Note
This document describes the SAML attributes and OIDC claims that are available to relying parties connected to MyAcademicID.
- Attributes/claims marked as Mandatory always have values.
- Attributes/claims marked as Optional have values only under certain circumstances. For example, some attributes/claims are available only if the home Identity Provider of the user releases them.
- Attributes/claims and values marked as Experimental might change or be removed in the future, so relying parties should not depend on them and should use them only for experimental purposes.
List of Attributes - Claims
Community User Identifier
Name | Community User Identifier |
---|---|
Description | The user’s Community Identifier is an opaque and non-revocable identifier (i.e. it cannot change over time) that follows the syntax of the eduPersonUniqueId attribute of eduPerson. It consists of a “uniqueID” part and the fixed scope “erasmus.eduteams.org”, separated by an at sign. The uniqueID part contains up to 64 hexadecimal digits (a-f, 0-9). |
SAML Attribute(s) | urn:oid:1.3.6.1.4.1.25178.4.1.6 (voPersonID); urn:oid:1.3.6.1.4.1.5923.1.1.1.13 (eduPersonUniqueId); urn:oasis:names:tc:SAML:attribute:subject-id |
OIDC claim(s) | sub (public); voperson_id |
OIDC claim location | The claim is available in: ☑ ID token ☑ Userinfo endpoint ☑ Introspection endpoint |
OIDC scope | openid, aarc, voperson_id |
Origin | MyAcademicID assigns this attribute to a user when they register on the Service |
Changes | No |
Multiplicity | Single-valued |
Availability | Mandatory |
Example | 28c5353b8bb34984a8bd4169ba94c606@erasmus.eduteams.org; 28c5353b8bb34984a8bd4169ba94c606@myacademicid.org |
Notes | eduPerson defines the comparison rule caseIgnoreMatch for eduPersonUniqueId. Relying services are encouraged to validate the scope of this attribute against the values permitted for MyAcademicID. MyAcademicID makes exclusive use of the scopes erasmus.eduteams.org and myacademicid.org. The identifiers and usernames "test@erasmus.eduteams.org" and “test@myacademicid.org” are test accounts reserved for testing and monitoring the proper functioning of the MyAcademicID Login. Relying parties should not authorize them to access any valuable resources. |
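The checks the Notes row asks relying services to perform (scope restricted to the two MyAcademicID scopes, case-insensitive comparison per caseIgnoreMatch, rejection of the reserved test accounts, and the up-to-64-hex-digit uniqueID syntax from the Description) can be expressed as a small validator. The code below is an added illustration and not part of MyAcademicID's own software; the function names and the claim-selection order (voperson_id first, then sub) are this example's assumptions.

```python
import re
from typing import Optional, Tuple

# Scopes MyAcademicID uses for the Community User Identifier (from the attribute description).
ALLOWED_SCOPES = {"erasmus.eduteams.org", "myacademicid.org"}
# Reserved monitoring accounts that must never be authorised for valuable resources.
TEST_IDENTIFIERS = {"test@erasmus.eduteams.org", "test@myacademicid.org"}
# The uniqueID part: 1 to 64 hexadecimal digits (compared after lower-casing).
UNIQUE_ID_RE = re.compile(r"[0-9a-f]{1,64}")


def validate_community_identifier(value: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for one Community User Identifier value.

    eduPerson's caseIgnoreMatch rule is applied by lower-casing the value
    before any comparison, so '...@MyAcademicID.org' is treated like
    '...@myacademicid.org'.
    """
    if not isinstance(value, str):
        return False, "not a string"
    normalized = value.strip().lower()
    if normalized.count("@") != 1:
        return False, "identifier must contain exactly one '@'"
    unique_id, scope = normalized.split("@")
    if scope not in ALLOWED_SCOPES:
        return False, f"scope {scope!r} is not a MyAcademicID scope"
    if normalized in TEST_IDENTIFIERS:
        return False, "reserved test account"
    if not UNIQUE_ID_RE.fullmatch(unique_id):
        return False, "uniqueID part is not 1-64 hexadecimal digits"
    return True, "ok"


def community_identifier_from_claims(claims: dict) -> Optional[str]:
    """Pick the identifier out of an OIDC claim set (userinfo or ID token).

    Assumption of this example: prefer the voperson_id claim and fall back
    to sub, since the page lists both as carrying the same identifier.
    """
    for name in ("voperson_id", "sub"):
        candidate = claims.get(name)
        if isinstance(candidate, str) and candidate:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed claim set, not a real userinfo response.
    sample_claims = {"sub": "28c5353b8bb34984a8bd4169ba94c606@myacademicid.org", "name": "Jack Dougherty"}
    ident = community_identifier_from_claims(sample_claims)
    print(ident, validate_community_identifier(ident))
```

The validator returns a reason string rather than raising, so a relying party can log why a login was refused (wrong scope, test account, malformed uniqueID) without exposing the detail to the end user.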
Display Name
Name | Display Name |
---|---|
Description | User’s name (firstname lastname). |
SAML Attribute(s) | urn:oid:2.16.840.1.113730.3.1.241 (displayName) |
OIDC claim(s) | name |
OIDC claim location | The claim is available in: ☐ ID token ☑ Userinfo endpoint ☐ Introspection endpoint |
OIDC scope | profile |
Origin | Provided by the Identity Provider of the user. |
Changes | Yes |
Multiplicity | Single-valued |
Availability | Mandatory |
Example | Jack Dougherty |
Notes |
Given Name
Name | Given Name |
---|---|
Description | Name strings that are the part of a person's name that is not their surname (see RFC4519). |
SAML Attribute(s) | urn:oid:2.5.4.42 (givenName) |
OIDC claim(s) | given_name |
OIDC claim location | The claim is available in: ☐ ID token ☑ Userinfo endpoint ☐ Introspection endpoint |
OIDC scope | profile |
Origin | Provided by the Identity Provider of the user. |
Changes | Yes |
Multiplicity | Single-valued |
Availability | Mandatory |
Example | Jack |
Notes | The specification of urn:oid:2.5.4.42 states that the attribute supports multiple values, but the OIDC claim supports only a single value. MyAcademicID releases a single value to both SAML and OIDC relying parties. |
Family Name
Name | Family Name |
---|---|
Description | Name strings that are a person's surname (see RFC4519). |
SAML Attribute(s) | urn:oid:2.5.4.4 (surname) |
OIDC claim(s) | family_name |
OIDC claim location | The claim is available in: ☐ ID token ☑ Userinfo endpoint ☐ Introspection endpoint |
OIDC scope | profile |
Origin | Provided by the Identity Provider of the user. |
Changes | Yes |
Multiplicity | Single-valued |
Availability | Mandatory |
Example | Dougherty |
Notes | The specification of urn:oid:2.5.4.4 states that the attribute supports multiple values, but the OIDC claim supports only a single value. MyAcademicID releases a single value to both SAML and OIDC relying parties. |
Email address
Name | Email address |
---|---|
Description | Email address of the user. |
SAML Attribute(s) | urn:oid:0.9.2342.19200300.100.1.3 (email) |
OIDC claim(s) | |
OIDC claim location | The claim is available in: ☐ ID token ☑ Userinfo endpoint ☐ Introspection endpoint |
OIDC scope | |
Origin | Provided by the Identity Provider of the user or, if that is not available, entered by the user. Users can change their email address. When a user manually provides or changes their email address, they have to verify it before they are registered on MyAcademicID. |
Changes | Yes |
Multiplicity | Single-valued |
Availability | Mandatory |
Example | jack.dougherty@example.com |
Notes |
Affiliation within Home Organization
Name | Affiliation within Home Organization |
---|---|
Description | One or more home organisations (such as universities, research institutions or private companies) this user is affiliated with. The syntax and semantics follow the eduPersonScopedAffiliation attribute. The following values are recommended for use to the left of the “@” sign:
If a person has a faculty or industry-researcher affiliation with a certain organisation, they also have the member affiliation with it. The reverse does not hold. Persons who do not qualify as member have the affiliation affiliate. |
SAML Attribute(s) | urn:oid:1.3.6.1.4.1.25178.4.1.11 (voPersonExternalAffiliation) |
OIDC claim(s) | voperson_external_affiliation |
OIDC claim location | The claim is available in: ☐ ID token ☑ Userinfo endpoint ☐ Introspection endpoint |
OIDC scope | voperson_external_affiliation |
Origin | To become a holder of the faculty, industry-researcher or member attribute values in MyAcademicID the user must have either
To become a holder of the affiliate value, the user must either
|
Changes | Yes |
Multiplicity | Multi-valued |
Availability | Optional |
Example | faculty@helsinki.fi industry-researcher@zeiss.com member@ebi.ac.uk |
Notes | The freshness of the attribute values is managed by asking users to refresh the value every 12 months using the procedure described above. MyAcademicID asserts attribute values with different scopes, so relying services must not perform a SAML scope check on this attribute. |
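The Description and Notes rows above give a relying party three rules to apply to voperson_external_affiliation: the value syntax is affiliation@organisation, faculty and industry-researcher imply member for the same organisation (but not the reverse), and no SAML scope check may be applied because the scopes vary. The following is an added example, not MyAcademicID code; the function names are this example's own, and it treats the four affiliation words named on the page as the known set.

```python
from typing import Iterable, Set, Tuple

# Affiliation values named on the page. faculty and industry-researcher imply member;
# affiliate is the value for persons who do not qualify as member.
KNOWN_AFFILIATIONS = {"faculty", "industry-researcher", "member", "affiliate"}
IMPLIES_MEMBER = {"faculty", "industry-researcher"}


def parse_scoped_affiliation(value: str) -> Tuple[str, str]:
    """Split 'faculty@helsinki.fi' into ('faculty', 'helsinki.fi').

    Only the syntax is checked; the scope itself is deliberately not
    validated against any list, because the Notes row says MyAcademicID
    asserts values with different scopes.
    """
    affiliation, sep, scope = value.strip().partition("@")
    if not sep or not affiliation or not scope:
        raise ValueError(f"malformed scoped affiliation: {value!r}")
    affiliation = affiliation.lower()
    if affiliation not in KNOWN_AFFILIATIONS:
        raise ValueError(f"unknown affiliation value: {affiliation!r}")
    return affiliation, scope.lower()


def effective_affiliations(values: Iterable[str]) -> Set[Tuple[str, str]]:
    """Expand the multi-valued claim into (affiliation, organisation) pairs.

    faculty/industry-researcher add an implied ('member', organisation) pair;
    member and affiliate imply nothing further. Malformed values are skipped
    rather than fatal because the attribute is Optional.
    """
    result: Set[Tuple[str, str]] = set()
    for raw in values:
        try:
            affiliation, scope = parse_scoped_affiliation(raw)
        except ValueError:
            continue
        result.add((affiliation, scope))
        if affiliation in IMPLIES_MEMBER:
            result.add(("member", scope))
    return result


def is_member_of(values: Iterable[str], organisation: str) -> bool:
    """True if the user is a member (directly or by implication) of the organisation."""
    return ("member", organisation.lower()) in effective_affiliations(values)


if __name__ == "__main__":
    # Constructed claim values, following the Example row of the attribute table.
    claim = ["faculty@helsinki.fi", "industry-researcher@zeiss.com", "member@ebi.ac.uk"]
    for pair in sorted(effective_affiliations(claim)):
        print(pair)
    print(is_member_of(claim, "helsinki.fi"))
```

Authorisation decisions should be made on the expanded pairs, not on the raw strings, so that a check for "member of helsinki.fi" succeeds for a faculty holder exactly as the Description says it should.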
Entitlements
Name | Entitlement |
---|---|
Description | This attribute describes the entitlements of this user: EWP Admin: The entitlement value has the following format: |
SAML Attribute(s) | urn:oid:1.3.6.1.4.1.5923.1.1.1.7 (eduPersonEntitlement) |
OIDC claim(s) | entitlement, eduperson_entitlement |
OIDC claim location | The claim is available in: ☐ ID token ☑ Userinfo endpoint ☐ Introspection endpoint |
OIDC scope | entitlement, eduperson_entitlement |
Origin | Entitlements are based either on VO and group membership in MyAcademicID or derived from entitlements provided by the user's Identity Provider. |
Changes | Yes |
Multiplicity | Multi-valued |
Availability | Optional |
Example | |
Notes |
Organization
Name | Organization |
---|---|
Description | This attribute describes the organization of this user. |
SAML Attribute(s) | urn:oid:1.3.6.1.4.1.25178.1.2.9 (schacHomeOrganization) |
OIDC claim(s) | schac_home_organization |
OIDC claim location | The claim is available in: ☐ ID token ☑ Userinfo endpoint ☐ Introspection endpoint |
OIDC scope | schac_home_organization |
Origin | Provided by the user's Identity Provider. |
Changes | Yes |
Multiplicity | Single-valued |
Availability | Optional |
Example | |
Notes |
European Student Identifier
Name | ESI |
---|---|
Description | The European Student Identifier of the user (see European Student Identifier) |
SAML Attribute(s) | urn:oid:1.3.6.1.4.1.25178.1.2.14 (schacPersonalUniqueCode) |
OIDC claim(s) | schac_personal_unique_code |
OIDC claim location | The claim is available in: ☐ ID token ☑ Userinfo endpoint ☐ Introspection endpoint |
OIDC scope | schac_personal_unique_code |
Origin | Provided by the user's Identity Provider. |
Changes | Yes |
Multiplicity | Multi-valued |
Availability | Optional |
Example | |
Notes |
Assurance
Name | Assurance |
---|---|
Description | Assurance of the identity of the user, following the REFEDS Assurance Framework (RAF). The following RAF values are qualified and automatically set for all MyAcademicID identities:
The following RAF values are set if the currently used authentication provider asserts them (or otherwise qualifies for them):
The following compound profiles are asserted if the user qualifies for them - Experimental
Assurance of the identity of the user, following AARC-G021 - Experimental. Users logging in via non-institutional Identity Providers (e.g. Google, ORCID) will have the following assurance value:
Assurance of the identity of the user, MyAcademicID specific - Experimental. Users logging in via non-institutional Identity Providers (e.g. Google) will have the following assurance values:
|
SAML Attribute(s) | urn:oid:1.3.6.1.4.1.5923.1.1.1.11 (eduPersonAssurance) |
OIDC claim(s) | eduperson_assurance |
OIDC claim location | The claim is available in: ☐ ID token ☑ Userinfo endpoint ☐ Introspection endpoint |
OIDC scope | eduperson_assurance |
Origin | MyAcademicID is the origin of the values it sets itself (see Description). The current authentication provider is the origin of the values it asserts (or otherwise qualifies for). |
Changes | Yes |
Multiplicity | Multi-valued |
Availability | Mandatory |
Example | |
Notes | This attribute describes identity assurance only. Authentication assurance is expressed through authentication contexts (the SAML authentication context or the OIDC acr claim). |