Attributes
The following attributes can be included in the response from SURFconext to the service provider. They contain information about the authenticated user. This will make it possible for the service to for instance show the "displayName" of the user in the interface or determine the affiliation of the user for authorization. For instance a student has a different view than a teacher.
Attribute |
Attribute (OID) |
Example |
Remarks |
---|---|---|---|
|
|
John Doe |
Usually this is equal to |
|
|
john@example.org |
This attribute can contain multiple email addresses. |
|
|
Doe |
|
|
|
John Doe |
|
|
|
John |
|
|
|
john_doe@example.org |
This is not necessarily a valid email address! |
|
|
example.org |
|
|
|
john_doe |
You should not use this for (unique) user identification purposes in your service! |
|
|
student |
Supported values: |
|
|
urn:collab:org:surf.nl |
Contact us before you want to use this attribute! |
In order to uniquely identify a user the persistent Name ID value can be used. This value can be extracted from the Name ID and is also available in the attribute urn:mace:dir:attribute-def:eduPersonTargetedID
(urn:oid:1.3.6.1.4.1.5923.1.1.1.10
) if the SAML software does not support extracting Name ID values.
Currently we convert schacHomeOrganization
to the wrong OID. The correct value is urn:oid:1.3.6.1.4.1.25178.1.2.9
. This will be fixed soonish.
UID is the unique identifier of the user at the home institution, it is not unique for all users in SURFconext! Use eduPersonTargetedID (preferred) or eduPersonPrincipalName if you need to uniquely identify users.
A service provider SHOULD only at most request the following attributes, requesting these and any other attributes MUST BE accompanied by an explanation of why they are needed:
urn:mace:dir:attribute-def:displayName
urn:mace:dir:attribute-def:mail
urn:mace:dir:attribute-def:cn
urn:mace:dir:attribute-def:eduPersonAffiliation
urn:mace:terena.org:attribute-def:schacHomeOrganization
The attributes are available in both human readable format and OID format. See also this eduGAIN recommendation.
Ultimately it is up to the identity provider and service provider to agree on a set of attributes to be released by the IdP, SURFconext only mediates. However, it is strongly recommend to stick to the above attributes as they are standardized and ensure greater interoperability.