Note

This document describes the SAML attributes and OIDC claims that are available to relying parties  connected to MyAcademicID.

  • Attributes - claims marked as Mandatory  always  have values
  • Attributes - claims marked as Optional have values under certain circumstances. For example, some attributes - claims can be available only if the respective attributes - claims are released by the home Identity Provider of the user.
  • Attributes - claims and values marked as Experimental might change or removed in the future, so relying parties should not rely on them, but use them only for experimental purposes.

List of Attributes - Claims

Community User Identifier

NameCommunity User Identifier
Description

User’s Community Identifier is an opaque and non-revocable identifier (i.e. it cannot change over time) that follows the syntax of eduPersonUniqueId  attribute of eduPerson.

It consists of “uniqueID” part and fixed scope “erasmus.eduteams.org”, separated by at sign. The uniqueID part contains up to 64 hexadecimal digits (a-f, 0-9)

SAML Attribute(s)

- urn:1.3.6.1.4.1.25178.4.1.6 (voPersonID)

- 1.3.6.1.4.1.5923.1.1.1.13 (eduPersonUniqueId)

- urn:oasis:names:tc:SAML:attribute:subject-id

OIDC claim(s)

- sub (public)

- voperson_id

OIDC claim locationThe claim is available in:

ID token
Userinfo endpoint
 Introspection endpoint
OIDC scopeopenid, aarc, voperson_id
OriginMyAcademicID assigns this attribute to a user when they register on the Service
ChangesNo
MultiplicitySingle-valued
AvailabilityMandatory
Example

28c5353b8bb34984a8bd4169ba94c606@erasmus.eduteams.org

28c5353b8bb34984a8bd4169ba94c606@myacademicid.org

Notes

eduPerson defines the comparison rule caseIgnoreMatch for eduPersonUniqueID. 

Relying services are encouraged to validate the scope of this attribute against the values permitted for MyAcademicID. MyAcademicID makes exclusive use of scopes eramus.eduteams.org and myacademicid.org. 

The identifiers and usernames "test@erasmus.eduteams.org" and “test@myacademicid.org” are test accounts reserved for testing and monitoring the proper functioning of the MyAcademicID Login. The Relying parties should not authorize it to access any valuable resources.

Display Name

NameDisplay Name
Description

User’s name (firstname lastname).

SAML Attribute(s)

urn:oid:2.16.840.1.113730.3.1.241 (displayName)

OIDC claim(s)name
OIDC claim locationThe claim is available in:

 ID token
Userinfo endpoint
Introspection endpoint
OIDC scopeprofile
OriginProvided by the Identity Provider of the user.
ChangesYes
MultiplicitySingle-valued
AvailabilityMandatory
ExampleJack Dougherty
Notes


Given Name

NameGiven Name
Description

Name strings that are the part of a person's name that is not their surname (see RFC4519).

SAML Attribute(s)

urn:oid:2.5.4.42 (givenName)

OIDC claim(s)given_name
OIDC claim locationThe claim is available in:

 ID token
Userinfo endpoint
Introspection endpoint
OIDC scopeprofile
OriginProvided by the Identity Provider of the user.
ChangesYes
Multiplicity

Single-valued

AvailabilityMandatory
ExampleJack
Notes

In the specification of urn:oid:2.5.4.42 it is stated that the attribute supports multiple values, but the OIDC claim support only a single value. MyAcademicID will release a single value to both SAML and OIDC relying parties

Family Name

NameFamily Name
Description

Name strings that are a person's surname (see RFC4519).

SAML Attribute(s)

urn:oid:2.5.4.4 (surname)

OIDC claim(s)family_name
OIDC claim locationThe claim is available in:

 ID token
Userinfo endpoint
Introspection endpoint
OIDC scopeprofile
OriginProvided by the Identity Provider of the user.
ChangesYes
Multiplicity

Single-valued

AvailabilityMandatory
ExampleDougherty
Notes

In the specification of urn:oid:2.5.4.4 it is stated that the attribute supports multiple values, but the OIDC claim support only a single value. MyAcademicID will release a single value to both SAML and OIDC relying parties

Email address

NameEmail address
Description

Email address of the user.

