When a user logs in to a service provider, SURFconext sends a so-called SAML assertion to the service provider. This SAML assertion contains a number of statements about the user who is logging in to your service, including their identity and possibly a number of additional attributes (see below). More information about SAML can be found on this page.
In general, SURFconext's SAML2 implementation adheres to the SAML2int standard.
On this page, we explain which attributes SURFconext and its identity providers can provide for the services. A guide for identity providers, explaining which attributes should be released to SURFconext, is found elsewhere.
The user's identity is transmitted in the NameId element of the SAML assertion. SPs should use the NameId (rather than the email address or other attributes that might change over time) to identify users. The NameId is guaranteed to be stable and never change for a given user (except in the case of transient identifiers, see below).
SURFconext can provide NameIds of three different types.

Legacy identifiers have the form urn:collab:person:example.com:johndoe. This form of the identifier is deprecated and is not available for newly connected services. The reason for this is that SURFconext wants to have fine-grained control over the released attributes, which is easier to manage if no personal information is disclosed in the NameId itself. If the SP needs information that is contained in the legacy NameId format (for example, the user's home institution), it should use proper attributes (for example, schacHomeOrganization, see below) as the source for this information.

Persistent and transient identifiers typically have the form "bd09168cf0c2e675b2def0ade6f50b7d4bb4aaef". However, this form may change in the future, and service providers MUST NOT rely on the NameId being a 40-character hexadecimal string.

The two supported NameId types, for persistent and transient NameId specifiers respectively, are
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
which are specified in sections 8.3.7 and 8.3.8 of the SAML2 core specification.

The legacy format has the type urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, as defined in the SAML 1.1 specification. Legacy identifiers in SURFconext have the form uid@example.org. Although these might look like email addresses, they are not, and mail sent to such addresses might not (and mostly will not) be delivered.
By default, SURFconext offers the transient form of the NameId to services. Service providers who have a need for persistent identifiers can negotiate use of the persistent NameId format when their service is connected to SURFconext.
By default, the NameId is the only piece of information about the authenticated user that SURFconext conveys to SPs. However, in many cases services require more information about the user, such as a name or an email address.
Because of European privacy regulations, we cannot release such information to the SPs by default. In order to receive additional information, the user's home institution needs to give permission for each SP to receive its users' data. Typically, such permission will be arranged for during the initial SURFconext setup procedure.
Furthermore, when a user first logs in to a service, SURFconext informs them about the attributes, and the information contained therein, that are going to be sent to the service. If the user does not consent to their information being transmitted, they can abort the login to the service.
SURFconext supports two attribute schemata: the urn:oid schema and the urn:mace schema. Both can be used to convey the same information (except for the NameId, which is only available in the urn:oid schema). By default SURFconext provides attributes in both schemata as part of the assertion. Mixing the use of these schemata within one service is not recommended.
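The following is an added example, not SURFconext's own code, showing how an SP consumes what the two sections above describe: it extracts the NameId and the released attributes from a SAML 2.0 assertion, refuses to use a transient NameId as a durable user key, treats the NameId as an opaque string (no 40-hex-digit assumption), and reads attributes from a single schema. It assumes the SP's SAML library has already verified the assertion's signature, issuer and validity window before this code runs, which is why the constructed sample carries no Signature element. The issuer URL, the attribute values and the urn:oid name used for mail (the standard LDAP OID, not stated on this page) are assumptions for the example.

```python
# Added example, not SURFconext code: consume a signature-verified SAML 2.0
# assertion according to the NameId and attribute-schema rules on this page.
import xml.etree.ElementTree as ET
from typing import Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
LEGACY = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

MACE = "urn:mace:dir:attribute-def:"
TERENA = "urn:mace:terena.org:attribute-def:"
# Assumption: urn:oid name for mail (standard LDAP OID, not listed on this page).
OID_MAIL = "urn:oid:0.9.2342.19200300.100.1.3"

# Constructed sample assertion; issuer and values are made up for this example.
# The Signature element is omitted: verification is assumed to be done already.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{PERSISTENT}">bd09168cf0c2e675b2def0ade6f50b7d4bb4aaef</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{MACE}mail">
      <saml:AttributeValue>m.l.vermeegen@university.example.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{OID_MAIL}">
      <saml:AttributeValue>m.l.vermeegen@university.example.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{MACE}eduPersonAffiliation">
      <saml:AttributeValue>staff</saml:AttributeValue>
      <saml:AttributeValue>faculty</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{TERENA}schacHomeOrganization">
      <saml:AttributeValue>university.example.org</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_assertion(xml_text: str) -> dict:
    """Return {"nameid", "format", "attributes"} from an already verified assertion."""
    root = ET.fromstring(xml_text)
    nameid = root.find("saml:Subject/saml:NameID", SAML_NS)
    if nameid is None or not (nameid.text or "").strip():
        raise ValueError("assertion carries no NameID")
    attributes = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attributes.setdefault(attr.get("Name", ""), []).extend(values)
    return {"nameid": nameid.text.strip(), "format": nameid.get("Format", ""), "attributes": attributes}


def key_is_durable(parsed: dict) -> bool:
    """Only persistent (and legacy) NameIds survive across sessions."""
    return parsed["format"] in (PERSISTENT, LEGACY)


def stable_user_key(parsed: dict) -> str:
    """The value the SP stores as the user's identity in its own database."""
    if parsed["format"] == TRANSIENT:
        # Valid for this session only; the next login brings a different value.
        raise ValueError("transient NameID cannot be used as a durable user key")
    if not key_is_durable(parsed):
        raise ValueError(f"unexpected NameID format: {parsed['format']!r}")
    # Opaque string: no length or hex check (the page forbids relying on the
    # 40-hex-digit form) and no parsing of the legacy uid@domain form.
    return parsed["nameid"]


def attribute_values(parsed: dict, name: str) -> list:
    """All values of one attribute, read from one schema only (urn:mace here)."""
    return list(parsed["attributes"].get(name, []))


def single_value(parsed: dict, name: str) -> Optional[str]:
    """Value of a single-valued attribute; None if the IdP did not release it."""
    values = attribute_values(parsed, name)
    if len(values) > 1:
        raise ValueError(f"{name} is single-valued but {len(values)} values were released")
    return values[0] if values else None


if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_ASSERTION)
    print("user key:", stable_user_key(parsed))
    print("affiliations:", attribute_values(parsed, MACE + "eduPersonAffiliation"))
    print("home organisation:", single_value(parsed, TERENA + "schacHomeOrganization"))
    transient = parse_assertion(SAMPLE_ASSERTION.replace(PERSISTENT, TRANSIENT))
    print("transient NameID usable as key:", key_is_durable(transient))
```

A service that only ever needs to recognise "the same browser session" can live with transient NameIds; anything that stores per-user state must negotiate the persistent format, because the transient value is useless for a lookup at the next login.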
SURFconext supports relaying the following attributes:
| Friendly name | Attribute name | Data type | Example |
|---|---|---|---|
| ID | (NameId) | UTF8 string | bd09168cf0c2e675b2def0ade6f50b7d4bb4aaef |
| Surname | | UTF8 string | Vermeegen |
| Given name | | UTF8 string | Mërgim Lukáš |
| Common name | | UTF8 string | Prof.dr. Mërgim Lukáš Vermeegen |
| Display name | urn:mace:dir:attribute-def:displayName | UTF8 string | Prof.dr. Mërgim L. Vermeegen |
| Email address | urn:mace:dir:attribute-def:mail | RFC 5322 address | m.l.vermeegen@university.example.org |
| Organization | urn:mace:terena.org:attribute-def:schacHomeOrganization | RFC 1035 domain string | university.example.org |
| Organization Type | urn:mace:terena.org:attribute-def:schacHomeOrganizationType | RFC 2141 URN | urn:mace:terena.org:schac:homeOrganizationType:int:university |
| Affiliation | urn:mace:dir:attribute-def:eduPersonAffiliation | Enum type (UTF8 string) | faculty, student, staff, (alum, member, affiliate, employee, library-walk-in) |
| Entitlement | urn:mace:dir:attribute-def:eduPersonEntitlement | RFC 2141 URN | to be determined per service |
| PrincipalName | urn:mace:dir:attribute-def:eduPersonPrincipalName | UTF8 string | not.a@vålîd.émail.addreß |
| isMemberOf | urn:mace:dir:attribute-def:isMemberOf | RFC 2141 URN | urn:collab:org:surf.nl |
| uid | urn:mace:dir:attribute-def:uid | UTF8 string | s9603145 |
| preferredLanguage | urn:mace:dir:attribute-def:preferredLanguage | List of BCP 47 language tags | nl |
Note that not all identity providers make all attributes available (see above).
| Friendly name | Multiplicity | Description | Notes |
|---|---|---|---|
| Surname | single-valued | The surname of a person (including any words such as "van", "de", "von" etc.) used for personalisation; this can be a combination of existing attributes. | |
| Given name | single-valued | Given name / "name known by"; combinations of title, initials, and "name known by" are possible. | |
| Common name | multi-valued | Full name. | For example, a typical name of a person in an English-speaking country comprises a personal title (e.g. Mr., Ms., Dr., Professor, Sir, Lord), a first name, middle name(s), last name, generation qualifier (if any, e.g. Jr.) and decorations and awards (if any, e.g. CBE). |
| Display name | single-valued | Name as displayed in applications. | |
| Email address | multi-valued | E-mail address; syntax in accordance with RFC 5322. | |
| | single-valued | The unique code for a person that is used as the login name within the institution. | |
| Organization | single-valued | The user's organisation, given as the organisation's domain name; syntax in accordance with RFC 1035. | |
| Organization Type | single-valued | Designation of the type of organisation (see http://www.terena.org/registry/terena.org/schac/homeOrganizationType). | |
| Affiliation | multi-valued | Indicates the relationship between the user and their home organisation. The permitted values are those listed in the Example column of the table above. | Identity providers might internally use additional values for the affiliation attribute. |
| Entitlement | multi-valued | Entitlement; custom URI (URL or URN) that indicates an entitlement to something. | |
| | single-valued | Unique identifier for a user. | |
| isMemberOf | multi-valued | Lists the collaborative organisations the user is a member of. | |
| preferredLanguage | single-valued | A two-letter abbreviation for the preferred language according to the ISO 639 language abbreviation code table; no subcodes. | Used to indicate an individual's preferred written or spoken language. This is useful for international correspondence or human-computer interaction. Values for this attribute type MUST conform to the definition of the Accept-Language header field defined in RFC 2068 with one exception: the value " |
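The data types in the attribute table and the multiplicities in the table above are what an SP should check before it acts on a released value; a misconfigured (or hostile) identity provider otherwise turns into wrong authorisation decisions downstream. The following added example, not SURFconext's own code, validates a set of released attributes against those rules. The regular expressions are conservative approximations of the referenced RFCs chosen for this example, the sample attribute sets are constructed (the values for Affiliation, Organization, Organization Type, isMemberOf, mail and PrincipalName are taken from the tables; the entitlement URN is made up), and the list of single-valued attributes follows the multiplicity table, with uid and eduPersonPrincipalName both treated as single-valued.

```python
# Added example, not SURFconext code: validate released attribute values
# against the data types and multiplicities documented on this page.
import re
from typing import Optional

MACE = "urn:mace:dir:attribute-def:"
TERENA = "urn:mace:terena.org:attribute-def:"

AFFILIATIONS = {"faculty", "student", "staff", "alum", "member",
                "affiliate", "employee", "library-walk-in"}
ORG_TYPE_PREFIX = "urn:mace:terena.org:schac:homeOrganizationType:"

# Single-valued per the multiplicity table; anything else may carry several values.
SINGLE_VALUED = (
    MACE + "displayName",
    MACE + "uid",
    MACE + "eduPersonPrincipalName",
    TERENA + "schacHomeOrganization",
    TERENA + "schacHomeOrganizationType",
    MACE + "preferredLanguage",
)

# RFC 1035 host name shape: dotted labels of letters, digits and hyphens (ASCII only).
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$", re.I | re.A)
# RFC 2141 URN shape: "urn:" NID ":" NSS
URN_RE = re.compile(r"^urn:[a-z0-9][a-z0-9-]{0,31}:\S+$", re.I | re.A)
# BCP 47 shape: primary subtag plus optional hyphenated subtags
LANG_RE = re.compile(r"^[a-z]{2,3}(-[a-z0-9]{2,8})*$", re.I | re.A)


def is_mail_address(value: str) -> bool:
    """Minimal RFC 5322 addr-spec shape: one '@', non-blank local part, valid domain."""
    local, sep, domain = value.partition("@")
    return bool(sep) and bool(local) and not any(c.isspace() for c in local) \
        and bool(DOMAIN_RE.match(domain))


def is_uri(value: str) -> bool:
    return bool(URN_RE.match(value)) or value.startswith(("http://", "https://"))


def validate_attributes(attrs: dict) -> list:
    """Return human-readable problems; an empty list means the values are usable."""
    problems = []
    for name in SINGLE_VALUED:
        n = len(attrs.get(name, []))
        if n > 1:
            problems.append(f"{name}: single-valued attribute carries {n} values")
    checks = {
        MACE + "eduPersonAffiliation": (lambda v: v in AFFILIATIONS, "is not a permitted affiliation"),
        TERENA + "schacHomeOrganization": (lambda v: bool(DOMAIN_RE.match(v)), "is not an RFC 1035 domain name"),
        TERENA + "schacHomeOrganizationType": (
            lambda v: v.startswith(ORG_TYPE_PREFIX) and len(v) > len(ORG_TYPE_PREFIX),
            "is not a schac homeOrganizationType URN"),
        MACE + "eduPersonEntitlement": (is_uri, "is not a URN or URL"),
        MACE + "isMemberOf": (lambda v: bool(URN_RE.match(v)), "is not an RFC 2141 URN"),
        MACE + "mail": (is_mail_address, "is not an RFC 5322 address"),
        MACE + "preferredLanguage": (lambda v: bool(LANG_RE.match(v)), "is not a language tag"),
    }
    for name, (ok, why) in checks.items():
        for value in attrs.get(name, []):
            if not ok(value):
                problems.append(f"{name}: {value!r} {why}")
    return problems


def contact_address(attrs: dict) -> Optional[str]:
    """Where to send mail: the mail attribute only. eduPersonPrincipalName and the
    legacy NameId look like addresses but are not deliverable."""
    values = attrs.get(MACE + "mail", [])
    return values[0] if values and is_mail_address(values[0]) else None


# Constructed sample attribute sets (values taken from this page's tables where available).
GOOD = {
    MACE + "displayName": ["Prof.dr. Mërgim L. Vermeegen"],
    MACE + "mail": ["m.l.vermeegen@university.example.org"],
    MACE + "eduPersonPrincipalName": ["not.a@vålîd.émail.addreß"],
    TERENA + "schacHomeOrganization": ["university.example.org"],
    TERENA + "schacHomeOrganizationType": ["urn:mace:terena.org:schac:homeOrganizationType:int:university"],
    MACE + "eduPersonAffiliation": ["staff", "faculty"],
    MACE + "eduPersonEntitlement": ["urn:example:entitlement:read-only"],  # made-up URN
    MACE + "isMemberOf": ["urn:collab:org:surf.nl"],
    MACE + "preferredLanguage": ["nl"],
}
BAD = {
    MACE + "eduPersonAffiliation": ["staff", "professor"],
    TERENA + "schacHomeOrganization": ["university example org", "other.example.org"],
    TERENA + "schacHomeOrganizationType": ["university"],
    MACE + "mail": ["not an address"],
    MACE + "preferredLanguage": ["nl", "en"],
}

if __name__ == "__main__":
    print("good set:", validate_attributes(GOOD) or "no problems")
    for problem in validate_attributes(BAD):
        print("bad set:", problem)
    print("contact address:", contact_address(GOOD))
```

Rejecting the whole login on a validation failure is usually the right call for authorisation-bearing attributes (affiliation, entitlement, isMemberOf, schacHomeOrganization); for purely cosmetic ones such as displayName, logging and falling back to the NameId is enough.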