...

Name: Display Name
Description: User’s name (firstname lastname).
SAML Attribute(s): urn:oid:2.16.840.1.113730.3.1.241 (displayName)
OIDC claim(s): name
OIDC claim location: -
OIDC scope: -
Origin: Provided by the Identity Provider of the user
Changes: Yes
Multiplicity: Single-valued
Availability: Optional
Example: Jack Dougherty
Notes:


Given Name

Name: Given Name
Description: Name strings that are the part of a person's name that is not their surname (see RFC4519).
SAML Attribute(s): urn:oid:2.5.4.42 (givenName)
OIDC claim(s): given_name
OIDC claim location: The claim is available in:
  • ID token
  • Userinfo endpoint
  • Introspection endpoint
OIDC scope: -
Origin: Provided by the Identity Provider of the user
Changes: Yes
Multiplicity: Multi-valued
  • SAML: The givenName attribute contains name strings that are the part of a person's name that is not their surname. Each string is one value of this multi-valued attribute [RFC4519].
Availability: Optional
Example: Jack
Notes: In the specification of urn:oid:2.5.4.42 it is stated that the attribute supports multiple values, but the OIDC claim supports only a single value. The Service will release a single value to both SAML and OIDC relying parties.

Family Name

Name: Family Name
Description: Family name of the user.
SAML Attribute(s): urn:oid:2.5.4.4 (sn)
OIDC claim(s): -
OIDC claim location: -
OIDC scope: -
Origin: Provided by the Identity Provider of the user
Changes: Yes
Multiplicity: Multi-valued
  • SAML: The sn attribute contains name strings that are the part of a person's name that is not their surname. Each string is one value of this multi-valued attribute [RFC4519].
Availability: Optional
Example: Dougherty
Notes: In the specification of urn:oid:2.5.4.4 it is stated that the attribute supports multiple values, but the OIDC claim supports only a single value. The Service will release a single value to both SAML and OIDC relying parties.

Email address

Name: Email address
Description: Email address of the user. Users may have multiple email addresses, some of which may have been verified. A verified email address means that the GEANT AAI Service or the user’s Home IdP has taken affirmative steps to ensure that this email address was controlled by the user at the time the verification was performed. The specific verification mechanism is not defined here, but it is expected to meet industry best practices.
SAML Attribute(s):
  • urn:oid:0.9.2342.19200300.100.1.3 (email)
  • urn:oid:1.3.6.1.4.1.25178.4.1.14 (voPersonVerifiedEmail)
OIDC claim(s): -
OIDC claim location: -
OIDC scope: -
Origin: Provided by the Identity Provider of the user or registered by the GEANT AAI Service after ownership of the email address has been verified.
Changes: Yes
Multiplicity: Single-valued
Availability: Optional
Example: jack.dougherty@example.com
Notes:


...

Name: Groups (Legacy)
Description:
SAML Attribute(s): urn:oid:1.3.6.1.4.1.5923.1.5.1.1 (isMemberOf)
OIDC claim(s): -
OIDC claim location: -
OIDC scope: -
Origin: Managed by the GEANT AAI Service
Changes: Yes
Multiplicity: Multi-valued
Availability: Optional
Example: Example of a user who is a member of Task 1 in WP5 of the GN5-1 project:
  • GN5-1
  • GN5-1:WP5
  • GN5-1:WP5:Task 01
Notes:


Groups

Name: Groups
Description: The groups this user is a member of in their collaboration [AARC-G069].
SAML Attribute(s): urn:oid:1.3.6.1.4.1.5923.1.1.1.7 (eduPersonEntitlement)
OIDC claim(s): -
OIDC claim location: -
OIDC scope: -
Origin: Managed by the GEANT AAI Service
Changes: Yes
Multiplicity: Multi-valued
Availability: Optional
Example: Example of a user who is a member of Task 1 in WP5 of the GN5-1 project:
  • urn:geant:aai.geant.org:group:geant
  • urn:geant:aai.geant.org:group:geant:GN5-1
  • urn:geant:aai.geant.org:group:geant:GN5-1:WP5
  • urn:geant:aai.geant.org:group:geant:GN5-1:WP5:Task%201
Notes:
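How a relying party can consume the group entitlements shown above, as an added example that is not the GEANT AAI Service's own code: it decodes the colon-separated, percent-encoded hierarchy under the prefix from the examples, checks that every ancestor group was released alongside a subgroup (as in the example list), answers membership queries by legacy-style group name, and maps a legacy isMemberOf value to the entitlement form. The prefix is taken from the page; ignoring an optional trailing "#authority" fragment and the constructed legacy value "GN5-1:WP5:Task 1" are assumptions.

```python
from urllib.parse import quote, unquote

# Group namespace prefix as used in the page's eduPersonEntitlement examples.
GROUP_PREFIX = "urn:geant:aai.geant.org:group:geant"

# Constructed sample release for a member of Task 1 in WP5 of GN5-1 (values from the page).
SAMPLE_ENTITLEMENTS = [
    GROUP_PREFIX,
    GROUP_PREFIX + ":GN5-1",
    GROUP_PREFIX + ":GN5-1:WP5",
    GROUP_PREFIX + ":GN5-1:WP5:Task%201",
]


def parse_group_entitlement(value):
    """Return the decoded group path as a tuple of names, () for the root group,
    or None if the value is not a well-formed group entitlement under GROUP_PREFIX.
    Assumption: a trailing '#<authority>' fragment may be present and is ignored."""
    body = value.split("#", 1)[0]
    if body == GROUP_PREFIX:
        return ()
    if not body.startswith(GROUP_PREFIX + ":"):
        return None
    parts = body[len(GROUP_PREFIX) + 1:].split(":")
    if any(p == "" for p in parts):
        return None  # empty component such as "a::b" is malformed
    return tuple(unquote(p) for p in parts)  # "Task%201" -> "Task 1"


def group_paths(entitlements):
    """Set of decoded group paths, silently skipping non-group entitlements."""
    return {p for p in map(parse_group_entitlement, entitlements) if p is not None}


def missing_ancestors(paths):
    """Ancestor paths that should accompany a released subgroup but are absent.
    The page's example releases the full chain, so a non-empty result flags an
    inconsistent release worth logging before authorizing on the subgroup."""
    return {p[:i] for p in paths for i in range(len(p)) if p[:i] not in paths}


def is_member(entitlements, legacy_group):
    """Membership check by legacy-style name, e.g. 'GN5-1:WP5'."""
    return tuple(legacy_group.split(":")) in group_paths(entitlements)


def legacy_to_entitlement(legacy_group):
    """Encode a legacy isMemberOf value into the eduPersonEntitlement form."""
    encoded = ":".join(quote(p, safe="") for p in legacy_group.split(":"))
    return GROUP_PREFIX + ":" + encoded
```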