Attribute Release Policy

When Identity Providers are asked whether they want to be connected to your service, they are informed of the attributes your service requests. The IdP must agree to release these attributes to your service.

 

When a user logs in to a Service Provider, SURFconext sends a SAML assertion to the Service Provider, containing:

  • user identifier (NameID)
  • additional attributes (optional)

User identifiers

The user's identity is transmitted in the form of the NameID element. Every IdP must supply a NameID, but for privacy reasons SURFconext generates a new one, which is duplicated in the attribute eduPersonTargetedID.

To identify a user you must use NameID or eduPersonTargetedID. NameID is guaranteed to be stable for a given user (except in the case of transient identifiers). SURFconext generates a NameID for each new user. It is unique for the user and specific to the SP, so SPs cannot correlate the NameIDs they receive with each other. There are two types of NameIDs:

  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
    A persistent NameID contains a unique string identifying the user for this SP and persisting over multiple sessions.
  • urn:oasis:names:tc:SAML:2.0:nameid-format:transient
    A transient NameID contains a unique string identifying the user for this SP during the session. If the user logs in again, a new transient identifier will be generated.

Attribute schemas

SURFconext supports two attribute schemas:

  • urn:oid schema (SAML2.0 compliant) 
  • urn schema (SAML1.1 compliant) 

Both can be used to convey the same information (except for the NameID, which is only available in the urn:oid schema). By default SURFconext provides attributes in both schemas as part of the assertion. Mixing the two schemas in one implementation is, however, not recommended.
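As an added example (not SURFconext code and not part of the original page), the following Python reads a constructed SAML 2.0 assertion and derives the identifier an SP should key its user records on, following the rules above: the persistent Subject NameID first, its copy eduPersonTargetedID second, never mail, uid or eduPersonPrincipalName, and a refusal when only a transient NameID is present. The assertion, its issuer and every value in it are made up for this example; XML signature and Conditions checking, which a real SP must do before reading anything out of an assertion, are deliberately left out. The parser also accepts eduPersonTargetedID carried as a nested NameID element inside the AttributeValue, a form some SAML stacks emit that the page's plain-string example does not show.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
EPTID_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"                 # eduPersonTargetedID, urn:oid schema
EPTID_MACE = "urn:mace:dir:attribute-def:eduPersonTargetedID"   # same attribute, urn schema
MAIL_OID = "urn:oid:0.9.2342.19200300.100.1.3"

# Constructed sample assertion: issuer, ID, NameID and attribute values are made up.
# A real SP verifies the XML signature, Conditions and audience before reading
# anything out of the assertion; that step is left out of this example.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2016-02-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">bd09168cf0c2e675b2def0ade6f50b7d4bb4aae</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10">
      <saml:AttributeValue>bd09168cf0c2e675b2def0ade6f50b7d4bb4aae</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonTargetedID">
      <saml:AttributeValue>
        <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">bd09168cf0c2e675b2def0ade6f50b7d4bb4aae</saml:NameID>
      </saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
      <saml:AttributeValue>m.l.vermeegen@university.example.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1">
      <saml:AttributeValue>student</saml:AttributeValue>
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed variant with a transient NameID and no eduPersonTargetedID:
# there is nothing stable to key the user on.
TRANSIENT_ONLY = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example2" Version="2.0" IssueInstant="2016-02-01T12:00:00Z">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_7f3a9c</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
      <saml:AttributeValue>m.l.vermeegen@university.example.org</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (nameid_format, nameid_value, attributes) for one assertion.

    attributes maps each Attribute Name to its list of string values. An
    eduPersonTargetedID delivered as a nested <saml:NameID> inside the
    AttributeValue is flattened to the NameID's text.
    """
    root = ET.fromstring(xml_text)
    nameid = root.find("saml:Subject/saml:NameID", NS)
    if nameid is None:
        raise ValueError("assertion has no Subject NameID")
    attributes = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        values = []
        for av in attr.iterfind("saml:AttributeValue", NS):
            nested = av.find("saml:NameID", NS)
            text = nested.text if nested is not None else av.text
            values.append((text or "").strip())
        attributes[attr.get("Name")] = values
    return nameid.get("Format"), (nameid.text or "").strip(), attributes


def user_key(xml_text):
    """The stable per-SP identifier to store for this user.

    Preference follows the page: the persistent Subject NameID first, else the
    eduPersonTargetedID attribute (a copy of that NameID). A transient NameID is
    refused as a key because it changes on every login; mail,
    eduPersonPrincipalName and uid are never considered.
    """
    fmt, value, attributes = parse_assertion(xml_text)
    eptid = attributes.get(EPTID_OID) or attributes.get(EPTID_MACE) or []
    if fmt == PERSISTENT and value:
        if eptid and eptid[0] != value:
            raise ValueError("eduPersonTargetedID does not match the Subject NameID")
        return value
    if eptid and eptid[0]:
        return eptid[0]
    if fmt == TRANSIENT:
        raise ValueError("transient NameID and no eduPersonTargetedID: user cannot be keyed")
    raise ValueError("unsupported NameID format: %r" % fmt)
```

The cross-check that eduPersonTargetedID equals the Subject NameID is cheap and catches an upstream misconfiguration early; the page states the attribute is a copy, so any difference means one of the two values is not what the SP thinks it is.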

Attribute overview

 

Group (friendly name) | Attribute name (urn:mace / urn:oid) | Defined in | Data type | Example(s)
ID (NameID) | urn:mace:dir:attribute-def:eduPersonTargetedID / urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | eduPerson (1) | UTF8 string (unbounded) | bd09168cf0c2e675b2def0ade6f50b7d4bb4aae
Attributes | urn:mace:dir:attribute-def:sn / urn:oid:2.5.4.4 | X.520 | UTF8 string (unbounded) | Vermeegen; 孝慈
Attributes | urn:mace:dir:attribute-def:givenName / urn:oid:2.5.4.42 | X.520 | UTF8 string (unbounded) | Mërgim Lukáš; Þrúður
Attributes | urn:mace:dir:attribute-def:cn / urn:oid:2.5.4.3 | X.520 | UTF8 string (unbounded) | Prof.dr. Mërgim Lukáš Vermeegen; 加来 千代, PhD.
Attributes | urn:mace:dir:attribute-def:displayName / urn:oid:2.16.840.1.113730.3.1.241 | RFC 2798 | UTF8 string (unbounded) | Prof.dr. Mërgim L. Vermeegen; 加来 千代, PhD.
Attributes | urn:mace:dir:attribute-def:mail / urn:oid:0.9.2342.19200300.100.1.3 | RFC 4524 | RFC 5322 address (max 256 chars) | m.l.vermeegen@university.example.org; maarten.'t.hart@uniharderwijk.nl; "very.unusual.@.but valid.nonetheless"@example.com; mlv@[IPv6:2001:db8::1234:4321]
Attributes | urn:mace:terena.org:attribute-def:schacHomeOrganization / urn:oid:1.3.6.1.4.1.25178.1.2.9 | Schac | RFC 1035 domain string | example.nl; something.example.org
Attributes | urn:mace:terena.org:attribute-def:schacHomeOrganizationType / urn:oid:1.3.6.1.4.1.25178.1.2.10 | Schac | RFC 2141 URN (see Schac standard) | urn:mace:terena.org:schac:homeOrganizationType:int:university; urn:mace:terena.org:schac:homeOrganizationType:es:opi
Attributes | urn:schac:attribute-def:schacPersonalUniqueCode / urn:oid:1.3.6.1.4.1.25178.1.2.14 | Schac | RFC 2141 URN (see SURFnet registry) | urn:schac:personalUniqueCode:nl:local:example.edu:employeeid:x12-3456; urn:schac:personalUniqueCode:nl:local:example.nl:studentid:s1234567
Attributes | urn:mace:dir:attribute-def:eduPersonAffiliation / urn:oid:1.3.6.1.4.1.5923.1.1.1.1 | eduPerson (1) | Enum (UTF8 string) | employee, student, staff, member (affiliate is defined but not used by any service; alum, faculty and library-walk-in are not allowed)
Attributes | urn:mace:dir:attribute-def:eduPersonScopedAffiliation / urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | eduPerson (1) | UTF8 string, affiliation@domain | student@physics.uniharderwijk.nl; employee@facilities.uniharderwijk.nl
Attributes | urn:mace:dir:attribute-def:eduPersonEntitlement / urn:oid:1.3.6.1.4.1.5923.1.1.1.7 | eduPerson (1) | RFC 2141 URN, multi-valued | to be determined per service (see Standardized values for eduPersonEntitlement)
Attributes | urn:mace:dir:attribute-def:eduPersonPrincipalName / urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | eduPerson (1) | UTF8 string, user@domain | piet.jønsen@example.edu; not.a@vålîd.émail.addreß
Attributes | urn:mace:dir:attribute-def:isMemberOf / urn:oid:1.3.6.1.4.1.5923.1.5.1.1 | eduMember | RFC 2141 URN, multi-valued | urn:collab:org:surf.nl; urn:collab:org:clarin.org
Attributes | urn:mace:dir:attribute-def:uid / urn:oid:0.9.2342.19200300.100.1.1 | RFC 4519 | UTF8 string (max 256 chars) | s9603145; flåp@example.edu
Attributes | urn:mace:dir:attribute-def:preferredLanguage / urn:oid:2.16.840.1.113730.3.1.39 | RFC 2798, BCP 47 | List of BCP 47 language tags | nl; nl, en-gb;q=0.8, en;q=0.7
ORCID | urn:mace:dir:attribute-def:eduPersonORCID / urn:oid:1.3.6.1.4.1.5923.1.1.1.16 | eduPerson (1) | URL registered with ORCID.org | http://orcid.org/0000-0002-1825-0097

Note that not all Identity Providers might make all attributes available.

(1) eduPerson Object Class Specification (201602): http://software.internet2.edu/eduperson/internet2-mace-dir-eduperson-201602.html

Detailed attribute descriptions

ID

See EduPersonTargetedID below.

Surname

urn:mace

urn:mace:dir:attribute-def:sn

urn:oid

urn:oid:2.5.4.4

Multiplicity

single-valued

Data type

UTF8 string (unbounded)

Description

Surname of a person (including particles such as "van", "de", "von", etc.), used for personalisation; can be a combination of existing attributes.

Examples

Vermeegen
孝慈

Notes

 

Given name

urn:mace

urn:mace:dir:attribute-def:givenName

urn:oid

urn:oid:2.5.4.42

Multiplicity

single-valued

Data type

UTF8 string (unbounded)

Description

Given name / "name known by"; combinations of title, initials, and "name known by" are possible.

Examples

Jan Klaassen
Mërgim K. Lukáš 
Þrúður

Notes

 

Common name

urn:mace

urn:mace:dir:attribute-def:cn

urn:oid

urn:oid:2.5.4.3

Multiplicity

multi-valued

Data type

UTF8 string (unbounded)

Description

Full name.

Examples

Prof.dr. Mërgim Lukáš Vermeegen
加来 千代, PhD.

Notes

For example, a typical name of a person in an English-speaking country comprises a personal title (e.g. Mr., Ms., Dr., Professor, Sir, Lord), a first name, middle name(s), last name, generation qualifier (if any, e.g. Jr.) and decorations and awards (if any, e.g. CBE).

Display name

urn:mace

urn:mace:dir:attribute-def:displayName

urn:oid

urn:oid:2.16.840.1.113730.3.1.241

Multiplicity

single-valued

Data type

UTF8 string (unbounded)

Description

Name as displayed in applications.

Examples

Prof.dr. Mërgim Lukáš Vermeegen
加来 千代, PhD.

Notes

Can be changed by the end-users themselves and is therefore not suitable for identification.

Email address

urn:mace

urn:mace:dir:attribute-def:mail

urn:oid

urn:oid:0.9.2342.19200300.100.1.3

Multiplicity

multi-valued

Data type

RFC 5322 address (max 256 chars)

Description

E-mail address; syntax in accordance with RFC 5322.

Examples

m.l.vermeegen@university.example.org
"very.unusual.@.unusual.com"@example.com
mlv@[IPv6:2001:db8::1234:4321]

Notes

  • Multiple email addresses are allowed.
  • Is not necessarily the email address of this person at their institution.
  • Do not use the email address to identify a user: use NameID. Also do not use it for authentication or authorization: email addresses may change over time.

Organization

urn:mace

urn:mace:terena.org:attribute-def:schacHomeOrganization

urn:oid

urn:oid:1.3.6.1.4.1.25178.1.2.9

Multiplicity

single-valued

Data type

RFC 1035 domain string. Must be a second-level domain under the control of the institution; preferably the institution's main domain name.

Description

Domain name of the user's organisation; syntax conforming to RFC 1035.

Examples

uniharderwijk.nl
example.nl 

Notes

  • In the past SURFconext used to send the home organization in the attribute urn:oid:1.3.6.1.4.1.1466.115.121.1.15, which was incorrect. Since 2013, the correct oid urn:oid:1.3.6.1.4.1.25178.1.2.9 is in use. For reasons of compatibility, the old (wrong) key is also still sent. It should not be used in new implementations.
  • Matching values should be case-insensitive, i.e. "uniharderwijk.nl" and "UniHarderwijk.nl" should be considered as equal.
  • Use the same value for all your users.
  • The value of Organisation is stored in the SURFconext configuration. So we can check that no illegal values are sent.

Organization type

urn:mace

urn:mace:terena.org:attribute-def:schacHomeOrganizationType

urn:oid

urn:oid:1.3.6.1.4.1.25178.1.2.10

Multiplicity

single-valued

Data type

RFC 2141 URN (see Schac standard)

Description

Organisation type as defined by Terena.

Examples

urn:mace:terena.org:schac:homeOrganizationType:int:university
urn:mace:terena.org:schac:homeOrganizationType:es:opi

Notes

In practice this attribute is hardly used by IdPs or SPs; contact support@surfconext.nl if you would like to use it.

Employee/student number

urn:mace

urn:schac:attribute-def:schacPersonalUniqueCode

urn:oid

urn:oid:1.3.6.1.4.1.25178.1.2.14

Multiplicity

multi-valued

Data type

RFC 2141 URN (see SURFnet registry)

Description

The identifier used in the university's internal systems.

Examples

urn:schac:personalUniqueCode:nl:local:example.edu:employeeid:x12-3456
urn:schac:personalUniqueCode:nl:local:example.nl:studentid:s1234567

Notes

Affiliation

urn:mace

urn:mace:dir:attribute-def:eduPersonAffiliation

urn:oid

urn:oid:1.3.6.1.4.1.5923.1.1.1.1

Multiplicity

multi-valued

Data type

UTF8 string (only the values below are allowed)

Description

Relationship between the user and their home organisation:

  • student — person enrolled at an institution, an external student or course participant
  • employee — person with a position at or labour agreement with an institution
  • staff — academic staff (in Dutch: wetenschappelijk personeel) and teachers
  • member — someone holding at least one of the above affiliations
  • affiliate — person who is authorized by the institution (not (yet) used by any services)

Examples

See above.

Notes

  • Users with the affiliation student, employee, or staff should also have the value member.
  • Identity Providers can use other values internally (e.g. alum); however, users with such affiliations are not allowed to access SURFconext.
  • Other values mentioned in the eduPerson specification, like faculty and library-walk-in, are not allowed within SURFconext.
  • Use only lower-case values.

Scoped Affiliation

urn:mace

urn:mace:dir:attribute-def:eduPersonScopedAffiliation

urn:oid

urn:oid:1.3.6.1.4.1.5923.1.1.1.9 

Multiplicity

multi-valued

Data type

UTF8 string of the form affiliation@subdomain

Description

Indicates the relationship between the user and a specific (security) domain within their home organisation in a fine-grained way. For example, it can specify that a user is a student in the Physics department or a secretary working in a specific department. The value consists of an affiliation part and a domain part, i.e. <affiliation>@<sub.domain.nl>.

  • The affiliation part must be one of the values allowed for Affiliation (see above).
  • The domain part must be the user's schacHomeOrganization or a subdomain of it. This subdomain does not necessarily need to exist in DNS. E.g. if schacHomeOrganization = uniharderwijk.nl, the domain part could be science.uniharderwijk.nl or physics.science.uniharderwijk.nl.

Examples

student@physics.uniharderwijk.nl
employee@facilities.uniharderwijk.nl

Notes

  • Can be used to express the faculty, field of study, department, etc. to which a user is affiliated.
  • The attribute is multi-valued: a user can be a student in a certain field and at the same time an employee of a certain department of the university.
  • There is no register of valid subdomains. SPs wanting to use this attribute need to confer with the IdP on how to interpret the values of Scoped Affiliation.

Entitlement

urn:mace

urn:mace:dir:attribute-def:eduPersonEntitlement

urn:oid

urn:oid:1.3.6.1.4.1.5923.1.1.1.7

Multiplicity

multi-valued

Data type

RFC 2141 URN

Description

Custom URI (URL or URN) indicating an entitlement to something.

Examples

urn:mace:terena.org:tcs:personal-admin
urn:x-surfnet:surfdomeinen.nl:role:dnsadmin

Notes

  • Can be used to communicate entitlements, roles, etc. from identity providers to services, for example for authorization.
  • The values of this attribute are scoped to the identity provider that is authoritative for the attribute. 
  • Formatting rules apply.

PrincipalName

urn:mace

urn:mace:dir:attribute-def:eduPersonPrincipalName

urn:oid

urn:oid:1.3.6.1.4.1.5923.1.1.1.6

Multiplicity

single-valued

Data type

UTF8 string of the form user@domain. The domain must be equal to, or a subdomain of, schacHomeOrganization.

Description

Unique identifier for a user.

Examples

piet.jønsen@example.edu
not.a@vålîd.émail.addreß

Notes

  • Do not use as an email address!
  • Although it uniquely identifies a user, it is not guaranteed that PrincipalName is persistent over sessions.
  • Do not use it to identify users. Use NameID for this.
  • The allowed domain part for your institution is stored in the SURFconext configuration, so we can check that no illegal values are sent.
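The consistency rules stated above for Organization (case-insensitive domain matching), Affiliation (allowed lower-case values, member implied by student/employee/staff), Scoped Affiliation (affiliation@domain under schacHomeOrganization) and PrincipalName (user@domain under schacHomeOrganization, single-valued) can all be enforced on the SP side before an attribute set is used for authorization. The following Python is an added example, not part of this page and not SURFconext code. The attribute dict is keyed by friendly name (a simplification of this example) and both sample users are constructed; uniharderwijk.nl is the page's own example domain. The subdomain test is label-wise on purpose, because a plain string suffix match would accept a look-alike such as evil-uniharderwijk.nl.

```python
ALLOWED_AFFILIATIONS = {"student", "employee", "staff", "member", "affiliate"}
IMPLIES_MEMBER = {"student", "employee", "staff"}


def normalize_domain(domain):
    """Domain names compare case-insensitively; a trailing dot is ignored."""
    return domain.strip().rstrip(".").lower()


def same_organization(a, b):
    """Case-insensitive schacHomeOrganization comparison."""
    return normalize_domain(a) == normalize_domain(b)


def is_subdomain_of(host, parent):
    """True if host equals parent or is a DNS subdomain of it.

    Label-wise on purpose: a suffix test on the raw string would accept
    'evil-uniharderwijk.nl' as lying under 'uniharderwijk.nl'.
    """
    h = normalize_domain(host).split(".")
    p = normalize_domain(parent).split(".")
    return len(h) >= len(p) and h[-len(p):] == p


def check_attributes(attrs):
    """Return the list of rule violations for one user's attribute set.

    attrs is keyed by friendly attribute name (a simplification of this
    example); every value is a list, as in a SAML AttributeStatement.
    """
    problems = []
    home = attrs.get("schacHomeOrganization", [])
    home_domain = home[0] if len(home) == 1 else None
    if home_domain is None:
        problems.append("schacHomeOrganization must be present and single-valued")

    affiliations = attrs.get("eduPersonAffiliation", [])
    for a in affiliations:
        if a != a.lower():
            problems.append("eduPersonAffiliation %r is not lower-case" % a)
        elif a not in ALLOWED_AFFILIATIONS:
            problems.append("eduPersonAffiliation %r is not allowed" % a)
    if IMPLIES_MEMBER & set(affiliations) and "member" not in affiliations:
        problems.append("student/employee/staff must also carry member")

    for scoped in attrs.get("eduPersonScopedAffiliation", []):
        aff, sep, dom = scoped.partition("@")
        if not (sep and aff and dom):
            problems.append("eduPersonScopedAffiliation %r is not affiliation@domain" % scoped)
            continue
        if aff not in ALLOWED_AFFILIATIONS:
            problems.append("eduPersonScopedAffiliation %r has a disallowed affiliation" % scoped)
        if home_domain and not is_subdomain_of(dom, home_domain):
            problems.append("eduPersonScopedAffiliation %r is outside %s" % (scoped, home_domain))

    eppn = attrs.get("eduPersonPrincipalName", [])
    if len(eppn) > 1:
        problems.append("eduPersonPrincipalName must be single-valued")
    for principal in eppn:
        user, sep, dom = principal.rpartition("@")
        if not (sep and user and dom):
            problems.append("eduPersonPrincipalName %r is not user@domain" % principal)
        elif home_domain and not is_subdomain_of(dom, home_domain):
            problems.append("eduPersonPrincipalName %r is outside %s" % (principal, home_domain))
    return problems


# Constructed sample users (values made up; uniharderwijk.nl is the page's example domain).
GOOD_USER = {
    "schacHomeOrganization": ["uniharderwijk.nl"],
    "eduPersonAffiliation": ["student", "member"],
    "eduPersonScopedAffiliation": ["student@physics.uniharderwijk.nl"],
    "eduPersonPrincipalName": ["s1234567@uniharderwijk.nl"],
}
BAD_USER = {
    "schacHomeOrganization": ["UniHarderwijk.nl"],              # fine: matching is case-insensitive
    "eduPersonAffiliation": ["Student", "alum"],                 # not lower-case; not allowed
    "eduPersonScopedAffiliation": ["student@evil-uniharderwijk.nl",   # look-alike domain
                                   "employee@facilities.uniharderwijk.nl"],
    "eduPersonPrincipalName": ["piet@example.org"],              # domain outside the organisation
}
```

Run against the two samples, GOOD_USER produces no findings and BAD_USER produces four: the mixed-case affiliation, the alum value, the look-alike scoped-affiliation domain and the foreign PrincipalName domain. The mixed-case schacHomeOrganization is accepted, as the page requires.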

isMemberOf

urn:mace

urn:mace:dir:attribute-def:isMemberOf

urn:oid

urn:oid:1.3.6.1.4.1.5923.1.5.1.1

Multiplicity

multi-valued

Data type

RFC 2141 URN

Description

Organisations the user is a member of.

Examples

urn:collab:org:surf.nl

Notes

  • Only urn:collab:org:surf.nl is supported. It indicates that the user's home institution is a member of SURFnet.
  • This attribute is generated by SURFconext and is available to SPs; it should not be set by IdPs.

uid

urn:mace

urn:mace:dir:attribute-def:uid

urn:oid

urn:oid:0.9.2342.19200300.100.1.1

Multiplicity

multi-valued

Data type

UTF8 string (max 256 chars); spaces and @-signs are discouraged.

Description

Code for a person, used as login name within their institution.

Examples

s9603145 
piet 
flåp@example.edu

Notes

  • uid is not a unique identifier within SURFconext, only within the specific IdP.
  • Ideally uid is unique within the institution over the course of time. At the moment, there is no such guarantee.
  • Use NameId as a unique identifier in SURFconext.
  • Use eduPersonPrincipalName if a human-readable unique identifier is required.
  • uid may contain any unicode character. E.g., "org:surfnet.nl:joe von stühl" is a valid uid.
  • SURFconext translates @-signs in the uid to underscores when constructing NameID.

preferredLanguage

urn:mace

urn:mace:dir:attribute-def:preferredLanguage

urn:oid

urn:oid:2.16.840.1.113730.3.1.39

Multiplicity

single-valued

Data type

RFC 2798, BCP 47

Description

Preferred language as a BCP 47 language tag, typically the two-letter ISO 639 code.

Examples

nl
en

Notes

Can be useful for international correspondence or human-computer interaction. Values MUST conform to the definition of the Accept-Language header field defined in RFC 2068, with one exception: the leading "Accept-Language:" field name is omitted.
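A preferredLanguage value in the Accept-Language form above is easy to mishandle if an application treats the whole string as a single tag. As an added example (not from this page and not SURFconext code), the following Python parser returns the tags in order of preference, honouring q weights and dropping malformed or q=0 entries; the regular expression is a loose approximation of the BCP 47 tag shape, an assumption of this example rather than a full validator.

```python
import re

# Loose BCP 47 shape: a language subtag followed by optional subtags,
# e.g. nl, en-gb, zh-Hant-TW. The Accept-Language wildcard "*" is not a
# language tag and is dropped.
_TAG_RE = re.compile(r"^[A-Za-z]{2,8}(-[A-Za-z0-9]{1,8})*$")


def parse_preferred_language(value):
    """Parse an Accept-Language style preferredLanguage value.

    Returns the language tags (lower-cased) in order of preference: descending
    q weight, then the order in which they were listed. Entries that are
    malformed, carry q=0 or a non-numeric q are dropped.
    """
    ranked = []
    for position, item in enumerate(value.split(",")):
        tag, _, params = item.strip().partition(";")
        tag = tag.strip()
        quality = 1.0
        for param in params.split(";"):
            key, _, raw = param.strip().partition("=")
            if key.strip().lower() == "q":
                try:
                    quality = float(raw.strip())
                except ValueError:
                    quality = 0.0
        if quality <= 0 or not _TAG_RE.match(tag):
            continue
        ranked.append((-quality, position, tag.lower()))
    return [tag for _, _, tag in sorted(ranked)]
```

For the page's own example "nl, en-gb;q=0.8, en;q=0.7" this yields nl, en-gb, en; an application that only supports a few locales should walk that list and fall back to its default when none matches, rather than erroring on the first unknown tag.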

EduPersonTargetedID

urn:mace

urn:mace:dir:attribute-def:eduPersonTargetedID

urn:oid

urn:oid:1.3.6.1.4.1.5923.1.1.1.10

Multiplicity

single-valued

Data typeUTF8 string (unbounded)

Description 

EduPersonTargetedID is a copy of the Subject -> NameID generated by SURFconext. When an IdP provides the eduPersonTargetedID itself, it is always overwritten by SURFconext.

Example

bd09168cf0c2e675b2def0ade6f50b7d4bb4aae

Note

This attribute is created because the Subject NameID is not an attribute of the SAML 2.0 assertion and is therefore only available to the application if the local SAML implementation explicitly exposes it.

 

eduPersonOrcid

urn:mace

urn:mace:dir:attribute-def:eduPersonOrcid

urn:oid

urn:oid:1.3.6.1.4.1.5923.1.1.1.16

Multiplicity

multi-valued

Data type

URL, registered with ORCID.org

Description 

ORCID is a persistent digital identifier distinguishing the account holder from other researchers. EduPersonOrcid supports automated linkage between the account holder and their professional activities, ensuring that their work is recognized.

Must be a valid ORCID identifier in the ORCID-preferred URL representation, i.e. http://orcid.org/0000-0002-1825-0097.

Example

http://orcid.org/0000-0002-1825-0097

Note

For more information: https://www.surf.nl/en/news/2016/02/global-author-identifier-service-orcid-now-available-through-surfconext-and-edugain.html.

 
