The attribute eduPersonEntitlement indicates a set of rights to specific resources. You might require that a user has a specific value registered in eduPersonEntitlement to allow access to your service or parts of it. This attribute is typically used to assert privileges maintained centrally or remotely rather than within specific (local) application databases. eduPersonEntitlement is a multivalued attribute. Each value is a uniform resource identifier (URI) representing a license, permission, right and more to access a resource or service in a particular fashion. Entitlements represent an assertion of authorization to something, computed and asserted by the identity provider. Read the eduPerson Object Class Specification (201310) to get in depth information about the attribute.
Entitlements are always negotiated between an SP and IdP. It makes little to no sense for an SP to request an entitlement if an IdP is not able or willing to provide such a value. |
Within SURFconext we standardize the way the values of this attribute are expressed, because:
Technically, eduPersonEntitlement MUST be a URI, either URN (Uniform Resource Name) or URL (Uniform Resource Locator). In case a URN is used, URN namespacing conventions MUST be applied. For more information on URN namespaces read the documentation as found online and the official RFC will give you more understanding about this. We note that in general using and registering formal namespaces is rather cumbersome. To circumvent the registration problem, while still remaining compliant with RFC3406, we allow x-surfnet to be used within SURFconext as an accepted custom namespace. The namespace is then presented as follows [namespace] = 'x-surfnet:example.org'. Note the added colon ':' as part of [namespace].
To meet the requirements, values for eduPersonEntitlement for use within SURFconext MUST adopt the formatting specification as depicted.
urn:[namespace]:[servicename]:[entitlementValue] |
or:
urn:[namespace]:[servicename]:[entitlementName]:[entitlementValue] |
Example:
In this example 'x-surfnet:surf.nl' is the namespace, surfdrive the servicename, quota the entitlementName and 100 the entitlementValue.
Whether or not to include an entitlementName as part of the value is up to the parties involved.
In such a case it is the IdP that defines the entitlement value. In general this is not very convenient, as this means the SP will need to interpret each entitlement value on a per IdP basis.
urn:[IdP namespace]:[servicename]:{[entitlementName]}:[entitlementValue] |
Note that the IdP namespace needs to be formally registered, or a prefix of x-
needs to be used to signify a custom namespace.
e.g.:
urn:mace:exampleIdP.org:demoservice:demo-admin
urn:x-surfnet:surfnet.nl:sab:role:instellingscontactpersoon
The common scenario when using eduPersonEntitlement is that an SP defines the attribute values it needs for its service. Always check if a generic attribute is not already available (e.g. eduPersonAffiliation, UID). Note that even if the SP defines the attributes, the IdP is authoritative for the values being provided!
urn:[SP namespace]:[servicename]:{[entitlementName]}:[entitlementValue] |
Note that the SP namespace needs to be formally registered, or a prefix of x-
needs to be used to signify a custom namespace.
Examples:
urn:mace:example.terena.org:tcs:personal-user
urn:x-surfnet:surfdomeinen.nl:role:dnsadmin
urn:x-surfnet:surf.nl:surfdrive:quota:100