...
| Info |
|---|
This is a set of entity categories in use by SWAMID. Entity categories for SAML is defined by REFEDS in the RFC8409 specification. |
| Table of Contents | ||
|---|---|---|
|
For an example on how to consume and process this information in an Identity Provider look at the page Example of a standard attribute filter for Shibboleth IdP v3.4.0 and above. ADFS Toolkit support the use of entity categories.
...
| Anonymous Access | Pseudonymous Access | Personalized Access | Research and Scholarship (R&S) | |
|---|---|---|---|---|
| Organisation | eduPersonScopedAffiliation schacHomeOrganization | eduPersonScopedAffiliation schacHomeOrganization | eduPersonScopedAffiliation schacHomeOrganization | eduPersonScopedAffiliation (optional) |
| User identifier | samlPairwiseID | samlSubjectID | eduPersonPrincipalName (if non-reassigned) eduPersonPrincipalName + eduPersonTargetedID (not used within SWAMID) | |
| Assurance | eduPersonAssurance | eduPersonAssurance | eduPersonAssurance (only within SWAMID) | |
| Person name | displayName givenName sn | displayName or givenName + sn | ||
| Email address |
...
Expected attribute release from an Identity Provider
| Attribute(s) | SAML2 Attribute Identifier | Comment |
|---|---|---|
| eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | |
| schacHomeOrganization | urn:oid:1.3.6.1.4.1.25178.1.2.9 |
Process for applying for tagging a service with entity category REFEDS Anonymous Access Entity Category
...
Expected attribute release from an Identity Provider
| Attribute(s) | SAML2 Attribute Identifier | Comment |
|---|---|---|
| samlPairwiseID | urn:oasis:names:tc:SAML:attribute:pairwise-id | |
| eduPersonAssurance | urn:oid:1.3.6.1.4.1.5923.1.1.1.11 | |
| eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | |
| schacHomeOrganization | urn:oid:1.3.6.1.4.1.25178.1.2.9 |
Process for applying for tagging a service with entity category REFEDS Pseudonymous Access Entity Category
...
Expected attribute release from an Identity Provider
| Attribute(s) | SAML2 Attribute Identifier | Comment |
|---|---|---|
| samlSubjectID | urn:oasis:names:tc:SAML:attribute:subject-id | |
| urn:oid:0.9.2342.19200300.100.1.3 | Can be more than one address released but Identity Providers are recommended to release only one. | |
| displayName | urn:oid:2.16.840.1.113730.3.1.241 | |
| givenName | urn:oid:2.5.4.42 | |
| sn | urn:oid:2.5.4.4 | |
| eduPersonAssurance | urn:oid:1.3.6.1.4.1.5923.1.1.1.11 | |
| eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | |
| schacHomeOrganization | urn:oid:1.3.6.1.4.1.25178.1.2.9 |
Process for applying for tagging a service with entity category REFEDS Personalized Access Entity Category
...
Expected attribute release from an Identity Provider
| Attribute(s) | SAML2 Attribute Identifier | Comment |
|---|---|---|
| eduPersonTargetedID | urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | Should only be released by the Identity Provider if eduPersonPrincipalName is re-assignable to another user. Within SWAMID reassignment of the eduPersonPrincipalName is not allowed and therefore this attribute will not be released from Identity Providers within SWAMID. |
| eduPersonPrincipalName | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | |
| urn:oid:0.9.2342.19200300.100.1.3 | Can be more than one address released but Identity Providers are recommended to release only one. | |
| displayName and/or givenName and sn | urn:oid:2.16.840.1.113730.3.1.241 | A user's name can be released in different ways and it's expected that the Service Provider can handle this. |
| eduPersonAssurance | urn:oid:1.3.6.1.4.1.5923.1.1.1.11 | Local addon within SWAMID. Services shall only expect this attribute to be available from Identity Providers within SWAMID. |
| eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 |
Process for applying for tagging a service with entity category REFEDS Research and Scholarship
...
