This document describes the SAML attributes and OIDC claims that are available to relying parties  connected to the GEANT AAI Service. Attribute - claims marked as Mandatory will always be available to a relying party. Attribute - claims marked as Optional will be made available under certain circumstances. For example, some attributes - claims can be available only if the respective attributes - claims are released by the home Identity Provider of the user. Attributes - claims and values marked as Experimental might change or removed in the future, so relying parties should not rely on them, but use them only for experimental purposes.

List of Attributes - Claims

User Identifier

NameUser Identifier
Description

The  User Identifier is an opaque and non-revocable identifier (i.e. it cannot change over time). The User Identifier has a limit of 255 characters

SAML Attribute(s)
  • urn:oasis:names:tc:SAML:attribute:subject-id
  • urn:oid:1.3.6.1.4.1.25178.4.1.6 (voPersonID)
OIDC claim(s)
  • sub (public)
  • voperson_id
OIDC claim locationThe claim is available in:

 ID token
 Userinfo endpoint
☑ Introspection endpoint
OIDC scope
  • openid (for the sub claim)
  • aarc (for the voperson_id claim)
OriginAssigned to the user by the GEANT AAI Service
ChangesNo
MultiplicitySingle-valued
AvailabilityMandatory
Examplee413e5b2-1439-42da-a7ed-23444ddd0e5b@aai.geant.org
Notes

The User Identifier and Username “test@aai.geant.org” are test accounts reserved for testing and monitoring the proper functioning. The Relying parties should not authorise it to access any valuable resources.

Username

NameUsername
Description

The username is a human-readable, revocable identifier (i.e. the user can change it). It is intended to be used when a unique identifier needs to be displayed in the user interface (e.g. wikis or Unix accounts).

It has the syntax of eduPersonPrincipalName, which consists of “user” part and a fixed scope “aai.geant.org”, separated by at sign. The user part (syntax derived from Linux accounts) begins with a lowercase letter or an underscore, followed by lower case letters, digits, underscores, or dashes. In regular expression: [a-z_][a-z0-9_-]*?

The usernames beginning with an underscore are dedicated to service IDs.

SAML Attribute(s)

urn:oid:0.9.2342.19200300.100.1.1 (uid)

OIDC claim(s)preferred_username
OIDC claim locationThe claim is available in:

 ID token
 Userinfo endpoint
☐ Introspection endpoint
OIDC scope

Any of:

  • aarc
  • profile
OriginSet when a user registers with the GEANT AAI Service
Changes

May be changed (revoked) over time (e.g. if a user changes their name). 

Revoked identifiers are NOT reassigned.

MultiplicitySingle-valued
AvailabilityMandatory
Examplefederated-user-999999999@aai.geant.org
Notes

The User Identifier and Username “test@aai.geant.org” are test accounts reserved for testing and monitoring the proper functioning. The Relying parties should not authorise it to access any valuable resources.

Display Name

NameDisplay Name
Description

User’s name (firstname lastname).

SAML Attribute(s)

urn:oid:2.16.840.1.113730.3.1.241 (displayName)

OIDC claim(s)name
OIDC claim locationThe claim is available in:

 ID token
 Userinfo endpoint
 Introspection endpoint
OIDC scope

Any of:

  • profile
  • aarc
OriginProvided by the Identity Provider of the user
ChangesYes
MultiplicitySingle-valued
AvailabilityOptional
ExampleJack Dougherty
Notes


Given Name

NameGiven Name
Description

Name strings that are the part of a person's name that is not their surname (see RFC4519).

SAML Attribute(s)

urn:oid:2.5.4.42 (givenName)

OIDC claim(s)given_name
OIDC claim locationThe claim is available in:

 ID token
 Userinfo endpoint
 Introspection endpoint
OIDC scope

Any of:

  • profile
  • aarc
OriginProvided by the Identity Provider of the user
ChangesYes
Multiplicity

Multi-valued

- SAML: The givenName attribute contains name strings that are the part of a person's name that is not their surname. Each string is one value of this multi-valued attribute [RFC4519]

- OIDC: The given_name claim can contain multiple given names with the names being separated by space characters [OIDC-CORE]

AvailabilityOptional
ExampleJack
Notes

In the specification of urn:oid:2.5.4.42 it is stated that the attribute supports multiple values, but the OIDC claim supports only a single value. The Service will release a single value to both SAML and OIDC relying parties

Family Name

NameFamily Name
Description

Family name of the user

SAML Attribute(s)

urn:oid:2.5.4.4 (sn)

OIDC claim(s)family_name
OIDC claim locationThe claim is available in:

 ID token
 Userinfo endpoint
 Introspection endpoint
OIDC scope

Any of:

  • profile
  • aarc
OriginProvided by the Identity Provider of the user
ChangesYes
Multiplicity