SAML Attribute(s)

urn:oid:0.9.2342.19200300.100.1.3 (email)

OIDC claim(s)email
OIDC claim locationThe claim is available in:

 ID token
Userinfo endpoint
Introspection endpoint
OIDC scopeemail
Origin

Provided by the Identity Provider of the user or if that is not available the user will have to provided. User's can change the email address.

When a user manually provides their email or changes the value of their email, they to verify their e-mail address before they are registered on MyAcademicID

ChangesYes
Multiplicity

Single-valued

AvailabilityMandatory
Examplejack.dougherty@example.com
Notes


Affiliation within Home Organization

NameAffiliation within Home Organization
Description

One or more home organisations (such as, universities, research institutions or private companies) this user is affiliated with. The syntax and semantics follows eduPersonScopedAffiliation attribute.

Following values are recommended for use to the left of the “@” sign:

  • Faculty

    The person is a researcher or teacher in their home organisation. 

    The exact interpretation is left to the home organization, but the intention is that the primary focus of the person in their home organisation is in research and/or education. 

    Note. This attribute value is for users in the academic sector

  • Industry-researcher

    The person is a researcher or teacher in their home organisation. 

    The exact interpretation is left to the home organisation, but the intention is that the primary focus of the person in their home organisation is in research and/or education. 

    Note. This attribute value is for users in the private sector.

  • Member

    Member is intended to include faculty, industry-researcher, staff, student and other persons with a full set of basic privileges that go with membership in the home organisation, as defined in eduPerson. 

    In contrast to faculty, among other things, this covers positions with managerial and service focus, such as service management or IT support.

  • Affiliate

    The affiliate value indicates that the holder has some definable affiliation to the home organisation NOT captured by any of faculty, industry-researcher, staff, student and/or member.

If a person has faculty or industry-researcher affiliation with a certain organisation, they have also the member affiliation. However, that does not apply in a reverse order. Furthermore, those persons who do not qualify to member have an affiliation of affiliate.

SAML Attribute(s)

urn:oid:1.3.6.1.4.1.25178.4.1.11 (voPesonExternalAffiliation)

OIDC claim(s)voperson_external_affiliation
OIDC claim locationThe claim is available in:

 ID token
Userinfo endpoint
☐ Introspection endpoint
OIDC scopevoperson_external_affiliation
Origin

To become a holder of the faculty, industry-researcher or member attribute values in MyAcademicID the user must have either 

  • Performed federated login to MyAcademicID using their home organisation’s credentials, during which the home organisation releases the related eduPersonAffiliation or eduPersonScopedAffiliation attribute, or 
  • Be assigned that value manually in MyAcademicID by a dedicated person in their home organisation 

To become a holder of the affiliate value, the user must either 

  • Use either of the two alternatives above, or
  • Demonstrate they control an e-mail address that belongs to the home organisation
ChangesYes
Multiplicity

Multi-valued

AvailabilityOptional
Examplefaculty@helsinki.fi
industry-researcher@zeiss.com
member@ebi.ac.uk
Notes

The freshness of the attribute values is managed by asking users to refresh the value every 12 months using the procedure described above.

MyAcademicID asserts attribute values with different scopes. The Relying services are not supposed to do SAML scope check to this attribute.

