When a user logs in to a service provider, SURFconext sends a so-called SAML assertion to the service provider. This SAML assertion contains a number of statements about the user who is logging in to you service, including his identity, and possibly a number of additional attributes (see below).
SURFconext's SAML2 implementation adheres to the SAML2int standard. |
On this page we will show you which attributes SURFconext and their Identity Providers have to offer.
The user's identity is transmitted in the form of the NameID element of the SAML statement. Every Identity Provider must supply a NameID, but for privacy reasons SURFconext will generate a new one regardless. For convenience, this identifier is duplicated in the SAML attribute eduPersonTargetedID (see below).
Service Providers should use the NameID or eduPersonTargetedID (rather than email address, or other attributes that might change over time) to identify users. The NameId is guaranteed to be stable and never change for a fixed user (except in the case of transient identifiers, see below).
SURFconext can provide NameIDs of 2 different types:
Persistent and transient identifiers typically have the form 'bd09168cf0c2e675b2def0ade6f50b7d4bb4aaef
'. However, please do not rely on the identifier being a hexadecimal string, as the syntax may change in the future.
The two supported NameID types, for respectively persistent and transient NameID specifiers, are:
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
SURFconext supports two attributes schemas: a (SAML2.0 compliant) urn:oid
schema and a (SAML1.1) named urn
schema. Both of these can be used to convey the same information (except for the NameID, which is only available in the urn:oid
schema). By default SURFconext will provide attributes in both schemata as part of the assertion. It is not recommended to mix the use of these schemata, but for legacy reason SURFconext offers both.
SURFconext supported relaying of the following attributes:
Friendly name | Attribute name | Definition | Data type | Example |
---|---|---|---|---|
(NameID) | UTF8 string | bd09168cf0c2e675b2def0ade6f50b7d4bb4aae | ||
UTF8 string | Vermeegen | |||
UTF8 string | Mërgim Lukáš | |||
UTF8 String | Prof.dr. Mërgim Lukáš Vermeegen | |||
urn:mace:dir:attribute-def:displayName | UTF8 String | Prof.dr. Mërgim L. Vermeegen | ||
urn:mace:dir:attribute-def:mail | RFC-5322 address | m.l.vermeegen@university.example.org | ||
urn:mace:terena.org:attribute-def:schacHomeOrganization | RFC-1035 domain string | example.nl | ||
urn:mace:terena.org:attribute-def:schacHomeOrganizationType | RFC-2141 URN | urn:mace:terena.org:schac:homeOrganizationType:int:university | ||
Employee/student number | urn:schac:attribute-def:schacPersonalUniqueCode | Schac | RFC-2141 URN | urn:schac:personalUniqueCode:nl:local:example.edu:employeeid:x12-3456 urn:schac:personalUniqueCode:nl:local:example.nl:studentid:s1234567 |
urn:mace:dir:attribute-def:eduPersonAffiliation | Enum type (UTF8 String) | employee, student, staff, member (alum, affiliate, faculty, library-walk-in are not allowed) | ||
Scoped affiliation | urn:mace:dir:attribute-def:eduPersonScopedAffiliation urn:oid:1.3.6.1.4.1.1466.115.121.1.15 | eduPerson | UTF8 String user@domain | student@physics.uniharderwijk.nl |
urn:mace:dir:attribute-def:eduPersonEntitlement | RFC-2141 URN | to be determined per service (see Standardized values for eduPersonEntitlement) | ||
urn:mace:dir:attribute-def:eduPersonPrincipalName | UTF8 String | piet.jønsen@example.edu | ||
urn:mace:dir:attribute-def:isMemberOf | RFC-2141 URN | urn:collab:org:surf.nl | ||
urn:mace:dir:attribute-def:uid | UTF8 String | s9603145 | ||
urn:mace:dir:attribute-def:preferredLanguage | List of BCP47 language tags | nl |
Note that not all identity providers might make all attributes available.
See User identifiers.
urn:mace | urn:mace:dir:attribute-def:sn |
urn:oid | urn:oid:2.5.4.4 |
Multiplicity | single-valued |
Data type | UTF8 string (unbounded) |
Description | The surname of a person (including any words such as “van”, “de”, “von” etc.) used for personalisation; this can be a combination of existing attributes. |
Examples | Vermeegen 孝慈 |
Notes |
|
urn:mace | urn:mace:dir:attribute-def:givenName |
urn:oid | urn:oid:2.5.4.42 |
Multiplicity | single-valued |
Data type | UTF8 string (unbounded) |
Description | Given name / “name known by”; combinations of title, initials, and “name known by” are possible. |
Examples | Jan Klaassen |
Notes |
|
urn:mace | urn:mace:dir:attribute-def:cn |
urn:oid | urn:oid:2.5.4.3 |
Multiplicity | multi-valued |
Data type | UTF8 string (unbounded) |
Description | Full name. |
Examples | Prof.dr. Mërgim Lukáš Vermeegen 加来 千代, PhD. |
Notes | For example, a typical name of a person in an English-speaking country comprises a personal title (e.g. Mr., Ms., Rd, Professor, Sir, Lord), a first name, middle name(s), last name, generation qualifier (if any, e.g. Jr.) and decorations and awards (if any, e.g. CBE). |
urn:mace | urn:mace:dir:attribute-def:displayName |
urn:oid | urn:oid:2.16.840.1.113730.3.1.241 |
Multiplicity | single-valued |
Data type | UTF8 string (unbounded) |
Description | Name as displayed in applications |
Examples | Prof.dr. Mërgim Lukáš Vermeegen 加来 千代, PhD. |
Notes |
|
urn:mace | urn:mace:dir:attribute-def:mail |
urn:oid | urn:oid:0.9.2342.19200300.100.1.3 |
