Attributes in SURFconext

When a user logs in to a service provider, SURFconext sends a so-called SAML assertion to the service provider. This SAML assertion contains a number of statements about the user who is logging in to you service, including his identity, and possibly a number of additional attributes (see below). More information about SAML can be found on this page.

In general, SURFconext's SAML2 implementation adheres to the SAML2int standard.

Contents of this page:

User identifiers

The user's identity is transmitted in the form of the NameId element of the SAML statement. SPs should use the NameId (rather than email address, or other attributes that might change over time) to identify users. The NameId is guaranteed to be stable and never change for a fixed user (except in the case of transient identifiers, see below).

SURFconext can provide NameIds of three different types:

A persistent identifier. A persistent NameId contains a random string that uniquely identifies the user for this SP, and which persists over multiple sessions for the same user.
A transient identifier. A transient NameId contain a random string that uniquely identifies the user for this SP during the session. Once the user's session at SURFconext expires and the users logs into your service once more, a new transient identifier will be generated for the user and SP.
A legacy identifier. A legacy NameId contains a human-readable identifier of the form urn:collab:person:example.com:johndoe. This form of the identifier is deprecated and is not available for newly connected services. The reason for this is that SURFconext wants to have fine-grained control over the released attributes. This is easier to manage if no personal information is disclosed in the NameId identifier. If the SP needs information that is contained in the legacy NameId format (for example, the user's home institution), they should use proper attributes (for example, schacHomeOrganisation, see below) as a source for this information.

Persistent and transient identifiers typically have the form "bd09168cf0c2e675b2def0ade6f50b7d4bb4aaef". However, this form may change in the future, and service providers MUST NOT rely on the fact that the NameId is a 40-character hexadecimal string.

The two supported NameId types, for respectively persistent and transient NameId specifiers, are

urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
urn:oasis:names:tc:SAML:2.0:nameid-format:transient

which are specified in sections 8.3.7 and 8.3.8 of the SAML2 core specification.

By default, SURFconext offers the transient form of the NameId to services. Service providers who have a need for persistent identifiers can negotiate use of the persistent NameId format when their service is connected to SURFconext.

Attributes

By default, the NameId is the only piece of information about the authenticated user that SURFconext conveys to SPs. However, in many cases these services require more information about the user, such as a name or an email address.

Because of European privacy regulations, we cannot release such information to the SPs by default. In order to receive additional information, the user's home institution needs to give permission for each SP to receive its users' data. Typically, such permission will be arranged for during the initial SURFconext setup procedure.

Furthermore, when a user first logs in to a service, SURFconext informs them about the attributes and the information contained therein that is going to be sent to the service. If the user does not consent to his information being transmitted, they can still abort the login to the service.

SURFconext supports two atttributes schemas: the urn:oid schema and the urn:mace schema. Both of these can be used to convey the same information (except for the NameId, which is only available in the urn:oid schema. By default SURFconext will provide attributes in both schemata as part of the assertion. It is not recommended to mix the use of these schemata, but for legacy reason SURFconext offers both.

Attribute overview

SURFconext supported relaying of the following attributes:

