...
| Tip | ||
|---|---|---|
| ||
As a service that meets the requirements for and supports the entity category of Code of Conduct, the service specifically declares the attributes required to use the service. |
| Attribute Type | Attribute | Requirement | Explanation |
|---|---|---|---|
| User Identifier |
| Mandatory. At least one | The services requires to uniquely identify users for authorization purposes. Without some a unique identifier, it is impossible to distinguish two different users between each other. As a service that supports Sirtfi, it is required that it is able to uniquely identify users. |
| |||
| |||
| |||
| |||
| Level of Assurance | eduPersonAssurance | Optional | Access to the resources connected through MyAccessID will be dominantly supported by identites coming from the IdPs from the R&E sector and eduGAIN. Best-fit and natural is to use the Assurance Framework that originated as collaborative work of R&E federations - the REFEDS Assurance suite https://wiki.refeds.org/display/ASS. To insure identifier uniqueness: To insure sufficient identity proofing and credential issuance, renewal, and replacement: Level of Assurance information is planned to become mandatory in 2022 |
Name |
| Mandatory. At least one | MyAccessID and the services connected through MyAccessID expect to receive the name of the user. For example, when a user applies for a new project or for membership membership to an existing project, the managers need to be able to recognise who the applicant is. |
| displayName | |||
| |||
| Mandatory | MyAccessID needs to be able to contact the user regarding the status of their account. In addition, many of the services connected through MyAccessID expect the email of the user in order to be able contact the user about service related matters. | |
| Affiliation |
| Mandatory | Access to many of the resources connected through MyAccessID relies on authorising users based on the affiliation of their members with their home organisation. |
| Organization | schacHomeOrganization | Optional | Access to many of the service connected through MyAccessID relies on authorising users based on their home organisation. |
1 The eduPersonPrincipalName can be used only if one of the following conditions are met: i) the IdP supports the R&S Enitity Category, ii) the eduPersonAssurance attribute is also released and it has a value of https://refeds.org/assurance/ID/eppn-unique-no-reassign, iii) the federation in which the IdP has registered has a policy that prohibits the reassignment of the value of the eduPersonPrincipalName attribute
...
| SAML Attribute Name | SAML Attribute Friendly Name |
|---|---|
urn:oasis:names:tc:SAML:attribute:subject-id | subject-id |
urn:oasis:names:tc:SAML:attribute:pairwise-id | pairwise-id |
urn:oid:0.9.2342.19200300.100.1.3 | |
urn:oid:1.3.6.1.4.1.25178.1.2.9 | schacHomeOrganization |
urn:oid:1.3.6.1.4.1.25178.4.1.6 | voPersonID |
urn:oid:1.3.6.1.4.1.25178.4.1.11 | voPersonExternalAffiliation |
urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | eduPersonPrincipalName |
| eduPersonScopedAffiliation |
urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | eduPersonTargetedID |
urn:oid:1.3.6.1.4.1.5923.1.1.1.11 | eduPersonAssurance |
urn:oid:1.3.6.1.4.1.5923.1.1.1.13 | eduPersonUniqueId |
urn:oid:2.5.4.3 | cn |
urn:oid:2.5.4.4 | surname |
urn:oid:2.5.4.42 | givenName |
OIDC Claim Names
| OIDC Claim | Scope |
|---|---|
| subject-id | profile |
| profile | |
| name | profile |
| given_name | profile |
| family_name | profile |
| voperson_id | aarc |
| eduperson_entitlement | aarc |
eduperson_scoped_affiliation | aarc |
| voperson_external_affiliation | aarc |
| eduperson_assurance | aarc |
| schac_home_organization |