Attribute Release Policy
SURFconext applies a minimal disclosure principle: only the (personal) information that is strictly necessary for a service is transferred to it. When you request a connection to the Production environment, you must specify which attributes the service needs. SURFconext Support will review your request and configure an Attribute Release Policy (ARP) accordingly.
Attributes
When a user logs in to a Service Provider, SURFconext sends a SAML assertion to the Service Provider. The assertion contains:
- user identifiers: information about the user who is logging in
- additional attributes (optional)
[Attributes say something about a user (for example that they are a student, that their first name is 'teun', and that they study at institution X). Their purpose is to define the service (e.g. where the service lives) and to describe it (e.g. what the service is called). Elements are configurable variables of the SAML metadata.]
User identifiers
The user's identity is transmitted in the form of the NameID element. Every IdP must supply a NameID, but for privacy reasons SURFconext generates a new, SP-specific one, which is duplicated in the attribute eduPersonTargetedID.
To identify a user you must use the NameID or eduPersonTargetedID, not any other attribute (values such as mail or displayName can change or be reassigned). SURFconext generates a NameID for each new user. It is unique for the user and specific to the SP, so SPs cannot correlate the NameIDs they receive with each other. A NameID is guaranteed to be stable for a given user unless it is a transient identifier. There are two types of NameID:
- urn:oasis:names:tc:SAML:2.0:nameid-format:persistent: a persistent NameID contains a unique string identifying the user for this SP that persists over multiple sessions.
- urn:oasis:names:tc:SAML:2.0:nameid-format:transient: a transient NameID contains a unique string identifying the user for this SP during the current session only. If the user logs in again, a new transient identifier is generated, so it cannot be used to recognise a returning user.
Attribute schemas
SURFconext supports two attribute naming schemas:
- the urn:oid schema (SAML 2.0 compliant), e.g. urn:oid:2.5.4.4
- the urn:mace schema (SAML 1.1 compliant), e.g. urn:mace:dir:attribute-def:sn (the Schac attributes use the urn:mace:terena.org and urn:schac prefixes)
Both can convey the same information (except for the NameID, which is only available in the urn:oid schema). By default SURFconext provides every attribute under both names as part of the assertion. Mixing the two schemas in one SP implementation is not recommended: pick one schema and read all attributes by that name.
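The following script, added here as an example and not SURFconext's own code, shows how an SP should consume what the two sections above describe: it takes the Subject NameID as the user key only when its format is persistent, cross-checks it against eduPersonTargetedID, and reads attributes by their urn:mace name with a fallback to the urn:oid twin instead of mixing the schemas. The assertion is constructed (issuer, ID and timestamp are placeholders); the nested NameID inside the eduPersonTargetedID value is an assumption about how that attribute is commonly carried. Signature, issuer, audience and validity-window checks are assumed to have been done by the SAML library before this code runs.

```python
"""Pick the stable user identifier out of a SURFconext-style SAML assertion and
read attributes without mixing the urn:mace and urn:oid schemas.

Added example, not SURFconext's own code. The assertion is constructed.
Signature, issuer, audience and validity checks are assumed to be done already:
never read identifiers from an unverified assertion.
"""
import xml.etree.ElementTree as ET  # for untrusted XML in production, use defusedxml.ElementTree

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# urn:mace name -> urn:oid name, taken from the attribute overview on this page.
MACE_TO_OID = {
    "urn:mace:dir:attribute-def:eduPersonTargetedID": "urn:oid:1.3.6.1.4.1.5923.1.1.1.10",
    "urn:mace:dir:attribute-def:eduPersonAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
    "urn:mace:terena.org:attribute-def:schacHomeOrganization": "urn:oid:1.3.6.1.4.1.25178.1.2.9",
}

# Constructed sample: the pairwise persistent NameID duplicated in eduPersonTargetedID,
# and every attribute present under both its urn:mace and urn:oid name.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">bd09168cf0c2e675b2def0ade6f50b7d4bb4aae</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonTargetedID">
      <saml:AttributeValue><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">bd09168cf0c2e675b2def0ade6f50b7d4bb4aae</saml:NameID></saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10">
      <saml:AttributeValue>bd09168cf0c2e675b2def0ade6f50b7d4bb4aae</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonAffiliation">
      <saml:AttributeValue>student</saml:AttributeValue>
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1">
      <saml:AttributeValue>student</saml:AttributeValue>
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _value_text(value_el):
    # Assumption: eduPersonTargetedID may be carried as a nested <saml:NameID>
    # inside the AttributeValue; fall back to the plain text value otherwise.
    nested = value_el.find("saml:NameID", NS)
    src = nested if nested is not None else value_el
    return (src.text or "").strip()


def parse_assertion(xml_text):
    """Return ({'format', 'value'} of the Subject NameID, {attribute name: [values]})."""
    root = ET.fromstring(xml_text)
    name_id_el = root.find("saml:Subject/saml:NameID", NS)
    if name_id_el is None:
        raise ValueError("assertion carries no Subject/NameID")
    name_id = {"format": name_id_el.get("Format"), "value": (name_id_el.text or "").strip()}
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [_value_text(v) for v in attr.findall("saml:AttributeValue", NS)]
    return name_id, attrs


def get_attribute(attrs, mace_name):
    """Read one attribute by its urn:mace name; use the urn:oid name only when
    the urn:mace form is absent, so calling code never mixes the two schemas."""
    if mace_name in attrs:
        return attrs[mace_name]
    return attrs.get(MACE_TO_OID.get(mace_name, ""), [])


def check_schema_consistency(attrs):
    """urn:mace names whose urn:oid twin carries different values (should be empty)."""
    return [m for m, o in MACE_TO_OID.items() if m in attrs and o in attrs and attrs[m] != attrs[o]]


def stable_user_key(name_id, attrs):
    """Identifier to key local accounts on, or None when the NameID is transient
    (valid for this session only, so it must not be stored as the user's key)."""
    if name_id["format"] == TRANSIENT:
        return None
    if name_id["format"] != PERSISTENT:
        raise ValueError(f"unexpected NameID format {name_id['format']!r}")
    targeted = get_attribute(attrs, "urn:mace:dir:attribute-def:eduPersonTargetedID")
    if targeted and targeted[0] != name_id["value"]:
        raise ValueError("NameID and eduPersonTargetedID disagree; refusing to map the user")
    return name_id["value"]


if __name__ == "__main__":
    nid, at = parse_assertion(SAMPLE_ASSERTION)
    print("user key:", stable_user_key(nid, at))
    print("affiliation:", get_attribute(at, "urn:mace:dir:attribute-def:eduPersonAffiliation"))
    print("schema mismatches:", check_schema_consistency(at))
```

The key design point is that the local account is keyed on the pairwise NameID alone: a transient NameID yields no key at all, and a disagreement between NameID and eduPersonTargetedID is treated as an error rather than silently picking one.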
Attribute overview
| Name | urn:mace name | urn:oid name | Source | Format | Example values |
|---|---|---|---|---|---|
| ID (NameID) | urn:mace:dir:attribute-def:eduPersonTargetedID | urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | eduPerson (1) | UTF8 string (unbounded) | bd09168cf0c2e675b2def0ade6f50b7d4bb4aae |
| Surname | urn:mace:dir:attribute-def:sn | urn:oid:2.5.4.4 | X.520 | UTF8 string (unbounded) | Vermeegen / 孝慈 |
| Given name | urn:mace:dir:attribute-def:givenName | urn:oid:2.5.4.42 | X.520 | UTF8 string (unbounded) | Mërgim / Lukáš / Þrúður |
| Common name | urn:mace:dir:attribute-def:cn | urn:oid:2.5.4.3 | X.520 | UTF8 string (unbounded) | Prof.dr. Mërgim Lukáš Vermeegen / 加来 千代, PhD. |
| Display name | urn:mace:dir:attribute-def:displayName | urn:oid:2.16.840.1.113730.3.1.241 | RFC 2798 | UTF8 string (unbounded) | Prof.dr. Mërgim L. Vermeegen / 加来 千代, PhD. |
| Email address | urn:mace:dir:attribute-def:mail | urn:oid:0.9.2342.19200300.100.1.3 | RFC 4524 | RFC 5322 address (max 256 chars) | m.l.vermeegen@university.example.org / maarten.'t.hart@uniharderwijk.nl / "very.unusual.@.but valid.nonetheless"@example.com / mlv@[IPv6:2001:db8::1234:4321] |
| Organization | urn:mace:terena.org:attribute-def:schacHomeOrganization | urn:oid:1.3.6.1.4.1.25178.1.2.9 | Schac | RFC 1035 domain string | example.nl / something.example.org |
| Organization type | urn:mace:terena.org:attribute-def:schacHomeOrganizationType | urn:oid:1.3.6.1.4.1.25178.1.2.10 | Schac | RFC 2141 URN, see Schac standard | urn:mace:terena.org:schac:homeOrganizationType:int:university / urn:mace:terena.org:schac:homeOrganizationType:es:opi |
| Employee/student number | urn:schac:attribute-def:schacPersonalUniqueCode | urn:oid:1.3.6.1.4.1.25178.1.2.14 | Schac | RFC 2141 URN, see SURFnet registry | urn:schac:personalUniqueCode:nl:local:example.edu:employeeid:x12-3456 / urn:schac:personalUniqueCode:nl:local:example.nl:studentid:s1234567 |
| Affiliation | urn:mace:dir:attribute-def:eduPersonAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.1 | eduPerson (1) | Enum type (UTF8 string) | employee, student, staff, member (alum, affiliate, faculty, library-walk-in are not allowed) |
| Scoped affiliation | urn:mace:dir:attribute-def:eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | eduPerson (1) | UTF8 string, user@domain | student@physics.uniharderwijk.nl / employee@facilities.uniharderwijk.nl |
| Entitlement | urn:mace:dir:attribute-def:eduPersonEntitlement | urn:oid:1.3.6.1.4.1.5923.1.1.1.7 | eduPerson (1) | RFC 2141 URN, multi-valued | to be determined per service (see Standardized values for eduPersonEntitlement) |
| PrincipalName | urn:mace:dir:attribute-def:eduPersonPrincipalName | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | eduPerson (1) | UTF8 string, user@domain | piet.jønsen@example.edu / not.a@vålîd.émail.addreß |
| isMemberOf | urn:mace:dir:attribute-def:isMemberOf | urn:oid:1.3.6.1.4.1.5923.1.5.1.1 | eduMember | RFC 2141 URN, multi-valued | urn:collab:org:surf.nl / urn:collab:org:clarin.org |
| uid | urn:mace:dir:attribute-def:uid | urn:oid:0.9.2342.19200300.100.1.1 | RFC 4519 | UTF8 string (max 256 chars) | s9603145 / flåp@example.edu |
| preferredLanguage | urn:mace:dir:attribute-def:preferredLanguage | urn:oid:2.16.840.1.113730.3.1.39 | RFC 2798, BCP 47 | List of BCP 47 language tags | nl / nl, en-gb;q=0.8, en;q=0.7 |
| ORCID | urn:mace:dir:attribute-def:eduPersonORCID | urn:oid:1.3.6.1.4.1.5923.1.1.1.16 | eduPerson (1) | URL registered with ORCID.org | http://orcid.org/0000-0002-1825-0097 |
Note that not all identity providers make all of these attributes available; an SP must handle a missing attribute gracefully rather than assume it will be present.
(1) eduPerson Object Class Specification (201602): http://software.internet2.edu/eduperson/internet2-mace-dir-eduperson-201602.html
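An SP should not trust that a released value has the shape the table promises. The following validator, added here as an example and not SURFconext's own code, checks received values against the formats in the table: the eduPersonAffiliation enumeration (and the same set on the left of a scoped affiliation), RFC 1035 domain names for schacHomeOrganization, the Schac URN prefixes, URN form for eduPersonEntitlement and isMemberOf, and the ORCID URL. It assumes the caller has already mapped urn:mace/urn:oid names to friendly names. Both sample attribute sets are constructed, and the scope check (scoped affiliation and eduPersonPrincipalName must fall under schacHomeOrganization) is an added sanity check that the table itself does not state.

```python
"""Validate attribute values received from SURFconext against the formats in the
overview table. Added example, not SURFconext's own code; attribute sets are
keyed by friendly name (assumption: urn names were mapped earlier) and the
sample sets are constructed.
"""
import re

# Enumeration from the table; alum, affiliate, faculty and library-walk-in are not allowed.
ALLOWED_AFFILIATIONS = {"employee", "student", "staff", "member"}
# RFC 1035 labels (ASCII only); IDN values would need IDNA encoding first.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
SCOPED_RE = re.compile(r"^([a-z-]+)@(.+)$", re.I)
ORCID_RE = re.compile(r"^https?://orcid\.org/\d{4}-\d{4}-\d{4}-\d{3}[\dX]$")
HOME_ORG_TYPE_PREFIX = "urn:mace:terena.org:schac:homeOrganizationType:"
UNIQUE_CODE_PREFIX = "urn:schac:personalUniqueCode:"


def _is_domain(value):
    return bool(DOMAIN_RE.match(value))


def _in_scope(scope, home_org):
    # Assumption (not from the table): a scope must be the home organisation or a subdomain of it.
    return scope == home_org or scope.endswith("." + home_org)


def validate_attributes(attrs):
    """Return a list of problems; an empty list means every supplied value is well-formed."""
    problems = []
    home_org = attrs.get("schacHomeOrganization", [None])[0]
    if home_org is not None and not _is_domain(home_org):
        problems.append(f"schacHomeOrganization {home_org!r} is not a domain name")
    for v in attrs.get("eduPersonAffiliation", []):
        if v not in ALLOWED_AFFILIATIONS:
            problems.append(f"eduPersonAffiliation {v!r} is not one of {sorted(ALLOWED_AFFILIATIONS)}")
    for v in attrs.get("eduPersonScopedAffiliation", []):
        m = SCOPED_RE.match(v)
        if not m or m.group(1) not in ALLOWED_AFFILIATIONS or not _is_domain(m.group(2)):
            problems.append(f"eduPersonScopedAffiliation {v!r} is not affiliation@domain")
        elif home_org and not _in_scope(m.group(2), home_org):
            problems.append(f"eduPersonScopedAffiliation {v!r} lies outside home organisation {home_org}")
    for v in attrs.get("eduPersonPrincipalName", []):
        if v.count("@") != 1:
            problems.append(f"eduPersonPrincipalName {v!r} is not user@domain")
        elif home_org and not _in_scope(v.rsplit("@", 1)[1], home_org):
            problems.append(f"eduPersonPrincipalName {v!r} lies outside home organisation {home_org}")
    for v in attrs.get("schacHomeOrganizationType", []):
        if not v.startswith(HOME_ORG_TYPE_PREFIX):
            problems.append(f"schacHomeOrganizationType {v!r} lacks the Schac URN prefix")
    for v in attrs.get("schacPersonalUniqueCode", []):
        if not v.startswith(UNIQUE_CODE_PREFIX):
            problems.append(f"schacPersonalUniqueCode {v!r} lacks the Schac URN prefix")
    for name in ("eduPersonEntitlement", "isMemberOf"):
        for v in attrs.get(name, []):
            if not v.startswith("urn:"):
                problems.append(f"{name} {v!r} is not a URN")
    for v in attrs.get("eduPersonORCID", []):
        if not ORCID_RE.match(v):
            problems.append(f"eduPersonORCID {v!r} is not an ORCID URL")
    return problems


# Constructed sample: a well-formed release for one student.
GOOD_ATTRS = {
    "schacHomeOrganization": ["uniharderwijk.nl"],
    "eduPersonAffiliation": ["student", "member"],
    "eduPersonScopedAffiliation": ["student@physics.uniharderwijk.nl"],
    "eduPersonPrincipalName": ["piet.jonsen@uniharderwijk.nl"],
    "schacHomeOrganizationType": ["urn:mace:terena.org:schac:homeOrganizationType:int:university"],
    "schacPersonalUniqueCode": ["urn:schac:personalUniqueCode:nl:local:uniharderwijk.nl:studentid:s1234567"],
    "isMemberOf": ["urn:collab:org:surf.nl"],
    "eduPersonORCID": ["http://orcid.org/0000-0002-1825-0097"],
}

# Constructed sample: disallowed affiliation, foreign scopes, bare values without their URN/URL form.
BAD_ATTRS = {
    "schacHomeOrganization": ["uniharderwijk.nl"],
    "eduPersonAffiliation": ["alum"],
    "eduPersonScopedAffiliation": ["staff@other-university.example"],
    "eduPersonPrincipalName": ["someone@attacker.example"],
    "schacHomeOrganizationType": ["university"],
    "eduPersonORCID": ["0000-0002-1825-0097"],
}

if __name__ == "__main__":
    print("good:", validate_attributes(GOOD_ATTRS))
    for problem in validate_attributes(BAD_ATTRS):
        print("bad:", problem)
```

Run this before any authorisation decision is derived from the attributes: an affiliation outside the allowed enumeration or a scope that does not belong to the asserting organisation should be rejected, not mapped to a default role.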
Detailed attribute descriptions