Entitlements

NameEntitlement
Description

This attribute describes the entitlements of this user:

EWP Admin: The entitlement value has the following format: urn:geant:myacademicid.org:ewp:<sHO>:admin where <sHO> is the schacHomeOrganization value of they Higher Education Institution

SAML Attribute(s)

urn:oid:1.3.6.1.4.1.5923.1.1.1.7 (eduPersonEntitlement)

OIDC claim(s)

entitlement

eduperson_entitlement

OIDC claim locationThe claim is available in:

 ID token
Userinfo endpoint
☐ Introspection endpoint
OIDC scope

entitlement

eduperson_entitlement

OriginEntitlements are based either on VO and group membership in MyAcademicID or derived from entitlements provided by the user's Identity Provider.
ChangesYes
Multiplicity

Multi-valued

AvailabilityOptional
Example

geant:myacademicid.org:ewp:geant.org:admin This is an example of user registered in MyAcademidID and who is an EWP Admin for geant.org

Notes

Organization

NameOrganization
DescriptionThis attribute describes the organization of this user.
SAML Attribute(s)urn:oid:1.3.6.1.4.1.25178.1.2.9 (schacHomeOrganization)
OIDC claim(s)schac_home_organization
OIDC claim locationThe claim is available in:

 ID token
Userinfo endpoint
☐ Introspection endpoint
OIDC scopeschac_home_organization
OriginProvided by the user's Identity Provider.
ChangesYes
Multiplicity

Single-valued

AvailabilityOptional
Example

geant.org

Notes

European Student Identifier

NameESI
DescriptionThe European Student Identifier of the user (see European Student Identifier)
SAML Attribute(s)urn:oid:1.3.6.1.4.1.25178.1.2.14 (schacPersonalUniqueCode)
OIDC claim(s)schac_personal_unique_code
OIDC claim locationThe claim is available in:

 ID token
Userinfo endpoint
☐ Introspection endpoint
OIDC scopeschac_personal_unique_code
OriginProvided by the user's Identity Provider.
ChangesYes
Multiplicity

Multi-valued

AvailabilityOptional
Example

urn:schac:personalUniqueCode:int:esi:HR:xxxxxxxxxx

urn:schac:personalUniqueCode:int:esi:example.edu:xxxxxxxxxx

Notes

Assurance

Name

Assurance

Description

Assurance of the identity of the user, following REFEDS Assurance Framework (RAF).

Following RAF values are qualified and automatically set for all MyAcademic identities:

  • https://refeds
  • https://refeds/ID/unique
  • https://refeds/ID/eppn-unique-no-reassign
  • https://refeds/IAP/low

Following RAF values are set if the currently used authentication provider asserts (or otherwise qualifies to) them:

  • https://refeds/IAP/medium
  • https://refeds/IAP/high

Following compound profiles are asserted if the user qualifies to them - Experimental

  • https://refeds/profile/cappuccino
  • https://refeds/profile/espresso

Assurange of the identify of the user, following AARC-G021 - Experimental

Users logging-in via non-institutional Identity Providers (e.g. Google, ORCID) will have the following assurance value:

  • https://aarc-project.eu/policy/authn-assurance/assam

Assurange of the identify of the user, MyAcademicID specific - Experimental

Users logging-in via non-institutional Identity Providers (e.g. Google) will have the following assurance values:

  • https://eduteams.org/assurance/IDP/rs-sirtfi

  • http://refeds.org/category/research-and-scholarship

  • https://refeds.org/sirtfi

SAML Attribute(s)

urn:oid:1.3.6.1.4.1.5923.1.1.1.11 (eduPersonAssurance)

OIDC claim(s)eduperson_assurance
OIDC claim locationThe claim is available in:

 ID token
Userinfo endpoint
☐ Introspection endpoint
OIDC scopeeduperson_assurance
Origin

MyAcademicID is the origin for values it has set (see description).

The current authentication provider is the origin for the values it asserts (or otherwise qualifies to).

ChangesYes
Multiplicity

Multi-valued

AvailabilityMandatory
Example
  • https://refeds
  • https://refeds/ID/unique
  • https://refeds/ID/eppn-unique-no-reassign
  • https://refeds/IAP/low
  • https://refeds$/ATP/ePA-1m
  • https://refeds/ATP/ePA-1d
NotesThis attribute defines just the identity assurance. Authentication assurance is described using authentication contexts (SAML authentication context or OIDC acr claim).
  • No labels