Multi-valued

- SAML: The sn attribute contains name strings that are the part of a person's name that is not their surname. Each string is one value of this multi-valued attribute [RFC4519]

- OIDC: The family_name claim can contain multiple family names (or no family name) with the names being separated by space characters [OIDC-CORE]

AvailabilityOptional
ExampleDougherty
Notes

In the specification of urn:oid:2.5.4.4 it is stated that the attribute supports multiple values, but the OIDC claim supports only a single value. The Service will release a single value to both SAML and OIDC relying parties

Email address

NameEmail address
Description

Email address of the user. Users may have multiple email addresses, some of which were verified. A verified email address means that the GEANT AAI Service or the user’s Home IdP has taken affirmative steps to ensure that this email address was controlled by the user at the time the verification was performed. The specific verification mechanism is not defined here, but is expected to meet industry best practices.

SAML Attribute(s)
  • urn:oid:0.9.2342.19200300.100.1.3 (mail)
  • urn:oid:1.3.6.1.4.1.25178.4.1.14 (voPersonVerifiedEmail)
OIDC claim(s)
  • email
  • email_verified
OIDC claim locationThe claim is available in:

 ID token
 Userinfo endpoint
 Introspection endpoint
OIDC scope

Any of:

  • email
  • aarc
OriginProvided by the Identity Provider of the user or registered by the GEANT AAI Service after ownership of the email address has been verified.
ChangesYes
Multiplicity

Single-valued

AvailabilityOptional
Examplejack.dougherty@example.com
Notes


Affiliation within Home Organization

NameAffiliation within Home Organization
Description

One or more home organisations (such as universities, research institutions or private companies) this user is affiliated with. The syntax and semantics follow the eduPersonScopedAffiliation attribute.

The following values are recommended for use to the left of the “@” sign:

  • faculty

    The person is a researcher or teacher in their home organisation. 

    The exact interpretation is left to the home organisation, but the intention is that the primary focus of the person in their home organisation is in research and/or education. 


    Note    . This attribute value is for users in the academic sector

  • industry-researcher

    The person is a researcher or teacher in their home organisation. 

    The exact interpretation is left to the home organisation, but the intention is that the primary focus of the person in their home organisation is in research and/or education. 


    Note    . This attribute value is for users in the private sector.

  • member

    The member is intended to include faculty, industry-researcher, staff, student and other persons with a full set of basic privileges that go with membership in the home organisation, as defined in eduPerson. 

    In contrast to faculty, among other things, this covers positions with managerial and service focus, such as service management or IT support.

  • affiliate

    The affiliate value indicates that the holder has some definable affiliation to the home organisation NOT captured by any of faculty, industry-researcher, staff, student and/or member.

  • unknown

    If the origin does not provide any affiliation information, but the scope of the origin provider can be reliably determined, the affiliation is constructed by concatenating the string literal “unknown@” and the determined scope of the origin provider [AARC-G057]

If a person has faculty or industry-researcher affiliation with a certain organisation, they have also the member affiliation. However, that does not apply in a reverse order. Furthermore, those persons who do not qualify as member have an affiliation of affiliate.

SAML Attribute(s)

urn:oid:1.3.6.1.4.1.25178.4.1.11 (voPersonExternalAffiliation)

OIDC claim(s)voperson_external_affiliation
OIDC claim locationThe claim is available in:

 ID token
 Userinfo endpoint
☑ Introspection endpoint
OIDC scope

Any of:

  • voperson_external_affiliation
  • aarc
OriginProvided by the Identity Provider of the user
ChangesYes
Multiplicity

Multi-valued

AvailabilityOptional
Examplefaculty@helsinki.fi
industry-researcher@zeiss.com
member@ebi.ac.uk
Notes

The Connected Services are not supposed to do SAML scope checks on this attribute.

Groups

Name

Groups

DescriptionThe groups this user is a member of in their collaboration [AARC-G069].
SAML Attribute(s)

urn:oid:1.3.6.1.4.1.5923.1.1.1.7 (eduPersonEntitlement)

OIDC claim(s)entitlements
OIDC claim locationThe claim is available in:

 ID token
 Userinfo endpoint
☑ Introspection endpoint
OIDC scope

entitlements

OriginManaged by the GEANT AAI Service
ChangesYes
Multiplicity

Multi-valued

AvailabilityOptional
Example

Example of a user, who is member of Task 1 in WP5 of the GN5-1 project:

  • urn:geant:aai.geant.org:group:geant
  • urn:geant:aai.geant.org:group:geant:GN5-1
  • urn:geant:aai.geant.org:group:geant:GN5-1:WP5
  • urn:geant:aai.geant.org:group:geant:GN5-1:WP5:Task%201
Notes