When a user logs in to a Service Provider, SURFconext sends a so-called SAML assertion to the Service Provider. This SAML assertion contains a number of statements about the user who is logging in, including their identity and possibly a number of other attributes (see the attribute overview below).
The SAML2 implementation of SURFconext conforms to the SAML2int profile.
On this page we explain which attributes SURFconext and its Identity Providers can offer to services.
Within the SAML assertion the identity of a user is passed on in the form of a NameID element. The NameID is guaranteed to be stable and unchanging for a user (except in the case of transient identifiers, see below). We strongly recommend that Service Providers use the NameID to uniquely identify users (instead of an e-mail address or other attributes that can change).
SURFconext can generate 2 different types of NameID. The 2 supported NameID types, for persistent and transient NameIDs respectively, are:
- urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
- urn:oasis:names:tc:SAML:2.0:nameid-format:transient
SURFconext supports 2 attribute schemas: the urn:oid schema and the urn:mace schema. Both convey the same information. SURFconext provides attributes for both schemas as part of the SAML assertion. We advise against using both schemas at the same time, but for legacy reasons SURFconext offers both.
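The following is an added example (not SURFconext code) of how a Service Provider can consume such an assertion: it folds the urn:oid and urn:mace names onto one schema, refuses to use a transient NameID as a durable account key, and checks that eduPersonTargetedID really is a copy of the NameID. The sample assertion is constructed; the eduPersonTargetedID name pair comes from this page, while the urn:oid name for mail is the standard LDAP OID and is assumed here.

```python
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
# urn:oid aliases folded onto urn:mace names. The eduPersonTargetedID pair is from the
# page; the mail OID is the standard LDAP one and an assumption of this example.
OID_TO_MACE = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "urn:mace:dir:attribute-def:eduPersonTargetedID",
    "urn:oid:0.9.2342.19200300.100.1.3": "urn:mace:dir:attribute-def:mail",
}
# Constructed sample assertion (unsigned, no Conditions) that carries both schemas.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:NameID Format="%s">bd09168cf0c2e675b2def0ade6f50b7d4bb4aae</saml:NameID></saml:Subject>
 <saml:AttributeStatement>
  <saml:Attribute Name="urn:mace:dir:attribute-def:mail"><saml:AttributeValue>m.l.vermeegen@university.example.org</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>m.l.vermeegen@university.example.org</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonTargetedID"><saml:AttributeValue>bd09168cf0c2e675b2def0ade6f50b7d4bb4aae</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"><saml:AttributeValue>bd09168cf0c2e675b2def0ade6f50b7d4bb4aae</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>""" % PERSISTENT

def parse_assertion(xml_text):
    """Return the NameID, its format and the attributes keyed by urn:mace name."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion carries no NameID")
    fmt = name_id.get("Format")
    if fmt not in (PERSISTENT, TRANSIENT):
        raise ValueError("unexpected NameID format: %r" % fmt)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = OID_TO_MACE.get(attr.get("Name"), attr.get("Name"))
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        # Both schemas carry the same information; a disagreement is a red flag.
        if name in attrs and attrs[name] != values:
            raise ValueError("urn:oid and urn:mace values differ for %s" % name)
        attrs[name] = values
    return {"name_id": name_id.text.strip(), "format": fmt, "attributes": attrs}

def account_key(parsed):
    """Durable key for the local account: only a persistent NameID qualifies."""
    if parsed["format"] != PERSISTENT:
        return None  # transient: changes per session, never store it as the user key
    tid = parsed["attributes"].get("urn:mace:dir:attribute-def:eduPersonTargetedID")
    # SURFconext copies Subject -> NameID into eduPersonTargetedID; a mismatch is an error.
    if tid is not None and tid != [parsed["name_id"]]:
        raise ValueError("eduPersonTargetedID does not match NameID")
    return parsed["name_id"]
```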
SURFconext supports releasing the following attributes:

| Friendly name | Attribute name | S/M | Definition | Data type | Example |
|---|---|---|---|---|---|
| (NameID) | | | | UTF8 string | bd09168cf0c2e675b2def0ade6f50b7d4bb4aae |
| | | | | UTF8 string | Vermeegen |
| | | | | UTF8 string | Mërgim Lukáš |
| | | | | UTF8 string | Prof.dr. Mërgim Lukáš Vermeegen |
| | urn:mace:dir:attribute-def:displayName | | | UTF8 string | Prof.dr. Mërgim L. Vermeegen |
| | urn:mace:dir:attribute-def:mail | | | RFC 5322 address | m.l.vermeegen@university.example.org |
| | urn:mace:terena.org:attribute-def:schacHomeOrganization | | | RFC 1035 domain string | university.example.org |
| | urn:mace:terena.org:attribute-def:schacHomeOrganizationType | | | RFC 2141 URN | urn:mace:terena.org:schac:homeOrganizationType:int:university |
| | urn:mace:dir:attribute-def:eduPersonAffiliation | | | Enum type (UTF8 string) | faculty, student, staff, (alum, member, affiliate, employee, library-walk-in) |
| | urn:mace:dir:attribute-def:eduPersonEntitlement | | | RFC 2141 URN | to be determined per service |
| | urn:mace:dir:attribute-def:eduPersonPrincipalName | | | UTF8 string | not.a@vålîd.émail.addreß |
| | urn:mace:dir:attribute-def:isMemberOf | | | RFC 2141 URN | urn:collab:org:surf.nl |
| | urn:mace:dir:attribute-def:uid | | | UTF8 string | s9603145 |
| | urn:mace:dir:attribute-def:preferredLanguage | | | List of BCP47 language tags | nl |
| eduPersonTargetedID | urn:mace:dir:attribute-def:eduPersonTargetedID | | | UTF8 string | 24d66f51ac1c0b140e617af335b9abb4b8d88a5b |
Note that not all identity providers make all attributes available.
See User identifiers.
| urn:mace | urn:oid | Multiplicity | Description | Notes |
|---|---|---|---|---|
| | | single-valued | The surname of a person (including any words such as "van", "de", "von" etc.) used for personalisation; this can be a combination of existing attributes. | |
| | | single-valued | Given name / "name known by"; combinations of title, initials, and "name known by" are possible. | |
| | | multi-valued | Full name. | For example, a typical name of a person in an English-speaking country comprises a personal title (e.g. Mr., Ms., Rd, Professor, Sir, Lord), a first name, middle name(s), last name, generation qualifier (if any, e.g. Jr.) and decorations and awards (if any, e.g. CBE). |
| | | single-valued | Name as displayed in applications. | |
| | | multi-valued | E-mail address; syntax in accordance with RFC 5322. | |
| | | multi-valued | The unique code for a person that is used as the login name within the institution. | |
| | | single-valued | The user's organisation, given as the organisation's domain name; syntax in accordance with RFC 1035. | |
| | | single-valued | Designation of the type of organisation as defined on http://www.terena.org/registry/terena.org/schac/homeOrganizationType | |
| | | multi-valued | Indicates the relationship between the user and their home organisation. The following values are permitted: | Identity providers might internally use additional values for the affiliation attribute, such as |
| | | multi-valued | Entitlement; custom URI (URL or URN) that indicates an entitlement to something. | |
| | | single-valued | Unique identifier for a user. | |
| | | multi-valued | Lists the collaborative organisations the user is a member of. | |
| | | single-valued | A two-letter abbreviation for the preferred language according to the ISO 639 language abbreviation code table; no subcodes. | Used to indicate an individual's preferred written or spoken language. This is useful for international correspondence or human-computer interaction. Values for this attribute type MUST conform to the definition of the Accept-Language header field defined in RFC 2068 with one exception: the value " |
| urn:mace:dir:attribute-def:eduPersonTargetedID | urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | single-valued | Automatically generated (and overwritten) by SURFconext with a copy of Subject -> NameID. | This attribute is specified because Subject -> NameID is not part of the SAML 2.0 response. |