When a user logs in to a service provider, SURFconext sends a so-called SAML assertion to the service provider. This SAML assertion contains a number of statements about the user who is logging in to you service, including his identity, and possibly a number of additional attributes (see below).

SURFconext's SAML2 implementation adheres to the SAML2int standard.

On this page we will show you which attributes SURFconext and their Identity Providers have to offer.

User identifiers

The user's identity is transmitted in the form of the NameID element of the SAML statement. Every Identity Provider must supply a NameID, but for privacy reasons SURFconext will generate a new one regardless. For convenience, this identifier is duplicated in the SAML attribute eduPersonTargetedID (see below).

Service Providers should use the NameID or eduPersonTargetedID (rather than email address, or other attributes that might change over time) to identify users. The NameId is guaranteed to be stable and never change for a fixed user (except in the case of transient identifiers, see below).

SURFconext can provide NameIDs of 2 different types:

A persistent identifier. A persistent NameID contains a random string that uniquely identifies the user for this SP, and which persists over multiple sessions for the same user.
A transient identifier. A transient NameID contain a random string that uniquely identifies the user for this SP during the session. Once the user's session at SURFconext expires and the users logs into your service once more, a new transient identifier will be generated for the user and SP.

Persistent and transient identifiers typically have the form 'bd09168cf0c2e675b2def0ade6f50b7d4bb4aaef'. However, please do not rely on the identifier being a hexadecimal string, as the syntax may change in the future.

The two supported NameID types, for respectively persistent and transient NameID specifiers, are:

urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
urn:oasis:names:tc:SAML:2.0:nameid-format:transient

Attribute schemas

SURFconext supports two attributes schemas: a (SAML2.0 compliant) urn:oid schema and a (SAML1.1) named urn schema. Both of these can be used to convey the same information (except for the NameID, which is only available in the urn:oid schema). By default SURFconext will provide attributes in both schemata as part of the assertion. It is not recommended to mix the use of these schemata, but for legacy reason SURFconext offers both.

Attribute overview

SURFconext supported relaying of the following attributes:

Friendly name	Attribute name	Definition	Data type	Example
ID	(NameID) urn:mace:dir:attribute-def:eduPersonTargetedID urn:oid:1.3.6.1.4.1.5923.1.1.1.10	eduPerson	UTF8 string (unbounded)	bd09168cf0c2e675b2def0ade6f50b7d4bb4aae
Surname	urn:mace:dir:attribute-def:sn urn:oid:2.5.4.4	X.520	UTF8 string (unbounded)	Vermeegen 孝慈
Given name	urn:mace:dir:attribute-def:givenName urn:oid:2.5.4.42	X.520	UTF8 string (unbounded)	Mërgim Lukáš Þrúður
Common name	urn:mace:dir:attribute-def:cn urn:oid:2.5.4.3	X.520	UTF8 String (unbounded)	Prof.dr. Mërgim Lukáš Vermeegen 加来千代, PhD.
Display name	urn:mace:dir:attribute-def:displayName urn:oid:2.16.840.1.113730.3.1.241	RFC2798	UTF8 String (unbounded)	Prof.dr. Mërgim L. Vermeegen 加来千代, PhD.
Email address	urn:mace:dir:attribute-def:mail urn:oid:0.9.2342.19200300.100.1.3	RFC4524	RFC-5322 address (max 256 chars)	m.l.vermeegen@university.example.org "very.unusual.@.unusual.com"@example.com mlv@[IPv6:2001:db8::1234:4321]
Organization	urn:mace:terena.org:attribute-def:schacHomeOrganization urn:oid:1.3.6.1.4.1.25178.1.2.9	Schac	RFC-1035 domain string	example.nl something.example.org
Organization Type	urn:mace:terena.org:attribute-def:schacHomeOrganizationType urn:oid:1.3.6.1.4.1.25178.1.2.10	Schac	RFC-2141 URN see Schac standard	urn:mace:terena.org:schac:homeOrganizationType:int:university urn:mace:terena.org:schac:homeOrganizationType:es:opi
Employee/student number	urn:schac:attribute-def:schacPersonalUniqueCode urn:oid:1.3.6.1.4.1.25178.1.2.14	Schac	RFC-2141 URN see SURFnet registry	urn:schac:personalUniqueCode:nl:local:example.edu:employeeid:x12-3456 urn:schac:personalUniqueCode:nl:local:example.nl:studentid:s1234567
Affiliation	urn:mace:dir:attribute-def:eduPersonAffiliation urn:oid:1.3.6.1.4.1.5923.1.1.1.1	eduPerson	Enum type (UTF8 String)	employee, student, staff, member (alum, affiliate, faculty, library-walk-in are not allowed)
Entitlement	urn:mace:dir:attribute-def:eduPersonEntitlement urn:oid:1.3.6.1.4.1.5923.1.1.1.7	eduPerson	RFC-2141 URN Multi-valued	to be determined per service (see Standardized values for eduPersonEntitlement)
PrincipalName	urn:mace:dir:attribute-def:eduPersonPrincipalName urn:oid:1.3.6.1.4.1.5923.1.1.1.6	eduPerson	UTF8 String user@domain	piet.jønsen@example.edu not.a@vålîd.émail.addreß
isMemberOf	urn:mace:dir:attribute-def:isMemberOf urn:oid:1.3.6.1.4.1.5923.1.5.1.1	eduMember	RFC-2141 URN Multi-valued	urn:collab:org:surf.nl urn:collab:org:clarin.org
uid	urn:mace:dir:attribute-def:uid urn:oid:0.9.2342.19200300.100.1.1	RFC4519	UTF8 String (max 256 chars)	s9603145 flåp@example.edu
preferredLanguage	urn:mace:dir:attribute-def:preferredLanguage urn:oid:2.16.840.1.113730.3.1.39	RFC2798 BCP47	List of BCP47 language tags	nl nl, en-gb;q=0.8, en;q=0.7

