When a user logs in to a service provider, SURFconext sends a so-called SAML assertion to the service provider. This SAML assertion contains a number of statements about the user who is logging in to your service, including their identity and possibly a number of additional attributes (see below).
SURFconext's SAML2 implementation adheres to the SAML2int standard.
On this page we show which attributes SURFconext and its identity providers have to offer.
User identifiers
The user's identity is transmitted in the form of the NameID element of the SAML statement. For convenience, this identifier is duplicated in the SAML attribute eduPersonTargetedID (see below).
Service providers should use the NameID (rather than the e-mail address or other attributes that might change over time) to identify users. The NameID is guaranteed to be stable and never to change for a given user (except in the case of transient identifiers, see below).
SURFconext can provide NameIDs of two different types:
- A persistent identifier. A persistent NameID contains a random string that uniquely identifies the user for this SP, and which persists over multiple sessions for the same user.
- A transient identifier. A transient NameID contains a random string that uniquely identifies the user for this SP during the session only. Once the user's session at SURFconext expires and the user logs in to your service once more, a new transient identifier is generated for that user and SP.
Persistent and transient identifiers typically have the form 'bd09168cf0c2e675b2def0ade6f50b7d4bb4aaef'. However, this form may change in the future.
The two supported NameID format identifiers, for persistent and transient NameIDs respectively, are:
- urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
- urn:oasis:names:tc:SAML:2.0:nameid-format:transient
Attribute schemas
SURFconext supports two attribute schemas: the urn:oid schema and the urn:mace schema. Both can be used to convey the same information (except for the NameID, which is only available in the urn:oid schema). By default SURFconext provides attributes in both schemata as part of the assertion. Mixing the two schemata in one service is not recommended, but for legacy reasons SURFconext offers both.
Attribute overview
SURFconext supports relaying the following attributes:
Friendly name | Attribute name | S/M | Definition | Data type | Example |
---|---|---|---|---|---|
(NameID) | | | See User identifiers | UTF8 string | bd09168cf0c2e675b2def0ade6f50b7d4bb4aae |
Surname | | S | Surname of the user | UTF8 string | Vermeegen |
Given name | | S | Given name / "name known by" | UTF8 string | Mërgim Lukáš |
Common name | | M | Full name | UTF8 String | Prof.dr. Mërgim Lukáš Vermeegen |
Display name | urn:mace:dir:attribute-def:displayName | S | Name as displayed in applications | UTF8 String | Prof.dr. Mërgim L. Vermeegen |
Email address | urn:mace:dir:attribute-def:mail | M | E-mail address | RFC-5322 address | m.l.vermeegen@university.example.org |
Home organisation | urn:mace:terena.org:attribute-def:schacHomeOrganization | S | Domain name of the user's organisation | RFC-1035 domain string | university.example.org |
Organization type | urn:mace:terena.org:attribute-def:schacHomeOrganizationType | S | Type of the home organisation | RFC-2141 URN | urn:mace:terena.org:schac:homeOrganizationType:int:university |
Affiliation | urn:mace:dir:attribute-def:eduPersonAffiliation | M | Relationship between the user and the home organisation | Enum type (UTF8 String) | faculty, student, staff, (alum, member, affiliate, employee, library-walk-in) |
Entitlements | urn:mace:dir:attribute-def:eduPersonEntitlement | M | URI indicating an entitlement | RFC-2141 URN | to be determined per service |
Principal name | urn:mace:dir:attribute-def:eduPersonPrincipalName | S | Unique identifier for a user | UTF8 String | not.a@vålîd.émail.addreß |
isMemberOf | urn:mace:dir:attribute-def:isMemberOf | M | Collaborative organisations the user is a member of | RFC-2141 URN | urn:collab:org:surf.nl |
uid | urn:mace:dir:attribute-def:uid | M | Login name within the institution | UTF8 String | s9603145 |
Preferred Language | urn:mace:dir:attribute-def:preferredLanguage | S | Preferred language of the user | List of BCP47 language tags | nl |
Note that not all identity providers might make all attributes available.
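As an added example (not SURFconext's own code), the following Python script parses an assertion of the kind described above, checks that the NameID format is one of the two supported formats, collects the released attributes under their friendly names (merging the urn:mace and urn:oid copies and rejecting disagreement between them), and keys the local account on the persistent NameID rather than on the e-mail address. The sample assertion, its issuer URL and the two urn:oid attribute names in it (the standard LDAP OIDs for mail and eduPersonAffiliation, which this page does not list) are constructed for the example.

```python
"""Pick the user identifier and attributes out of a SURFconext-style SAML assertion.

Added example, not SURFconext's own code. The assertion below is constructed
for illustration; the urn:oid names are the standard LDAP OIDs (assumed, not
taken from this page)."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Attribute names from the overview table (urn:mace schema) plus the urn:oid
# names for two of them, so the same attribute arriving twice can be merged.
FRIENDLY = {
    "urn:mace:dir:attribute-def:displayName": "displayName",
    "urn:mace:dir:attribute-def:mail": "mail",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",  # assumed LDAP OID for mail
    "urn:mace:terena.org:attribute-def:schacHomeOrganization": "schacHomeOrganization",
    "urn:mace:dir:attribute-def:eduPersonAffiliation": "eduPersonAffiliation",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "eduPersonAffiliation",  # assumed OID
}

# Constructed sample: persistent NameID, attributes released in both schemata.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">bd09168cf0c2e675b2def0ade6f50b7d4bb4aaef</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:mace:dir:attribute-def:displayName"><saml:AttributeValue>Prof.dr. Mërgim L. Vermeegen</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:mace:dir:attribute-def:mail"><saml:AttributeValue>m.l.vermeegen@university.example.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>m.l.vermeegen@university.example.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonAffiliation"><saml:AttributeValue>faculty</saml:AttributeValue><saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"><saml:AttributeValue>faculty</saml:AttributeValue><saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return {'name_id', 'format', 'attributes'} for an already verified assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("assertion carries no NameID")
    fmt = name_id.get("Format")
    if fmt not in (PERSISTENT, TRANSIENT):
        raise ValueError(f"unsupported NameID format: {fmt!r}")
    attrs = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        friendly = FRIENDLY.get(attr.get("Name"))
        if friendly is None:
            continue  # attribute not in the overview; ignore it
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        # The urn:oid and urn:mace copies must carry the same values.
        if attrs.setdefault(friendly, values) != values:
            raise ValueError(f"urn:oid and urn:mace values differ for {friendly}")
    return {"name_id": name_id.text, "format": fmt, "attributes": attrs}


def resolve_user(parsed, accounts):
    """Map the assertion to a local account (accounts: persistent NameID -> dict).

    A persistent NameID is stable per SP, so it is the account key; mail may
    change over time, so it is refreshed on every login but never used as key.
    A transient NameID only identifies the user for this session, so no
    account is created or looked up for it."""
    if parsed["format"] == TRANSIENT:
        return {"session_only": True, "user": parsed["name_id"]}
    account = accounts.setdefault(parsed["name_id"], {})
    account["display"] = parsed["attributes"].get("displayName", [""])[0]
    account["mail"] = parsed["attributes"].get("mail", [None])[0]
    return {"session_only": False, "user": account}


if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_ASSERTION)
    store = {}
    print(parsed["format"], parsed["attributes"])
    print(resolve_user(parsed, store))
```

The script assumes the assertion's XML signature and its audience and validity conditions have already been verified by the SAML library in use; parse_assertion only reads an assertion that is already trusted. For untrusted XML a hardened parser (for example defusedxml) is the safer choice over xml.etree directly.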
Detailed attribute descriptions
ID
See User identifiers.
Surname
Property | Value |
---|---|
urn:mace | |
urn:oid | |
Multiplicity | single-valued |
Description | The surname of a person (including any words such as "van", "de", "von" etc.) used for personalisation; this can be a combination of existing attributes. |
Notes | |
Given name
Property | Value |
---|---|
urn:mace | |
urn:oid | |
Multiplicity | single-valued |
Description | Given name / "name known by"; combinations of title, initials, and "name known by" are possible. |
Notes | |
Common name
Property | Value |
---|---|
urn:mace | |
urn:oid | |
Multiplicity | multi-valued |
Description | Full name. |
Notes | For example, a typical name of a person in an English-speaking country comprises a personal title (e.g. Mr., Ms., Dr., Professor, Sir, Lord), a first name, middle name(s), last name, generation qualifier (if any, e.g. Jr.) and decorations and awards (if any, e.g. CBE). |
Display name
Property | Value |
---|---|
urn:mace | |
urn:oid | |
Multiplicity | single-valued |
Description | Name as displayed in applications. |
Notes | |
Email address
Property | Value |
---|---|
urn:mace | |
urn:oid | |
Multiplicity | multi-valued |
Description | E-mail address; syntax in accordance with RFC 5322. |
Notes | |
uid
Property | Value |
---|---|
urn:mace | |
urn:oid | |
Multiplicity | multi-valued |
Description | The unique code for a person that is used as the login name within the institution. |
Notes | |
Home organisation
Property | Value |
---|---|
urn:mace | |
urn:oid | |
Multiplicity | single-valued |
Description | The user's organisation, given as the organisation's domain name; syntax in accordance with RFC 1035. |
Notes | |
Organization type
Property | Value |
---|---|
urn:mace | |
urn:oid | |
Multiplicity | single-valued |
Description | Designation of the type of organisation as defined on http://www.terena.org/registry/terena.org/schac/homeOrganizationType |
Notes | |
Affiliation
Property | Value |
---|---|
urn:mace | |
urn:oid | |
Multiplicity | multi-valued |
Description | Indicates the relationship between the user and their home organisation. The following values are permitted: |
Notes | Identity providers might internally use additional values for the affiliation attribute, such as |
Entitlements
Property | Value |
---|---|
urn:mace | |
urn:oid | |
Multiplicity | multi-valued |
Description | Entitlement; a custom URI (URL or URN) that indicates an entitlement to something. |
Notes | |
Principal name
Property | Value |
---|---|
urn:mace | |
urn:oid | |
Multiplicity | single-valued |
Description | Unique identifier for a user. |
Notes | |
isMemberOf
Property | Value |
---|---|
urn:mace | |
urn:oid | |
Multiplicity | multi-valued |
Description | Lists the collaborative organisations the user is a member of. |
Notes | |
Preferred Language
Property | Value |
---|---|
urn:mace | |
urn:oid | |
Multiplicity | single-valued |
Description | A two-letter abbreviation for the preferred language according to the ISO 639 language code table; no subcodes. |
Notes | Used to indicate an individual's preferred written or spoken language. This is useful for international correspondence or human-computer interaction. Values for this attribute type MUST conform to the definition of the Accept-Language header field defined in RFC 2068 with one exception: the value " |
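As an added example (not SURFconext's own code), the following Python check applies the multiplicity and data-type rules from the descriptions above to a set of released attribute values, keyed by the urn:mace attribute names from the overview table. The sample values are the page's own example values; the regular expressions are deliberately coarse approximations of the RFC 5322, RFC 1035, RFC 2141 and BCP 47 syntax, chosen for illustration rather than taken from a library. eduPersonPrincipalName is only checked for being non-empty, since the page's own example shows that it need not be a valid e-mail address.

```python
"""Check released attribute values against the multiplicity and data types
listed on this page. Added example, not SURFconext's own code."""
import re

SINGLE, MULTI = "single-valued", "multi-valued"

# Multiplicity and value type per attribute, from the overview and the
# detailed descriptions; only attributes whose urn:mace name the page gives.
SPEC = {
    "urn:mace:dir:attribute-def:displayName": (SINGLE, "string"),
    "urn:mace:dir:attribute-def:mail": (MULTI, "mail"),
    "urn:mace:dir:attribute-def:uid": (MULTI, "string"),
    "urn:mace:terena.org:attribute-def:schacHomeOrganization": (SINGLE, "domain"),
    "urn:mace:terena.org:attribute-def:schacHomeOrganizationType": (SINGLE, "urn"),
    "urn:mace:dir:attribute-def:eduPersonAffiliation": (MULTI, "affiliation"),
    "urn:mace:dir:attribute-def:eduPersonEntitlement": (MULTI, "uri"),
    "urn:mace:dir:attribute-def:eduPersonPrincipalName": (SINGLE, "string"),
    "urn:mace:dir:attribute-def:isMemberOf": (MULTI, "urn"),
    "urn:mace:dir:attribute-def:preferredLanguage": (SINGLE, "language"),
}

# Enumeration from the overview table's Example column.
AFFILIATIONS = {"faculty", "student", "staff", "alum", "member",
                "affiliate", "employee", "library-walk-in"}

# Coarse syntax checks (approximations of the RFCs named on the page).
LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")  # RFC 1035 label
URN = re.compile(r"^urn:[A-Za-z0-9][A-Za-z0-9-]{0,31}:\S+$")           # RFC 2141 shape
URI = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:\S+$")                    # scheme ":" rest
LANGTAG = re.compile(r"^[A-Za-z]{2,3}(-[A-Za-z0-9]{1,8})*$")          # BCP 47 shape
MAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")                      # rough RFC 5322


def valid_domain(value):
    """RFC 1035 host name: dot-separated labels, at most 253 characters in total."""
    if not value or len(value) > 253:
        return False
    return all(LABEL.match(label) for label in value.split("."))


CHECKS = {
    "string": lambda v: bool(v.strip()),
    "mail": lambda v: MAIL.match(v) is not None,
    "domain": valid_domain,
    "urn": lambda v: URN.match(v) is not None,
    "uri": lambda v: URI.match(v) is not None,
    "affiliation": lambda v: v in AFFILIATIONS,
    "language": lambda v: LANGTAG.match(v) is not None,
}


def validate_attributes(attrs):
    """attrs: {urn:mace attribute name: [values]} as released in the assertion.

    Returns a list of problem descriptions; an empty list means every known
    attribute respects its multiplicity and value type. Names not in SPEC
    (for example the urn:oid duplicates) are skipped."""
    problems = []
    for name, values in attrs.items():
        spec = SPEC.get(name)
        if spec is None:
            continue
        multiplicity, kind = spec
        if multiplicity == SINGLE and len(values) != 1:
            problems.append(f"{name}: expected exactly one value, got {len(values)}")
        for value in values:
            if not CHECKS[kind](value):
                problems.append(f"{name}: value {value!r} is not a valid {kind}")
    return problems


# Constructed from the Example column of the overview table.
SAMPLE_ATTRIBUTES = {
    "urn:mace:dir:attribute-def:displayName": ["Prof.dr. Mërgim L. Vermeegen"],
    "urn:mace:dir:attribute-def:mail": ["m.l.vermeegen@university.example.org"],
    "urn:mace:terena.org:attribute-def:schacHomeOrganization": ["university.example.org"],
    "urn:mace:terena.org:attribute-def:schacHomeOrganizationType":
        ["urn:mace:terena.org:schac:homeOrganizationType:int:university"],
    "urn:mace:dir:attribute-def:eduPersonAffiliation": ["faculty", "staff"],
    "urn:mace:dir:attribute-def:isMemberOf": ["urn:collab:org:surf.nl"],
    "urn:mace:dir:attribute-def:uid": ["s9603145"],
    "urn:mace:dir:attribute-def:preferredLanguage": ["nl"],
}

if __name__ == "__main__":
    print(validate_attributes(SAMPLE_ATTRIBUTES) or "all sample values pass")
```

Running the check on every login, and logging rather than silently accepting a second value for a single-valued attribute or an affiliation outside the enumeration, gives an early signal that an identity provider's attribute release has changed.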