Page tree
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 45 Next »

When a user logs in to a service provider, SURFconext sends a so-called SAML assertion to the service provider. This SAML assertion contains a number of statements about the user who is logging in to you service, including his identity, and possibly a number of additional attributes (see below).  More information about SAML can be found on this page.

In general, SURFconext's SAML2 implementation adheres to the SAML2int standard.

Contents of this page:

User identifiers

The user's identity is transmitted in the form of the NameId element of the SAML statement.  SPs should use the NameId (rather than email address, or other attributes that might change over time) to identify users.  The NameId is guaranteed to be stable and never change for a fixed user (except in the case of transient identifiers, see below).

SURFconext can provide NameIds of three different types:

  • A persistent identifier.  A persistent NameId contains a random string that uniquely identifies the user for this SP, and which persists over multiple sessions for the same user.
  • A transient identifier.  A transient NameId contain a random string that uniquely identifies the user for this SP during the session.  Once the user's session at SURFconext expires and the users logs into your service once more, a new transient identifier will be generated for the user and SP.
  • A legacy identifier.  A legacy NameId contains a human-readable identifier of the form urn:collab:person:example.com:johndoe.  This form of the identifier is deprecated and is not available for newly connected services. The reason for this is that SURFconext wants to have fine-grained control over the released attributes.  This is easier to manage if no personal information is disclosed in the NameId identifier. If the SP needs information that is contained in the legacy NameId format (for example, the user's home institution), they should use proper attributes (for example, schacHomeOrganisation, see below) as a source for this information.

Persistent and transient identifiers typically have the form "bd09168cf0c2e675b2def0ade6f50b7d4bb4aaef".  However, this form may change in the future, and service providers MUST NOT rely on the fact that the NameId is a 40-character hexadecimal string.

The two supported NameId types, for respectively persistent and transient NameId specifiers, are

  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  • urn:oasis:names:tc:SAML:2.0:nameid-format:transient

which are specified in sections 8.3.7 and 8.3.8 of the SAML2 core specification.

By default, SURFconext offers the transient form of the NameId to services.  Service providers who have a need for persistent identifiers can negotiate use of the persistent NameId format when their service is connected to SURFconext.

Attributes

By default, the NameId is the only piece of information about the authenticated user that SURFconext conveys to SPs.  However, in many cases these services require more information about the user, such as a name or an email address. 

Because of European privacy regulations, we cannot release such information to the SPs by default.  In order to receive additional information, the user's home institution needs to give permission for each SP to receive its users' data.  Typically, such permission will be arranged for during the initial SURFconext setup procedure.

Furthermore, when a user first logs in to a service, SURFconext informs them about the attributes and the information contained therein that is going to be sent to the service.  If the user does not consent to his information being transmitted, they can still abort the login to the service. 

SURFconext supports two atttributes schemas: the urn:oid schema and the urn:mace schema. Both of these can be used to convey the same information (except for the NameId, which is only available in the  urn:oid schema. By default SURFconext will provide attributes in both schemata as part of the assertion.  It is not recommended to mix the use of these schemata, but for legacy reason SURFconext offers both.

Attribute overview

SURFconext supported relaying of the following attributes:

Friendly name

Attribute name

S/M

Definition

Data type

Example

ID

(NameId)
urn:mace:dir:attribute-def:eduPersonTargetedID
urn:oid:1.3.6.1.4.1.5923.1.1.1.10

 

eduPerson

UTF8 string
(unbounded)

bd09168cf0c2e675b2def0ade6f50b7d4bb4aae

Surname

urn:mace:dir:attribute-def:sn
urn:oid:2.5.4.4

 

X.520

UTF8 string
(unbounded)

Vermeegen
?

Given name

urn:mace:dir:attribute-def:givenName
urn:oid:2.5.4.42

 

X.520

UTF8 string
(unbounded)

Mërgim Lukáš
??

Common name

urn:mace:dir:attribute-def:cn
urn:oid:2.5.4.3

 

X.520

UTF8 String
(unbounded)

Prof.dr. Mërgim Lukáš Vermeegen
? ??, PhD.

Display name

urn:mace:dir:attribute-def:displayName
urn:oid:2.16.840.1.113730.3.1.241

 

RFC2798

UTF8 String
(unbounded)

Prof.dr. Mërgim L. Vermeegen
? ??, PhD.