Friendly name	Attribute name	Definition	Data type	Example
ID	(NameId) urn:mace:dir:attribute-def:eduPersonTargetedID urn:oid:1.3.6.1.4.1.5923.1.1.1.10	eduPerson	UTF8 string (unbounded)	bd09168cf0c2e675b2def0ade6f50b7d4bb4aae
Surname	urn:mace:dir:attribute-def:sn urn:oid:2.5.4.4	X.520	UTF8 string (unbounded)	Vermeegen ?
Given name	urn:mace:dir:attribute-def:givenName urn:oid:2.5.4.42	X.520	UTF8 string (unbounded)	Mërgim Lukáš ??
Common name	urn:mace:dir:attribute-def:cn urn:oid:2.5.4.3	X.520	UTF8 String (unbounded)	Prof.dr. Mërgim Lukáš Vermeegen ? ??, PhD.
Display name	urn:mace:dir:attribute-def:displayName urn:oid:2.16.840.1.113730.3.1.241	RFC2798	UTF8 String (unbounded)	Prof.dr. Mërgim L. Vermeegen ? ??, PhD.
Email address	urn:mace:dir:attribute-def:mail urn:oid:0.9.2342.19200300.100.1.3	RFC4524	RFC-5322 address (max 256 chars)	m.l.vermeegen@university.example.org "very.unusual.@.unusual.com"@example.com <ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="32248a46-6008-45c5-9919-ccbeff6bbcb4"><ac:plain-text-body><![CDATA[mlv@[IPv6:2001:db8::1234:4321]	]]></ac:plain-text-body></ac:structured-macro>
Organization	urn:mace:terena.org:attribute-def:schacHomeOrganization urn:oid:1.3.6.1.4.1.25178.1.2.9	Schac	RFC-1035 domain string	university.example.org
Organization Type	urn:mace:terena.org:attribute-def:schacHomeOrganizationType urn:oid:1.3.6.1.4.1.25178.1.2.10	Schac	RFC-2141 URN see Schac standard	urn:mace:terena.org:schac:homeOrganizationType:int:university urn:mace:terena.org:schac:homeOrganizationType:es:opi
Affiliation	urn:mace:dir:attribute-def:eduPersonAffiliation urn:oid:1.3.6.1.4.1.5923.1.1.1.1	eduPerson	Enum type (UTF8 String)	faculty, student, staff, (alum, member, affiliate, employee, library-walk-in)
Entitlement	urn:mace:dir:attribute-def:eduPersonEntitlement urn:oid:1.3.6.1.4.1.5923.1.1.1.7	eduPerson	RFC-2141 URN Multi-valued	to be determined per service
PrincipalName	urn:mace:dir:attribute-def:eduPersonPrincipalName urn:oid:1.3.6.1.4.1.5923.1.1.1.6	eduPerson	UTF8 String user@domain	not.a@vålîd.émail.addreß ??@aninstitutionname
isMemberOf	urn:mace:dir:attribute-def:isMemberOf urn:oid:1.3.6.1.4.1.5923.1.5.1.1	eduMember	RFC-2141 URN Multi-valued	urn:collab:org:surf.nl urn:collab:org:clarin.org
uid	urn:mace:dir:attribute-def:uid urn:oid:0.9.2342.19200300.100.1.1	RFC4519	UTF8 String (max 256 chars)	s9603145 flåp@example.edu
preferredLanguage	urn:mace:dir:attribute-def:preferredLanguage urn:oid:2.16.840.1.113730.3.1.39	RFC2798 BCP47	List of BCP47 language tags	nl nl, en-gb;q=0.8, en;q=0.7

Note that not all identity providers might make all attributes available.

Detailed attribute descriptions

ID

See conextdocumentation:above.

Surname

urn:mace	urn:mace:dir:attribute-def:sn
urn:oid	urn:oid:2.5.4.4
Multiplicity	single-valued
Description	The surname of a person (including any words such as "van", "de", "von" etc.) used for personalisation; this can be a combination of existing attributes.
Notes

Given name

urn:mace	urn:mace:dir:attribute-def:givenName
urn:oid	urn:oid:2.5.4.42
Multiplicity	single-valued
Description	Given name / "name known by"; combinations of title, initials, and "name known by" are possible.
Notes

Common name

urn:mace	urn:mace:dir:attribute-def:cn
urn:oid	urn:oid:2.5.4.3
Multiplicity	multi-valued
Description	Full name.
Notes	For example, a typical name of a person in an English-speaking country comprises a personal title (e.g. Mr., Ms., Rd, Professor, Sir, Lord), a first name, middle name(s), last name, generation qualifier (if any, e.g. Jr.) and decorations and awards (if any, e.g. CBE).

Display name

urn:mace	urn:mace:dir:attribute-def:displayName
urn:oid	urn:oid:1.3.6.1.4.1.1466.115.121.1.15
Multiplicity	single-valued
Description	Name as displayed in applications
Notes	This attribute can typically be changed by the end-users themselves, and is therefore not very suitable for identification.

Email address

urn:mace	urn:mace:dir:attribute-def:mail
urn:oid	urn:oid:0.9.2342.19200300.100.1.3
Multiplicity	multi-valued
Description	e-mail address; syntax in accordance with RFC 5322
Notes	Multiple email addresses are allowed An email address is not necessarily the email address of this person at the institution. Do not use this attribute to uniquely identify a user. Use the NameId instead. A user's email address may change over time, or an IdP may allow a user to change this value themselves. This makes that attribute unsuitable for authentication and authorization purposes.

uid

urn:mace	urn:mace:dir:attribute-def:uid
urn:oid	urn:oid:1.3.6.1.4.1.1466.115.121.1.15
Multiplicity	multi-valued
Description	The unique code for a person that is used as the login name within the institution.
Notes	The uid is not a unique identifier for SURFconext users. Uid values are at most unique for each IdP. Ideally the uid is not only a login name/code but also an identifier that is guaranteed as being unique within the institution over the course of time. At the moment, there is no such guarantee. Use the NameId for unique identifiers in SURFconext rather than uid. Use the eduPersonPrincipalName attribute if a human-readable unique identifier is required A uid may contain any unicode character. E.g., "`org:surfnet.nl:joe von stühl`" is a valid uid. SURFconext translates @-characters in the uid to underscores. Yes, this means that uids are not guaranteed to be unique.

