...
- user identifier (transient/persistent NameID)
additional attributes (optional)
Note |
---|
SURFconext's SAML2 implementation adheres to the SAML2int standard 0.2.1. |
...
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
A persistent NameID contains a unique string identifying the user for this SP and persisting over multiple sessions.urn:oasis:names:tc:SAML:2.0:nameid-format:transient
A transient NameID contains a unique string identifying the user for this SP during the session. If the user logs in again, a new transient identifier will be generated.
Note that the attribute eduPersonTargetedID is generated from the SURF generated Persistent NameID. The NameID, as used in the SAML assertion to a service provider when loggin' on, is generated using the uid, schacHomeOrganisation, the Entity ID of the service provider together with a secret that uses a SHA algorithm. The attentive reader will notice that for services or institutions that are in production and are going to change one of these attributes, this can have major consequences.
Attribute schemas
A schema is an abstract representation of an object's characteristics and relationship to other objects.
...
(1) eduPerson Object Class Specification (201602): http://software.internet2.edu/eduperson/internet2-mace-dir-eduperson-201602.html
Detailed attribute descriptions
...
urn:mace | urn:mace:dir:attribute-def:sn |
urn:oid | urn:oid:2.5.4.4 |
Multiplicity | single-valued |
Data type | UTF8 string (unbounded) |
Description | The surname of a person (including any words such as “van”, “de”, “von” etc.) used for personalisation; this can be a combination of existing attributes. |
Examples | Vermeegen 孝慈 |
Notes |
Anchor | ||||
---|---|---|---|---|
|
urn:mace | urn:mace:dir:attribute-def:givenName | |
urn:oid | urn:oid:2.5.4.42 | |
Multiplicity | single-valued | |
Data type | UTF8 string (unbounded) | |
Description | Given name / “name known by”; combinations of title, initials, and “name known by” are possible. | |
Examples | Jan Klaassen | |
Notes |
|
Anchor | ||||
---|---|---|---|---|
|
urn:mace | urn:mace:dir:attribute-def:cn |
urn:oid | urn:oid:2.5.4.3 |
Multiplicity | multi-valued |
Data type | UTF8 string (unbounded) |
Description | Full name. |
Examples | Prof.dr. Mërgim Lukáš Vermeegen 加来 千代, PhD. |
Notes | For example, a typical name of a person in an English-speaking country comprises a personal title (e.g. Mr., Ms., Rd, Professor, Sir, Lord), a first name, middle name(s), last name, generation qualifier (if any, e.g. Jr.) and decorations and awards (if any, e.g. CBE). |
...
urn:mace | urn:mace:dir:attribute-def:eduPersonScopedAffiliation |
urn:oid | urn:oid:1.3.6.1.4.1.1466.115.121.1.15 |
Multiplicity | multi-valued |
Data type | UTF8 String of the form affiliation@domain (see below) |
Description | Indicates the relationship between the user and the domain of his home organisation. The affiliation part must be one of the allowed values of the eduPersonAffiliation attribute (see definition right above). The value is the role of the user and the domain name of the organisation. eduPersonScopedAffiliation can hence be defined as: <eduPersonAffiliation> "@" <schacHomeOrganization>. Just like eduPersonScopedAffiliation, this is a multi valued attribute. The domain part must be the schacHomeOrganization of the user (or a subdomain thereof). |
Examples | student@uniharderwijk.nl faculty@uniharderwijk.nl |
Notes |
|
Anchor | ||||
---|---|---|---|---|
|
urn:mace | urn:mace:dir:attribute-def:eduPersonEntitlement |
urn:oid | urn:oid:1.3.6.1.4.1.5923.1.1.1.7 |
Multiplicity | multi-value |
Data type | RFC-2141 URN |
Description | entitlement; custom URI (URL or URN) that indicates an entitlement to something. |
Examples |
|
Notes |
|
...
urn:mace:dir:attribute-def:eduPersonTargetedID | |
urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | |
Multiplicity | single-valued |
Data type | UTF8 string (unbounded) |
Description | The attribute eduPersonTargetedID is a copy of the Subject -> NameID which is generated by SURFconext itself. When an Identity Provider provides the eduPersonTargetedID itself, it is always overwritten by SURFconext. |
Examples | bd09168cf0c2e675b2def0ade6f50b7d4bb4aae |
Notes | This attribute is created because the Subject -> NameID itself is not part of the SAML v2.0 response and therefore only is available for application if the local SAML implementation explicitly support this. Within SURFconext the Subject -> NameID is explicitly copied into the |
Anchor | ||||
---|---|---|---|---|
|
urn:mace:dir:attribute-def:eduPersonOrcid | |
urn:oid:1.3.6.1.4.1.5923.1.1.1.16 | |
Multiplicity | multi-valued (see remark below) |
Data type | URL, registered with ORCID.org |
Description | The ORCID is a persistent digital identifier that distinguishes the account holder from every other researcher. Through integration in research workflows such as manuscript and grant submission, the ORCID identifier supports automated linkages between the account holder and his/her professional activities ensuring that the account holder's work is recognized. Values MUST be valid ORCID identifiers in the ORCID-preferred URL representation, i.e. http://orcid.org/0000-0002-1825-0097 |
Examples | |
Notes | For more information see https://www.surf.nl/en/news/2016/02/global-author-identifier-service-orcid-now-available-through-surfconext-and-edugain.html Although the attribute is in theory multi-valued, in practice it probably makes sense that it has no more than one value. |
...