Note that not all identity providers might make all attributes available.

Detailed attribute descriptions

ID

See User identifiers.

Surname

urn:mace	urn:mace:dir:attribute-def:sn
urn:oid	urn:oid:2.5.4.4
Multiplicity	single-valued
Data type	UTF8 string (unbounded)
Description	The surname of a person (including any words such as “van”, “de”, “von” etc.) used for personalisation; this can be a combination of existing attributes.
Examples	Vermeegen 孝慈
Notes

Given name

urn:mace	urn:mace:dir:attribute-def:givenName
urn:oid	urn:oid:2.5.4.42
Multiplicity	single-valued
Data type	UTF8 string (unbounded)
Description	Given name / “name known by”; combinations of title, initials, and “name known by” are possible.
Examples	Jan Klaassen Mërgim K. Lukáš Þrúður
Notes

Common name

urn:mace	urn:mace:dir:attribute-def:cn
urn:oid	urn:oid:2.5.4.3
Multiplicity	multi-valued
Data type	UTF8 string (unbounded)
Description	Full name.
Examples	Prof.dr. Mërgim Lukáš Vermeegen 加来千代, PhD.
Notes	For example, a typical name of a person in an English-speaking country comprises a personal title (e.g. Mr., Ms., Rd, Professor, Sir, Lord), a first name, middle name(s), last name, generation qualifier (if any, e.g. Jr.) and decorations and awards (if any, e.g. CBE).

Display name

urn:mace	urn:mace:dir:attribute-def:displayName
urn:oid	urn:oid:2.16.840.1.113730.3.1.241
Multiplicity	single-valued
Data type	UTF8 string (unbounded)
Description	Name as displayed in applications
Examples	Prof.dr. Mërgim Lukáš Vermeegen 加来千代, PhD.
Notes	This attribute can typically be changed by the end-users themselves, and is therefore not very suitable for identification.

Email address

urn:mace	urn:mace:dir:attribute-def:mail
urn:oid	urn:oid:0.9.2342.19200300.100.1.3
Multiplicity	multi-valued
Data type	RFC-5322 address (max 256 chars)
Description	e-mail address; syntax in accordance with RFC 5322
Examples	m.l.vermeegen@university.example.org "very.unusual.@.unusual.com"@example.com mlv@[IPv6:2001:db8::1234:4321]
Notes	Multiple email addresses are allowed An email address is not necessarily the email address of this person at the institution. Do not use this attribute to uniquely identify a user. Use the NameId instead. A user's email address may change over time, or an IdP may allow a user to change this value themselves. This makes that attribute unsuitable for authentication and authorization purposes.

uid

urn:mace	urn:mace:dir:attribute-def:uid
urn:oid	urn:oid:0.9.2342.19200300.100.1.1
Multiplicity	multi-valued
Data type	UTF8 String (max 256 chars); use of spaces and `@`-characters is discouraged.
Description	The unique code for a person that is used as the login name within the institution.
Examples	s9603145 flåp@example.edu
Notes	The uid is not a unique identifier for SURFconext users. Uid values are at most unique for each IdP. Ideally the uid is not only a login name/code but also an identifier that is guaranteed as being unique within the institution over the course of time. At the moment, there is no such guarantee. Use the NameId for unique identifiers in SURFconext rather than uid. Use the eduPersonPrincipalName attribute if a human-readable unique identifier is required A uid may contain any unicode character. E.g., "`org:surfnet.nl:joe von stühl`" is a valid uid. SURFconext translates @-characters in the uid to underscores. Yes, this means that uids are not guaranteed to be unique.

Home organisation

urn:mace	urn:mace:terena.org:attribute-def:schacHomeOrganization
urn:oid	urn:oid:1.3.6.1.4.1.25178.1.2.9
Multiplicity	single-valued
Data type
Description	The user's organisation using the organisation’s domain name; syntax in accordance with RFC 1035.
Examples
Notes	In the past, SURFconext used to send the home organisation in the attribute urn:oid:1.3.6.1.4.1.1466.115.121.1.15, which was incorrect. Since 2013, the correct oid urn:oid:1.3.6.1.4.1.25178.1.2.9 is in use. For reasons of compatibility, the old (wrong) key is also still sent. It should not be used in new implementations. Matching values against this attribute should be case-insensitive, i.e. the values "uniharderwijk.nl" and "UniHarderwijk.nl" should be considered equal.

