By default the user's attributes are released by their Identity Provider (IdP), then filtered by SURFconext according to the Attribute Release Policy (ARP), and released to the Service Provider (SP). Attribute Aggregation makes it possible to add attributes for a user from a third-party source and release them to the SP in the same set as the original IdP attributes.

SURFconext currently supports the following sources for attribute aggregation:

More attribute sources will be added later. Let us know what you'd like to use!

Group information

See the VOOT pages for the group information that SURFconext can provide. The standard way to supply this is via the REST interface, which requires a separate interface to SURFconext next to the SAML or OpenID Connect interface used for authentication.

Via Attribute Aggregation we can provide the user's team memberships in the urn:mace:dir:attribute-def:isMemberOf attribute (see Attribute schema). You will receive this as an extra attribute in the standard login flow, and it will contain the full URNs of the groups this user is a member of.

However, to prevent the SAML message from growing too large (a user can be in hundreds of groups), we currently only send group names that have been whitelisted by us for your service. The functionality is therefore currently useful for SPs that only need to know whether a user is a member of one or a few specific groups. If you need all the groups of a user, you are advised to use the VOOT REST API.

Orcid researcher ID

A proof of concept has been built in which SURFconext can provide the eduPersonOrcid attribute to SPs that have a use for this researcher ID, once users have linked their Orcid ID to their SURFconext account. Contact us if you would be able to make use of this functionality.

Licence information

In collaboration with our procurement sister organisation SURFmarket we are supplying information about individual product licences from SURFmarket to the SPs that provide the licensed content. More details are in a blog about eStudybooks. This is currently limited to participants of this pilot.

SAB roles and CRM id

For SURF Services only.

If your application needs to know a user's SAB roles, we can provide them to you in the SAML login flow in the urn:mace:dir:attribute-def:eduPersonEntitlement attribute. The attribute is multi-valued, and each role is passed in its full URN notation, e.g. urn:mace:surfnet.nl:surfnet.nl:sab:role:SURFmedia-beheerder. You can also get the institution abbreviation and GUID. This way, your SP does not require any separate interface to SAB to retrieve this information. See the SAB interfaces space for more information about SAB and the specific instruction for SAB via SURFconext attribute aggregation.

We can also pass the SURF CRM GUID in the attribute surf-crm-id. This is also only for SURF services.
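
An SP-side authorization check on the aggregated isMemberOf and eduPersonEntitlement attributes described above, as an added example that is not SURFconext code: it reads both multi-valued attributes and matches the required URN exactly rather than by prefix or substring. It assumes the assertion's signature and conditions were already validated by your SAML library; the group URNs and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
IS_MEMBER_OF = "urn:mace:dir:attribute-def:isMemberOf"
ENTITLEMENT = "urn:mace:dir:attribute-def:eduPersonEntitlement"

# Constructed sample AttributeStatement. The group URNs are invented
# placeholders; the role URN is the one quoted in the text above.
SAMPLE = """\
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:mace:dir:attribute-def:isMemberOf">
    <saml:AttributeValue>urn:example:group:team-a</saml:AttributeValue>
    <saml:AttributeValue>urn:example:group:team-a-admins</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonEntitlement">
    <saml:AttributeValue>urn:mace:surfnet.nl:surfnet.nl:sab:role:SURFmedia-beheerder</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

def attribute_values(statement_xml):
    """Map each attribute name to the set of its (multi-valued) values."""
    root = ET.fromstring(statement_xml)
    values = {}
    for attr in root.iter(f"{{{SAML_NS['saml']}}}Attribute"):
        bucket = values.setdefault(attr.get("Name"), set())
        for val in attr.findall("saml:AttributeValue", SAML_NS):
            text = (val.text or "").strip()
            if text:
                bucket.add(text)
    return values

def is_authorized(statement_xml, required_group=None, required_role=None):
    """Exact, case-sensitive URN match; a missing attribute means no membership."""
    values = attribute_values(statement_xml)
    groups = values.get(IS_MEMBER_OF, set())
    roles = values.get(ENTITLEMENT, set())
    if required_group is not None and required_group not in groups:
        return False
    if required_role is not None and required_role not in roles:
        return False
    # Fail closed when the caller named no requirement at all.
    return required_group is not None or required_role is not None
```

Because only whitelisted groups are sent, an absent isMemberOf attribute is treated the same as "not a member" and the check denies access.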

How to get it

Just contact our support team.