nlEduPersonHomeOrganization
...
Multiplicity
...
single-value
...
Description
...
-def:nlDigitalAuthorIdentifier
Multiplicity | single-value |
Description | Digital Author Identifier (DAI) as described here |
Notes |
|
The names of the attributes in the above table are the commonly used abbreviations. In the description below the attributes are listed using their full name. The SURFfederatie gateway will always provide the attributes by their full name. The attributes are defined in three different namespaces: urn:mace:dir:attribute-def, urn
...
Notes
...
:mace:terena.org:
...
schac and urn:mace:surffederatie.nl:attribute-def
...
.
Attributes defined in urn:mace:dir:attribute-def
Multiplicity | multi-value |
Description | Name of the department |
Notes |
|
International standardised attributes according to the EduPerson schema have been defined within the namespace
urn:mace:
...
dir:attribute-def
...
Multiplicity | multi-value |
Description | Study programme; numerical string containing the CROHO code. Empty if the programme is not a regular one. |
Notes |
|
urn:mace:surffederatie.nl:attribute-def:nlStudielinkNummer
Multiplicity | single-value |
Description | A student's Studielink number as registered at www.studielink.nl |
Notes |
|
urn:mace:surffederatie.nl:attribute-def:nlDigitalAuthorIdentifier
...
Multiplicity
...
single-value
...
Description
...
Digital Author Identifier (DAI) as described here
...
Notes
...
: http://middleware.internet2.edu/urn-mace/urn-mace-dir-attribute-def.html. The version of the EduPerson schema used is: MACE-Dir/Educause, eduPerson Object Class Specification (200806), http://middleware.internet2.edu/eduperson/docs/internet2-mace-dir-eduperson-200806.html, June 2008