Page History

User’s Community Identifier is an opaque and non-revocable identifier (i.e. it cannot change over time) that follows the syntax of eduPersonUniqueId  attribute of eduPerson.

It consists of “uniqueID” part and fixed scope “myaccessid.org”, separated by at sign. The uniqueID part contains up to 64 hexadecimal digits (a-f, 0-9)

- urn:oasis:names:tc:SAML:attribute:subject-id

- 1.3.6.1.4.1.5923.1.1.1.13 (eduPersonUniqueId)
- urn:oasis:names:tc:SAML:attribute:subject-id- Legacy - to be deprecated

eduPerson defines the comparison rule caseIgnoreMatch for eduPersonUniqueID. 

Relying services are encouraged to validate the scope of this attribute against the values permitted for MyAccessID. MyAccessID makes exclusive use of scope MyAccessID.org“. 

The MyAccessID identifier and username “test@MyAccessID.org” are test accounts reserved for testing and monitoring the proper functioning of the MyAccessID Login. The Relying parties should not authorise it to access any valuable resources.

One or more home organisations (such as, universities, research institutions or private companies) this user is affiliated with. The syntax and semantics follows eduPersonScopedAffiliation attribute.

Following values are recommended for use to the left of the “@” sign:

• Faculty

  The person is a researcher or teacher in their home organisation. 

  The exact interpretation is left to the home organization, but the intention is that the primary focus of the person in their home organisation is in research and/or education. 

  Note. This attribute value is for users in the academic sector
  
  
• Member
  

  Member is intended to include faculty, industry-researcher, staff, student and other persons with a full set of basic privileges that go with membership in the home organisation, as defined in eduPerson. 
  
  

  In contrast to faculty, among other things, this covers positions with managerial and service focus, such as service management or IT support.
  
  
• Affiliate
  
  The affiliate value indicates that the holder has some definable affiliation to the home organisation NOT captured by any of faculty, industry-researcher, staff, student and/or member.

If a person has facultyor industry-researcher affiliation  affiliation with a certain organisation, they have also the member affiliation. However, that does not apply in a reverse order. Furthermore, those persons who do not qualify to member have an affiliation of affiliate.

urn:oid:1.3.6.1.4.1.25178.4.1.11 (voPesonExternalAffiliation)

To become a holder of the faculty, industry-researcher or  or member attribute values in MyAccessID the user must have either 

• Performed federated login to MyAccessID using their home organisation’s credentials, during which the home organisation releases the related eduPersonAffiliation or eduPersonScopedAffiliation attribute, or 
• Be assigned that value manually in MyAccessID by a dedicated person in their home organisation 

To become a holder of the affiliate value, the user must either 

• Use either of the two alternatives above, or
• Demonstrate they control an e-mail address that belongs to the home organisation

Multi-valued

The freshness of the attribute values is managed by asking users to refresh the value every 12 months using the procedure described above.

MyAccessID asserts attribute values with different scopes. The Relying services are not supposed to do SAML scope check to this attribute.

Assurance

Assurance of the identity of the user, following REFEDS Assurance Framework (RAF).

Following RAF values are qualified and automatically set for all MyAccessIDidentitiesMyAccessID identities:

• https://refeds
• https://refeds/ID/unique
• https://refeds/ID/eppn-unique-no-reassign
• https://refeds/IAP/low
• https://refeds$/ATP/ePA-1m
• https://refeds/ATP/ePA-1d
  

Following RAF values are set if the currently used authentication provider asserts (or otherwise qualifies to) them:

• https://refeds/IAP/medium
• https://refeds/IAP/high

Following compound profiles are asserted if the user qualifies to them - Experimental

• https://refeds/profile/cappuccino
• https://refeds/profile/espresso

Assurange of the identify of the user, following AARC-G021 - Experimental

Users logging-in via non-institutional Identity Providers (e.g. Google, ORCID) will have the following assurance value:

• https://aarc-project.eu/policy/authn-assurance/assam

Assurange of the identify of the user, MyAccessID specific - Experimental

Users logging-in via non-institutional Identity Providers (e.g. Google, ORCID) will have the following assurance values:

• https://MyAccessID.org/assurance/IDP/rs-sirtfi

• http://refeds.org/category/research-and-scholarship

• https://refeds.org/sirtfi

urn:oid:1.3.6.1.4.1.5923.1.1.1.11 (eduPersonAssurance)

MyAccessID is the origin for values it has set (see description).

The current authentication provider is the origin for the values it asserts (or otherwise qualifies to).

Multi-valued

• https://refeds
• https://refeds/ID/unique
• https://refeds/ID/eppn-unique-no-reassign
• https://refeds/IAP/low
• https://refeds$/ATP/ePA-1m
• https://refeds/ATP/ePA-1d