...
Name | Display Name |
---|---|
Description | User’s name (firstname lastname). |
SAML Attribute(s) | urn:oid:2.16.840.1.113730.3.1.241 (displayName) |
OIDC claim(s) | name |
OIDC claim location | - |
OIDC scope | - |
Origin | Provided by the Identity Provider of the user |
Changes | Yes |
Multiplicity | Single-valued |
Availability | Optional |
Example | Jack Dougherty |
Notes |
Given Name
Name | Given Name |
---|---|
Description | Name strings that are the part of a person's name that is not their surname (see RFC4519). |
SAML Attribute(s) | urn:oid:2.5.4.42 (givenName) |
OIDC claim(s) | given_name |
OIDC claim location | The claim is available in: ☐ ID token ☑ Userinfo endpoint ☐ Introspection endpoint |
OIDC scope | - |
Origin | Provided by the Identity Provider of the user |
Changes | Yes |
Multiplicity | Multi-valued - SAML: The givenName attribute contains name strings that are the part of a person's name that is not their surname. Each string is one value of this multi-valued attribute [RFC4519] |
Availability | Optional |
Example | Jack |
Notes | In the specification of urn:oid:2.5.4.42 it is stated that the attribute supports multiple values, but the OIDC claim supports only a single value. The Service will release a single value to both SAML and OIDC relying parties. |
Family Name
Name | Family Name |
---|---|
Description | Family name of the user |
SAML Attribute(s) | urn:oid:2.5.4.4 (sn) |
OIDC claim(s) | - |
OIDC claim location | - |
OIDC scope | - |
Origin | Provided by the Identity Provider of the user |
Changes | Yes |
Multiplicity | Multi-valued - SAML: The sn attribute contains name strings for the family names of a person. Each string is one value of this multi-valued attribute [RFC4519] |
Availability | Optional |
Example | Dougherty |
Notes | In the specification of urn:oid:2.5.4.4 it is stated that the attribute supports multiple values, but the OIDC claim supports only a single value. The Service will release a single value to both SAML and OIDC relying parties. |
Email address
Name | Email address |
---|---|
Description | Email address of the user. Users may have multiple email addresses, some of which were verified. A verified email address means that the GEANT AAI Service or the user’s Home IdP has taken affirmative steps to ensure that this email address was controlled by the user at the time the verification was performed. The specific verification mechanism is not defined here, but is expected to meet industry best practices. |
SAML Attribute(s) |
|
OIDC claim(s) | - |
OIDC claim location | - |
OIDC scope | - |
Origin | Provided by the Identity Provider of the user or registered by the GEANT AAI Service after ownership of the email address has been verified. |
Changes | Yes |
Multiplicity | Single-valued |
Availability | Optional |
Example | jack.dougherty@example.com |
Notes |
...
Name | Groups (Legacy) |
---|---|
Description | |
SAML Attribute(s) |
|
OIDC claim(s) | - |
OIDC claim location | - |
OIDC scope | - |
Origin | Managed by the GEANT AAI Service |
Changes | Yes |
Multiplicity | Multi-valued |
Availability | Optional |
Example | Example of a user, who is member of Task 1 in WP5 of the GN5-1 project:
|
Notes |
Groups
Name | Groups |
---|---|
Description | The groups this user is a member of in their collaboration [AARC-G069]. |
SAML Attribute(s) | urn:oid:1.3.6.1.4.1.5923.1.1.1.7 (eduPersonEntitlement) |
OIDC claim(s) | - |
OIDC claim location | - |
OIDC scope | - |
Origin | Managed by the GEANT AAI Service |
Changes | Yes |
Multiplicity | Multi-valued |
Availability | Optional |
Example | Example of a user, who is member of Task 1 in WP5 of the GN5-1 project:
|
Notes |
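
The Notes for Given Name and Family Name say a single value is released even though the underlying attributes are multi-valued, while Groups is multi-valued. The following added example (not code from the GEANT AAI Service) shows a relying-party check that enforces those multiplicities on received SAML attributes; the function name, the input shape and the sample values are assumptions.

```python
# Added example, not GEANT AAI Service code. Assumes the SAML library has
# already verified the assertion and yields {attribute Name: [values]}.

class AttributeProfileError(ValueError):
    """A received attribute does not match the documented multiplicity."""

# OID -> (friendly name, single_valued), taken from the tables above.
# The e-mail attribute is left out because its identifier is not listed.
PROFILE = {
    "urn:oid:2.16.840.1.113730.3.1.241": ("displayName", True),
    "urn:oid:2.5.4.42": ("givenName", True),  # multi-valued in RFC4519, released as one value
    "urn:oid:2.5.4.4": ("sn", True),          # same note as givenName
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.7": ("eduPersonEntitlement", False),
}

def normalize_attributes(received):
    """Return {friendly name: value or list}, failing closed on ambiguity."""
    result = {}
    for oid, (name, single_valued) in PROFILE.items():
        # Drop empty strings and surrounding whitespace before counting values.
        values = [v.strip() for v in received.get(oid, []) if v and v.strip()]
        if not values:
            continue  # every attribute here is "Availability: Optional"
        distinct = sorted(set(values))
        if single_valued:
            if len(distinct) > 1:
                # Picking the first value silently would hide a mismatch
                # with the documented release policy, so reject instead.
                raise AttributeProfileError(
                    f"{name}: expected one value, got {len(distinct)}")
            result[name] = distinct[0]
        else:
            result[name] = distinct
    return result  # attributes outside PROFILE are ignored, not passed through

# Constructed sample input; the entitlement strings and the last OID are
# placeholders and do not follow any real naming scheme.
SAMPLE_ASSERTION = {
    "urn:oid:2.16.840.1.113730.3.1.241": ["Jack Dougherty"],
    "urn:oid:2.5.4.42": ["Jack", " Jack "],
    "urn:oid:2.5.4.4": ["Dougherty"],
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.7": ["urn:example:group:b", "urn:example:group:a"],
    "urn:oid:0.0.0.0": ["unlisted attribute"],
}

if __name__ == "__main__":
    print(normalize_attributes(SAMPLE_ASSERTION))
```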