Organization type

urn:mace	urn:mace:terena.org:attribute-def:schacHomeOrganizationType
urn:oid	urn:oid:1.3.6.1.4.1.25178.1.2.10
Multiplicity	single-value
Data type
Description	designation of the type of organisation as defined on http://www.terena.org/registry/terena.org/schac/homeOrganizationType
Examples
Notes	Attribute values are registered by Terena on http://www.terena.org/registry/terena.org/schac/homeOrganizationType In practice, this attribute is not in use.

Employee-student number

urn:mace	urn:schac:attribute-def:schacPersonalUniqueCode
urn:oid	urn:oid:1.3.6.1.4.1.25178.1.2.14
Multiplicity	multi-value
Data type
Description	The user's student, employee, and/or member id as used in the university's internal systems
Examples
Notes	Attribute values are registered by SURFnet on https://wiki.surfnet.nl/x/xoTdAg Please contact the SURFnet support team if you would like to use this attribute as an SP, or if you would like to provide it as an IdP. This attribute's main use is for matching user accounts to the university's internal systems

Affiliation

urn:mace	urn:mace:dir:attribute-def:eduPersonAffiliation
urn:oid	urn:oid:1.3.6.1.4.1.5923.1.1.1.1
Multiplicity	multi-valued
Data type
Description	Indicates the relationship between the user and his home organisation. The following values are permitted: `student` — student `employee` — all employees `staff` — academic staff `member` — anyone employed by or studying at the institution
Examples
Notes	Any user who has the affiliation `student`, `employee`, or `staff`, should also have the value `member`. Identity providers might internally use additional values for the affiliation attribute, such as `alum` or `affiliate`. Per SURFconext policy, such users are not allowed access to SURFconext. According to the eduPerson specification, the values of this attribute are case insensitive; for interoperability reasons however, we require lower-case values as specified above in SURFconext.

Entitlements

urn:mace	urn:mace:dir:attribute-def:eduPersonEntitlement
urn:oid	urn:oid:1.3.6.1.4.1.5923.1.1.1.7
Multiplicity	multi-value
Data type
Description	entitlement; custom URI (URL or URN) that indicates an entitlement to something.
Examples
Notes	This attribute can be used to communicate entitlements, roles, etc, from identity providers to services, which can be used, for example, for authorization. The values of this attribute are scoped to the identity provider that is authoritative for the attribute. Formatting rules apply: See also the SURFconext entitlement namespacing policy.

Principle name

urn:mace	urn:mace:dir:attribute-def:eduPersonPrincipalName
urn:oid	urn:oid:1.3.6.1.4.1.5923.1.1.1.6
Multiplicity	single-valued
Data type
Description	Unique identifier for a user.
Examples
Notes	Although this value resembles an email address, it MUST NOT be used as an email address. In many cases mail cannot be delivered to this "address". Even though this value uniquely identifies a user, it is not guaranteed that it is persistent over sessions (even though it usually is). Do not use this to uniquely identify users. Use the NameId instead.

isMemberOf

urn:mace	urn:mace:dir:attribute-def:isMemberOf
urn:oid	urn:oid:1.3.6.1.4.1.5923.1.5.1.1
Multiplicity	multi-valued
Data type
Description	Lists the collaborative organisations the user is a member of.
Examples
Notes	Attribute values are URIs (URN or URL) Only current supported value is `urn:collab:org:surf.nl`, which indicated that the user's home institution is a member of SURFnet In the future, this can be used to determine membership of non-institutional collaborative organisations.

Preferred Language

urn:mace	urn:mace:dir:attribute-def:preferredLanguage
urn:oid	urn:oid:2.16.840.1.113730.3.1.39
Multiplicity	single-valued
Data type
Description	a two-letter abbreviation for the preferred language according to the ISO 639 language abbreviation code table; no subcodes.
Examples
Notes	Used to indicate an individual's preferred written or spoken language. This is useful for international correspondence or human-computer interaction. Values for this attribute type MUST conform to the definition of the Accept-Language header field defined in RFC 2068 with one exception: ?the value "`:`" should be omitted.

EduPersonTargetedID

urn:mace	urn:mace:dir:attribute-def:eduPersonTargetedID
urn:oid	urn:oid:1.3.6.1.4.1.5923.1.1.1.10
Multiplicity	single-valued
Data type
Description	The attribute eduPersonTargetedID is a copy of the Subject -> NameID which is generated by SURFconext itself. When an Identity Provider provides the eduPersonTargetedID itself, it is always overwritten by SURFconext.
Examples
Notes	This attribute is created because the Subject -> NameID itself is not part of the SAML v2.0 response and therefore can not be used. Within SURFconext the Subject -> NameID is explicitly placed in the attribute eduPersonTargetedID, so that you can use it.

EduPersonUserCredentials

1 april!

SURFconext geeft nooit dergelijke informatie door. Gevoelige gebruikersinformatie zoals wachtwoorden is lokaal opgeslagen bij de instelling en wordt nooit met derden gedeeld. Dit is juist de kracht van SURFconext.

Page tree

Attributes in SURFconext