| Tip |
|---|
| title | Research and Scholarship Entity Category |
|---|
|
The MyAccessID IAM Service supports the Research and Scholarship (R&S) Entity Category. As such, MyAccessID expects to receive the R&S attribute bundle from IdPs in eduGAIN supporting the R&S Entity Category.
|
| Tip |
|---|
| title | Code of Conduct Entity Category |
|---|
|
As a service that meets the requirements for and supports the entity category of Code of Conduct, the service specifically declares the attributes it requires. |
| Attribute Type | Attribute | Requirement | Explanation |
|---|
| User Identifier | | Mandatory (at least one) | MyAccessID and the services connected through MyAccessID require to uniquely identify users. Without a unique identifier, it is not possible to distinguish two different users between each other. As a service that supports Sirtfi, it is required that it is able to uniquely identify users. 1 The eduPersonPrincipalName can be used only if one of the following conditions are met: i) the IdP supports the R&S Enitity Category, ii) the eduPersonAssurance attribute is also released and it has a value of https://refeds.org/assurance/ID/eppn-unique-no-reassign, iii) the federation in which the IdP has registered has a policy that prohibits the reassignment of the value of the eduPersonPrincipalName attribute |
pairwise-id
|
eduPersonPrincipalName1
|
eduPersonTargetedID
|
eduPersonUniqueId
|
| Level of Assurance | eduPersonAssurance | Will become mandatory (date TBD) | Access to the services connected through MyAccessID will be dominantly supported by identities coming from the IdPs from the R&E sector and eduGAIN. See Level of Assurance Requirements for more information. |
Name | cn
| Mandatory (at least one) | MyAccessID and the services connected through MyAccessID expect to receive the name of the user.
For example, when a user applies for a new project or for membership membership to an existing project, the managers need to be able to recognise who the applicant is. |
displayName |
sn + givenName
|
| Mail | mail
| Mandatory | MyAccessID needs to be able to contact the user regarding the status of their account. In addition, many of the services connected through MyAccessID expect the email of the user in order to be able contact the user about service related matters.
|
| Affiliation | eduPersonScopedAffiliation
| Mandatory | Access to many of the services connected through MyAccessID relies on authorising their member users based on affiliation with their home organisation. |
| Organization | schacHomeOrganization | Optional | Access to many of the services connected through MyAccessID relies on authorising users based on their home organisation. |
Depending on which protocol the IdP is using, SAML or OIDC, attributes need to be released in the following format, respectively.:
SAML Attributes MUST be sent using urn:oasis:names:tc:SAML:2.0:attrname-format:uri NameFormat. Below is the list of the canonical names of the SAML attributes:
...
| SAML Attribute Name | SAML Attribute Friendly Name |
|---|
Subject ID | urn:oasis:names:tc:SAML:attribute:subject-id | subject-id |
Pairwise ID |
urn:oasis:names:tc:SAML:attribute:pairwise-id | pairwise-id |
Community Identifierurn:oid:0.9.2342.19200300.100.1.3 | email |
urn:oid:1.3.6.1.4.1.25178. |
416 voPersonID | Email| schacHomeOrganization |
urn:oid: |
092342192003001003 email | | Common Name | urn:oid:2.5.4.3 | cn |
Given NamegivenName | | Family Name | urn:oid:2.5.4.4 | surname |
Affiliation | 5923.1.1.1.6 | eduPersonPrincipalName |
urn:oid:
|
2.5.4.421.3.6.1.4.1.5923.1.1.1.9
| eduPersonScopedAffiliation |
urn:oid:1.3.6.1.4.1.5923.1.1.1. |
910 | eduPersonTargetedID |
urn:oid:1.3.6.1.4.1.5923. |
251784eduPersonScopedAffiliation voPersonExternalAffiliation | Home Organization | | eduPersonAssurance |
urn:oid:1.3.6.1.4.1. |
2517829schacHomeOrganization | Assurance| eduPersonUniqueId |
urn:oid:1.3.6.1.4.1.5923.1.1.1.
|
11eduPersonAssurance | OIDC Claim Names
...
16
| eduPersonOrcid |
urn:oid:2.5.4.3 | cn |
urn:oid:2.5.4.4 | surname |
urn:oid:2.5.4.42 | givenName |
Subject ID| Community Identifier | voperson_id |
EmailDisplay NameGiven NameFamily NamefamiltyAffiliation | profile |
| voperson_id | aarc |
| eduperson_entitlement | aarc |
eduperson_scoped_affiliation | aarc |
| voperson_external_affiliation |
Home Organization | aarc |
| eduperson_assurance | aarc |
| schac_home_organization |
Assurance | eduperson_assurance
