Versions Compared

Old Version 5

changes.mady.by.user Christos Kanellopoulos

Saved on

compared with

New Version Current

changes.mady.by.user Michal Stava

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

NameUser Identifier
Description

The  User Identifier is an opaque and non-revocable identifier (i.e. it cannot change over time). The User Identifier has a limit of 255 characters

SAML Attribute(s)
  • urn:oasis:names:tc:SAML:attribute:subject-id
  • urn:oid:1.3.6.1.4.1.25178.4.1.6 (voPersonID)
OIDC claim(s)
  • sub (public)
  • voperson_id
OIDC claim locationThe claim is available in:

 ID token
 Userinfo endpoint
☑ Introspection endpoint
OIDC scope
  • openid (for the sub claim)
  • aarc (for the voperson_id claim)
OriginAssigned to the user by the GEANT AAI Service
ChangesNo
MultiplicitySingle-valued
AvailabilityMandatory
Examplee413e5b2-1439-42da-a7ed-23444ddd0e5b@aai.geant.org
Notes

The User Identifier and Username “test@aai.geant.org” are test accounts reserved for testing and monitoring the proper functioning. The Relying parties should not authorise it to access any valuable resources.

Username

NameUsername
Description

The username is a human-readable, revocable identifier (i.e. the user can change it). It is intended to be used when a unique identifier needs to be displayed in the user interface (e.g. wikis or Unix accounts).

It has the syntax of eduPersonPrincipalName, which consists of “user” part and a fixed scope “aai.geant.org”, separated by at sign. The user part (syntax derived from Linux accounts) begins with a lowercase letter or an underscore, followed by lower case letters, digits, underscores, or dashes. In regular expression: [a-z_][a-z0-9_-]*?

The usernames beginning with an underscore are dedicated to service IDs.

SAML Attribute(s)

urn:oid:0.9.2342.19200300.100.1.1 (uid)

OIDC claim(s)preferred_username
OIDC claim locationThe claim is available in:
☑ ID

 ID token
 Userinfo endpoint
Introspection endpoint
OIDC scope

Any of:

  • aarc
  • profile
  • preferred_username
    • OriginSet when a user registers with the GEANT AAI Service
    Changes

    May be changed (revoked) over time (e.g. if a user changes their name). 

    Revoked identifiers are NOT reassigned.

    MultiplicitySingle-valued
    AvailabilityMandatory
    Examplefederated-user-999999999@aai.geant.org
    Notes

    The User Identifier and Username “test@aai.geant.org” are test accounts reserved for testing and monitoring the proper functioning. The Relying parties should not authorise it to access any valuable resources.

    Display Name

    NameDisplay Name
    Description

    User’s name (firstname lastname).

    SAML Attribute(s)

    urn:oid:2.16.840.1.113730.3.1.241 (displayName)

    OIDC claim(s)name
    OIDC claim locationThe claim is available in:

     ID token
     Userinfo endpoint
     Introspection endpoint
    OIDC scope

    Any of:

    • profile
    • aarc
    OriginProvided by the Identity Provider of the user
    ChangesYes
    MultiplicitySingle-valued
    AvailabilityOptional
    ExampleJack Dougherty
    Notes


    ...

    NameEmail address
    Description

    Email address of the user. Users may have multiple email addresses, some of which were verified. A verified email address means that the GEANT AAI Service or the user’s Home IdP has taken affirmative steps to ensure that this email address was controlled by the user at the time the verification was performed. The specific verification mechanism is not defined here, but is expected to meet industry best practices.

    SAML Attribute(s)
    • urn:oid:0.9.2342.19200300.100.1.3 (emailmail)
    • urn:oid:1.3.6.1.4.1.25178.4.1.14 (voPersonVerifiedEmail)
    OIDC claim(s)
    • email
    • email_verified
    OIDC claim locationThe claim is available in:

     ID token
     Userinfo endpoint
     Introspection endpoint
    OIDC scope

    Any of:

    • email
    • aarc
    OriginProvided by the Identity Provider of the user or registered by the GEANT AAI Service after ownership of the email address has been verified.
    ChangesYes
    Multiplicity

    Single-valued

    AvailabilityOptional
    Examplejack.dougherty@example.com
    Notes


    ...

    NameAffiliation within Home Organization
    Description

    One or more home organisations (such as universities, research institutions or private companies) this user is affiliated with. The syntax and semantics follow the eduPersonScopedAffiliation attribute.

    The following values are recommended for use to the left of the “@” sign:

    • faculty

      The person is a researcher or teacher in their home organisation. 

      The exact interpretation is left to the home organisation, but the intention is that the primary focus of the person in their home organisation is in research and/or education. 


      Note      . This attribute value is for users in the academic sector

    • industry-researcher

      The person is a researcher or teacher in their home organisation. 

      The exact interpretation is left to the home organisation, but the intention is that the primary focus of the person in their home organisation is in research and/or education. 


      Note      . This attribute value is for users in the private sector.

    • member

      The member is intended to include faculty, industry-researcher, staff, student and other persons with a full set of basic privileges that go with membership in the home organisation, as defined in eduPerson. 

      In contrast to faculty, among other things, this covers positions with managerial and service focus, such as service management or IT support.

    • affiliate

      The affiliate value indicates that the holder has some definable affiliation to the home organisation NOT captured by any of faculty, industry-researcher, staff, student and/or member.

    • unknown

      If the origin does not provide any affiliation information, but the scope of the origin provider can be reliably determined, the affiliation is constructed by concatenating the string literal “unknown@” and the determined scope of the origin provider [AARC-G057]

    If a person has faculty or industry-researcher affiliation with a certain organisation, they have also the member affiliation. However, that does not apply in a reverse order. Furthermore, those persons who do not qualify as member have an affiliation of affiliate.

    SAML Attribute(s)

    urn:oid:1.3.6.1.4.1.25178.4.1.11 (voPesonExternalAffiliationvoPersonExternalAffiliation)

    OIDC claim(s)voperson_external_affiliation
    OIDC claim locationThe claim is available in:

     ID token
     Userinfo endpoint
    ☐ Introspection ☑ Introspection endpoint
    OIDC scope

    Any of:

    • voperson_external_affiliation
    • aarc
    OriginProvided by the Identity Provider of the user
    ChangesYes
    Multiplicity

    Multi-valued

    AvailabilityOptional
    Examplefaculty@helsinki.fi
    industry-researcher@zeiss.com
    member@ebi.ac.uk
    Notes

    The Connected Services are not supposed to do SAML scope checks on this attribute.

    ...

    Name

    Groups

    DescriptionThe groups this user is a member of in their collaboration [AARC-G069G069].
    SAML Attribute(s)

    urn:oid:1.3.6.1.4.1.5923.1.1.1.7 (eduPersonEntitlement)

    OIDC claim(s)entitlements
    OIDC claim locationThe claim is available in:

     ID token
     Userinfo endpoint
    ☑ Introspection endpoint
    OIDC scope

    entitlements

    OriginManaged by the GEANT AAI Service
    ChangesYes
    Multiplicity

    Multi-valued

    AvailabilityOptional
    Example

    Example of a user, who is member of Task 1 in WP5 of the GN5-1 project:

    • urn:geant:aai.geant.org:group:geant
    • urn:geant:aai.geant.org:group:geant:GN5-1
    • urn:geant:aai.geant.org:group:geant:GN5-1:WP5
    • urn:geant:aai.geant.org:group:geant:GN5-1:WP5:Task%201
    Notes

    ...