Expected attribute availability from an Identity Provider for attributes required by indication in metadata
| Attribute(s) | SAML2 Attribute Identifier | Comment |
|---|---|---|
| samlPairwiseID | urn:oasis:names:tc:SAML:attribute:pairwise-id | |
| eduPersonTargetedID | urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | This attribute is deprecated! |
| samlSubjectID | urn:oasis:names:tc:SAML:attribute:subject-id | |
| eduPersonPrincipalName | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | |
| eduPersonOrcid | urn:oid:1.3.6.1.4.1.5923.1.1.1.16 | |
| norEduPersonNIN | urn:oid:1.3.6.1.4.1.2428.90.1.5 | This attribute is for students systems that needs to be synchronised with the the student documentations system directly or indirectly. Within SWAMID norEduPersonNIN can besides Swedish Personal Numbers and Swedish Co-ordination Numbers also contain Interim Personal Numbers from the student documentation system Ladok and the Swedish national study enrolment system. SWAMID Identity Providers only release this attribute to services registered in SWAMID. |
| personalIdentityNumber | urn:oid:1.2.752.29.4.13 | Within SWAMID personalIdentityNumber only contain Swedish Personal Numbers or Swedish Co-ordination Numbers. SWAMID Identity Providers only release this attribute to services registered in SWAMID. |
| schacDateOfBirth | urn:oid:1.3.6.1.4.1.25178.1.2.3 | |
| displayName | urn:oid:2.16.840.1.113730.3.1.241 | |
| givenName | urn:oid:2.5.4.42 | |
| sn (aka surname) | urn:oid:2.5.4.4 | |
| norEduPersonLegalName | urn:oid:1.3.6.1.4.1.2428.90.1.10 | The full legal name from the population registry or from official travel documents defined in ICAO 9306, i.e. passports and European national identity cards. |
| cn (aka commonName) | urn:oid:2.5.4.3 | Due to that cn is use for different things in different identity management systems it's highly recommended to use the attribute displayName instead. |
| urn:oid:0.9.2342.19200300.100.1.3 | Can be more than one address released but Identity Providers are recommended to release only one. | |
| mailLocalAddress | urn:oid:2.16.840.1.113730.3.1.13 |
| For services that need to get all active mail aliases |
| for the user. For example to process mail invite flows correctly when the given mail address is not the primary for the user. mailLocalAddress is used as a multi-valued attribute with all active mail alises for the user. | ||
| eduPersonAssurance | urn:oid:1.3.6.1.4.1.5923.1.1.1.11 | Services shall only expect this attribute to be available from Identity Providers within SWAMID. |
| eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | |
| eduPersonAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.1 | Due to eduPersonAffiliations non domain scoped nature it's highly recommended to use the attribute eduPersonScopedAffiliation instead. |
| o (aka organizationName) | urn:oid:2.5.4.10 | This attribute is also be available as an metadata attribute. |
| norEduOrgAcronym | urn:oid:1.3.6.1.4.1.2428.90.1.6 | |
| c (aka countryName) | urn:oid:2.5.4.6 | |
| co (aka friendlyCountryName) | urn:oid:0.9.2342.19200300.100.1.43 | |
| schacHomeOrganization | urn:oid:1.3.6.1.4.1.25178.1.2.9 | |
| schacHomeOrganizationType | urn:oid:1.3.6.1.4.1.25178.1.2.10 |
Multivalued attributes that have different values for different services shall not be requested via metadata, examples of such attributes are eduPersonEntitlement, norEduPersonLIN and schacPersonalUniqueCode. The reason for this is that an Identity Provider may unintensional release sensitive information to services that are not eligable for these values. SWAMID recommends member Identity Providers to not release this type of attributes based on reqeusted attributes in metadata.
...
