urn:mace:dir:attribute-def:eduPersonEntitlement (urn:oid:1.3.6.1.4.1.5923.1.1.1.7) is a multivalued attribute that signifies access rights to a specific Service. According to spec [coininfra:1], eduPersonEntitlement must be filled with an URI (either URN or URL) that indicates a set of rights to specific resources.
Within SURFconext we want to standardize the values of this attribute, because:
- We want to scope the vale of the attribute, so it is clear who is authoritative for its value.
- We want to be able to filer this attribute in our ARP
- As it has to be a URI, we want to attach a namespace to the value so we can used a (as of yet to be) registered namespace
- We do not wat to create something new if in an international context a good alternative already exists.
To meet the above requirements I propose to adopt the following formatting specification for the value of the attribute:
National Attributes (with no international counterpart)
urn:surf:entitlement:[entitlementValue]
IdP initiated:
urn:surf:[schacHomeOrg]:entitlement:[entitlementValue]
e.g. urn:surf.nl:hva.nl:entitlement:O2
Where in this case O2 is a 'specific' department within HvA
SP Initiated:
urn:[SP namespace]:[servicename]:[entitlementValue]
e.g.: urn:mace:terena.org:tcs:personal-admin
if no SP namespace is available a FQDN should be used.
[coininfra:1] http://middleware.internet2.edu/eduperson/docs/internet2-mace-dir-eduperson-200806.html#eduPersonEntitlement