There are no mandatory attributes in SWAMID. Instead attributes are set on a case-by-case basis from the following schemas:

The most common attributes in use today are listed below. SWAMID provides several mechanisms for making attribute release scalable, including entity categories. Please note that the correctness of released attributes depends on the user's level of assurance.

Apart from the attributes listed below, IdPs are often able to produce other attributes; contact SWAMID Operations and/or the IdP administrator. Note that custom attributes are often a significant obstacle to large-scale deployment.

Identity Provider administrators are encouraged to review the SAML IdP Best Current Practice, in particular section 4.1 Entity Categories for Service Providers, and to use entity categories when releasing attributes. These recommendations include several provisions for increased interoperability around attributes.

Names

Applications are not consistent in which attribute they use for names, so an IdP should release either all of these attributes or none of them, as the case may be.

Contact information

Identifiers

EU data protection makes no distinction between eptid and eppn: because eptid is traceable through the IdP, it still constitutes PII. The choice between eptid and eppn is mainly a question of risk management. Note that eptid is not strictly an attribute as such; it is usually represented as the SAML persistent NameID.

Level of Assurance

SWAMID has three defined levels of assurance: SWAMID AL1 (http://www.swamid.se/policy/assurance/al1), SWAMID AL2 (http://www.swamid.se/policy/assurance/al2) and SWAMID AL3 (http://www.swamid.se/policy/assurance/al3).

All SWAMID-approved assurance levels for an Identity Provider are published in its SAML metadata as the entity attribute urn:oasis:names:tc:SAML:attribute:assurance-certification. The Identity Provider uses the attribute eduPersonAssurance to state the logged-in user's assurance level. Assurance levels are cumulative: if a user is approved for SWAMID AL2, the Identity Provider signals both SWAMID AL1 and SWAMID AL2. Please observe that an Identity Provider shall not indicate any assurance level it is not approved for. Please also note that SWAMID AL3 shall be signalled for a user only if the user is approved for SWAMID AL3 and has logged in with multi-factor authentication; otherwise only SWAMID AL1 and SWAMID AL2 shall be signalled.

A member organisation can be approved by SWAMID to assert users at

A claim at SWAMID Identity Assurance Level 1 (SWAMID AL1) implies roughly the following:

A claim at SWAMID Identity Assurance Level 2 (SWAMID AL2) implies roughly the following:

A claim at SWAMID Identity Assurance Level 3 (SWAMID AL3) implies roughly the following:
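As an added example (not code from the SWAMID page or from any IdP product), the following Python implements the signalling rules above: read the assurance-certification entity attribute from an IdP's metadata, then compute the eduPersonAssurance values to release for a login given the user's approved level and whether MFA was used. The metadata fragment and the entityID in it are constructed for the example; the element names and namespaces are the standard SAML metadata ones.

```python
"""eduPersonAssurance value selection for SWAMID AL1/AL2/AL3 (added example)."""
import xml.etree.ElementTree as ET

AL1 = "http://www.swamid.se/policy/assurance/al1"
AL2 = "http://www.swamid.se/policy/assurance/al2"
AL3 = "http://www.swamid.se/policy/assurance/al3"
LEVEL_ORDER = [AL1, AL2, AL3]  # lowest to highest; a level implies all lower ones

ASSURANCE_CERTIFICATION = "urn:oasis:names:tc:SAML:attribute:assurance-certification"

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed metadata for a hypothetical IdP approved for AL1 and AL2 only.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://idp.example.edu/idp/shibboleth">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification"
                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>http://www.swamid.se/policy/assurance/al1</saml:AttributeValue>
        <saml:AttributeValue>http://www.swamid.se/policy/assurance/al2</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
</md:EntityDescriptor>"""


def approved_levels(metadata_xml: str) -> set[str]:
    """Return the assurance-certification values published for the IdP."""
    root = ET.fromstring(metadata_xml)
    levels = set()
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in root.findall(path, NS):
        if attr.get("Name") == ASSURANCE_CERTIFICATION:
            for value in attr.findall("saml:AttributeValue", NS):
                levels.add((value.text or "").strip())
    return levels


def assurance_values(idp_approved: set[str], user_level: str, mfa_used: bool) -> list[str]:
    """Compute the eduPersonAssurance values to release for one login.

    Rules implemented:
      * levels are cumulative (AL2 => AL1 + AL2, AL3 => AL1 + AL2 + AL3);
      * AL3 is signalled only when the user is approved for AL3 AND used MFA,
        otherwise the login is downgraded to AL1 + AL2;
      * nothing the IdP is not approved for in metadata is ever signalled.
    """
    if user_level not in LEVEL_ORDER:
        raise ValueError(f"unknown assurance level: {user_level}")
    wanted = LEVEL_ORDER[: LEVEL_ORDER.index(user_level) + 1]
    if AL3 in wanted and not mfa_used:
        wanted = [AL1, AL2]
    # Never claim a level the federation has not approved this IdP for.
    return [level for level in wanted if level in idp_approved]


if __name__ == "__main__":
    approved = approved_levels(SAMPLE_METADATA)
    print("IdP approved for:", sorted(approved))
    print("AL2 user, password only:", assurance_values(approved, AL2, False))
    print("AL3 user, MFA, but IdP only AL1/AL2:", assurance_values(approved, AL3, True))
```

The last line of the demo shows the failure mode worth checking in a real deployment: an IdP whose metadata lacks the AL3 certification must not emit the AL3 value even for a user who is locally approved for it and used MFA.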

Affiliation

See Rätt semantik för eduPersonScopedAffiliation and the eduPerson schema for details about the contents of these attributes.

Roles, Groups and Entitlement

This multi-valued attribute contains a list of URI identifiers (both URNs and URLs are commonly used) indicating that the user in question has the entitlement described by each value. Note that this attribute is often generated per SP, so two SPs will often see different lists of entitlements (although there is no requirement that this be the case). Entitlement values need to be defined in some way and may require implementation on the IdP.

Organisational (non-personal information)

See Rekommenderad release av statisk organisationsinformation for information about how to configure an IdP for these static attributes.

Swedish Personal Information

Swedish National Identity Numbers are considered sensitive information and are normally not released except to certain government agencies.

See Svenska personnummer och norEduPersonNIN for information about how to configure an IdP for norEduPersonNIN.

Date of birth is used together with name, for a user who does not have a Swedish National Identity Number or for services outside Sweden, to perform a risk-based identity match.