...

This document describes the SAML attributes and OIDC claims that are available to relying parties connected to the GEANT AAI Service. Attributes and claims marked as Mandatory will always be available to a relying party. Attributes and claims marked as Optional will be made available under certain circumstances; for example, some attributes and claims are available only if the home Identity Provider of the user releases the respective attributes. Attributes, claims and values marked as Experimental might change or be removed in the future, so relying parties should not rely on them and should use them only for experimental purposes.

...

Name: User Identifier
Description: The User Identifier is an opaque and non-revocable identifier (i.e. it cannot change over time). The User Identifier has a limit of 255 characters.
SAML Attribute(s):
  • urn:oasis:names:tc:SAML:attribute:subject-id
  • urn:oid:1.3.6.1.4.1.25178.4.1.6 (voPersonID)
OIDC claim(s):
  • sub (public)
  • voperson_id
OIDC claim location: The claim is available in:
  • ☑ ID token
  • ☑ Userinfo endpoint
  • ☑ Introspection endpoint
OIDC scope:
  • openid (for the sub claim)
  • aarc (for the voperson_id claim)
Origin: Assigned to the user by the GEANT AAI Service
Changes: No
Multiplicity: Single-valued
Availability: Mandatory
Example: e413e5b2-1439-42da-a7ed-23444ddd0e5b@aai.geant.org
Notes: The User Identifier and Username “test@aai.geant.org” are reserved for a test account used for testing and monitoring the proper functioning of the service. Relying parties should not authorise it to access any valuable resources.

Username

Name: Username
Description: The username is a human-readable, revocable identifier (i.e. the user can change it). It is intended to be used when a unique identifier needs to be displayed in the user interface (e.g. wikis or Unix accounts).

It has the syntax of eduPersonPrincipalName, which consists of a “user” part and the fixed scope “aai.geant.org”, separated by an at sign. The user part (syntax derived from Linux accounts) begins with a lowercase letter or an underscore, followed by lowercase letters, digits, underscores or dashes. As a regular expression: [a-z_][a-z0-9_-]*

Usernames beginning with an underscore are dedicated to service IDs.
SAML Attribute(s):
  • urn:oid:0.9.2342.19200300.100.1.1 (uid)
OIDC claim(s):
  • preferred_username
OIDC claim location: The claim is available in:
  • ☑ ID token
  • ☑ Userinfo endpoint
  • ☐ Introspection endpoint
OIDC scope: Any of:
  • aarc
  • profile
Origin: Set when a user registers with the GEANT AAI Service
Changes: May be changed (revoked) over time (e.g. if a user changes their name). Revoked identifiers are NOT reassigned.
Multiplicity: Single-valued
Availability: Mandatory
Example: federated-user-999999999@aai.geant.org
Notes: The User Identifier and Username “test@aai.geant.org” are reserved for a test account used for testing and monitoring the proper functioning of the service. Relying parties should not authorise it to access any valuable resources.
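The two identifier records above define what a relying party should check before it maps a login to a local account: the username must match the stated syntax and scope, underscore-prefixed usernames are service IDs, the reserved test account must not reach valuable resources, and the local account must be keyed on the non-revocable User Identifier rather than on the revocable username. The following Python, added here as an illustration and not code from the GEANT AAI Service, implements those checks over constructed claim values modelled on the page's examples; the function names and the `claims` dictionary shape are assumptions.

```python
import re

# Values taken from the page: the fixed username scope, the reserved test
# account and the length limit of the User Identifier.
USERNAME_SCOPE = "aai.geant.org"
TEST_ACCOUNT = "test@aai.geant.org"
SUBJECT_ID_MAX_LEN = 255

# User-part syntax from the page, compiled once; fullmatch() anchors it so a
# value such as "jack.d" or "Jack" is rejected rather than partially matched.
USER_PART_RE = re.compile(r"[a-z_][a-z0-9_-]*")


def check_subject_id(sub):
    """Return a list of problems with a User Identifier (sub / voperson_id).

    An empty list means the value is usable as the stable key of a local account.
    """
    if not sub:
        return ["missing sub"]
    problems = []
    if len(sub) > SUBJECT_ID_MAX_LEN:
        problems.append("sub longer than 255 characters")
    if sub == TEST_ACCOUNT:
        problems.append("reserved test account")
    return problems


def parse_username(username):
    """Split a preferred_username into (user_part, scope), enforcing the syntax."""
    if username.count("@") != 1:
        raise ValueError("username must contain exactly one '@'")
    user_part, scope = username.split("@")
    if scope != USERNAME_SCOPE:
        raise ValueError(f"unexpected scope {scope!r}")
    if not USER_PART_RE.fullmatch(user_part):
        raise ValueError(f"user part {user_part!r} violates the username syntax")
    return user_part, scope


def classify_username(username):
    """Return 'test', 'service' or 'user' for a syntactically valid username."""
    user_part, _ = parse_username(username)
    if username == TEST_ACCOUNT:
        return "test"
    if user_part.startswith("_"):
        return "service"
    return "user"


def local_account_key(claims):
    """Pick the key under which a relying party stores the local account.

    The username is revocable (and never reassigned), so it is only a display
    value; the non-revocable sub is the key. Raises if sub is unusable.
    """
    problems = check_subject_id(claims.get("sub"))
    if problems:
        raise ValueError("; ".join(problems))
    return claims["sub"]


if __name__ == "__main__":
    # Constructed claims modelled on the page's example values
    claims = {
        "sub": "e413e5b2-1439-42da-a7ed-23444ddd0e5b@aai.geant.org",
        "preferred_username": "federated-user-999999999@aai.geant.org",
    }
    print(local_account_key(claims), classify_username(claims["preferred_username"]))
```

The design point is the split between `local_account_key`, which only ever returns `sub`, and `classify_username`, which treats `preferred_username` as a display and policy value: a relying party that stores accounts under the username would lose the link to the user when the username is revoked, even though the identifier is never reassigned.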

...

Name: Display Name
Description: User’s name (firstname lastname).
SAML Attribute(s):
  • urn:oid:2.16.840.1.113730.3.1.241 (displayName)
OIDC claim(s):
  • name
OIDC claim location: The claim is available in:
  • ☑ ID token
  • ☑ Userinfo endpoint
  • ☑ Introspection endpoint
OIDC scope: Any of:
  • profile
  • aarc
Origin: Provided by the Identity Provider of the user
Changes: Yes
Multiplicity: Single-valued
Availability: Optional
Example: Jack Dougherty
Notes:


...

Name: Given Name
Description: Name strings that are the part of a person's name that is not their surname (see RFC4519).
SAML Attribute(s):
  • urn:oid:2.5.4.42 (givenName)
OIDC claim(s):
  • given_name
OIDC claim location: The claim is available in:
  • ☑ ID token
  • ☑ Userinfo endpoint
  • ☑ Introspection endpoint
OIDC scope: Any of:
  • profile
  • aarc
Origin: Provided by the Identity Provider of the user
Changes: Yes
Multiplicity: Single-valued
Availability: Optional
Example: Jack
Notes: In the specification of urn:oid:2.5.4.42 it is stated that the attribute supports multiple values: each name string that is part of a person's name but not their surname is one value of this multi-valued attribute [RFC4519]. The OIDC given_name claim is a single value, although it can contain multiple given names separated by space characters [OIDC-CORE]. The Service will release a single value to both SAML and OIDC relying parties.

...

Name: Family Name
Description: Family name of the user.
SAML Attribute(s):
  • urn:oid:2.5.4.4 (sn)
OIDC claim(s):
  • family_name
OIDC claim location: The claim is available in:
  • ☑ ID token
  • ☑ Userinfo endpoint
  • ☑ Introspection endpoint
OIDC scope: Any of:
  • profile
  • aarc
Origin: Provided by the Identity Provider of the user
Changes: Yes
Multiplicity: Single-valued
Availability: Optional
Example: Dougherty
Notes: In the specification of urn:oid:2.5.4.4 it is stated that the attribute supports multiple values: each family name string of a person is one value of this multi-valued attribute [RFC4519]. The OIDC family_name claim is a single value, although it can contain multiple family names (or no family name) separated by space characters [OIDC-CORE]. The Service will release a single value to both SAML and OIDC relying parties.

...

Name: Email address
Description: Email address of the user. Users may have multiple email addresses, some of which have been verified. A verified email address means that the GEANT AAI Service or the user’s Home IdP has taken affirmative steps to ensure that this email address was controlled by the user at the time the verification was performed. The specific verification mechanism is not defined here, but is expected to meet industry best practices.
SAML Attribute(s):
  • urn:oid:0.9.2342.19200300.100.1.3 (mail)
  • urn:oid:1.3.6.1.4.1.25178.4.1.14 (voPersonVerifiedEmail)
OIDC claim(s):
  • email
  • email_verified
OIDC claim location: The claim is available in:
  • ☑ ID token
  • ☑ Userinfo endpoint
  • ☑ Introspection endpoint
OIDC scope: Any of:
  • email
  • aarc
Origin: Provided by the Identity Provider of the user, or registered by the GEANT AAI Service after ownership of the email address has been verified.
Changes: Yes
Multiplicity: Single-valued
Availability: Optional
Example: jack.dougherty@example.com
Notes:


Affiliation within Home Organization

Name: Affiliation within Home Organization
Description: One or more home organisations (such as universities, research institutions or private companies) this user is affiliated with. The syntax and semantics follow the eduPersonScopedAffiliation attribute.

The following values are recommended for use to the left of the “@” sign:

  • faculty

    The person is a researcher or teacher in their home organisation. The exact interpretation is left to the home organisation, but the intention is that the primary focus of the person in their home organisation is in research and/or education.

    Note: this attribute value is for users in the academic sector.

  • industry-researcher

    The person is a researcher or teacher in their home organisation. The exact interpretation is left to the home organisation, but the intention is that the primary focus of the person in their home organisation is in research and/or education.

    Note: this attribute value is for users in the private sector.

  • member

    The member value is intended to include faculty, industry-researcher, staff, student and other persons with a full set of basic privileges that go with membership in the home organisation, as defined in eduPerson. In contrast to faculty, among other things, this covers positions with a managerial and service focus, such as service management or IT support.

  • affiliate

    The affiliate value indicates that the holder has some definable affiliation to the home organisation NOT captured by any of faculty, industry-researcher, staff, student and/or member.

  • unknown

    If the origin does not provide any affiliation information, but the scope of the origin provider can be reliably determined, the affiliation is constructed by concatenating the string literal “unknown@” and the determined scope of the origin provider [AARC-G057].

If a person has the faculty or industry-researcher affiliation with a certain organisation, they also have the member affiliation. However, that does not apply in the reverse order. Furthermore, persons who do not qualify as member have an affiliation of affiliate.
SAML Attribute(s):
  • urn:oid:1.3.6.1.4.1.25178.4.1.11 (voPersonExternalAffiliation)
OIDC claim(s):
  • voperson_external_affiliation
OIDC claim location: The claim is available in:
  • ☑ ID token
  • ☑ Userinfo endpoint
  • ☑ Introspection endpoint
OIDC scope: Any of:
  • voperson_external_affiliation
  • aarc
Origin: Provided by the Identity Provider of the user
Changes: Yes
Multiplicity: Multi-valued
Availability: Optional
Example:
  • faculty@helsinki.fi
  • industry-researcher@zeiss.com
  • member@ebi.ac.uk
Notes: The Connected Services are not supposed to do SAML scope checks on this attribute.
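The affiliation record above carries three rules a relying party has to get right when it authorises on voperson_external_affiliation: the value is split at the “@” into affiliation and home-organisation scope, faculty and industry-researcher imply member at the same scope but member does not imply faculty, and a missing affiliation with a known scope becomes “unknown@scope” [AARC-G057]. The following Python, added here as an illustration and not code from the GEANT AAI Service, implements those rules over the page's example values; the function names are assumptions. It deliberately does not check the scope against the asserting party, because the page says Connected Services are not supposed to do SAML scope checks on this attribute.

```python
# Recommended values to the left of "@", as listed on the page
RECOMMENDED_AFFILIATIONS = {"faculty", "industry-researcher", "member", "affiliate", "unknown"}
# Values that also imply member at the same scope (the reverse does not hold)
IMPLIES_MEMBER = {"faculty", "industry-researcher"}


def parse_scoped_affiliation(value):
    """Split 'affiliation@scope' into its parts.

    Only the syntax is checked; no SAML scope check is performed on this
    attribute, as the page notes, since the scope names the user's home
    organisation rather than the asserting party.
    """
    if value.count("@") != 1:
        raise ValueError(f"{value!r} is not of the form affiliation@scope")
    affiliation, scope = value.split("@")
    if not affiliation or not scope:
        raise ValueError(f"{value!r} has an empty affiliation or scope")
    return affiliation, scope


def is_recommended(value):
    """True if the affiliation part is one of the values the page recommends."""
    affiliation, _ = parse_scoped_affiliation(value)
    return affiliation in RECOMMENDED_AFFILIATIONS


def unknown_affiliation(scope):
    """Build the value used when the origin gave no affiliation but its scope is known [AARC-G057]."""
    if not scope:
        raise ValueError("scope must be reliably determined before 'unknown@' is constructed")
    return "unknown@" + scope


def effective_affiliations(values):
    """Expand the asserted values with the implied ones.

    faculty or industry-researcher at a scope also yields member at that scope;
    member does not yield faculty. Values outside the recommended set are kept
    as asserted but nothing is derived from them.
    """
    effective = set()
    for value in values:
        affiliation, scope = parse_scoped_affiliation(value)
        effective.add((affiliation, scope))
        if affiliation in IMPLIES_MEMBER:
            effective.add(("member", scope))
    return effective


def has_affiliation(values, wanted, scope):
    """True if the user holds `wanted` at `scope`, directly or by implication."""
    return (wanted, scope) in effective_affiliations(values)


if __name__ == "__main__":
    # Constructed input: the three example values from the page
    asserted = ["faculty@helsinki.fi", "industry-researcher@zeiss.com", "member@ebi.ac.uk"]
    print(sorted(effective_affiliations(asserted)))
    print(has_affiliation(asserted, "member", "helsinki.fi"))  # implied by faculty
    print(has_affiliation(asserted, "faculty", "ebi.ac.uk"))   # member does not imply faculty
```

Keeping the (affiliation, scope) pair together in `effective_affiliations` matters: a user who is faculty at one organisation must not thereby satisfy a member check at a different organisation, so the implication is only ever added at the scope it was asserted for.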

...

Groups

Name: Groups
Description: The groups this user is a member of in their collaboration [AARC-G069].
SAML Attribute(s):
  • urn:oid:1.3.6.1.4.1.5923.1.1.1.7 (eduPersonEntitlement)
OIDC claim(s):
  • entitlements
OIDC claim location: The claim is available in:
  • ☑ ID token
  • ☑ Userinfo endpoint
  • ☑ Introspection endpoint
OIDC scope:
  • entitlements
Origin: Managed by the GEANT AAI Service
Changes: Yes
Multiplicity: Multi-valued
Availability: Optional
Example: A user who is a member of Task 1 in WP5 of the GN5-1 project receives the following values:
  • urn:geant:aai.geant.org:group:geant
  • urn:geant:aai.geant.org:group:geant:GN5-1
  • urn:geant:aai.geant.org:group:geant:GN5-1:WP5
  • urn:geant:aai.geant.org:group:geant:GN5-1:WP5:Task%201
Notes:
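The group example above shows the shape a relying party has to parse: a fixed URN prefix, a colon-separated group path in which components are percent-encoded (“Task%201” is “Task 1”), and one entitlement value per ancestor group. The following Python, added here as an illustration and not code from the GEANT AAI Service, parses those values and answers membership questions; the function names, the optional “#authority” fragment handling and the non-group sample entitlement are assumptions, and the four group URNs are the page's own example.

```python
from urllib.parse import unquote

# Prefix of the group entitlement URNs in the page's example
GROUP_URN_PREFIX = "urn:geant:aai.geant.org:group:"

# Constructed sample: the four entitlements the page lists for a member of
# Task 1 in WP5 of GN5-1, plus one non-group entitlement to show it is ignored
SAMPLE_ENTITLEMENTS = [
    "urn:geant:aai.geant.org:group:geant",
    "urn:geant:aai.geant.org:group:geant:GN5-1",
    "urn:geant:aai.geant.org:group:geant:GN5-1:WP5",
    "urn:geant:aai.geant.org:group:geant:GN5-1:WP5:Task%201",
    "urn:mace:dir:entitlement:common-lib-terms",
]


def parse_group_urn(urn):
    """Return the group path as a tuple of decoded components, or None.

    Anything outside the GEANT group namespace yields None so that unrelated
    entitlement values never grant group membership. A trailing "#authority"
    fragment (part of the AARC-G069 format; assumed optional here, as the
    page's example has none) is stripped before parsing.
    """
    urn = urn.split("#", 1)[0]
    if not urn.startswith(GROUP_URN_PREFIX):
        return None
    path = urn[len(GROUP_URN_PREFIX):]
    if not path:
        return None
    components = tuple(unquote(part) for part in path.split(":"))
    if any(component == "" for component in components):
        return None
    return components


def group_memberships(entitlements):
    """Set of group paths the user is a member of."""
    paths = set()
    for urn in entitlements:
        path = parse_group_urn(urn)
        if path is not None:
            paths.add(path)
    return paths


def is_member(entitlements, group_path, include_subgroups=False):
    """True if the user is a member of group_path (a sequence of components).

    With include_subgroups=True, membership of any subgroup also counts. The
    page's example shows the Service issuing an entitlement for every ancestor
    group as well, so an exact match normally suffices for ancestors.
    """
    wanted = tuple(group_path)
    for path in group_memberships(entitlements):
        if path == wanted:
            return True
        if include_subgroups and path[: len(wanted)] == wanted:
            return True
    return False


if __name__ == "__main__":
    for path in sorted(group_memberships(SAMPLE_ENTITLEMENTS)):
        print(":".join(path))
    print(is_member(SAMPLE_ENTITLEMENTS, ("geant", "GN5-1", "WP5", "Task 1")))
```

Comparing decoded tuples rather than raw strings avoids two classic mistakes: a prefix test on the undecoded string would let “geant:GN5-10” satisfy a check for “geant:GN5-1”, and matching on the encoded form would miss “Task 1” when a policy is written with the space.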