...
Name | Community User Identifier |
---|---|
Description | The user’s Community Identifier is an opaque and non-revocable identifier (i.e. it cannot change over time) that follows the syntax of the eduPersonUniqueId attribute of eduPerson. It consists of a “uniqueID” part and the fixed scope “myaccessid.org”, separated by an at sign. The uniqueID part contains up to 64 hexadecimal digits (a-f, 0-9). |
SAML Attribute(s) | urn:oasis:names:tc:SAML:attribute:subject-id; 1.3.6.1.4.1.5923.1.1.1.13 (eduPersonUniqueId) |
OIDC claim(s) | sub (public) |
OIDC claim location | The claim is available in: ☑ ID token ☑ Userinfo endpoint ☐ Introspection endpoint |
OIDC scope | openid |
Origin | MyAccessID assigns this attribute to a user when they register on the Service |
Changes | No |
Multiplicity | Single-valued |
Availability | Mandatory |
Example | 28c5353b8bb34984a8bd4169ba94c606@MyAccessID.org |
Notes | eduPerson defines the comparison rule caseIgnoreMatch for eduPersonUniqueId. Relying services are encouraged to validate the scope of this attribute against the values permitted for MyAccessID. MyAccessID makes exclusive use of the scope “MyAccessID.org”. The MyAccessID identifier and username “test@MyAccessID.org” are test accounts reserved for testing and monitoring the proper functioning of MyAccessID Login. Relying parties should not authorise them to access any valuable resources. |
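An added relying-party check for this attribute (example code, not part of the MyAccessID specification): it enforces the hex uniqueID syntax, compares the scope case-insensitively (caseIgnoreMatch) against the permitted MyAccessID scope, and refuses the reserved test account. The hex identifier of the test account is not given on this page, so `RESERVED_ACCOUNTS` holds only the username form plus a labelled placeholder.

```python
import re

# Scope(s) permitted for MyAccessID Community User Identifiers; compared
# case-insensitively, so "MyAccessID.org" and "myaccessid.org" both match.
PERMITTED_SCOPES = {"myaccessid.org"}

# Reserved test/monitoring accounts that must never be authorised.
# The hex identifier of the test account is not published here: placeholder.
RESERVED_ACCOUNTS = {
    "test@myaccessid.org",
    "<hex-id-of-test-account>@myaccessid.org",  # placeholder, replace locally
}

# uniqueID: 1..64 hex digits; scope: DNS-name-like, checked separately below.
_CUID_RE = re.compile(r"^(?P<uid>[0-9a-fA-F]{1,64})@(?P<scope>[A-Za-z0-9.-]+)$")


def validate_community_user_id(value):
    """Return (accepted, detail) for a 'sub' / eduPersonUniqueId value.

    On success, detail is the canonical lowercase form suitable as a
    stable account key; on failure it is the rejection reason.
    """
    if not isinstance(value, str):
        return False, "not a string"
    # caseIgnoreMatch: normalise before any comparison, including the denylist.
    canonical = value.strip().lower()
    if canonical in RESERVED_ACCOUNTS:
        return False, "reserved test/monitoring account"
    m = _CUID_RE.match(canonical)
    if not m:
        return False, "malformed: expected <up to 64 hex digits>@<scope>"
    if m["scope"] not in PERMITTED_SCOPES:
        return False, "scope %r is not permitted for MyAccessID" % m["scope"]
    return True, canonical
```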
...
Name | Family Name |
---|---|
Description | Contains name strings for the family names of a person. |
SAML Attribute(s) | urn:oid:2.5.4.4 (surname) |
OIDC claim(s) | family_name |
OIDC claim location | The claim is available in: ☐ ID token ☑ Userinfo endpoint ☐ Introspection endpoint |
OIDC scope | profile |
Origin | Entered by the user when they register on MyAccessID |
Changes | Yes |
Multiplicity | Single-valued |
Availability | Mandatory |
Example | Dougherty |
Notes | The specification of urn:oid:2.5.4.4 states that the attribute supports multiple values, but the OIDC claim supports only a single value. MyAccessID releases a single value to both SAML and OIDC relying parties. |
...
Name | Affiliation within Home Organization |
---|---|
Description | One or more home organisations (such as universities, research institutions or private companies) this user is affiliated with. The syntax and semantics follow the eduPersonScopedAffiliation attribute. The following values are recommended for use to the left of the “@” sign:
If a person has a faculty or industry-researcher affiliation with a certain organisation, they also have the member affiliation. The reverse does not apply. Persons who do not qualify as member have the affiliation affiliate. |
SAML Attribute(s) | urn:oid:1.3.6.1.4.1.25178.4.1.11 (voPersonExternalAffiliation) |
OIDC claim(s) | voperson_external_affiliation |
OIDC claim location | The claim is available in: ☐ ID token ☑ Userinfo endpoint ☐ Introspection endpoint |
OIDC scope | voperson_external_affiliation |
Origin | To become a holder of the faculty, industry-researcher or member attribute values in MyAccessID, the user must have either
To become a holder of the affiliate value, the user must either
|
Changes | Yes |
Multiplicity | Multi-valued |
Availability | Optional |
Example | faculty@helsinki.fi industry-researcher@zeiss.com member@ebi.ac.uk |
Notes | The freshness of the attribute values is managed by asking users to refresh the value every 12 months using the procedure described above. MyAccessID asserts attribute values with different scopes, so relying services should not perform a SAML scope check on this attribute. |
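An added example (not MyAccessID code) of how a relying service can evaluate the multi-valued voperson_external_affiliation claim: it applies the implication rule above (faculty and industry-researcher imply member, never the reverse, affiliate implies nothing more) per organisation scope, and deliberately does no IdP scope check, since MyAccessID asserts values under many scopes. The value list is the page's own example.

```python
# Affiliation values recommended left of "@", with what each one implies.
# faculty / industry-researcher imply member; member and affiliate stand alone.
IMPLIED = {
    "faculty": {"faculty", "member"},
    "industry-researcher": {"industry-researcher", "member"},
    "member": {"member"},
    "affiliate": {"affiliate"},
}


def parse_scoped_affiliation(value):
    """Split 'affiliation@scope' and validate both parts (case-insensitive)."""
    aff, sep, scope = value.strip().partition("@")
    if not sep or not aff or not scope:
        raise ValueError("expected <affiliation>@<scope>: %r" % value)
    aff, scope = aff.lower(), scope.lower()
    if aff not in IMPLIED:
        raise ValueError("unknown affiliation value %r" % aff)
    return aff, scope


def effective_affiliations(values):
    """Map organisation scope -> set of affiliations effectively held there.

    Malformed or unknown values are skipped, not treated as a grant, so a
    bad entry can never widen access. No scope check against the IdP's
    registered scopes is done: MyAccessID legitimately asserts many scopes.
    """
    held = {}
    for value in values:
        try:
            aff, scope = parse_scoped_affiliation(value)
        except ValueError:
            continue
        held.setdefault(scope, set()).update(IMPLIED[aff])
    return held


def is_member_of(values, org_scope):
    """Authorisation helper: does the user hold member (directly or implied)
    at org_scope? affiliate alone never satisfies this."""
    return "member" in effective_affiliations(values).get(org_scope.lower(), set())


# Constructed input using the example values from the attribute table.
SAMPLE = ["faculty@helsinki.fi", "industry-researcher@zeiss.com", "member@ebi.ac.uk"]
```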
Groups
Name | Groups |
---|---|
Description | This attribute describes the groups this user is a member of in MyAccessID [AARC-G002]. |
SAML Attribute(s) | urn:oid:1.3.6.1.4.1.5923.1.1.1.7 (eduPersonEntitlement) |
OIDC claim(s) | eduperson_entitlement |
OIDC claim location | The claim is available in: |
OIDC scope | eduperson_entitlement |
Origin | Group memberships are managed by VO and group administrators in MyAccessID. |
Changes | Yes |
Multiplicity | Multi-valued |
Availability | Mandatory |
Example | This is an example of a user registered in MyAccessID who is a member of the Hollywood VO, of the writers group, and of the movies subgroup within the writers group. |
Notes | |
Assurance
Name | Assurance |
---|---|
Description | Assurance of the identity of the user, following the REFEDS Assurance Framework (RAF). The following RAF values are qualified and automatically set for all MyAccessID identities:
The following RAF values are set if the currently used authentication provider asserts (or otherwise qualifies for) them:
The following compound profiles are asserted if the user qualifies for them (Experimental):
Assurance of the identity of the user, following AARC-G021 (Experimental): users logging in via non-institutional Identity Providers (e.g. Google, ORCID) will have the following assurance value:
Assurance of the identity of the user, MyAccessID specific (Experimental): users logging in via non-institutional Identity Providers (e.g. Google, ORCID) will have the following assurance values:
|
SAML Attribute(s) | urn:oid:1.3.6.1.4.1.5923.1.1.1.11 (eduPersonAssurance) |
OIDC claim(s) | eduperson_assurance |
OIDC claim location | The claim is available in: ☐ ID token ☑ Userinfo endpoint ☐ Introspection endpoint |
OIDC scope | eduperson_assurance |
Origin | MyAccessID is the origin for values it has set (see description). The current authentication provider is the origin for the values it asserts (or otherwise qualifies to). |
Changes | Yes |
Multiplicity | Multi-valued |
Availability | Mandatory |
Example | |
Notes | This attribute defines just the identity assurance. Authentication assurance is described using authentication contexts (SAML authentication context or OIDC acr claim). |
...
Name | SSH Public Key |
---|---|
Description | SSH public key of the user |
SAML Attribute(s) | urn:oid:1.3.6.1.4.1.24552.500.1.1.1.13 (sshPublicKey) |
OIDC claim(s) | ssh_public_key |
OIDC claim location | The claim is available in: ☐ ID token ☑ Userinfo endpoint ☐ Introspection endpoint |
OIDC scope | ssh_public_key |
Origin | Created and uploaded to MyAccessID by the user. |
Changes | Yes |
Multiplicity | Multi-valued |
Availability | Optional |
Example | ssh-ed25519 AAAAC3NqaC1lZDI1TTE5AAAAIJ4pfKk7hRdUVeMfrKdLYhxdKy92nVPuHDlVVvZMyqeP |
Notes | This attribute is not deployed yet. |