This document describes the SAML attributes and OIDC claims that are available to relying parties connected to the GEANT SP Proxy. Attribute - claims marked as Mandatory will always be available to a relying party. Attribute - claims marked as Optional will be made available under certain circumstances. For example, some attributes - claims can be available only if the respective attributes - claims are released by the home Identity Provider of the user. Attributes - claims and values marked as Experimental might change or removed in the future, so relying parties should not rely on them, but use them only for experimental purposes.

List of Attributes - Claims

User Identifier

Name	User Identifier
Description	The User Identifier is an opaque and non-revocable identifier (i.e. it cannot change over time). The User Identifier has a limit of 255 characters
SAML Attribute(s)	- urn:oasis:names:tc:SAML:attribute:subject-id
OIDC claim(s)	sub (public)
OIDC claim location	The claim is available in: ☑ ID token ☑ Userinfo endpoint ☐ Introspection endpoint
OIDC scope	openid
Origin	Assigned to the user by the GEANT SP Proxy
Changes	No
Multiplicity	Single-valued
Availability	Mandatory
Example	E413E5B2-1439-42DA-A7ED-23444DDD0E5B@aai.geant.org
Notes	The User Identifier and Username “test@aai.geant.org” are test accounts reserved for testing and monitoring the proper functioning. The Relying parties should not authorise it to access any valuable resources.

Display Name

Name	Display Name
Description	User’s name (firstname lastname).
SAML Attribute(s)	urn:oid:2.16.840.1.113730.3.1.241 (displayName)
OIDC claim(s)	name
OIDC claim location	The claim is available in: ☐ ID token ☑ Userinfo endpoint ☐ Introspection endpoint
OIDC scope	profile
Origin	Provided by the Identity Provider of the user
Changes	Yes
Multiplicity	Single-valued
Availability	Optional
Example	Jack Dougherty
Notes

Given Name

Name	Given Name
Description	Name strings that are the part of a person's name that is not their surname (see RFC4519).
SAML Attribute(s)	urn:oid:2.5.4.42 (givenName)
OIDC claim(s)	given_name
OIDC claim location	The claim is available in: ☐ ID token ☑ Userinfo endpoint ☐ Introspection endpoint
OIDC scope	profile
Origin	Provided by the Identity Provider of the user
Changes	Yes
Multiplicity	Single-valued
Availability	Optional
Example	Jack
Notes	In the specification of urn:oid:2.5.4.42 it is stated that the attribute supports multiple values, but the OIDC claim supports only a single value. The Service will release a single value to both SAML and OIDC relying parties

Family Name

Name	Family Name
Description	Family name of the user
SAML Attribute(s)	urn:oid:2.5.4.4 (surname)
OIDC claim(s)	family_name
OIDC claim location	The claim is available in: ☐ ID token ☑ Userinfo endpoint ☐ Introspection endpoint
OIDC scope	profile
Origin	Provided by the Identity Provider of the user
Changes	Yes
Multiplicity	Single-valued
Availability	Optional
Example	Dougherty
Notes	In the specification of urn:oid:2.5.4.4 it is stated that the attribute supports multiple values, but the OIDC claim supports only a single value. The Service will release a single value to both SAML and OIDC relying parties

Email address

Name	Email address
Description	Email address of the user.
SAML Attribute(s)	urn:oid:0.9.2342.19200300.100.1.3 (email)
OIDC claim(s)	email
OIDC claim location	The claim is available in: ☐ ID token ☑ Userinfo endpoint ☐ Introspection endpoint
OIDC scope	email
Origin	Provided by the Identity Provider of the user
Changes	Yes
Multiplicity	Single-valued
Availability	Optional
Example	jack.dougherty@example.com
Notes

Affiliation within Home Organization

Name	Affiliation within Home Organization
Description	One or more home organisations (such as universities, research institutions or private companies) this user is affiliated with. The syntax and semantics follow the eduPersonScopedAffiliation attribute. The following values are recommended for use to the left of the “@” sign: Faculty The person is a researcher or teacher in their home organisation. The exact interpretation is left to the home organisation, but the intention is that the primary focus of the person in their home organisation is in research and/or education. Note. This attribute value is for users in the academic sector Industry-researcher The person is a researcher or teacher in their home organisation. The exact interpretation is left to the home organisation, but the intention is that the primary focus of the person in their home organisation is in research and/or education. Note. This attribute value is for users in the private sector. Member The member is intended to include faculty, industry-researcher, staff, student and other persons with a full set of basic privileges that go with membership in the home organisation, as defined in eduPerson. In contrast to faculty, among other things, this covers positions with managerial and service focus, such as service management or IT support. Affiliate The affiliate value indicates that the holder has some definable affiliation to the home organisation NOT captured by any of faculty, industry-researcher, staff, student and/or member. If a person has faculty or industry-researcher affiliation with a certain organisation, they have also the member affiliation. However, that does not apply in a reverse order. Furthermore, those persons who do not qualify as member have an affiliation of affiliate.
SAML Attribute(s)	urn:oid:1.3.6.1.4.1.25178.4.1.11 (voPesonExternalAffiliation)
OIDC claim(s)	voperson_external_affiliation
OIDC claim location	The claim is available in: ☐ ID token ☑ Userinfo endpoint ☐ Introspection endpoint
OIDC scope	voperson_external_affiliation
Origin	Provided by the Identity Provider of the user
Changes	Yes
Multiplicity	Multi-valued
Availability	Optional
Example	faculty@helsinki.fi industry-researcher@zeiss.com member@ebi.ac.uk
Notes	The Connected Services are not supposed to do SAML scope checks on this attribute.

Affiliation with Research Communities

Groups

Name	Groups
Description	The groups this user is a member of in their collaboration [AARC-G002].
SAML Attribute(s)	urn:oid:1.3.6.1.4.1.5923.1.1.1.7 (eduPersonEntitlement)
OIDC claim(s)	eduperson_entitlement
OIDC claim location	The claim is available in: ☐ ID token ☑ Userinfo endpoint ☐ Introspection endpoint
OIDC scope	eduperson_entitlement
Origin	Provided by the Identity Provider of the user
Changes	Yes
Multiplicity	Multi-valued
Availability	Optional
Example	urn:geant:eduteams.org:service:eduteams:group:eduTEAMS#eduteams.org urn:geant:eduteams.org:service:eduteams:group:Hollywood#eduteams.org urn:geant:eduteams.org:service:eduteams:group:Hollywood:writers#eduteams.org urn:geant:eduteams.org:service:eduteams:group:Hollywood:writers:movies#eduteams.org This is an example of a user registered in eduTEAMS, who is member of the Hollywood VO and is in the writers group and the movies movies subgroup within the writers group.
Notes

Page tree

Attributes available to Connected Services