You are viewing an old version of this page. View the current version.
Compare with Current
View Page History
« Previous
Version 8
Next »
Attribute Release Policy
SURFconext has a minimal disclosure principle: only the absolute necessary (personal) information is transferred to a service. When you request a connection to the Production environment, you must specify the attributes needed. SURFconext Support will review your request and configure an Attribute Release Policy accordingly.
Attributes
When a user logs in to a Service Provider, SURFconext sends a SAML assertion to the Service Provider. The assertion contains:
- user identifiers: information about the user who is logging in
- additional attributes (optional)
[ Attributen zeggen iets over een gebruiker (bijvoorbeeld dat het een student is, dat zijn voornaam 'teun' is, en dat ie studeert aan instelling X)
Ze hebben als doel de dienst te definiëren (bv. waar leeft de dienst) en te beschrijven (bv. hoe heet de dienst). Elementen zijn configureerbare variabelen van de SAML metadata.]
User identifiers
The user's identity is transmitted in the form of the NameID element. Every IP must supply a NameID, but for privacy reasons SURFconext will generate a new one, which is duplicated in the attribute eduPersonTargetedID.
To identify a user you must use NameID or eduPersonTargetedID. NameID is guaranteed to be stable for a fixed user (except in the case of transient identifiers). SURFconext will generate a NameID for each new user. It is unique for the user and specific to the SP, so SP's cannot correlate their received NameID's between each other. There are two types of NameIDs:
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
A persistent NameID contains a unique string identifying the user for this SP and persisting over multiple sessions.urn:oasis:names:tc:SAML:2.0:nameid-format:transient
A transient NameID contains a unique string identifying the user for this SP during the session. If the user logs in again, a new transient identifier will be generated.
Attribute
SURFconext supports two attribute schemas:
urn:oid schema (SAML2.0 compliant) urn schema (SAML1.1 compliant)
Both can be used to convey the same information (except for the NameID, which is only available in the urn:oid schema). By default SURFconext will provide attributes in both schemas as part of the assertion. However it is not recommended to mix the use of the schemas.
Attribute overview
| | | | |
|---|
ID | (NameID)
urn:mace:dir:attribute-def:eduPersonTargetedID
urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | eduPerson (1) | UTF8 string
(unbounded) | bd09168cf0c2e675b2def0ade6f50b7d4bb4aae |
Surname | urn:mace:dir:attribute-def:sn
urn:oid:2.5.4.4 | X.520 | UTF8 string
(unbounded) | Vermeegen
孝慈 |
Given name | urn:mace:dir:attribute-def:givenName
urn:oid:2.5.4.42 | X.520 | UTF8 string
(unbounded) | Mërgim Lukáš
Þrúður |
Common name | urn:mace:dir:attribute-def:cn
urn:oid:2.5.4.3 | X.520 | UTF8 String
(unbounded) | Prof.dr. Mërgim Lukáš Vermeegen
加来 千代, PhD. |
Display name | urn:mace:dir:attribute-def:displayName
urn:oid:2.16.840.1.113730.3.1.241 | RFC2798 | UTF8 String
(unbounded) | Prof.dr. Mërgim L. Vermeegen
加来 千代, PhD. |
Email address | urn:mace:dir:attribute-def:mail
urn:oid:0.9.2342.19200300.100.1.3 | RFC4524 | RFC-5322 address
(max 256 chars) | m.l.vermeegen@university.example.org
maarten.'t.hart@uniharderwijk.nl
"very.unusual.@.but valid.nonetheless"@example.com
mlv@[IPv6:2001:db8::1234:4321] |
Organization | urn:mace:terena.org:attribute-def:schacHomeOrganization
urn:oid:1.3.6.1.4.1.25178.1.2.9 | Schac | RFC-1035 domain string | example.nl
something.example.org |
Organization Type | urn:mace:terena.org:attribute-def:schacHomeOrganizationType
urn:oid:1.3.6.1.4.1.25178.1.2.10 | Schac | RFC-2141 URN
see Schac standard | urn:mace:terena.org:schac:homeOrganizationType:int:university
urn:mace:terena.org:schac:homeOrganizationType:es:opi |
| Employee/student number | urn:schac:attribute-def:schacPersonalUniqueCode
urn:oid:1.3.6.1.4.1.25178.1.2.14 | Schac | RFC-2141 URN
see SURFnet registry | urn:schac:personalUniqueCode:nl:local:example.edu:employeeid:x12-3456
urn:schac:personalUniqueCode:nl:local:example.nl:studentid:s1234567 |
Affiliation | urn:mace:dir:attribute-def:eduPersonAffiliation
urn:oid:1.3.6.1.4.1.5923.1.1.1.1 | eduPerson (1) | Enum type (UTF8 String) | employee, student, staff, member (alum, affiliate, faculty, library-walk-in are not allowed) |
| Scoped affiliation | urn:mace:dir:attribute-def:eduPersonScopedAffiliation
urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | eduPerson (1) | UTF8 String
user@domain | student@physics.uniharderwijk.nl
employee@facilities.uniharderwijk.nl |
Entitlement | urn:mace:dir:attribute-def:eduPersonEntitlement
urn:oid:1.3.6.1.4.1.5923.1.1.1.7 | eduPerson (1) | RFC-2141 URN
Multi-valued | to be determined per service (see Standardized values for eduPersonEntitlement) |
PrincipalName | urn:mace:dir:attribute-def:eduPersonPrincipalName
urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | eduPerson (1) | UTF8 String
user@domain | piet.jønsen@example.edu
not.a@vålîd.émail.addreß |
isMemberOf | urn:mace:dir:attribute-def:isMemberOf
urn:oid:1.3.6.1.4.1.5923.1.5.1.1 | eduMember | RFC-2141 URN
Multi-valued | urn:collab:org:surf.nl
urn:collab:org:clarin.org |
uid | urn:mace:dir:attribute-def:uid
urn:oid:0.9.2342.19200300.100.1.1 | RFC4519 | UTF8 String
(max 256 chars) | s9603145
flåp@example.edu |
preferredLanguage | urn:mace:dir:attribute-def:preferredLanguage
urn:oid:2.16.840.1.113730.3.1.39 | RFC2798
BCP47 | List of BCP47 language tags | nl
nl, en-gb;q=0.8, en;q=0.7 |
| ORCID | urn:mace:dir:attribute-def:eduPersonORCID urn:oid:1.3.6.1.4.1.5923.1.1.1.16 | eduPerson (1) | URL registered with ORCID.org | http://orcid.org/0000-0002-1825-0097 |
Note that not all identity providers might make all attributes available.
(1) eduPerson Object Class Specification (201602): http://software.internet2.edu/eduperson/internet2-mace-dir-eduperson-201602.html
Detailed attribute descriptions