Email address

urn:mace:dir:attribute-def:mail
urn:oid:0.9.2342.19200300.100.1.3

 

RFC4524

RFC-5322 address
(max 256 chars)

m.l.vermeegen@university.example.org
"very.unusual.@.unusual.com"@example.com
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="b763bb8e-9f51-4565-b6d1-0a97adf4f3ca"><ac:plain-text-body><![CDATA[mlv@[IPv6:2001:db8::1234:4321]

]]></ac:plain-text-body></ac:structured-macro>

Organization

urn:mace:terena.org:attribute-def:schacHomeOrganization
urn:oid:1.3.6.1.4.1.25178.1.2.9

 

Schac

RFC-1035 domain string

university.example.org
 

Organization Type

urn:mace:terena.org:attribute-def:schacHomeOrganizationType
urn:oid:1.3.6.1.4.1.25178.1.2.10

 

Schac

RFC-2141 URN
see Schac standard

urn:mace:terena.org:schac:homeOrganizationType:int:university
urn:mace:terena.org:schac:homeOrganizationType:es:opi

Affiliation

urn:mace:dir:attribute-def:eduPersonAffiliation
urn:oid:1.3.6.1.4.1.5923.1.1.1.1

 

eduPerson

Enum type (UTF8 String)

faculty, student, staff, (alum, member, affiliate, employee, library-walk-in)

Entitlement

urn:mace:dir:attribute-def:eduPersonEntitlement
urn:oid:1.3.6.1.4.1.5923.1.1.1.7

 

eduPerson

RFC-2141 URN
Multi-valued

to be determined per service

PrincipalName

urn:mace:dir:attribute-def:eduPersonPrincipalName
urn:oid:1.3.6.1.4.1.5923.1.1.1.6

 

eduPerson

UTF8 String
user@domain

not.a@vålîd.émail.addreß
??@aninstitutionname

isMemberOf

urn:mace:dir:attribute-def:isMemberOf
urn:oid:1.3.6.1.4.1.5923.1.5.1.1

 

eduMember

RFC-2141 URN
Multi-valued

urn:collab:org:surf.nl
urn:collab:org:clarin.org

uid

urn:mace:dir:attribute-def:uid
urn:oid:0.9.2342.19200300.100.1.1

 

RFC4519

UTF8 String
(max 256 chars)

s9603145
flåp@example.edu

preferredLanguage

urn:mace:dir:attribute-def:preferredLanguage
urn:oid:2.16.840.1.113730.3.1.39

 

RFC2798
BCP47

List of BCP47 language tags

nl
nl, en-gb;q=0.8, en;q=0.7

Note that not all identity providers might make all attributes available.

Detailed attribute descriptions

ID

See conextdocumentation:above.

Surname

urn:mace

urn:mace:dir:attribute-def:sn

urn:oid

urn:oid:2.5.4.4

Multiplicity

single-valued

Description

The surname of a person (including any words such as "van", "de", "von" etc.) used for personalisation; this can be a combination of existing attributes.

Notes

 

Given name

urn:mace

urn:mace:dir:attribute-def:givenName

urn:oid

urn:oid:2.5.4.42

Multiplicity

single-valued

Description

Given name / "name known by"; combinations of title, initials, and "name known by" are possible.

Notes

 

Common name

urn:mace

urn:mace:dir:attribute-def:cn

urn:oid

urn:oid:2.5.4.3

Multiplicity

multi-valued

Description

Full name.

Notes

For example, a typical name of a person in an English-speaking country comprises a personal title (e.g. Mr., Ms., Rd, Professor, Sir, Lord), a first name, middle name(s), last name, generation qualifier (if any, e.g. Jr.) and decorations and awards (if any, e.g. CBE).

Display name

urn:mace

urn:mace:dir:attribute-def:displayName

urn:oid

urn:oid:1.3.6.1.4.1.1466.115.121.1.15

Multiplicity

single-valued

Description

Name as displayed in applications

Notes

  •  This attribute can typically be changed by the end-users themselves, and is therefore not very suitable for identification.

Email address

urn:mace

urn:mace:dir:attribute-def:mail

urn:oid

urn:oid:0.9.2342.19200300.100.1.3

Multiplicity

multi-valued

Description

e-mail address; syntax in accordance with RFC 5322

Notes

  • Multiple email addresses are allowed
  • An email address is not necessarily the email address of this person at the institution.
  • Do not use this attribute to uniquely identify a user.  Use the NameId  instead.
  • A user's email address may change over time, or an IdP may allow a user to change this value themselves. This makes that attribute unsuitable for authentication and authorization purposes.

uid

urn:mace

urn:mace:dir:attribute-def:uid

urn:oid

urn:oid:1.3.6.1.4.1.1466.115.121.1.15

Multiplicity

multi-valued

Description

The unique code for a person that is used as the login name within the institution.