Multiplicity | multi-valued |
Data type | RFC-5322 address (max 256 chars) |
Description | e-mail address; syntax in accordance with RFC 5322 |
Examples | m.l.vermeegen@university.example.org "very.unusual.@.unusual.com"@example.com mlv@[IPv6:2001:db8::1234:4321] |
Notes |
|
urn:mace | urn:mace:dir:attribute-def:uid |
urn:oid | urn:oid:0.9.2342.19200300.100.1.1 |
Multiplicity | multi-valued |
Data type | UTF8 String (max 256 chars); use of spaces and @ -characters is discouraged. |
Description | The unique code for a person that is used as the login name within the institution. |
Examples | s9603145 |
Notes |
|
urn:mace | urn:mace:terena.org:attribute-def:schacHomeOrganization |
urn:oid | urn:oid:1.3.6.1.4.1.25178.1.2.9 |
Multiplicity | single-valued |
Data type | RFC-1035 domain string. The domain MUST be a secondary-level domain that is under control by the institution. Preferably, the institution's main domain name should be used. |
Description | The user's organisation using the organisation’s domain name; syntax in accordance with RFC 1035. |
Examples | uniharderwijk.nl |
Notes |
|
urn:mace | urn:mace:terena.org:attribute-def:schacHomeOrganizationType |
urn:oid | urn:oid:1.3.6.1.4.1.25178.1.2.10 |
Multiplicity | single-value |
Data type | RFC-2141 URN (see Schac standard) |
Description | designation of the type of organisation as defined on http://www.terena.org/registry/terena.org/schac/homeOrganizationType |
Examples | urn:mace:terena.org:schac:homeOrganizationType:int:university urn:mace:terena.org:schac:homeOrganizationType:es:opi |
Notes |
|
urn:schac:attribute-def:schacPersonalUniqueCode | |
urn:oid:1.3.6.1.4.1.25178.1.2.14 | |
Multiplicity | multi-value |
Data type | RFC-2141 URN (see SURFnet registry) |
Description | The user's student, employee, and/or member id as used in the university's internal systems |
Examples | urn:schac:personalUniqueCode:nl:local:example.edu:employeeid:x12-3456 urn:schac:personalUniqueCode:nl:local:example.nl:studentid:s1234567 |
Notes |
|
urn:mace | urn:mace:dir:attribute-def:eduPersonAffiliation |
urn:oid | urn:oid:1.3.6.1.4.1.5923.1.1.1.1 |
Multiplicity | multi-valued |
Data type | UTF8 String (only the values enumerated below are allowed) |
Description | Indicates the relationship between the user and his home organisation. The following values are permitted:
|
Examples | see above |
Notes |
|
urn:mace:dir:attribute-def:eduPersonScopedAffiliation | |
urn:oid:1.3.6.1.4.1.1466.115.121.1.15 | |
Multiplicity | multi-valued |
Data type | UTF8 String of the form affiliation@subdomain (see below) |
Description | Indicates the relationship between the user and a specific (security) domain with his home organisation. The values consist of an affiliation and a security domain, concatenated with a @-sign, i.e. The
The domain-part of this attribute must be subdomain of the user's schacHomeOrganization. This subdomain does not necessarily need to exist in DNS. For example, if the user's institution uses the schacHomeOrganization |
Examples | see above |
Notes |
|
urn:mace | urn:mace:dir:attribute-def:eduPersonEntitlement |
urn:oid | urn:oid:1.3.6.1.4.1.5923.1.1.1.7 |
Multiplicity | multi-value |
Data type | RFC-2141 URN |
Description | entitlement; custom URI (URL or URN) that indicates an entitlement to something. |
Examples |
|
Notes |
|
urn:mace | urn:mace:dir:attribute-def:eduPersonPrincipalName |
urn:oid | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 |
Multiplicity | single-valued |
Data type | UTF8 String of the form user@domain . The domain MUST be equal to or a be a subdomain of the scacHomeOrganization. |
Description | Unique identifier for a user. |
Examples | piet.jønsen@example.edu not.a@vålîd.émail.addreß |
Notes |
|
urn:mace | urn:mace:dir:attribute-def:isMemberOf |
urn:oid | urn:oid:1.3.6.1.4.1.5923.1.5.1.1 |
Multiplicity | multi-valued |
Data type | RFC-2141 URN |
Description | Lists the collaborative organisations the user is a member of. |
Examples | urn:collab:org:surf.nl |
Notes |
|
urn:mace | urn:mace:dir:attribute-def:preferredLanguage |
urn:oid | urn:oid:2.16.840.1.113730.3.1.39 |
Multiplicity | single-valued |
Data type | RFC2798 BCP47 |
Description | a two-letter abbreviation for the preferred language according to the ISO 639 language abbreviation code table; no subcodes. |
Examples | nl |
Notes | Used to indicate an individual's preferred written or spoken language. This is useful for international correspondence or human-computer interaction. Values for this attribute type MUST conform to the definition of the Accept-Language header field defined in RFC 2068 with one exception: ?the value " |
urn:mace:dir:attribute-def:eduPersonTargetedID | |
urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | |
Multiplicity | single-valued |
Data type | UTF8 string (unbounded) |
Description | The attribute eduPersonTargetedID is a copy of the Subject -> NameID which is generated by SURFconext itself. When an Identity Provider provides the eduPersonTargetedID itself, it is always overwritten by SURFconext. |
Examples | bd09168cf0c2e675b2def0ade6f50b7d4bb4aae |
Notes | This attribute is created because the Subject -> NameID itself is not part of the SAML v2.0 response and therefore only is available for application if the local SAML implementation explicitly support this. Within SURFconext the Subject -> NameID is explicitly copied into the |