
Attribute Release Policy

When Identity Providers are asked if they want to be coupled to your service, they will be informed of the attributes your service requests. The Identity Provider (IdP) must agree to the release of these attributes to your service.

When a user logs in to a Service Provider, SURFconext sends a SAML assertion to the Service Provider, containing:

  • user identifier (NameID)
  • additional attributes (optional)

User identifiers

The user's identity is transmitted in the form of the NameID element. Every IdP must supply a NameID, but for privacy reasons SURFconext generates a new one, which is duplicated in the attribute eduPersonTargetedID.

To identify a user you must use NameID or eduPersonTargetedID. NameID is guaranteed to be stable for a given user (except in the case of transient identifiers). SURFconext generates a NameID for each new user. It is unique for the user and specific to the SP, so SPs cannot correlate the NameIDs they receive with each other. There are two types of NameIDs:

  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
    A persistent NameID contains a unique string identifying the user for this SP and persisting over multiple sessions.
  • urn:oasis:names:tc:SAML:2.0:nameid-format:transient
    A transient NameID contains a unique string identifying the user for this SP during the session. If the user logs in again, a new transient identifier will be generated.

Attribute schemas

SURFconext supports two attribute schemas:

  • urn:oid schema (SAML2.0 compliant) 
  • urn schema (SAML1.1 compliant) 

Both can be used to convey the same information (except for the NameID, which is only available in the urn:oid schema). By default SURFconext will provide attributes in both schemas as part of the assertion. However it is not recommended to mix the use of the schemas.
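The following added example (not code from the SURFconext wiki) shows how an SP-side component could read an assertion along the lines described above: it takes the NameID from the Subject, refuses to treat a transient NameID as a stable user key, checks that eduPersonTargetedID is the promised copy of the NameID, and reads attributes by their urn:oid names only, ignoring the urn:mace duplicates so the two schemas are not mixed. The assertion is a constructed sample; the example assumes the SP's SAML library has already verified the signature and validity conditions of the assertion before this code runs.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# urn:oid attribute names from the overview table; urn:mace duplicates are ignored.
OID_TO_FRIENDLY = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "eduPersonTargetedID",
    "urn:oid:2.5.4.4": "sn",
    "urn:oid:2.5.4.42": "givenName",
    "urn:oid:2.5.4.3": "cn",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:1.3.6.1.4.1.25178.1.2.9": "schacHomeOrganization",
    "urn:oid:1.3.6.1.4.1.25178.1.2.10": "schacHomeOrganizationType",
    "urn:oid:1.3.6.1.4.1.25178.1.2.14": "schacPersonalUniqueCode",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "eduPersonAffiliation",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.7": "eduPersonEntitlement",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:1.3.6.1.4.1.5923.1.5.1.1": "isMemberOf",
    "urn:oid:0.9.2342.19200300.100.1.1": "uid",
    "urn:oid:2.16.840.1.113730.3.1.39": "preferredLanguage",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.16": "eduPersonOrcid",
}

# Constructed sample assertion; by assumption its signature was already checked.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_example">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">bd09168cf0c2e675b2def0ade6f50b7d4bb4aae</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10">
      <saml:AttributeValue>bd09168cf0c2e675b2def0ade6f50b7d4bb4aae</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonTargetedID">
      <saml:AttributeValue>bd09168cf0c2e675b2def0ade6f50b7d4bb4aae</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1">
      <saml:AttributeValue>student</saml:AttributeValue>
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonAffiliation">
      <saml:AttributeValue>student</saml:AttributeValue>
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.25178.1.2.9">
      <saml:AttributeValue>uniharderwijk.nl</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return the NameID, its format and the urn:oid attributes of an assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion carries no NameID")
    fmt = name_id.get("Format")
    if fmt not in (PERSISTENT, TRANSIENT):
        raise ValueError("unexpected NameID format: %r" % fmt)
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        friendly = OID_TO_FRIENDLY.get(attr.get("Name"))
        if friendly is None:
            continue  # urn:mace duplicate, or an attribute this SP does not use
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text]
        attributes[friendly] = values
    return {"name_id": name_id.text.strip(), "format": fmt, "attributes": attributes}


def user_key(parsed):
    """Stable key for the user record: the persistent NameID, or None when transient."""
    if parsed["format"] != PERSISTENT:
        return None
    eptid = parsed["attributes"].get("eduPersonTargetedID", [])
    if eptid and eptid[0] != parsed["name_id"]:
        raise ValueError("eduPersonTargetedID does not match the NameID")
    return parsed["name_id"]


if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_ASSERTION)
    print(user_key(parsed), parsed["attributes"])
```

Keying user records on the persistent NameID, and on nothing else, is what keeps the SP from correlating identities across services or breaking when an address or display name changes.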

Attribute overview

Each entry lists the attribute's friendly name, its attribute names in the urn:mace and urn:oid schemas, the defining standard, the data type, and example values.

ID (NameID)
  Attribute name: urn:mace:dir:attribute-def:eduPersonTargetedID
                  urn:oid:1.3.6.1.4.1.5923.1.1.1.10
  Definition:     eduPerson (1)
  Data type:      UTF8 string (unbounded)
  Example:        bd09168cf0c2e675b2def0ade6f50b7d4bb4aae

Surname
  Attribute name: urn:mace:dir:attribute-def:sn
                  urn:oid:2.5.4.4
  Definition:     X.520
  Data type:      UTF8 string (unbounded)
  Example:        Vermeegen
                  孝慈

Given name
  Attribute name: urn:mace:dir:attribute-def:givenName
                  urn:oid:2.5.4.42
  Definition:     X.520
  Data type:      UTF8 string (unbounded)
  Example:        Mërgim Lukáš
                  Þrúður

Common name
  Attribute name: urn:mace:dir:attribute-def:cn
                  urn:oid:2.5.4.3
  Definition:     X.520
  Data type:      UTF8 String (unbounded)
  Example:        Prof.dr. Mërgim Lukáš Vermeegen
                  加来 千代, PhD.

Display name
  Attribute name: urn:mace:dir:attribute-def:displayName
                  urn:oid:2.16.840.1.113730.3.1.241
  Definition:     RFC2798
  Data type:      UTF8 String (unbounded)
  Example:        Prof.dr. Mërgim L. Vermeegen
                  加来 千代, PhD.

Email address
  Attribute name: urn:mace:dir:attribute-def:mail
                  urn:oid:0.9.2342.19200300.100.1.3
  Definition:     RFC4524
  Data type:      RFC-5322 address (max 256 chars)
  Example:        m.l.vermeegen@university.example.org
                  maarten.'t.hart@uniharderwijk.nl
                  "very.unusual.@.but valid.nonetheless"@example.com
                  mlv@[IPv6:2001:db8::1234:4321]

Organization
  Attribute name: urn:mace:terena.org:attribute-def:schacHomeOrganization
                  urn:oid:1.3.6.1.4.1.25178.1.2.9
  Definition:     Schac
  Data type:      RFC-1035 domain string
  Example:        example.nl
                  something.example.org

Organization Type
  Attribute name: urn:mace:terena.org:attribute-def:schacHomeOrganizationType
                  urn:oid:1.3.6.1.4.1.25178.1.2.10
  Definition:     Schac
  Data type:      RFC-2141 URN (see Schac standard)
  Example:        urn:mace:terena.org:schac:homeOrganizationType:int:university
                  urn:mace:terena.org:schac:homeOrganizationType:es:opi

Employee/student number
  Attribute name: urn:schac:attribute-def:schacPersonalUniqueCode
                  urn:oid:1.3.6.1.4.1.25178.1.2.14
  Definition:     Schac
  Data type:      RFC-2141 URN (see SURFnet registry)
  Example:        urn:schac:personalUniqueCode:nl:local:example.edu:employeeid:x12-3456
                  urn:schac:personalUniqueCode:nl:local:example.nl:studentid:s1234567

Affiliation
  Attribute name: urn:mace:dir:attribute-def:eduPersonAffiliation
                  urn:oid:1.3.6.1.4.1.5923.1.1.1.1
  Definition:     eduPerson (1)
  Data type:      Enum type (UTF8 String)
  Example:        employee, student, staff, member (alum, affiliate, faculty, library-walk-in are not allowed)

Scoped affiliation
  Attribute name: urn:mace:dir:attribute-def:eduPersonScopedAffiliation
                  urn:oid:1.3.6.1.4.1.5923.1.1.1.9
  Definition:     eduPerson (1)
  Data type:      UTF8 String, user@domain
  Example:        student@physics.uniharderwijk.nl
                  employee@facilities.uniharderwijk.nl

Entitlement
  Attribute name: urn:mace:dir:attribute-def:eduPersonEntitlement
                  urn:oid:1.3.6.1.4.1.5923.1.1.1.7
  Definition:     eduPerson (1)
  Data type:      RFC-2141 URN, multi-valued
  Example:        to be determined per service (see Standardized values for eduPersonEntitlement)

PrincipalName
  Attribute name: urn:mace:dir:attribute-def:eduPersonPrincipalName
                  urn:oid:1.3.6.1.4.1.5923.1.1.1.6
  Definition:     eduPerson (1)
  Data type:      UTF8 String, user@domain
  Example:        piet.jønsen@example.edu
                  not.a@vålîd.émail.addreß

isMemberOf
  Attribute name: urn:mace:dir:attribute-def:isMemberOf
                  urn:oid:1.3.6.1.4.1.5923.1.5.1.1
  Definition:     eduMember
  Data type:      RFC-2141 URN, multi-valued
  Example:        urn:collab:org:surf.nl
                  urn:collab:org:clarin.org

uid
  Attribute name: urn:mace:dir:attribute-def:uid
                  urn:oid:0.9.2342.19200300.100.1.1
  Definition:     RFC4519
  Data type:      UTF8 String (max 256 chars)
  Example:        s9603145
                  flåp@example.edu

preferredLanguage
  Attribute name: urn:mace:dir:attribute-def:preferredLanguage
                  urn:oid:2.16.840.1.113730.3.1.39
  Definition:     RFC2798, BCP47
  Data type:      List of BCP47 language tags
  Example:        nl
                  nl, en-gb;q=0.8, en;q=0.7

ORCID
  Attribute name: urn:mace:dir:attribute-def:eduPersonORCID
                  urn:oid:1.3.6.1.4.1.5923.1.1.1.16
  Definition:     eduPerson (1)
  Data type:      URL registered with ORCID.org
  Example:        http://orcid.org/0000-0002-1825-0097

Note that not all Identity Providers might make all attributes available.

(1) eduPerson Object Class Specification (201602): http://software.internet2.edu/eduperson/internet2-mace-dir-eduperson-201602.html

Detailed attribute descriptions

ID

See Attributes.

Surname

urn:mace

urn:mace:dir:attribute-def:sn

urn:oid

urn:oid:2.5.4.4

Multiplicity

single-valued

Data type

UTF8 string (unbounded)

Description

Surname of a person (including words as "van", "de", "von", etc.) used for personalisation; can be a combination of existing attributes.

Examples

Vermeegen
孝慈

Notes

Given name

urn:mace

urn:mace:dir:attribute-def:givenName

urn:oid

urn:oid:2.5.4.42

Multiplicity

single-valued

Data type

UTF8 string (unbounded)

Description

Given name / "name known by"; combinations of title, initials, and "name known by" are possible.

Examples

Jan Klaassen
Mërgim K. Lukáš 
Þrúður

Notes

Common name

urn:mace

urn:mace:dir:attribute-def:cn

urn:oid

urn:oid:2.5.4.3

Multiplicity

multi-valued

Data type

UTF8 string (unbounded)

Description

Full name.

Examples

Prof.dr. Mërgim Lukáš Vermeegen
加来 千代, PhD.

Notes

For example, a typical name of a person in an English-speaking country comprises a personal title (e.g. Mr., Ms., Rd, Professor, Sir, Lord), a first name, middle name(s), last name, generation qualifier (if any, e.g. Jr.) and decorations and awards (if any, e.g. CBE).

Display name

urn:mace

urn:mace:dir:attribute-def:displayName

urn:oid

urn:oid:2.16.840.1.113730.3.1.241

Multiplicity

single-valued

Data type

UTF8 string (unbounded)

Description

Name as displayed in applications

Examples

Prof.dr. Mërgim Lukáš Vermeegen
加来 千代, PhD.

Notes

Can be changed by the end-users themselves and is therefore not suitable for identification.

Email address

urn:mace

urn:mace:dir:attribute-def:mail

urn:oid

urn:oid:0.9.2342.19200300.100.1.3

Multiplicity

multi-valued

Data type

RFC-5322 address (max 256 chars)

Description

E-mail address; syntax in accordance with RFC 5322.

Examples

m.l.vermeegen@university.example.org
"very.unusual.@.unusual.com"@example.com
mlv@[IPv6:2001:db8::1234:4321]

Notes

  • Multiple email addresses are allowed
  • Is not necessarily the email address of this person at his institution.
  • Do not use Email address to identify a user: use NameId. Also do not use it for authentication and authorization: email addresses may change over time.

Organisation

urn:mace

urn:mace:terena.org:attribute-def:schacHomeOrganization

urn:oid

urn:oid:1.3.6.1.4.1.25178.1.2.9

Multiplicity

single-valued

Data type

RFC-1035 domain string. Must be a second-level domain under the institution's control. Preferably use the institution's main domain name.

Description

Domain name of the user's organisation; syntax conforms to RFC 1035.

Examples

uniharderwijk.nl
example.nl 

Notes

  • In the past SURFconext used to send the home organisation in the attribute urn:oid:1.3.6.1.4.1.1466.115.121.1.15, which was incorrect. Since 2013, the correct oid urn:oid:1.3.6.1.4.1.25178.1.2.9 is in use. For reasons of compatibility, the old (wrong) key is also still sent. It should not be used in new implementations.
  • Matching values should be case-insensitive, i.e. "uniharderwijk.nl" and "UniHarderwijk.nl" should be considered as equal.
  • Use the same value for all your users.
  • The value of Organisation is stored in the SURFconext configuration. So we can check that no illegal values are sent.

Organization type

urn:mace

urn:mace:terena.org:attribute-def:schacHomeOrganizationType

urn:oid

urn:oid:1.3.6.1.4.1.25178.1.2.10

Multiplicity

single-valued

Data type

RFC-2141 URN (see Schac standard)

Description

Organisation type as defined by Terena.

Examples

urn:mace:terena.org:schac:homeOrganizationType:int:university
urn:mace:terena.org:schac:homeOrganizationType:es:opi

Notes

In practice this attribute is hardly used by IdPs or SPs; contact support@surfconext.nl if you would like to use it.

Employee/student number

urn:mace

urn:schac:attribute-def:schacPersonalUniqueCode

urn:oid

urn:oid:1.3.6.1.4.1.25178.1.2.14

Multiplicity

multi-valued

Data type

RFC-2141 URN (see SURFnet registry).

Description

The id used in the university's internal systems.

Examples

urn:schac:personalUniqueCode:nl:local:example.edu:employeeid:x12-3456
urn:schac:personalUniqueCode:nl:local:example.nl:studentid:s1234567

Notes

Affiliation

urn:mace

urn:mace:dir:attribute-def:eduPersonAffiliation

urn:oid

urn:oid:1.3.6.1.4.1.5923.1.1.1.1

Multiplicity

multi-valued

Data type

UTF8 String (only the values below are allowed).

Description

Relationship between user and his home organisation:

  • student — person enrolled at an institution, an external student or course participant
  • employee — person with a position at or labour agreement with an institution
  • staff — academic staff (in Dutch: wetenschappelijk personeel) and teachers
  • member — someone holding at least one of the above affiliations
  • affiliate — person who is authorized by the Institution (not (yet) used by any services)

Examples

See above.

Notes

  • Users with the affiliation student, employee, or staff should also have the value member.
  • Identity Providers can use other values (e.g. alum). However they are not allowed to access SURFconext.
  • Other values mentioned in the eduPerson specification like faculty and library-walk-in are not allowed within SURFconext.
  • Use only lower-case values.

Scoped Affiliation

urn:mace

urn:mace:dir:attribute-def:eduPersonScopedAffiliation

urn:oid

urn:oid:1.3.6.1.4.1.5923.1.1.1.9 

Multiplicity

multi-valued

Data type

UTF8 String of the form affiliation@subdomain.

Description

Indicates the relationship between the user and a specific (security) domain within his home organisation in a fine-grained way. For example, it can specify that a user is a student in the Physics department or a secretary working in a specific department. The value consists of an affiliation-part and a domain-part, i.e. <affiliation>@<sub.domain.nl>.

  • The affiliation-part must be one of the values allowed for Affiliation (see above).
  • The domain-part must be a subdomain of the user's schacHomeOrganization. This subdomain does not necessarily need to exist in DNS. E.g. if schacHomeOrganization = uniharderwijk.nl, the domain-part could be science.uniharderwijk.nl or physics.science.uniharderwijk.nl.
Examples

student@physics.uniharderwijk.nl
employee@facilities.uniharderwijk.nl

Notes

  • Can be used to express the faculty, field of study, department, etc. to which a user is affiliated.
  • The attribute is multivalued: a user can be a student in a certain field and at the same time an employee of a certain department of the university.
  • There is no common register or policy of which subdomains are valid or express a certain concept. For example, staff@cs.uniharderwijk.nl might indicate the user is a staff member of the computer science department of the University of Harderwijk, while staff@cs.surfnet.nl might indicate an employee of the community support department of SURFnet. Therefore, if you are an SP and would like to use this attribute, you always need to confer with the university if you need to interpret these values.

Entitlement

urn:mace

urn:mace:dir:attribute-def:eduPersonEntitlement

urn:oid

urn:oid:1.3.6.1.4.1.5923.1.1.1.7

Multiplicity

multi-valued

Data type

RFC-2141 URN

Description

Entitlement; a custom URI (URL or URN) that indicates an entitlement to something.

Examples

urn:mace:terena.org:tcs:personal-admin
urn:x-surfnet:surfdomeinen.nl:role:dnsadmin

Notes

  • This attribute can be used to communicate entitlements, roles, etc, from identity providers to services, which can be used, for example, for authorization.
  • The values of this attribute are scoped to the identity provider that is authoritative for the attribute. 
  • Formatting rules apply: See also the SURFconext entitlement namespacing policy.

Principal name

urn:mace

urn:mace:dir:attribute-def:eduPersonPrincipalName

urn:oid

urn:oid:1.3.6.1.4.1.5923.1.1.1.6

Multiplicity

single-valued

Data type

UTF8 String of the form user@domain. The domain MUST be equal to or be a subdomain of the schacHomeOrganization.

Description

Unique identifier for a user.  

Examples

piet.jønsen@example.edu
not.a@vålîd.émail.addreß

Notes

  • Although this value resembles an email address, it MUST NOT be used as an email address. In many cases mail cannot be delivered to this "address".
  • Even though this value uniquely identifies a user, it is not guaranteed that it is persistent over sessions (even though it usually is).
  • Preferably do not use this to uniquely identify users. Use the NameId instead.
  • SURFconext will store the allowed domain part for your institution in our configuration so we can check that no illegal values are being sent.
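The checks spelled out for Affiliation, Scoped Affiliation, Organisation and Principal name above, collected into one added example (not code from the SURFconext wiki or from any IdP): affiliation values must be lower-case members of the allowed set, and student, employee or staff must be accompanied by member; the domain part of a scoped affiliation or eduPersonPrincipalName must equal or be a subdomain of the user's schacHomeOrganization; and schacHomeOrganization is compared case-insensitively against the value registered for the institution. The attribute dicts and the registered domain are constructed sample input; the allowed-affiliation set follows the overview table, so affiliate is rejected here.

```python
# Allowed eduPersonAffiliation values per the overview table (lower-case only).
ALLOWED_AFFILIATIONS = {"student", "employee", "staff", "member"}
NEEDS_MEMBER = {"student", "employee", "staff"}


def normalize_domain(domain):
    """RFC 1035 names are case-insensitive; a trailing dot is stripped as well."""
    return domain.strip().rstrip(".").lower()


def is_same_or_subdomain(domain, home_org):
    """True if domain equals home_org or is a subdomain of it.
    The leading dot in the suffix check matters: without it,
    'evil-uniharderwijk.nl' would pass as a subdomain of 'uniharderwijk.nl'."""
    domain, home_org = normalize_domain(domain), normalize_domain(home_org)
    return bool(home_org) and (domain == home_org or domain.endswith("." + home_org))


def check_affiliations(values):
    problems = []
    for value in values:
        if value != value.lower():
            problems.append("affiliation must be lower-case: %s" % value)
        elif value not in ALLOWED_AFFILIATIONS:
            problems.append("affiliation not allowed in SURFconext: %s" % value)
    if NEEDS_MEMBER & set(values) and "member" not in values:
        problems.append("student/employee/staff released without member")
    return problems


def split_scoped(value):
    """Split 'left@domain' into its parts; None when malformed."""
    left, sep, domain = value.partition("@")
    if not sep or not left or not domain or "@" in domain:
        return None
    return left, domain


def check_scoped_affiliations(values, home_org):
    problems = []
    for value in values:
        parts = split_scoped(value)
        if parts is None:
            problems.append("malformed scoped affiliation: %s" % value)
            continue
        affiliation, domain = parts
        if affiliation not in ALLOWED_AFFILIATIONS:
            problems.append("scoped affiliation with disallowed affiliation: %s" % value)
        if not is_same_or_subdomain(domain, home_org):
            problems.append("scoped affiliation outside home organisation: %s" % value)
    return problems


def check_principal_name(value, home_org):
    parts = split_scoped(value)
    if parts is None:
        return ["malformed eduPersonPrincipalName: %s" % value]
    if not is_same_or_subdomain(parts[1], home_org):
        return ["eduPersonPrincipalName domain outside home organisation: %s" % value]
    return []


def check_home_organization(value, registered):
    if normalize_domain(value) != normalize_domain(registered):
        return ["schacHomeOrganization %r does not match registered value %r" % (value, registered)]
    return []


def validate_user(attrs, registered_home_org):
    """attrs: friendly attribute name -> list of released values."""
    home_org = (attrs.get("schacHomeOrganization") or [""])[0]
    problems = check_home_organization(home_org, registered_home_org)
    problems += check_affiliations(attrs.get("eduPersonAffiliation", []))
    problems += check_scoped_affiliations(attrs.get("eduPersonScopedAffiliation", []), home_org)
    for eppn in attrs.get("eduPersonPrincipalName", []):
        problems += check_principal_name(eppn, home_org)
    return problems


# Constructed sample input: a well-formed release and a faulty one.
GOOD_USER = {
    "schacHomeOrganization": ["UniHarderwijk.nl"],
    "eduPersonAffiliation": ["student", "member"],
    "eduPersonScopedAffiliation": ["student@physics.uniharderwijk.nl"],
    "eduPersonPrincipalName": ["piet.jonsen@uniharderwijk.nl"],
}
BAD_USER = {
    "schacHomeOrganization": ["uniharderwijk.nl"],
    "eduPersonAffiliation": ["Alum", "student"],
    "eduPersonScopedAffiliation": ["staff@cs.surfnet.nl", "student@evil-uniharderwijk.nl"],
    "eduPersonPrincipalName": ["s1234567@example.nl"],
}

if __name__ == "__main__":
    for label, user in (("good", GOOD_USER), ("bad", BAD_USER)):
        print(label, validate_user(user, "uniharderwijk.nl") or "OK")
```

Running these checks at login time, against the schacHomeOrganization value your service has on record for the institution, catches the cases the notes above warn about before a mis-scoped value reaches an authorization decision.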

isMemberOf

urn:mace

urn:mace:dir:attribute-def:isMemberOf

urn:oid

urn:oid:1.3.6.1.4.1.5923.1.5.1.1

Multiplicity

multi-valued

Data type

RFC-2141 URN

Description

Lists the collaborative organisations the user is a member of.

Examples

urn:collab:org:surf.nl

Notes

  • Attribute values are URIs (URN or URL)
  • The only currently supported value is urn:collab:org:surf.nl, which indicates that the user's home institution is a member of SURFnet.
  • In the future, this can be used to determine membership of non-institutional collaborative organisations.
  • This attribute is generated by SURFconext and is available to SPs; it should not be set by IdPs.

uid

urn:mace

urn:mace:dir:attribute-def:uid

urn:oid

urn:oid:0.9.2342.19200300.100.1.1

Multiplicity

multi-valued

Data type

UTF8 String (max 256 chars); use of spaces and @-characters is discouraged.

Description

The unique code for a person that is used as the login name within the institution.

Examples

s9603145 
piet 
flåp@example.edu

Notes

  • The uid is not a unique identifier for SURFconext users. Uid values are at most unique for each IdP.
  • Ideally the uid is not only a login name/code but also an identifier that is guaranteed as being unique within the institution over the course of time. At the moment, there is no such guarantee.
  • Use the NameId for unique identifiers in SURFconext rather than uid.
  • Use the eduPersonPrincipalName attribute if a human-readable unique identifier is required.
  • A uid may contain any unicode character. E.g., "org:surfnet.nl:joe von stühl" is a valid uid.
  • SURFconext translates @-characters in the uid to underscores before constructing the NameID.

Preferred Language

urn:mace

urn:mace:dir:attribute-def:preferredLanguage

urn:oid

urn:oid:2.16.840.1.113730.3.1.39

Multiplicity

single-valued

Data type

RFC2798 BCP47

Description

A two-letter abbreviation for the preferred language according to the ISO 639 language abbreviation code table; no subcodes.

Examples

nl
en

Notes

Used to indicate an individual's preferred written or spoken language. This is useful for international correspondence or human-computer interaction. Values for this attribute type MUST conform to the definition of the Accept-Language header field defined in RFC 2068 with one exception: the value ":" should be omitted.

EduPersonTargetedID

urn:mace

urn:mace:dir:attribute-def:eduPersonTargetedID

urn:oid

urn:oid:1.3.6.1.4.1.5923.1.1.1.10

Multiplicity

single-valued

Data type

UTF8 string (unbounded)

Description 

The attribute eduPersonTargetedID is a copy of the Subject -> NameID which is generated by SURFconext itself. When an Identity Provider provides the eduPersonTargetedID itself, it is always overwritten by SURFconext.

Examples

bd09168cf0c2e675b2def0ade6f50b7d4bb4aae

Notes

This attribute exists because the Subject -> NameID is not delivered as an attribute in the SAML v2.0 response, and is therefore only available to the application if the local SAML implementation explicitly supports it. Within SURFconext the Subject -> NameID is explicitly copied into the eduPersonTargetedID attribute, so that the identifier can be used like any other attribute.

eduPersonOrcid

urn:mace

urn:mace:dir:attribute-def:eduPersonOrcid

urn:oid

urn:oid:1.3.6.1.4.1.5923.1.1.1.16

Multiplicity

multi-valued

Data type

URL, registered with ORCID.org

Description 

The ORCID is a persistent digital identifier that distinguishes the account holder from every other researcher. Through integration in research workflows such as manuscript and grant submission, the ORCID identifier supports automated linkages between the account holder and his/her professional activities ensuring that the account holder's work is recognized. Values MUST be valid ORCID identifiers in the ORCID-preferred URL representation, i.e. http://orcid.org/0000-0002-1825-0097

Examples

http://orcid.org/0000-0002-1825-0097

http://orcid.org/0000-0001-9351-8252

Notes

For more information see https://www.surf.nl/en/news/2016/02/global-author-identifier-service-orcid-now-available-through-surfconext-and-edugain.html
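The page requires ORCID values in the ORCID-preferred URL form. ORCID identifiers carry an ISO 7064 MOD 11-2 check character in their last position, so an SP can verify the syntax of a released value before storing it. This is an added example, not code from the SURFconext wiki; it accepts both http and https URL prefixes (an assumption, the page itself shows http) and rejects identifiers whose check character does not match.

```python
import re

# ORCID in URL form: four groups of four, last character may be X (check value 10).
# Accepting https as well as http is an assumption; the page shows the http form.
ORCID_URL_RE = re.compile(r"^https?://orcid\.org/(\d{4}-\d{4}-\d{4}-\d{3}[\dX])$")


def orcid_check_digit(base_digits):
    """ISO 7064 MOD 11-2 check character over the first 15 digits of an ORCID."""
    total = 0
    for digit in base_digits:
        total = (total + int(digit)) * 2
    remainder = total % 11
    result = (12 - remainder) % 11
    return "X" if result == 10 else str(result)


def is_valid_orcid_url(value):
    """True only for a well-formed orcid.org URL whose check character is correct."""
    match = ORCID_URL_RE.match(value.strip())
    if not match:
        return False
    digits = match.group(1).replace("-", "")
    return orcid_check_digit(digits[:15]) == digits[15]


def valid_orcids(values):
    """Filter a multi-valued eduPersonOrcid attribute down to acceptable values."""
    return [value for value in values if is_valid_orcid_url(value)]


if __name__ == "__main__":
    # Constructed sample: the two values from the page plus a corrupted one.
    released = [
        "http://orcid.org/0000-0002-1825-0097",
        "http://orcid.org/0000-0001-9351-8252",
        "http://orcid.org/0000-0002-1825-0098",
    ]
    print(valid_orcids(released))
```

The check character does not prove ownership of the ORCID, only that the value was not mistyped or truncated; the page's requirement that values be valid ORCID identifiers is a syntax constraint, and the IdP remains the authority for which ORCID belongs to which user.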