You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

Attributes

The following attributes can be included in the response from SURFconext to the service provider. They contain information about the authenticated user. This will make it possible for the service to for instance show the "displayName" of the user in the interface or determine the affiliation of the user for authorization. For instance a student has a different view than a teacher.

Attribute

Attribute (OID)

Example

Remarks

urn:mace:dir:attribute-def:displayName

urn:oid:2.16.840.1.113730.3.1.241

John Doe

Usually this is equal to cn.

urn:mace:dir:attribute-def:mail

urn:oid:0.9.2342.19200300.100.1.3

john@example.org

This attribute can contain multiple email addresses.

urn:mace:dir:attribute-def:sn

urn:oid:2.5.4.4

Doe

 

urn:mace:dir:attribute-def:cn

urn:oid:2.5.4.3

John Doe

 

urn:mace:dir:attribute-def:givenName

urn:oid:2.5.4.42

John

 

urn:mace:dir:attribute-def:eduPersonPrincipalName

urn:oid:1.3.6.1.4.1.5923.1.1.1.6

john_doe@example.org

This is not necessarily a valid email address!

urn:mace:terena.org:attribute-def:schacHomeOrganization

urn:oid:1.3.6.1.4.1.1466.115.121.1.15

example.org

 

urn:mace:dir:attribute-def:uid

urn:oid:0.9.2342.19200300.100.1.1

john_doe

You should not use this for (unique) user identification purposes in your service!

urn:mace:dir:attribute-def:eduPersonAffiliation

urn:oid:1.3.6.1.4.1.5923.1.1.1.1

student

Supported values: employee, student and affiliate.

urn:mace:dir:attribute-def:isMemberOf

urn:oid:1.3.6.1.4.1.5923.1.5.1.1

urn:collab:org:surf.nl

Contact us before you want to use this attribute!

In order to uniquely identify a user the persistent Name ID value can be used. This value can be extracted from the Name ID and is also available in the attribute urn:mace:dir:attribute-def:eduPersonTargetedID (urn:oid:1.3.6.1.4.1.5923.1.1.1.10) if the SAML software does not support extracting Name ID values.

Currently we convert schacHomeOrganization to the wrong OID. The correct value is urn:oid:1.3.6.1.4.1.25178.1.2.9. This will be fixed soonish.

UID is the unique identifier of the user at the home institution, it is not unique for all users in SURFconext! Use eduPersonTargetedID (preferred) or eduPersonPrincipalName if you need to uniquely identify users.

A service provider SHOULD only at most request the following attributes, requesting these and any other attributes MUST BE accompanied by an explanation of why they are needed:

  • urn:mace:dir:attribute-def:displayName
  • urn:mace:dir:attribute-def:mail
  • urn:mace:dir:attribute-def:cn
  • urn:mace:dir:attribute-def:eduPersonAffiliation
  • urn:mace:terena.org:attribute-def:schacHomeOrganization

The attributes are available in both human readable format and OID format. See also this eduGAIN recommendation.

Ultimately it is up to the identity provider and service provider to agree on a set of attributes to be released by the IdP, SURFconext only mediates. However, it is strongly recommend to stick to the above attributes as they are standardized and ensure greater interoperability.

  • No labels