...

  • user identifier (transient/persistent NameID)
  • additional attributes (optional)

 


Note

SURFconext's SAML2 implementation adheres to the SAML2int standard 0.2.1.

...

  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
    A persistent NameID contains a unique string identifying the user for this SP and persisting over multiple sessions.
  • urn:oasis:names:tc:SAML:2.0:nameid-format:transient
    A transient NameID contains a unique string identifying the user for this SP during the session. If the user logs in again, a new transient identifier will be generated.

Note that the attribute eduPersonTargetedID is generated from the SURF-generated persistent NameID. The NameID, as used in the SAML assertion to a service provider when logging on, is derived from the uid, the schacHomeOrganisation, the Entity ID of the service provider and a secret, using a SHA hash algorithm. The attentive reader will notice that for services or institutions that are in production and are going to change one of these inputs, this can have major consequences: the NameID, and with it eduPersonTargetedID, changes for every affected user.
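The following Python is an added illustration, not SURFconext's own code: the exact construction SURFconext uses is not given on this page, so the example assumes the four inputs named above are joined and keyed-hashed with HMAC-SHA256 under a constructed secret. It shows the three properties that matter to an operator (the identifier is stable per service provider, differs between service providers, and is broken by a change of schacHomeOrganisation) and builds the old-to-new mapping an SP would need before such a change.

```python
import hashlib
import hmac

# Constructed secret for this illustration only; a deployment keeps it in a secret store.
EXAMPLE_SECRET = b"example-only-secret"


def derive_persistent_nameid(uid, schac_home_organization, sp_entity_id, secret=EXAMPLE_SECRET):
    """Derive an opaque, per-SP persistent identifier from uid, home organisation,
    SP entity ID and a secret.

    Assumption: inputs are normalised, joined with a separator that cannot occur in
    any of them (ASCII unit separator) and keyed-hashed with HMAC-SHA256. This is
    an illustration of the idea, not the construction SURFconext actually uses.
    """
    material = "\x1f".join((uid, schac_home_organization.lower(), sp_entity_id))
    return hmac.new(secret, material.encode("utf-8"), hashlib.sha256).hexdigest()


def nameid_report(uid, schac_home_organization, sp_entity_id, new_home_org):
    """Evaluate the properties an operator cares about; returns a dict of booleans."""
    first = derive_persistent_nameid(uid, schac_home_organization, sp_entity_id)
    again = derive_persistent_nameid(uid, schac_home_organization, sp_entity_id)
    other_sp = derive_persistent_nameid(uid, schac_home_organization,
                                        "https://other-sp.example/metadata")
    after_rename = derive_persistent_nameid(uid, new_home_org, sp_entity_id)
    return {
        "stable_across_sessions": first == again,
        "unlinkable_across_sps": first != other_sp,
        "survives_home_org_change": first == after_rename,
    }


def build_migration_map(uids, sp_entity_id, old_home_org, new_home_org):
    """Map each user's current identifier to the one a renamed home organisation
    will produce. The old value cannot be recovered from the new one, so this map
    has to be built (and handed to the SP) before the change goes live."""
    return {
        derive_persistent_nameid(uid, old_home_org, sp_entity_id):
        derive_persistent_nameid(uid, new_home_org, sp_entity_id)
        for uid in uids
    }


if __name__ == "__main__":
    report = nameid_report("jdoe", "uniharderwijk.nl", "https://sp.example/metadata",
                           "uni-harderwijk.nl")
    for name, ok in report.items():
        print(f"{name}: {ok}")
```

Because the derivation is one-way, a service provider that stores the identifier as its user key has no way to recognise returning users after the home organisation or its own entity ID changes; the migration map is the only bridge.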

Attribute schemas

A schema is an abstract representation of an object's characteristics and relationship to other objects.

...

(1) eduPerson Object Class Specification (201602): http://software.internet2.edu/eduperson/internet2-mace-dir-eduperson-201602.html 


Detailed attribute descriptions

...

urn:mace

urn:mace:dir:attribute-def:sn

urn:oid

urn:oid:2.5.4.4

Multiplicity

single-valued

Data type

UTF8 string (unbounded)

Description

The surname of a person (including any words such as “van”, “de”, “von” etc.) used for personalisation; this can be a combination of existing attributes.

Examples

Vermeegen
孝慈

Notes 


Given name

urn:mace

urn:mace:dir:attribute-def:givenName

urn:oid

urn:oid:2.5.4.42

Multiplicity

single-valued

Data type

UTF8 string (unbounded)

Description

Given name / “name known by”; combinations of title, initials, and “name known by” are possible.

Examples

Jan Klaassen
Mërgim K. Lukáš 
Þrúður

Notes

 


Common name

urn:mace

urn:mace:dir:attribute-def:cn

urn:oid

urn:oid:2.5.4.3

Multiplicity

multi-valued

Data type

UTF8 string (unbounded)

Description

Full name.

Examples

Prof.dr. Mërgim Lukáš Vermeegen
加来 千代, PhD.

Notes

For example, a typical name of a person in an English-speaking country comprises a personal title (e.g. Mr., Ms., Rd, Professor, Sir, Lord), a first name, middle name(s), last name, generation qualifier (if any, e.g. Jr.) and decorations and awards (if any, e.g. CBE).

...

urn:mace

urn:mace:dir:attribute-def:eduPersonScopedAffiliation

urn:oid

urn:oid:1.3.6.1.4.1.1466.115.121.1.15

Multiplicity

multi-valued

Data type

UTF8 string of the form affiliation@domain (see below)

Description

Indicates the relationship between the user and the domain of his home organisation. The affiliation part must be one of the allowed values of the eduPersonAffiliation attribute (see definition right above).

The value is the role of the user and the domain name of the organisation. eduPersonScopedAffiliation can hence be defined as: <eduPersonAffiliation> "@" <schacHomeOrganization>. Like eduPersonAffiliation, this is a multi-valued attribute.

The domain part must be the schacHomeOrganization of the user (or a subdomain thereof). 

Examples

student@uniharderwijk.nl
faculty@uniharderwijk.nl

Notes

  • This attribute is primarily a different way to convey the same information as is contained in eduPersonAffiliation and schacHomeOrganization. It's recommended to release this attribute next to eduPersonAffiliation and schacHomeOrganization, because some SPs ask for this attribute instead of the two separate ones.
  • If desired, this attribute can be used to describe the role of the user within a specific faculty, field, study or department that the user is part of. Because the attribute is multi-valued, a user can be a student at one and an employee at another department.
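As an added example (not SURFconext code), the Python below composes eduPersonScopedAffiliation values from the definition given above and validates the values an SP receives against the two rules on this page: the affiliation part must be an eduPersonAffiliation value, and the domain part must be the user's schacHomeOrganization or a subdomain of it. The allowed affiliation values are taken from the eduPerson specification cited as reference (1), because the page's own list is elided here; all domains and users are constructed.

```python
# Affiliation values defined by the eduPerson Object Class Specification (201602),
# reference (1) on this page. The page's own list of allowed values is not visible
# in this excerpt, so the set below comes from the specification itself.
EDUPERSON_AFFILIATIONS = frozenset({
    "faculty", "student", "staff", "employee", "member",
    "affiliate", "alum", "library-walk-in",
})


def compose_scoped_affiliations(affiliations, schac_home_organization):
    """Build <eduPersonAffiliation> "@" <schacHomeOrganization> for each affiliation,
    which is the definition given on this page."""
    return [f"{a}@{schac_home_organization}" for a in affiliations]


def is_same_or_subdomain(domain, home):
    """True when domain equals the home organisation's domain or is a subdomain of it.
    Requiring the dot stops 'evil-example.nl' from passing as a subdomain of 'example.nl'."""
    d, h = domain.lower().rstrip("."), home.lower().rstrip(".")
    return d == h or d.endswith("." + h)


def validate_scoped_affiliation(value, schac_home_organization):
    """Check one eduPersonScopedAffiliation value; returns (ok, reason)."""
    if value.count("@") != 1:
        return False, "expected exactly one '@' (affiliation@domain)"
    affiliation, domain = value.split("@")
    # Comparison is strict: eduPerson defines the values in lower case.
    if affiliation not in EDUPERSON_AFFILIATIONS:
        return False, "affiliation %r is not an eduPersonAffiliation value" % affiliation
    if not domain or not is_same_or_subdomain(domain, schac_home_organization):
        return False, "scope %r is not %s or a subdomain of it" % (domain, schac_home_organization)
    return True, "ok"


def filter_released_values(values, schac_home_organization):
    """Validate the multi-valued attribute as it arrives in an assertion.
    Returns (accepted, rejected); rejected maps each bad value to its reason."""
    accepted, rejected = [], {}
    for v in values:
        ok, reason = validate_scoped_affiliation(v, schac_home_organization)
        if ok:
            accepted.append(v)
        else:
            rejected[v] = reason
    return accepted, rejected


if __name__ == "__main__":
    # Constructed assertion content: two valid values and one scoped to another domain.
    home = "uniharderwijk.nl"
    received = ["student@uniharderwijk.nl", "faculty@cs.uniharderwijk.nl", "student@otheruni.nl"]
    good, bad = filter_released_values(received, home)
    print("accepted:", good)
    print("rejected:", bad)
```

The scope check is the security-relevant part: an SP that grants access on "student@" alone, without tying the domain to the user's home organisation, would accept an affiliation asserted for a domain the identity provider is not authoritative for.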

 


Entitlements

urn:mace

urn:mace:dir:attribute-def:eduPersonEntitlement

urn:oid

urn:oid:1.3.6.1.4.1.5923.1.1.1.7

Multiplicity

multi-valued

Data type

RFC-2141 URN

Description

A custom URI (URL or URN) that indicates an entitlement to something.

Examples

urn:mace:terena.org:tcs:personal-admin
urn:x-surfnet:surfdomeinen.nl:role:dnsadmin

Notes

  • This attribute can be used to communicate entitlements, roles, etc. from identity providers to services, which can use them, for example, for authorization.
  • The values of this attribute are scoped to the identity provider that is authoritative for the attribute.
  • Formatting rules apply: see also the SURFconext entitlement namespacing policy.

...

urn:mace

urn:mace:dir:attribute-def:eduPersonTargetedID

urn:oid

urn:oid:1.3.6.1.4.1.5923.1.1.1.10

Multiplicity

single-valued

Data type

UTF8 string (unbounded)

Description 

The attribute eduPersonTargetedID is a copy of the Subject -> NameID which is generated by SURFconext itself. When an Identity Provider provides the eduPersonTargetedID itself, it is always overwritten by SURFconext.

Examples

bd09168cf0c2e675b2def0ade6f50b7d4bb4aae

Notes 

This attribute is created because the Subject -> NameID itself is not delivered as an attribute in the SAML v2.0 response and is therefore only available to an application if the local SAML implementation explicitly supports it. Within SURFconext the Subject -> NameID is explicitly copied into the eduPersonTargetedID attribute, so that the identifier can be used like any other attribute.

 


eduPersonOrcid

urn:mace

urn:mace:dir:attribute-def:eduPersonOrcid

urn:oid

urn:oid:1.3.6.1.4.1.5923.1.1.1.16

Multiplicity

multi-valued (see remark below)

Data type

URL, registered with ORCID.org

Description 

The ORCID is a persistent digital identifier that distinguishes the account holder from every other researcher. Through integration in research workflows such as manuscript and grant submission, the ORCID identifier supports automated linkages between the account holder and his/her professional activities ensuring that the account holder's work is recognized. Values MUST be valid ORCID identifiers in the ORCID-preferred URL representation, i.e. http://orcid.org/0000-0002-1825-0097

Examples

http://orcid.org/0000-0002-1825-0097

http://orcid.org/0000-0001-9351-8252

Notes 

For more information see https://www.surf.nl/en/news/2016/02/global-author-identifier-service-orcid-now-available-through-surfconext-and-edugain.html

Although the attribute is in theory multi-valued, in practice it probably makes sense that it has no more than one value.
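The following is an added example (not SURFconext code) of checking an eduPersonOrcid attribute before trusting it: each value must match the ORCID-preferred URL form given above, its last character must be the ISO 7064 MOD 11-2 check character ORCID uses (a fact about ORCID iDs, not stated on this page), and, per the note above, releasing more than one value is flagged. Accepting the https scheme alongside http is this example's choice, because orcid.org publishes https URLs today.

```python
import re

# The URL form named on this page is http://orcid.org/XXXX-XXXX-XXXX-XXXX; https is
# accepted as well because orcid.org publishes https URLs today.
ORCID_URL_RE = re.compile(r"^https?://orcid\.org/(\d{4})-(\d{4})-(\d{4})-(\d{3}[\dX])$")


def orcid_check_digit(base_digits):
    """ISO 7064 MOD 11-2 check character over the first 15 digits of an ORCID iD.
    Returns '0'..'9' or 'X'."""
    total = 0
    for ch in base_digits:
        total = (total + int(ch)) * 2
    result = (12 - total % 11) % 11
    return "X" if result == 10 else str(result)


def validate_orcid_value(value):
    """Check one eduPersonOrcid value; returns (ok, reason)."""
    m = ORCID_URL_RE.match(value.strip())
    if m is None:
        return False, "not in the form http://orcid.org/XXXX-XXXX-XXXX-XXXX"
    digits = "".join(m.groups())          # 16 characters, last one is the check character
    expected = orcid_check_digit(digits[:15])
    if digits[15] != expected:
        return False, "check character mismatch (expected %s)" % expected
    return True, "ok"


def validate_orcid_attribute(values):
    """Validate the whole (multi-valued) attribute; returns a list of problems,
    empty when every value is acceptable. More than one value is flagged because,
    as the note above says, one value is what makes sense in practice."""
    problems = []
    for v in values:
        ok, reason = validate_orcid_value(v)
        if not ok:
            problems.append(f"{v}: {reason}")
    if len(values) > 1:
        problems.append("more than one ORCID value released; one is expected in practice")
    return problems


if __name__ == "__main__":
    # The two example values from this page plus a constructed value with a bad check character.
    sample = [
        "http://orcid.org/0000-0002-1825-0097",
        "http://orcid.org/0000-0001-9351-8252",
        "http://orcid.org/0000-0002-1825-0098",
    ]
    for v in sample:
        print(v, validate_orcid_value(v))
    print(validate_orcid_attribute(sample[:1]))
```

The check character catches typing and copy errors at the identity provider before an SP links a researcher's account to the wrong ORCID record; it does not prove that the iD belongs to the user, which is what ORCID's own authenticated linking is for.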

 

...