urn:mace:dir:attribute-def:eduPersonEntitlement (urn:oid:1.3.6.1.4.1.5923.1.1.1.7) is a multivalued attribute that signifies access rights to a specific Service. According to spec \[coininfra:1\], eduPersonEntitlement must be filled with an URI (either URN or URL) that indicates a set of rights to specific resources.

Within SURFconext we want to standardize the values of this attribute, because:

• We want to scope the vale of the attribute, so it is clear who is authoritative for its value.
• We want to be able to filer this attribute in our ARP
• As it has to be a URI, we want to attach a namespace to the value so we can used a (as of yet to be) registered namespace
• We do not wat to create something new if in an international context a good alternative already exists.

To meet the above requirements I propose to adopt the following formatting specification for the value of the attribute:

National Attributes (with no international counterpart)

urn:x-surf:entitlement:[entitlementValue]

IdP initiated:

urn:x-surf:[schacHomeOrg]:entitlement:[entitlementValue]

e.g. urn:x-surf.nl:hva.nl:entitlement:O2

Where in this case O2 is a 'specific' department within HvA

SP Initiated:

urn:[SP namespace]:[servicename]:[entitlementValue]

e.g.: urn:mace:terena.org:tcs:personal-admin

if no SP namespace is available a FQDN should be used.

\[coininfra:1\] [http://middleware.internet2.edu/eduperson/docs/internet2-mace-dir-eduperson-200806.html#eduPersonEntitlement]