Page History

The  User Identifier is an opaque and non-revocable identifier (i.e. it cannot change over time). The User Identifier has a limit of 255 characters

• urn:oasis:names:tc:SAML:attribute:subject-id
• urn:oid:1.3.6.1.4.1.25178.4.1.6 (voPersonID)

• sub (public)
• voperson_id

• openid (for the sub claim)
• aarc (for the voperson_id claim)

The User Identifier and Username “test@aai.geant.org” are test accounts reserved for testing and monitoring the proper functioning. The Relying parties should not authorise it to access any valuable resources.

Email address of the user. Users may have multiple email addresses, some of which were verified. A verified email address means that the GEANT AAI Service or the user’s Home IdP has taken affirmative steps to ensure that this email address was controlled by the user at the time the verification was performed. The specific verification mechanism is not defined here, but is expected to meet industry best practices.

• urn:oid:0.9.2342.19200300.100.1.3 (emailmail)
  
• urn:oid:1.3.6.1.4.1.25178.4.1.14 (voPersonVerifiedEmail)

• email
• email_verified

Any of:

• email
• aarc

Single-valued

One or more home organisations (such as universities, research institutions or private companies) this user is affiliated with. The syntax and semantics follow the eduPersonScopedAffiliation attribute.

The following values are recommended for use to the left of the “@” sign:

• faculty

  The person is a researcher or teacher in their home organisation. 

  The exact interpretation is left to the home organisation, but the intention is that the primary focus of the person in their home organisation is in research and/or education. 

  
  Note. This attribute value is for users in the academic sector
  
  
• industry-researcher
  

  The person is a researcher or teacher in their home organisation. 

  The exact interpretation is left to the home organisation, but the intention is that the primary focus of the person in their home organisation is in research and/or education. 

  
  Note. This attribute value is for users in the private sector.
  
  
• member
  

  The member is intended to include faculty, industry-researcher, staff, student and other persons with a full set of basic privileges that go with membership in the home organisation, as defined in eduPerson. 
  
  

  In contrast to faculty, among other things, this covers positions with managerial and service focus, such as service management or IT support.
  
  
• affiliate
  
  The affiliate value indicates that the holder has some definable affiliation to the home organisation NOT captured by any of faculty, industry-researcher, staff, student and/or member.
  
  
• unknown
  
  If the origin does not provide any affiliation information, but the scope of the origin provider can be reliably determined, the affiliation is constructed by concatenating the string literal “unknown@” and the determined scope of the origin provider [AARC-G057]

If a person has faculty or industry-researcher affiliation with a certain organisation, they have also the member affiliation. However, that does not apply in a reverse order. Furthermore, those persons who do not qualify as member have an affiliation of affiliate.

urn:oid:1.3.6.1.4.1.25178.4.1.11 (voPesonExternalAffiliationvoPersonExternalAffiliation)

Any of:

• voperson_external_affiliation
• aarc

Multi-valued

The Connected Services are not supposed to do SAML scope checks on this attribute.

Groups

urn:oid:1.3.6.1.4.1.5923.1.1.1.7 (eduPersonEntitlement)

entitlements

Multi-valued

Example of a user, who is member of Task 1 in WP5 of the GN5-1 project:

• urn:geant:aai.geant.org:group:geant
• urn:geant:aai.geant.org:group:geant:GN5-1
• urn:geant:aai.geant.org:group:geant:GN5-1:WP5
• urn:geant:aai.geant.org:group:geant:GN5-1:WP5:Task%201