When a user logs in to a service provider, SURFconext sends a so-called SAML assertion to the service provider. This SAML assertion contains a number of statements about the user who is logging in to your service, including their identity and possibly a number of additional attributes (see below). More information about SAML can be found on this page.
User identifiers
The user's identity is transmitted in the NameId element of the SAML assertion. SPs should use the NameId (rather than the email address or other attributes that may change over time) to identify users. The NameId is guaranteed to be stable and never to change for a given user (except in the case of transient identifiers, see below).
SURFconext can provide NameIds of three different types:
- A persistent identifier. A persistent NameId contains a random string that uniquely identifies the user for this SP, and which persists over multiple sessions for the same user.
- A transient identifier. A transient NameId contains a random string that uniquely identifies the user for this SP for the duration of the session. Once the user's session at SURFconext expires and the user logs in to your service again, a new transient identifier is generated for that user and SP.
- A legacy identifier. A legacy NameId contains a human-readable identifier of the form urn:collab:person:example.com:johndoe. This form of the identifier is deprecated and is not available to newly connected services. The reason is that SURFconext wants fine-grained control over the released attributes, which is easier to manage if the NameId itself discloses no personal information. If an SP needs information that the legacy NameId encodes (for example, the user's home institution), it should obtain it from the proper attributes (for example, schacHomeOrganization, see below).
Persistent and transient identifiers typically have the form "bd09168cf0c2e675b2def0ade6f50b7d4bb4aaef". However, this form may change in the future, and service providers MUST NOT rely on the NameId being a 40-character hexadecimal string: treat it as an opaque string and store it as such.
Formally, the use of these formats is governed by the SAML2int deployment profile. The two supported NameId types are
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
which are specified in sections 8.3.7 and 8.3.8 of the SAML 2.0 Core specification.
The legacy format is not standardized, and currently has the type urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified.
Attributes
By default, SURFconext only transmits persistent NameIds to SPs. However, many services require more information about the user, such as a name or an email address.
Because of European privacy regulations, such information cannot be released to SPs by default. In order to receive additional information, the user's home institution needs to give permission for each SP to receive its users' data. Typically, such permission is arranged during the initial SURFconext setup procedure.
SURFconext supports two attribute schemata: the urn:oid schema and the urn:mace schema. Both can convey the same information (except for the NameId, which is only available in the urn:oid schema). By default SURFconext provides attributes in both schemata as part of the assertion. It is not recommended to mix the two schemata: pick one and read all attributes from it.
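As an added example (not SURFconext's own code), the following Python shows how an SP can consume the assertion described in the user-identifier section and the schema paragraph above: it treats the NameId as an opaque string, accepts only the persistent and transient formats, derives a stored account key from a persistent NameId only, and reads attributes by their urn:mace name while accepting the urn:oid encoding as an alias without silently mixing the two. The sample assertion, the issuer URL and the urn:mace/urn:oid alias table are constructed for this example (the OIDs come from the eduPerson and SCHAC schemas, not from this page's table). Signature verification and Conditions checks, which a real SP must perform first with a SAML library, are assumed to have already happened.

```python
"""Consume a SURFconext-style SAML assertion: opaque NameID plus attributes.
Constructed example, not SURFconext code. Assumes a SAML library has already
verified the XML signature and Conditions; parse untrusted XML with defusedxml."""
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# urn:mace -> urn:oid aliases for a few attributes, taken from the eduPerson and
# SCHAC schemas (the overview table on this page leaves its urn:oid column blank).
MACE_TO_OID = {
    "urn:mace:dir:attribute-def:mail": "urn:oid:0.9.2342.19200300.100.1.3",
    "urn:mace:dir:attribute-def:eduPersonAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
    "urn:mace:dir:attribute-def:eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
}


class InvalidAssertion(Exception):
    """The assertion cannot be used to identify the user."""


def parse_name_id(root):
    """(value, format); the value stays opaque and is never checked to be 40 hex chars."""
    el = root.find(f"{NS}Subject/{NS}NameID")
    value = (el.text or "").strip() if el is not None else ""
    if not value:
        raise InvalidAssertion("assertion carries no NameID")
    fmt = el.get("Format", "")
    if fmt not in (PERSISTENT, TRANSIENT):  # also rejects the deprecated urn:collab form
        raise InvalidAssertion(f"unsupported NameID format {fmt!r}")
    return value, fmt


def collect_attributes(root):
    """Attribute Name -> list of values, in whichever schema it was sent."""
    raw = {}
    for attr in root.iter(f"{NS}Attribute"):
        name = attr.get("Name")
        if not name:
            raise InvalidAssertion("Attribute element without Name")
        for v in attr.findall(f"{NS}AttributeValue"):
            text = (v.text or "").strip()
            if text:
                raw.setdefault(name, []).append(text)
    return raw


def attribute(raw, mace_name):
    """Read by urn:mace name without mixing schemata: the urn:oid encoding is an
    accepted alias, but when both are present they must agree."""
    oid_name = MACE_TO_OID.get(mace_name)
    mace_vals, oid_vals = raw.get(mace_name), (raw.get(oid_name) if oid_name else None)
    if mace_vals is not None and oid_vals is not None and sorted(mace_vals) != sorted(oid_vals):
        raise InvalidAssertion(f"{mace_name}: urn:mace and urn:oid values differ")
    return list(mace_vals if mace_vals is not None else (oid_vals or []))


def single_value(raw, mace_name):
    """Single-valued attributes: more than one value is a protocol error."""
    vals = attribute(raw, mace_name)
    if len(vals) > 1:
        raise InvalidAssertion(f"{mace_name} is single-valued but {len(vals)} values were sent")
    return vals[0] if vals else None


def parse_assertion(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != f"{NS}Assertion":
        raise InvalidAssertion("root element is not saml:Assertion")
    issuer = (root.findtext(f"{NS}Issuer") or "").strip()
    if not issuer:
        raise InvalidAssertion("assertion has no Issuer")
    name_id, fmt = parse_name_id(root)
    return {"issuer": issuer, "name_id": name_id, "name_id_format": fmt,
            "attributes": collect_attributes(root)}


def account_key(parsed):
    """Durable key for the SP's user record: issuer plus persistent NameID. A
    transient NameID names one session only and yields no key to store."""
    return (parsed["issuer"], parsed["name_id"]) if parsed["name_id_format"] == PERSISTENT else None


# Constructed sample; Signature and Conditions elided, mail sent in both schemata.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">bd09168cf0c2e675b2def0ade6f50b7d4bb4aaef</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:mace:dir:attribute-def:mail"><saml:AttributeValue>m.l.vermeegen@university.example.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>m.l.vermeegen@university.example.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"><saml:AttributeValue>staff</saml:AttributeValue><saml:AttributeValue>member</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_ASSERTION)
    print(account_key(parsed), single_value(parsed["attributes"], "urn:mace:dir:attribute-def:mail"))
```

The account key pairs the issuer with the NameId so an SP that ever accepts a second identity provider cannot confuse two users who happen to receive the same opaque value; the NameId itself is already scoped to the SP by SURFconext. A transient NameId deliberately produces no key, because storing it would create a fresh account on every login.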
Attribute overview
SURFconext supports relaying the following attributes:
Friendly name | Attribute name | Definition | Data type | Example
---|---|---|---|---
ID | (NameId) | | UTF8 string | bd09168cf0c2e675b2def0ade6f50b7d4bb4aaef
Surname | | | UTF8 string | Vermeegen
Given name | | | UTF8 string | Mërgim Lukáš
Common name | | | UTF8 string | Prof.dr. Mërgim Lukáš Vermeegen
Display name | urn:mace:dir:attribute-def:displayName | | UTF8 string | Prof.dr. Mërgim L. Vermeegen
Email address | urn:mace:dir:attribute-def:mail | | RFC 5322 address | m.l.vermeegen@university.example.org
Organization | urn:mace:terena.org:attribute-def:schacHomeOrganization | | RFC 1035 domain string | university.example.org
Organization Type | urn:mace:terena.org:attribute-def:schacHomeOrganizationType | | RFC 2141 URN | urn:mace:terena.org:schac:homeOrganizationType:int:university
Affiliation | urn:mace:dir:attribute-def:eduPersonAffiliation | | Enum (UTF8 string) | faculty, student, staff, alum, member, affiliate, employee, library-walk-in
Entitlement | urn:mace:dir:attribute-def:eduPersonEntitlement | | RFC 2141 URN | to be determined
PrincipalName | urn:mace:dir:attribute-def:eduPersonPrincipalName | | UTF8 string | not.a@vålîd.émail.addreß
isMemberOf | urn:mace:dir:attribute-def:isMemberOf | | RFC 2141 URN | urn:collab:org:surf.nl
uid | urn:mace:dir:attribute-def:uid | | UTF8 string | s9603145
preferredLanguage | urn:mace:dir:attribute-def:preferredLanguage | | BCP 47 language tag | nl-BE
Note that not all identity providers make all attributes available.
Detailed attribute descriptions
uid
urn:mace |
urn:oid |
Multiplicity | single-value
Description | The unique code for a person that is used as the login name within the institution.
Notes |
Surname
urn:mace |
urn:oid |
Multiplicity | single-value
Description | The surname of a person (including any words such as "van", "de", "von" etc.) used for personalisation; this can be a combination of existing attributes.
Notes |
Given name
urn:mace |
urn:oid |
Multiplicity | single-value
Description | Given name / "name known by"; combinations of title, initials, and "name known by" are possible.
Notes |
Common name
urn:mace |
urn:oid |
Multiplicity | single-value (?) According to the RFC it is multi-valued
Description | Full name.
Notes | For example, a typical name of a person in an English-speaking country comprises a personal title (e.g. Mr., Ms., Dr., Professor, Sir, Lord), a first name, middle name(s), last name, generation qualifier (if any, e.g. Jr.) and decorations and awards (if any, e.g. CBE).
Display name
urn:mace |
urn:oid |
Multiplicity | single-value
Description | Name as displayed in applications
Notes |
Email address
urn:mace |
urn:oid |
Multiplicity | multi-value
Description | e-mail address; syntax in accordance with RFC 5322
Notes |
urn:mace:dir:attribute-def:eduPersonAffiliation
Multiplicity | multi-value
Description | indicates the relationship between the user and his/her own organisation; possible values: faculty, student, staff, alum, member, affiliate, employee, library-walk-in
Notes | Note that you must not allow alum or affiliate users to access SURFfederatie. Providing this attribute is not sufficient to deny these users access to SURFfederatie, as many service providers do not receive this attribute. Please contact federatie-beheer@surfnet.nl if you have questions about this.
urn:mace:dir:attribute-def:eduPersonEntitlement
Multiplicity | multi-value
Description | entitlement; URI (URL or URN) that indicates an entitlement to something; is determined by a contract between the service provider and the institution.
Notes |
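An added example (not SURFconext's own code) of an SP using eduPersonAffiliation and eduPersonEntitlement for an access decision. It is fed with the attribute lists an SP has already extracted from a verified assertion, keyed by urn:mace name. It fails closed when eduPersonAffiliation is absent, since many SPs never receive it, treats values outside the controlled vocabulary as an error rather than a silent non-match, and refuses users carrying a forbidden value such as alum or affiliate even when another value would qualify. The default forbidden set, the sample policy and the entitlement URN are assumptions of the example, not SURFconext values.

```python
"""Access decision from eduPersonAffiliation and eduPersonEntitlement.
Constructed example, not SURFconext code: attrs is a dict of urn:mace attribute
name -> list of values, as extracted from an already verified assertion."""

AFFILIATION = "urn:mace:dir:attribute-def:eduPersonAffiliation"
ENTITLEMENT = "urn:mace:dir:attribute-def:eduPersonEntitlement"

# Controlled vocabulary from the attribute overview; values are case-sensitive.
KNOWN_AFFILIATIONS = frozenset({
    "faculty", "student", "staff", "alum", "member",
    "affiliate", "employee", "library-walk-in",
})
# Assumption of this example: alum and affiliate never get in, whatever else they carry.
DEFAULT_FORBIDDEN = frozenset({"alum", "affiliate"})


def decide(attrs, allowed, required_entitlement=None, forbidden=DEFAULT_FORBIDDEN):
    """Return (granted, reason).

    Absent attributes deny (fail closed), values outside the vocabulary are an
    error rather than a silent non-match, forbidden values win over allowed ones,
    and an entitlement, when required, must be present as an exact URI match.
    """
    bad_policy = (set(allowed) | set(forbidden)) - KNOWN_AFFILIATIONS
    if bad_policy:  # a typo in the policy must not turn into "nobody matches"
        raise ValueError(f"policy uses unknown affiliation(s) {sorted(bad_policy)}")

    affiliations = set(attrs.get(AFFILIATION) or [])
    if not affiliations:
        return False, "eduPersonAffiliation not released; denying"
    unknown = affiliations - KNOWN_AFFILIATIONS
    if unknown:
        return False, f"unknown affiliation value(s) {sorted(unknown)}"
    hit = affiliations & set(forbidden)
    if hit:
        return False, f"forbidden affiliation {sorted(hit)}"
    if not affiliations & set(allowed):
        return False, f"affiliation {sorted(affiliations)} not in allowed set"
    if required_entitlement is not None and required_entitlement not in (attrs.get(ENTITLEMENT) or []):
        return False, f"missing entitlement {required_entitlement}"
    return True, "ok"


# Constructed sample policy and users.
STAFF_POLICY = {"faculty", "staff", "employee"}
LAB_ENTITLEMENT = "urn:mace:example.org:entitlement:lab"  # assumed URN for the example

SAMPLE_USERS = {
    "staff": {AFFILIATION: ["staff", "member"]},
    "alum_and_staff": {AFFILIATION: ["staff", "alum"]},
    "no_affiliation": {"urn:mace:dir:attribute-def:mail": ["x@university.example.org"]},
    "lab_staff": {AFFILIATION: ["staff"], ENTITLEMENT: [LAB_ENTITLEMENT]},
}

if __name__ == "__main__":
    for label, attrs in SAMPLE_USERS.items():
        print(label, decide(attrs, STAFF_POLICY))
    print("lab_staff needing lab", decide(SAMPLE_USERS["lab_staff"], STAFF_POLICY, LAB_ENTITLEMENT))
```

The reason string is meant for the SP's own log, not for the user: it reveals which attribute was missing or which value blocked access, which is useful when debugging attribute release with the institution but should not be shown on the login error page.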
urn:mace:dir:attribute-def:eduPersonPrincipalName
Multiplicity | single-value
Description | Unique "net ID" beyond the scope of the particular institution, in the form "<user>@<scope>", e.g. "s012001234@student.example.com". Although it looks like one, it is not guaranteed to be a working e-mail address; use the mail attribute for that.
Notes |
urn:mace:dir:attribute-def:preferredLanguage
Multiplicity | single-value
Description | a two-letter abbreviation for the preferred language according to the ISO 639 language abbreviation code table; no subcodes.
Notes |
Attributes defined in urn:mace:terena.org:attribute-def
Internationally standardised attributes according to the TERENA SCHAC schema are defined within the namespace urn:mace:terena.org:attribute-def (SCHAC-controlled values, such as those of homeOrganizationType, use the urn:mace:terena.org:schac namespace): http://www.terena.org/activities/tf-emc2/schacreleases.html. The version of the SCHAC table used is 1.3.0 (12 December 2006).
urn:mace:terena.org:attribute-def:schacHomeOrganization
Multiplicity | single-value
Description | designation for the person's organisation using the organisation's domain name; syntax in accordance with RFC 1035.
Notes |
urn:mace:terena.org:attribute-def:schacHomeOrganizationType
Multiplicity | single-value
Description | designation of the type of organisation to which a person belongs, using the values registered by TERENA at http://www.terena.org/registry/terena.org/schac/homeOrganizationType
Notes |
Attributes defined in urn:mace:surffederatie.nl:attribute-def
Nationally standardised attributes within SURFfederatie are defined within the namespace urn:mace:surffederatie.nl:attribute-def. The names of all these attributes start with the prefix "nl".
urn:mace:surffederatie.nl:attribute-def:nlEduPersonHomeOrganization
Multiplicity | single-value
Description |
Notes | This attribute is deprecated. It has been replaced by the urn:mace:terena.org:attribute-def:schacHomeOrganization attribute.
urn:mace:surffederatie.nl:attribute-def:nlEduPersonOrgUnit
Multiplicity | multi-value
Description | Name of the department
Notes |
urn:mace:surffederatie.nl:attribute-def:nlEduPersonStudyBranch
Multiplicity | multi-value
Description | Study programme; numerical string containing the CROHO code. Empty if the programme is not a regular one.
Notes |
urn:mace:surffederatie.nl:attribute-def:nlStudielinkNummer
Multiplicity | single-value
Description | A student's Studielink number as registered at www.studielink.nl
Notes |
urn:mace:surffederatie.nl:attribute-def:nlDigitalAuthorIdentifier
Multiplicity | single-value
Description | Digital Author Identifier (DAI) as described here
Notes |
The names of the attributes in the attribute overview table are the commonly used abbreviations. In the detailed descriptions the attributes are listed using their full name. The SURFfederatie gateway will always provide the attributes by their full name. The attributes are defined in three different namespaces: urn:mace:dir:attribute-def, urn:mace:terena.org:attribute-def and urn:mace:surffederatie.nl:attribute-def.
Attributes defined in urn:mace:dir:attribute-def
Internationally standardised attributes according to the eduPerson schema are defined within the namespace urn:mace:dir:attribute-def: http://middleware.internet2.edu/urn-mace/urn-mace-dir-attribute-def.html. The version of the eduPerson schema used is MACE-Dir/Educause, eduPerson Object Class Specification (200806), http://middleware.internet2.edu/eduperson/docs/internet2-mace-dir-eduperson-200806.html, June 2008.