Notes

  • The uid is not a unique identifier for SURFconext users.  Uid values are at most unique for each IdP.
  • Ideally the uid is not only a login name/code but also an identifier that is guaranteed as being unique within the institution over the course of time. At the moment, there is no such guarantee.
  • Use the NameId for unique identifiers in SURFconext rather than uid.
  • Use the eduPersonPrincipalName attribute if a human-readable unique identifier is required
  • A uid may contain any unicode character. E.g., "org:surfnet.nl:joe von stühl" is a valid uid.
  • SURFconext translates @-characters in the uid to underscores.  Yes, this means that uids are not guaranteed to be unique.

Home organisation

urn:mace

urn:mace:terena.org:attribute-def:schacHomeOrganization

urn:oid

urn:oid:1.3.6.1.4.1.25178.1.2.9

Multiplicity

single-valued

Description

The user's organisation using the organisation's domain name; syntax in accordance with RFC 1035.

Notes

  •  In the past, SURFconext used to send the home organisation in the attribute urn:oid:1.3.6.1.4.1.1466.115.121.1.15, which was incorrect.  Since 2013, the correct oid urn:oid:1.3.6.1.4.1.25178.1.2.9 is in use.  For reasons of compatibility, the old (wrong) key is also still sent.  It should not be used in new implementations.

Organization type

urn:mace

urn:mace:terena.org:attribute-def:schacHomeOrganizationType

urn:oid

urn:oid:1.3.6.1.4.1.25178.1.2.10

Multiplicity

single-value

Description

designation of the type of organisation as defined on http://www.terena.org/registry/terena.org/schac/homeOrganizationType

Notes

Affiliation

urn:mace

urn:mace:dir:attribute-def:eduPersonAffiliation

urn:oid

urn:oid:1.3.6.1.4.1.5923.1.1.1.1

Multiplicity

multi-valued

Description

Indicates the relationship between the user and his home organisation.  The following values are permitted:

  • student — student
  • employee — all employees
  • staff — academic staff

Notes

Identity providers might internally use additional values for the affilication attribute, such as alum or affiliate.  Per SURFconext policy, such users are not allowed access to SURFconext.
(warning) The attribute values are case senitive!

Entitlements

urn:mace

urn:mace:dir:attribute-def:eduPersonEntitlement

urn:oid

urn:oid:1.3.6.1.4.1.5923.1.1.1.7

Multiplicity

multi-value

Description

entitlement; custom URI (URL or URN) that indicates an entitlement to something.

Notes

  • This attribute can be used to communicate entitlements, roles, etc, from identity providers to services, which can be used, for example, for authorization.
  • The values of this attribute are scoped to the identity provider that is authoritative for the attribute.  See also the SURFconext entitlement namespacing policy.

Principle name

urn:mace

urn:mace:dir:attribute-def:eduPersonPrincipalName

urn:oid

urn:oid:1.3.6.1.4.1.5923.1.1.1.6

Multiplicity

single-valued

Description

Unique identifier for a user.  

Notes

  • Although this value resembles an email address, it MUST NOT be used as an email address. In many cases mail cannot be delivered to this "address".
  • Even though this value uniquely identifies a user, it is not guaranteed that it is persistent over sessions (even though it usually is).
  • Do not use this to uniquely identify users.  Use the NameId instead.

isMemberOf

urn:mace

urn:mace:dir:attribute-def:isMemberOf

urn:oid

urn:oid:1.3.6.1.4.1.5923.1.5.1.1

Multiplicity

multi-valued

Description

Lists the collaborative organisations the user is a member of.

Notes

  • Attribute values are URIs (URN or URL)
  • Only current supported value is urn:collab:org:surf.nl, which indicated that the user's home institution is a member of SURFnet
  • In the future, this can be used to determine membership of non-institutional collaborative organisations.

Preferred Language

urn:mace

urn:mace:dir:attribute-def:preferredLanguage

urn:oid

urn:oid:2.16.840.1.113730.3.1.39

Multiplicity

single-valued

Description

a two-letter abbreviation for the preferred language according to the ISO 639 language abbreviation code table; no subcodes.

Notes

Used to indicate an individual's preferred written or spoken language. This is useful for international correspondence or human-computer interaction. Values for this attribute type MUST conform to the definition of the Accept-Language header field defined in RFC 2068 with one exception: ?the value ":" should be omitted. 

  • No labels