...
User identifiers
IdPs
When a user logs in to a service provider, SURFconext sends a so-called SAML assertion to the service provider. In this SAML assertion, the identity of the current user is asserted. The SAML assertion contains an identifier for the user, the so-called NameId.
SURFconext can provide NameIds of three different types:
- A persistent identifier. A persistent NameId contains a random string that uniquely identifies the user for this SP, and which is persistent over sessions.
- A transient identifier. A transient NameId contains a random string that uniquely identifies the user for this SP during the session. Once the user's session at SURFconext expires, a new transient identifier will be generated for the user and SP.
- A legacy identifier. A legacy NameId contains a human-readable identifier of the form urn:collab:person:example.com:johndoe. This form of the identifier is deprecated and is not available for newly connected services. Explain why
Persistent and transient identifiers are typically of the form "bd09168cf0c2e675b2def0ade6f50b7d4bb4aaef". However, this form may change in the future, and service providers MUST NOT rely on the fact that the NameId is a 40-character hexadecimal string.
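As an added example (not SURFconext's own code, nor that of any SP library), the following Python shows how an SP can consume the NameId described above: it accepts only the two supported formats, treats the value as an opaque string without assuming the 40-character hex form, and keys persistent identifiers by issuer and value while never storing transient ones. The sample assertion, the issuer URL and the account-store layout are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
SUPPORTED_FORMATS = {NAMEID_PERSISTENT, NAMEID_TRANSIENT}

# Constructed sample assertion (not a real SURFconext message); only the
# elements this example reads are included, signature and conditions omitted.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a1" Version="2.0">
  <saml:Issuer>https://engine.example.org/authentication/idp/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{NAMEID_PERSISTENT}">bd09168cf0c2e675b2def0ade6f50b7d4bb4aaef</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


def extract_subject(assertion_xml: str) -> tuple[str, str, str]:
    """Return (issuer, nameid_format, nameid_value) from a SAML 2.0 assertion.

    Assumes the assertion's signature and conditions were verified beforehand;
    untrusted XML should go through a hardened parser such as defusedxml.
    """
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext(f"{{{SAML_NS}}}Issuer", default="").strip()
    name_id = root.find(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    if not issuer or name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion lacks Issuer or Subject/NameID")
    fmt = name_id.get("Format", "")
    if fmt not in SUPPORTED_FORMATS:
        raise ValueError(f"unsupported NameID format: {fmt!r}")
    # The value is treated as an opaque string: no length or hex check,
    # because SPs must not rely on the current 40-character hex form.
    return issuer, fmt, name_id.text.strip()


def resolve_account(accounts: dict, issuer: str, fmt: str, value: str) -> str:
    """Map a NameID to a local account id according to its format semantics.

    Persistent: keyed by (issuer, value), so the same user returns to the same
    account across sessions. Transient: only valid for this session, so it is
    never stored and a session-scoped id is returned instead.
    """
    if fmt == NAMEID_TRANSIENT:
        return f"session:{value}"
    return accounts.setdefault((issuer, value), f"acct-{len(accounts) + 1}")


if __name__ == "__main__":
    store = {}
    print(resolve_account(store, *extract_subject(SAMPLE_ASSERTION)))  # acct-1
```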
The NameId types above follow the SAML2int standard. The two supported NameId formats are
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
which are specified in sections 8.3.7 and 8.3.8 of the SAML 2.0 core specification.
Identity providers that are connected to SURFconext need to provide attributes:
SPs
The following attributes are available for SPs that connect to SURFconext:
uid x
...
More information
http://www.incommon.org/federation/attributesummary.html
saml2int.org
...