Page History

The username is a human-readable, revocable identifier (i.e. the user can change it). It is intended to be used when a unique identifier needs to be displayed in the user interface (e.g. wikis or Unix accounts).

It has the syntax of eduPersonPrincipalName, which consists of “user” part and a fixed scope “aai.geant.org”, separated by at sign. The user part (syntax derived from Linux accounts) begins with a lowercase letter or an underscore, followed by lower case letters, digits, underscores, or dashes. In regular expression: [a-z_][a-z0-9_-]*?

The usernames beginning with an underscore are dedicated to service IDs.

urn:oid:0.9.2342.19200300.100.1.1 (uid)

Any of:

• aarc
• profile
• preferred_username

May be changed (revoked) over time (e.g. if a user changes their name). 

Revoked identifiers are NOT reassigned.

The User Identifier and Username “test@aai.geant.org” are test accounts reserved for testing and monitoring the proper functioning. The Relying parties should not authorise it to access any valuable resources.

One or more home organisations (such as universities, research institutions or private companies) this user is affiliated with. The syntax and semantics follow the eduPersonScopedAffiliation attribute.

The following values are recommended for use to the left of the “@” sign:

• faculty

  The person is a researcher or teacher in their home organisation. 

  The exact interpretation is left to the home organisation, but the intention is that the primary focus of the person in their home organisation is in research and/or education. 

  
  Note. This attribute value is for users in the academic sector
  
  
• industry-researcher
  

  The person is a researcher or teacher in their home organisation. 

  The exact interpretation is left to the home organisation, but the intention is that the primary focus of the person in their home organisation is in research and/or education. 

  
  Note. This attribute value is for users in the private sector.
  
  
• member
  

  The member is intended to include faculty, industry-researcher, staff, student and other persons with a full set of basic privileges that go with membership in the home organisation, as defined in eduPerson. 
  
  

  In contrast to faculty, among other things, this covers positions with managerial and service focus, such as service management or IT support.
  
  
• affiliate
  
  The affiliate value indicates that the holder has some definable affiliation to the home organisation NOT captured by any of faculty, industry-researcher, staff, student and/or member.
  
  
• unknown
  
  If the origin does not provide any affiliation information, but the scope of the origin provider can be reliably determined, the affiliation is constructed by concatenating the string literal “unknown@” and the determined scope of the origin provider [AARC-G057]

If a person has faculty or industry-researcher affiliation with a certain organisation, they have also the member affiliation. However, that does not apply in a reverse order. Furthermore, those persons who do not qualify as member have an affiliation of affiliate.

urn:oid:1.3.6.1.4.1.25178.4.1.11 (voPesonExternalAffiliation)

Any of:

• voperson_external_affiliation
• aarc

Multi-valued

The Connected Services are not supposed to do SAML scope checks on this attribute.

Groups

urn:oid:1.3.6.1.4.1.5923.1.1.1.7 (eduPersonEntitlement)

Any of:

• entitlements
• aarc

Multi-valued

Example of a user, who is member of Task 1 in WP5 of the GN5-1 project:

• urn:geant:aai.geant.org:group:geant
• urn:geant:aai.geant.org:group:geant:GN5-1
• urn:geant:aai.geant.org:group:geant:GN5-1:WP5
• urn:geant:aai.geant.org:group:geant:GN5-1:WP5:Task%201