NFDI AAI Attributes
Attributes describe the user and are meant to be used for the authorisation decision. Different sets of attributes are available at different layers of the infrastructure. This is to be expected: for example, services connected to eduGAIN cannot see the attributes that are managed in the Community AAI.
More generally speaking, the set of attributes coming from “Home-IdPs” in eduGAIN differs from the one that is passed on by the Community AAIs. The set of attributes available from the Infrastructure Proxy will be very similar to that of the Community AAIs.
We make use of standardised attribute sets, both for the attributes the Community AAIs expect from the Home-IdPs and for those that the Community AAIs send to the underlying services.
Note
This page is intended for easily accessible documentation purposes. It should be in sync with the Infrastructure Attribute Profiles (IAP). The IAP has precedence over this webpage.
Attributes available from the Community AAIs
These attributes are available to services connected below any Community AAI, i.e. to services connected directly to a Community AAI or to the Infrastructure Proxy.
We use the “Core Attribute Profile” and the “Extended Attribute Profile” as defined within the EOSC AAI, which is based on the AARC recommendations.
Core Attribute Profile
Attributes listed here are mandatory.
The table uses this convention:
- Bold entries in the table are the preferred and encouraged attributes.
- Normal (non-bold) entries are possible alternatives to the bold entries.
- Whenever multiple options for an attribute are available, content may be sent either in one of them or in multiple attributes.
- Receiving ends should prefer the bold ones and may use the normal ones.
Identity Attribute Type | SAML Attribute | OpenID Connect Claim | Comments |
---|---|---|---|
Non-reassignable, persistent, unique user identifier | Any of the following: voPersonID [voPerson-2.0], eduPersonUniqueId [eduPerson], subject-id [SAML-SubjectID-v1.0], pairwise-id [SAML-SubjectID-v1.0], SAML Persistent NameID [SAML2Core] | Any of the following: voperson_id [voPerson-2.0], eduperson_unique_id [eduPerson], sub (public) + iss [OIDC-Core], sub (pairwise) + iss [OIDC-Core] | Created by the Community AAI |
Name information | displayName | name [OIDC-Core] | E.g. John Doe |
Email information | Any of: voPersonVerifiedEmail [voPerson-2.0] | Any of: email [OIDC-Core], email_verified [OIDC-Core], voperson_verified_email [voPerson-2.0] | There is currently no way of indicating a preferred email address (e.g. when multiple email addresses are sent). One workaround is to treat the first entry of the list as the user's preferred email address. This MAY NOT work in all circumstances! |
Home organisation information | schacHomeOrganization [SCHAC-1.5] | Either of: org_domain + org_name, schac_home_organization | The domain name of the user's Home-Org. |
Affiliation within the community | eduPersonScopedAffiliation [eduPerson] | eduperson_scoped_affiliation [eduPerson] | A controlled vocabulary will be provided by NFDI-AAI (following EOSC/AARC conventions) |
Affiliation at the Home-Org. | voPersonExternalAffiliation [voPerson-2.0] | voperson_external_affiliation [voPerson-2.0] | The Home-Org. affiliation is passed on “as is” in this attribute |
Assurance | eduPersonAssurance [eduPerson] | **eduperson_assurance [eduPerson]** | As defined in [RAF], and detailed here. |
Extended Attribute Profile
Attributes listed here are optional.
Identity Attribute Type | SAML Attribute | OpenID Connect Claim | Comment |
---|---|---|---|
Groups and roles | eduPersonEntitlement [AARC-G002] | One of the following: eduperson_entitlement [AARC-G002], entitlements [RFC9068, AARC-G069] | urn:geant:dfn.de:nfdi.de:group:example#authority.host.de (indicates a group membership). Note: the authority part is optional; still, in NFDI-AAI we want to use it. A registry is operated at https://www.nfdi.de/persistent-identifiers. |
Capabilities | eduPersonEntitlement [AARC-G027] | Any of the following: eduperson_entitlement [AARC-G027], entitlements [RFC9068, AARC-G027] | urn:geant:dfn.de:nfdi.de:res:example#authority.host.de (indicates a resource entitlement). A registry is operated at https://www.nfdi.de/persistent-identifiers. |
Agreement to policies | voPersonPolicyAgreement [voPerson-2.0] | voperson_policy_agreement [voPerson-2.0] | Allows services to skip local policy clicking if this has already been done, e.g. at the Community-AAI |
ORCID identifier | eduPersonOrcid [eduPerson] | orcid | |
Preferred email | ? | ? | Unclear if this will be used, since EOSC/AARC directions are unclear at the moment. |
Supplemental Name Information | givenName + sn | given_name + family_name | |
Authentication Profiles | AuthenticationContextClassReference | acr | For indicating whether a 2nd factor was used |
External Identifier | voPersonExternalID | voperson_external_id | An explicitly scoped identifier for a person, typically as issued by an external authentication service. Could be used for ID linking. |
SSH Keys | sshPublicKey | ssh_public_key | A list of SSH public keys |
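The following is an added example (not code from NFDI-AAI or its Community AAI software) of how a service below a Community AAI would consume the OIDC claims described in the Core and Extended tables: it picks the persistent identifier from the allowed alternatives in the order the profile prefers, and parses group (AARC-G002) and resource (AARC-G027) entitlements in the urn:geant:dfn.de:nfdi.de namespace shown above. The claim set, the issuer URL and the second group name are constructed; only the namespace prefix and the authority.host.de value come from the page.

```python
"""Consume NFDI AAI claims (added example, not NFDI-AAI code): pick the persistent
identifier from the allowed alternatives and parse entitlement URNs of the forms
urn:geant:dfn.de:nfdi.de:group:<name>#<authority> and ...:res:<name>#<authority>."""
from dataclasses import dataclass
from typing import Optional

NFDI_PREFIX = "urn:geant:dfn.de:nfdi.de"  # delegated namespace from the page

@dataclass(frozen=True)
class Entitlement:
    kind: str                 # "group" (AARC-G002) or "res" (AARC-G027)
    path: tuple               # components after the kind, e.g. ("example",)
    authority: Optional[str]  # part after '#'; optional, but NFDI-AAI wants it

def user_identifier(claims: dict) -> Optional[str]:
    """Preferred claims first; sub is only unique together with iss."""
    for claim in ("voperson_id", "eduperson_unique_id"):
        if claims.get(claim):
            return claims[claim]
    if claims.get("sub") and claims.get("iss"):
        return f"{claims['sub']}@{claims['iss']}"
    return None

def parse_entitlement(value: str) -> Optional[Entitlement]:
    """Parse one URN; None for entitlements outside the NFDI namespace."""
    urn, sep, authority = value.partition("#")
    if not urn.startswith(NFDI_PREFIX + ":"):
        return None
    parts = urn[len(NFDI_PREFIX) + 1:].split(":")
    if len(parts) < 2 or parts[0] not in ("group", "res") or "" in parts:
        return None
    return Entitlement(parts[0], tuple(parts[1:]), authority if sep else None)

def entitlements(claims: dict) -> list:
    """Collect URNs from both claim names, since content may arrive in either."""
    raw = []
    for claim in ("eduperson_entitlement", "entitlements"):
        value = claims.get(claim, [])
        raw.extend([value] if isinstance(value, str) else value)
    return [e for e in map(parse_entitlement, dict.fromkeys(raw)) if e]

def is_member(claims: dict, group: str) -> bool:
    return any(e.kind == "group" and e.path[0] == group for e in entitlements(claims))

SAMPLE_CLAIMS = {  # constructed sample, not real data
    "sub": "a1b2c3", "iss": "https://login.example-community.org",
    "eduperson_entitlement": ["urn:geant:dfn.de:nfdi.de:group:example#authority.host.de",
                              "urn:mace:dir:entitlement:common-lib-terms"],
    "entitlements": ["urn:geant:dfn.de:nfdi.de:res:example#authority.host.de"],
}
```

Entitlements from other namespaces (such as the urn:mace one in the sample) are ignored rather than rejected, so a service only acts on values whose structure it understands.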
Attributes needed by the Community AAIs
These attributes must be released by the Home-IdPs so that users can reasonably use the services at the Community AAI. Precise requirements may differ between the instances and software products used to implement a Community AAI.
Personalized
https://refeds.org/category/personalized
Identity Attribute Type | SAML Attribute | OpenID Connect Claim |
---|---|---|
Organization | schacHomeOrganization [SCHAC] | schac_home_organization |
User identifier | subject-id [SAMLSubId] | sub (shared) + iss |
Person name | All of: displayName [eduPerson], givenName [eduPerson], sn [eduPerson] | All of: name, given_name, family_name |
Email address | mail [eduPerson] | email [OIDC-Core] |
Affiliation | eduPersonScopedAffiliation [eduPerson] | eduperson_scoped_affiliation |
Assurance | eduPersonAssurance [eduPerson] | One of: eduperson_assurance, asr |
Pseudonymous
https://refeds.org/category/pseudonymous
The REFEDS Pseudonymous profile may be acceptable if the Community AAI provides a means to query the user for a name (displayName, or givenName + sn) and a (verified!) email address.
Identity Attribute Type | SAML Attribute | OpenID Connect Claim |
---|---|---|
Organization | schacHomeOrganization [SCHAC] | schac_home_organization |
Pseudonymous pairwise user identifier | pairwise-id [SAMLSubId] | sub (pairwise) + iss |
Affiliation | eduPersonScopedAffiliation [eduPerson] | eduperson_scoped_affiliation |
Assurance | eduPersonAssurance [eduPerson] | One of: eduperson_assurance, asr |
Anonymous: Not sufficient
The anonymous profile https://refeds.org/category/anonymous does not provide a sufficient set of attributes. For specific combinations of Community-AAI and Community-Service, an exception may technically work. Please consult your Community-AAI contact.
Attributes in different protocols
Attributes can be expressed in different protocols. We maintain a mapping for SAML, OIDC, LDAP and SCIM. The list is available upon request.
Last change: Dec 19, 2024 14:40:40