Home organisation

urn:mace	urn:mace:terena.org:attribute-def:schacHomeOrganization
urn:oid	urn:oid:1.3.6.1.4.1.25178.1.2.9
Multiplicity	single-valued
Description	The user's organisation using the organisation's domain name; syntax in accordance with RFC 1035.
Notes	In the past, SURFconext used to send the home organisation in the attribute urn:oid:1.3.6.1.4.1.1466.115.121.1.15, which was incorrect. Since 2013, the correct oid urn:oid:1.3.6.1.4.1.25178.1.2.9 is in use. For reasons of compatibility, the old (wrong) key is also still sent. It should not be used in new implementations.

Organization type

urn:mace	urn:mace:terena.org:attribute-def:schacHomeOrganizationType
urn:oid	urn:oid:1.3.6.1.4.1.25178.1.2.10
Multiplicity	single-value
Description	designation of the type of organisation as defined on http://www.terena.org/registry/terena.org/schac/homeOrganizationType
Notes	Attribute values are registered by Terena on http://www.terena.org/registry/terena.org/schac/homeOrganizationType The only allowed values in use in SURFconext are "affiliate", "student" and "employee." In practice, this attribute is not in use.

Affiliation

urn:mace	urn:mace:dir:attribute-def:eduPersonAffiliation
urn:oid	urn:oid:1.3.6.1.4.1.5923.1.1.1.1
Multiplicity	multi-valued
Description	Indicates the relationship between the user and his home organisation. The following values are permitted: `student` — student `employee` — all employees `staff` — academic staff
Notes	Identity providers might internally use additional values for the affilication attribute, such as `alum` or `affiliate`. Per SURFconext policy, such users are not allowed access to SURFconext. The attribute values are case senitive!

Entitlements

urn:mace	urn:mace:dir:attribute-def:eduPersonEntitlement
urn:oid	urn:oid:1.3.6.1.4.1.5923.1.1.1.7
Multiplicity	multi-value
Description	entitlement; custom URI (URL or URN) that indicates an entitlement to something.
Notes	This attribute can be used to communicate entitlements, roles, etc, from identity providers to services, which can be used, for example, for authorization. The values of this attribute are scoped to the identity provider that is authoritative for the attribute. See also the SURFconext entitlement namespacing policy.

Principle name

urn:mace	urn:mace:dir:attribute-def:eduPersonPrincipalName
urn:oid	urn:oid:1.3.6.1.4.1.5923.1.1.1.6
Multiplicity	single-valued
Description	Unique identifier for a user.
Notes	Although this value resembles an email address, it MUST NOT be used as an email address. In many cases mail cannot be delivered to this "address". Even though this value uniquely identifies a user, it is not guaranteed that it is persistent over sessions (even though it usually is). Do not use this to uniquely identify users. Use the NameId instead.

isMemberOf

urn:mace	urn:mace:dir:attribute-def:isMemberOf
urn:oid	urn:oid:1.3.6.1.4.1.5923.1.5.1.1
Multiplicity	multi-valued
Description	Lists the collaborative organisations the user is a member of.
Notes	Attribute values are URIs (URN or URL) Only current supported value is `urn:collab:org:surf.nl`, which indicated that the user's home institution is a member of SURFnet In the future, this can be used to determine membership of non-institutional collaborative organisations.

Preferred Language

urn:mace	urn:mace:dir:attribute-def:preferredLanguage
urn:oid	urn:oid:2.16.840.1.113730.3.1.39
Multiplicity	single-valued
Description	a two-letter abbreviation for the preferred language according to the ISO 639 language abbreviation code table; no subcodes.
Notes	Used to indicate an individual's preferred written or spoken language. This is useful for international correspondence or human-computer interaction. Values for this attribute type MUST conform to the definition of the Accept-Language header field defined in RFC 2068 with one exception: ?the value "`:`" should be omitted.

Page tree