This document describes the SAML attributes and OIDC claims that are available to relying parties connected to the GEANT AAI Service. Attributes and claims marked as Mandatory are always available to a relying party. Attributes and claims marked as Optional are made available under certain circumstances; for example, some are available only if the user's home Identity Provider releases them. Attributes, claims and values marked as Experimental might change or be removed in the future, so relying parties should not rely on them and should use them only for experimental purposes.
List of Attributes - Claims
User Identifier
Name | User Identifier |
---|---|
Description | The User Identifier is an opaque and non-revocable identifier (i.e. it cannot change over time). The User Identifier has a limit of 255 characters. |
SAML Attribute(s) |
|
OIDC claim(s) |
|
OIDC claim location | The claim is available in: ☑ ID token ☑ Userinfo endpoint ☑ Introspection endpoint |
OIDC scope |
|
Origin | Assigned to the user by the GEANT AAI Service |
Changes | No |
Multiplicity | Single-valued |
Availability | Mandatory |
Example | e413e5b2-1439-42da-a7ed-23444ddd0e5b@aai.geant.org |
Notes | The User Identifier and Username “test@aai.geant.org” are reserved for testing and monitoring proper functioning. Relying parties should not authorise this account to access any valuable resources. |
Username
Name | Username |
---|---|
Description | The username is a human-readable, revocable identifier (i.e. the user can change it). It is intended to be used when a unique identifier needs to be displayed in the user interface (e.g. wikis or Unix accounts). It has the syntax of eduPersonPrincipalName, which consists of a “user” part and a fixed scope “aai.geant.org”, separated by an at sign. The user part (syntax derived from Linux accounts) begins with a lowercase letter or an underscore, followed by lowercase letters, digits, underscores, or dashes. As a regular expression: [a-z_][a-z0-9_-]*? Usernames beginning with an underscore are dedicated to service IDs. |
SAML Attribute(s) | urn:oid:0.9.2342.19200300.100.1.1 (uid) |
OIDC claim(s) | preferred_username |
OIDC claim location | The claim is available in: ☐ ID token ☑ Userinfo endpoint ☐ Introspection endpoint |
OIDC scope | Any of:
|
Origin | Set when a user registers with the GEANT AAI Service |
Changes | May be changed (revoked) over time (e.g. if a user changes their name). Revoked identifiers are NOT reassigned. |
Multiplicity | Single-valued |
Availability | Mandatory |
Example | federated-user-999999999@aai.geant.org |
Notes | The User Identifier and Username “test@aai.geant.org” are reserved for testing and monitoring proper functioning. Relying parties should not authorise this account to access any valuable resources. |
Display Name
Name | Display Name |
---|---|
Description | User’s name (firstname lastname). |
SAML Attribute(s) | urn:oid:2.16.840.1.113730.3.1.241 (displayName) |
OIDC claim(s) | name |
OIDC claim location | The claim is available in: ☐ ID token ☑ Userinfo endpoint ☐ Introspection endpoint |
OIDC scope | Any of:
|
Origin | Provided by the Identity Provider of the user |
Changes | Yes |
Multiplicity | Single-valued |
Availability | Optional |
Example | Jack Dougherty |
Notes |
Given Name
Name | Given Name |
---|---|
Description | Name strings that are the part of a person's name that is not their surname (see RFC4519). |
SAML Attribute(s) | urn:oid:2.5.4.42 (givenName) |
OIDC claim(s) | given_name |
OIDC claim location | The claim is available in: ☐ ID token ☑ Userinfo endpoint ☐ Introspection endpoint |
OIDC scope | Any of:
|
Origin | Provided by the Identity Provider of the user |
Changes | Yes |
Multiplicity | Multi-valued - SAML: The givenName attribute contains name strings that are the part of a person's name that is not their surname. Each string is one value of this multi-valued attribute [RFC4519] - OIDC: The given_name claim can contain multiple given names with the names being separated by space characters [OIDC-CORE] |
Availability | Optional |
Example | Jack |
Notes | The specification of urn:oid:2.5.4.42 states that the attribute supports multiple values, but the OIDC claim supports only a single value. The Service releases a single value to both SAML and OIDC relying parties. |
Family Name
Name | Family Name |
---|---|
Description | Family name of the user |
SAML Attribute(s) | urn:oid:2.5.4.4 (sn) |
OIDC claim(s) | family_name |
OIDC claim location | The claim is available in: ☐ ID token ☑ Userinfo endpoint ☐ Introspection endpoint |
OIDC scope | Any of:
|
Origin | Provided by the Identity Provider of the user |
Changes | Yes |
Multiplicity | Multi-valued - SAML: The sn attribute contains name strings that are the part of a person's name that is not their surname. Each string is one value of this multi-valued attribute [RFC4519] - OIDC: The family_name claim can contain multiple family names (or no family name) with the names being separated by space characters [OIDC-CORE] |
Availability | Optional |
Example | Dougherty |
Notes | The specification of urn:oid:2.5.4.4 states that the attribute supports multiple values, but the OIDC claim supports only a single value. The Service releases a single value to both SAML and OIDC relying parties. |
Email address
Name | Email address |
---|---|
Description | Email address of the user. Users may have multiple email addresses, some of which were verified. A verified email address means that the GEANT AAI Service or the user’s Home IdP has taken affirmative steps to ensure that this email address was controlled by the user at the time the verification was performed. The specific verification mechanism is not defined here, but is expected to meet industry best practices. |
SAML Attribute(s) |
|
OIDC claim(s) |
|
OIDC claim location | The claim is available in: ☐ ID token ☑ Userinfo endpoint ☐ Introspection endpoint |
OIDC scope | Any of:
|
Origin | Provided by the Identity Provider of the user or registered by the GEANT AAI Service after ownership of the email address has been verified. |
Changes | Yes |
Multiplicity | Single-valued |
Availability | Optional |
Example | jack.dougherty@example.com |
Notes |
Affiliation within Home Organization
Name | Affiliation within Home Organization |
---|---|
Description | One or more home organisations (such as universities, research institutions or private companies) this user is affiliated with. The syntax and semantics follow the eduPersonScopedAffiliation attribute. The following values are recommended for use to the left of the “@” sign:
If a person has the faculty or industry-researcher affiliation with an organisation, they also have the member affiliation; the reverse does not hold. Persons who do not qualify as member have the affiliate affiliation. |
SAML Attribute(s) | urn:oid:1.3.6.1.4.1.25178.4.1.11 (voPersonExternalAffiliation) |
OIDC claim(s) | voperson_external_affiliation |
OIDC claim location | The claim is available in: ☐ ID token ☑ Userinfo endpoint ☑ Introspection endpoint |
OIDC scope | Any of:
|
Origin | Provided by the Identity Provider of the user |
Changes | Yes |
Multiplicity | Multi-valued |
Availability | Optional |
Example | faculty@helsinki.fi industry-researcher@zeiss.com member@ebi.ac.uk |
Notes | The Connected Services are not supposed to do SAML scope checks on this attribute. |
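
A relying party can enforce the Username syntax, the reserved test account and the affiliation rules from the tables above before making an authorisation decision. The following is an added example, not code from the GEANT AAI Service; the function names, the policy in `may_authorise` (including refusing service IDs) and the assumption that `voperson_external_affiliation` arrives as a list of strings are hypothetical.

```python
import re

# Syntax and fixed scope as given in the Username table; fullmatch makes the
# lazy "*?" accept the same strings as "*".
USER_PART = re.compile(r"[a-z_][a-z0-9_-]*?")
SCOPE = "aai.geant.org"
TEST_ACCOUNT = "test@aai.geant.org"  # reserved test account named in the Notes
# faculty and industry-researcher imply member; affiliate does not.
IMPLIES_MEMBER = {"member", "faculty", "industry-researcher"}


def check_username(value):
    """Return 'user', 'service' or 'test'; raise ValueError on bad syntax."""
    user, sep, scope = value.rpartition("@")
    if not sep or scope != SCOPE or not USER_PART.fullmatch(user):
        raise ValueError(f"not a valid username: {value!r}")
    if value == TEST_ACCOUNT:
        return "test"
    return "service" if user.startswith("_") else "user"


def member_orgs(affiliations):
    """Organisations at which the user counts as a member.

    No scope check against the IdP is applied, as the Notes require."""
    orgs = set()
    for value in affiliations:
        affiliation, sep, org = value.rpartition("@")
        if sep and org and affiliation in IMPLIES_MEMBER:
            orgs.add(org.lower())
    return orgs


def may_authorise(userinfo, required_org):
    """Hypothetical policy: a regular user who is a member of required_org."""
    try:
        kind = check_username(userinfo.get("preferred_username", ""))
    except ValueError:
        return False
    if kind != "user":  # test account and service IDs get no access here
        return False
    affs = userinfo.get("voperson_external_affiliation", [])
    return required_org.lower() in member_orgs(affs)


# Constructed userinfo sample built from the example values in the tables.
SAMPLE = {
    "preferred_username": "federated-user-999999999@aai.geant.org",
    "voperson_external_affiliation": [
        "faculty@helsinki.fi", "industry-researcher@zeiss.com", "member@ebi.ac.uk"],
}
```

Because the username is revocable, it is suitable for display and for the checks above, but not as the key under which a relying party stores the account.
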
Groups
Name | Groups |
---|---|
Description | The groups this user is a member of in their collaboration [AARC-G069]. |
SAML Attribute(s) | urn:oid:1.3.6.1.4.1.5923.1.1.1.7 (eduPersonEntitlement) |
OIDC claim(s) | entitlements |
OIDC claim location | The claim is available in: ☐ ID token ☑ Userinfo endpoint ☑ Introspection endpoint |
OIDC scope | entitlements |
Origin | Managed by the GEANT AAI Service |
Changes | Yes |
Multiplicity | Multi-valued |
Availability | Optional |
Example | Example of a user, who is member of Task 1 in WP5 of the GN5-1 project:
|
Notes |