For each attribute, the accepted attribute name(s) are listed together with the requirement (mandatory or optional) and an explanation of why the service needs it.

User Identifier
Attribute name(s): subject-id, pairwise-id, eduPersonPrincipalName¹, eduPersonTargetedID, eduPersonUniqueId
Requirement: Mandatory. At least one

The service needs to uniquely identify users for authorization purposes. Without a unique identifier, it is impossible to distinguish two different users from each other.

As a service that meets the requirements for and supports the entity category of R&S, the MyAccessID IAM Service is expected to receive the R&S attribute bundle, which includes a user identifier.

As a service that meets the requirements for and supports the entity category of Code of Conduct, the MyAccessID IAM Service specifically declares the attributes required to use the service.

As a service that supports Sirtfi, it is required to be able to uniquely identify users.

Level of Assurance
Attribute name(s): eduPersonAssurance
Requirement: Mandatory starting in 2022

Level of Assurance information will become mandatory in 2022.

Access to services connected to PUHURI is allowed only with identities that fulfill certain identity assurance criteria.

To express the required assurance levels, the REFEDS Assurance suite (https://wiki.refeds.org/display/ASS) is used.

Requirements are defined for two aspects of identity assurance:

  • Identifier uniqueness, to ensure unambiguous identification of users;
  • Identity proofing and credential issuance, renewal, and replacement, to ensure that the identity trustworthily represents the right natural person.

The level of assurance of an identity issued to a user is expressed at the time of user authentication by the IdP sending the eduPersonAssurance attribute with the following values:

Name
Attribute name(s): cn, displayName, sn + givenName
Requirement: Mandatory. At least one

The service needs to uniquely and persistently identify the users who are members of virtual teams, as they will be assigned membership roles and access rights to team resources. When a user applies for membership of a team or a project, the manager needs to be able to recognise the applicant, and the team services used for the collaboration are expected to provide personalised access.

As a service that meets the requirements for and supports the entity category of R&S, it is expected to receive the R&S attribute bundle, which includes cn, displayName, sn and givenName.

As a service that meets the requirements for and supports the entity category of Code of Conduct, the service specifically declares the attributes required to use the service.

Mail
Attribute name(s): mail
Requirement: Mandatory

The service needs to be able to contact the user regarding the status of their account.

As a service that meets the requirements for and supports the entity category of R&S, it is expected to receive the R&S attribute bundle, which includes mail.

As a service that meets the requirements for and supports the entity category of Code of Conduct, it specifically declares the attributes required to use the service.

As a service that supports Sirtfi, it is required to be able to contact users.

Affiliation
Attribute name(s): eduPersonScopedAffiliation
Requirement: Mandatory

Access to many of the HPC resources connected through MyAccessID in the context of EuroHPC (and beyond) relies on authorising users based on their affiliation with their home organisation.

As a service that meets the requirements for and supports the entity category of R&S, it is expected to receive the R&S attribute bundle, which includes eduPersonScopedAffiliation.

As a service that meets the requirements for and supports the entity category of Code of Conduct, the service specifically declares the attributes required to use the service.

Organization
Attribute name(s): schacHomeOrganization
Requirement: Optional

Access to many of the HPC resources connected through MyAccessID in the context of EuroHPC (and beyond) relies on authorising users based on their home organisation.

As a service that meets the requirements for and supports the entity category of Code of Conduct, the service specifically declares the attributes required to use the service.

Depending on which protocol the IdP is using, SAML or OIDC, attributes need to be released in the following format, respectively.

SAML Attribute Names

SAML Attributes MUST be sent using urn:oasis:names:tc:SAML:2.0:attrname-format:uri NameFormat. Below is the list of the canonical names of the SAML attributes:

| SAML Attribute Name | SAML Attribute Friendly Name |
| --- | --- |
| urn:oasis:names:tc:SAML:attribute:subject-id | subject-id |
| urn:oasis:names:tc:SAML:attribute:pairwise-id | pairwise-id |
| urn:oid:0.9.2342.19200300.100.1.3 | email |
| urn:oid:1.3.6.1.4.1.25178.1.2.9 | schacHomeOrganization |
| urn:oid:1.3.6.1.4.1.25178.4.1.6 | voPersonID |
| urn:oid:1.3.6.1.4.1.25178.4.1.11 | voPersonExternalAffiliation |
| urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | eduPersonPrincipalName |
| urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | eduPersonScopedAffiliation |
| urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | eduPersonTargetedID |
| urn:oid:1.3.6.1.4.1.5923.1.1.1.11 | eduPersonAssurance |
| urn:oid:1.3.6.1.4.1.5923.1.1.1.13 | eduPersonUniqueId |
| urn:oid:2.5.4.3 | cn |
| urn:oid:2.5.4.4 | surname |
| urn:oid:2.5.4.42 | givenName |

OIDC Claim Names

| OIDC Claim | Scope |
| --- | --- |
| subject-id | profile |
| email | profile |
| name | profile |
| given_name | profile |
| family_name | profile |
| voperson_id | aarc |
| eduperson_entitlement | aarc |
| eduperson_scoped_affiliation | aarc |
| voperson_external_affiliation | aarc |
| eduperson_assurance | aarc |
| schac_home_organization | |
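The following Python script is an added example, not code from this page or from the MyAccessID service. It shows how a service could check the attributes an IdP actually released, either a SAML assertion (accepting only attributes sent in the URI NameFormat, as required above) or an OIDC claim set, against the attribute requirements listed on this page. The name mappings are taken from the two tables above; the sample assertion, the sample claims, the IdP domain and the user values are constructed, Level of Assurance is treated as already mandatory, and only the presence of eduPersonAssurance is checked, not its values.

```python
"""Check attributes released by an IdP (SAML assertion or OIDC claims) against
the requirement table on this page.  Constructed example, not MyAccessID code."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Canonical SAML attribute name -> friendly name, from the page's SAML table.
SAML_FRIENDLY = {
    "urn:oasis:names:tc:SAML:attribute:subject-id": "subject-id",
    "urn:oasis:names:tc:SAML:attribute:pairwise-id": "pairwise-id",
    "urn:oid:0.9.2342.19200300.100.1.3": "email",
    "urn:oid:1.3.6.1.4.1.25178.1.2.9": "schacHomeOrganization",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "eduPersonTargetedID",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.11": "eduPersonAssurance",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.13": "eduPersonUniqueId",
    "urn:oid:2.5.4.3": "cn",
    "urn:oid:2.5.4.4": "surname",
    "urn:oid:2.5.4.42": "givenName",
}

# OIDC claim -> the same friendly names, from the page's OIDC table.
OIDC_FRIENDLY = {
    "subject-id": "subject-id", "email": "email", "name": "cn",
    "given_name": "givenName", "family_name": "surname",
    "eduperson_scoped_affiliation": "eduPersonScopedAffiliation",
    "eduperson_assurance": "eduPersonAssurance",
    "schac_home_organization": "schacHomeOrganization",
}

# Rows of the requirement table: (label, alternatives that satisfy it, mandatory?).
# "Name" is met by cn, by displayName, or by surname together with givenName.
REQUIREMENTS = [
    ("User Identifier", [{"subject-id"}, {"pairwise-id"}, {"eduPersonPrincipalName"},
                         {"eduPersonTargetedID"}, {"eduPersonUniqueId"}], True),
    ("Level of Assurance", [{"eduPersonAssurance"}], True),
    ("Name", [{"cn"}, {"displayName"}, {"surname", "givenName"}], True),
    ("Mail", [{"email"}], True),
    ("Affiliation", [{"eduPersonScopedAffiliation"}], True),
    ("Organization", [{"schacHomeOrganization"}], False),
]

def saml_attributes(assertion_xml: str) -> dict:
    """Friendly name -> values.  Attributes not sent in the URI NameFormat (the
    page's MUST), with unknown names, or with only empty values are dropped."""
    found = {}
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("NameFormat") != URI_FORMAT:
            continue
        friendly = SAML_FRIENDLY.get(attr.get("Name"))
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)
                  if v.text and v.text.strip()]
        if friendly and values:
            found[friendly] = values
    return found

def oidc_attributes(claims: dict) -> dict:
    """Friendly name -> values for an OIDC claim set (e.g. a userinfo response)."""
    found = {}
    for claim, friendly in OIDC_FRIENDLY.items():
        value = claims.get(claim)
        if value not in (None, "", []):
            found[friendly] = value if isinstance(value, list) else [value]
    return found

def check_requirements(attrs: dict) -> tuple:
    """Return (missing mandatory labels, missing optional labels)."""
    missing_mandatory, missing_optional = [], []
    for label, alternatives, mandatory in REQUIREMENTS:
        if not any(alt.issubset(attrs) for alt in alternatives):
            (missing_mandatory if mandatory else missing_optional).append(label)
    return missing_mandatory, missing_optional

# Constructed sample assertion: everything except schacHomeOrganization, with cn
# sent in the basic NameFormat, which the check must ignore.
U = URI_FORMAT
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:AttributeStatement>
<saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:subject-id" NameFormat="{U}"><saml:AttributeValue>u1@idp.example</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="{U}"><saml:AttributeValue>u1@idp.example</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="urn:oid:2.5.4.42" NameFormat="{U}"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="urn:oid:2.5.4.4" NameFormat="{U}"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="urn:oid:2.5.4.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue>Ada Lovelace</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="{U}"><saml:AttributeValue>member@idp.example</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" NameFormat="{U}"><saml:AttributeValue>https://refeds.org/assurance/ID/unique</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample OIDC claims: no eduperson_assurance, no schac_home_organization.
SAMPLE_CLAIMS = {"sub": "u1", "subject-id": "u1@idp.example", "email": "u1@idp.example",
                 "name": "Ada Lovelace", "eduperson_scoped_affiliation": ["member@idp.example"]}
```

Running check_requirements(saml_attributes(SAMPLE_ASSERTION)) reports no missing mandatory attribute and Organization as the missing optional one; the cn sent in the basic NameFormat is not counted, but the name requirement is still met by surname together with givenName. The OIDC sample fails on Level of Assurance, since eduperson_assurance is absent. The same check can be run on a real assertion or userinfo response from an IdP during onboarding to see which rows of the table its attribute release does not cover.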