Expected attribute availability from an Identity Provider for attributes required by indication in metadata
| Attribute(s) | SAML2 Attribute Identifier | Comment |
|---|---|---|
| samlPairwiseID | urn:oasis:names:tc:SAML:attribute:pairwise-id | |
| eduPersonTargetedID | urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | This attribute is deprecated! |
| samlSubjectID | urn:oasis:names:tc:SAML:attribute:subject-id | |
| eduPersonPrincipalName | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | |
| eduPersonOrcid | urn:oid:1.3.6.1.4.1.5923.1.1.1.16 | |
| norEduPersonNIN | urn:oid:1.3.6.1.4.1.2428.90.1.5 | This attribute is for students systems that needs to be synchronised with the the student documentations system directly or indirectly. Within SWAMID norEduPersonNIN can besides Swedish Personal Numbers and Swedish Co-ordination Numbers also contain Interim Personal Numbers from the student documentation system Ladok and the Swedish national study enrolment system. SWAMID Identity Providers only release this attribute to services registered in SWAMID. |
| personalIdentityNumber | urn:oid:1.2.752.29.4.13 | Within SWAMID personalIdentityNumber only contain Swedish Personal Numbers or Swedish Co-ordination Numbers. SWAMID Identity Providers only release this attribute to services registered in SWAMID. |
| schacDateOfBirth | urn:oid:1.3.6.1.4.1.25178.1.2.3 | |
| displayName | urn:oid:2.16.840.1.113730.3.1.241 | |
| givenName | urn:oid:2.5.4.42 | |
| sn (aka surname) | urn:oid:2.5.4.4 | |
| norEduPersonLegalName | urn:oid:1.3.6.1.4.1.2428.90.1.10 | The full legal name from the population registry or from official travel documents defined in ICAO 9306, i.e. passports and European national identity cards. |
| cn (aka commonName) | urn:oid:2.5.4.3 | Due to that cn is use for different things in different identity management systems it's highly recommended to use the attribute displayName instead. |
| urn:oid:0.9.2342.19200300.100.1.3 | Can be more than one address released but Identity Providers are recommended to release only one. | |
| mailLocalAddress | urn:oid:2.16.840.1.113730.3.1.13 |
| For services that need to get all active mail aliases |
| for the user. For example to process mail invite flows correctly when the given mail address is not the primary for the user. mailLocalAddress is used as a multi-valued attribute with all active mail alises for the user. | ||
| eduPersonAssurance | urn:oid:1.3.6.1.4.1.5923.1.1.1.11 | Services shall only expect this attribute to be available from Identity Providers within SWAMID. |
| eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | |
| eduPersonAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.1 | Due to eduPersonAffiliations non domain scoped nature it's highly recommended to use the attribute eduPersonScopedAffiliation instead. |
| o (aka organizationName) | urn:oid:2.5.4.10 | This attribute is also be available as an metadata attribute. |
| norEduOrgAcronym | urn:oid:1.3.6.1.4.1.2428.90.1.6 | |
| c (aka countryName) | urn:oid:2.5.4.6 | |
| co (aka friendlyCountryName) | urn:oid:0.9.2342.19200300.100.1.43 | |
| schacHomeOrganization | urn:oid:1.3.6.1.4.1.25178.1.2.9 | |
| schacHomeOrganizationType | urn:oid:1.3.6.1.4.1.25178.1.2.10 |
Multivalued attributes that have different values for different services shall not be requested via metadata, examples of such attributes are eduPersonEntitlement, norEduPersonLIN and schacPersonalUniqueCode. The reason for this is that an Identity Provider may unintensional release sensitive information to services that are not eligable for these values. SWAMID recommends member Identity Providers to not release this type of attributes based on reqeusted attributes in metadata.
...
Expected attribute release from an Identity Provider
| Attribute(s) | SAML2 Attribute Identifier | Comment |
|---|---|---|
| schacPersonalUniqueCode | urn:oid:1.3.6.1.4.1.25178.1.2.14 | This attribute is a multi-valued attribute but the expected behaviour is that the Identity Provider only releases the ESI value |
| to the service if no other values are released by bilateral agreement. |
Process for applying for tagging a service with entity category European Student Identifier Entity Category
...