Versions Compared

Old Version 5

changes.mady.by.user Christos Kanellopoulos

Saved on

compared with

New Version Current

changes.mady.by.user Michal Stava

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Attributes Requested From IdPs in eduGAIN

Tip
titleResearch and Scholarship Entity Category

The MyAccessID IAM Service supports the Research and Scholarship (R&S) Entity Category. As such, MyAccessID expectes expects to receive the R&S attribute bundle from IdP support IdPs in eduGAIN supporting the R&S Entity Category.


Tip
titleCode of Conduct Entity Category

As a service that meets the requirements for and supports the entity category of Code of Conduct, the service specifically declares the attributes required to use the serviceit requires.


Attribute TypeAttributeRequirementExplanation
User Identifier

subject-id

Mandatory . At (at least one)

The services requires MyAccessID and the services connected through MyAccessID require to uniquely identify users for authorization purposes. Without some a unique identifier, it is impossible not possible to distinguish two different users between each other.

As a service that supports Sirtfi, it is required that it is able to uniquely identify users.

1 The eduPersonPrincipalName can be used only if one of the following conditions are met:

i) the IdP supports the R&S Enitity Category,

ii) the eduPersonAssurance attribute is also released and it has a value of https://refeds.org/assurance/ID/eppn-unique-no-reassign,

iii) the federation in which the IdP has registered has a policy that prohibits the reassignment of the value of the eduPersonPrincipalName attribute

pairwise-id

eduPersonPrincipalName1

eduPersonTargetedID

eduPersonUniqueId

Level of AssuranceeduPersonAssuranceOptionalWill become mandatory (date TBD)

Access to the resources services connected through MyAccessID will be dominantly supported by identites identities coming from the IdPs from the R&E sector and eduGAIN.

Best-fit and natural is to use the Assurance Framework that originated as collaborative work of R&E federations - the REFEDS Assurance suite https://wiki.refeds.org/display/ASS.

To insure identifier uniqueness:

To insure sufficient identity proofing and credential issuance, renewal, and replacement:

Level of Assurance information is planned to become mandatory in 2022See Level of Assurance Requirements for more information.


Name

cn

Mandatory. At Mandatory  (at least one)

MyAccessID and the services connected through MyAccessID expect to receive the name of the user.

For example, when a user applies for a new project or for membership membership to an existing project, the managers need to be able to recognise who the applicant is.

displayName


sn + givenName

Mail

mail

Mandatory

MyAccessID needs to be able to contact the user regarding the status of their account. In addition, many of the services connected through MyAccessID expect the email of the user in order to be able contact the user about service related matters.

Affiliation

eduPersonScopedAffiliation

Mandatory

Access to many of the resources services connected through MyAccessID relies on authorising their member users based on the affiliation of their members with their home organisation.

OrganizationschacHomeOrganizationOptional

Access to many of the service services connected through MyAccessID relies on authorising users based on their home organisation.

1 The eduPersonPrincipalName can be used only if one of the following conditions are met: i) the IdP supports the R&S Enitity Category, ii) the eduPersonAssurance attribute is also released and it has a value of https://refeds.org/assurance/ID/eppn-unique-no-reassign, iii) the federation in which the IdP has registered has a policy that prohibits the reassignment of the value of the eduPersonPrincipalName attribute


Depending on which protocol the IdP is using, SAML or OIDC, attributes need to be released in the following format, respectively.:

  • SAML Attribute Names

SAML Attributes MUST be sent using urn:oasis:names:tc:SAML:2.0:attrname-format:uri NameFormat. Below is the list of the canonical names of the SAML attributes:

SAML Attribute NameSAML Attribute Friendly Name
urn:oasis:names:tc:SAML:attribute:subject-idsubject-id
urn:oasis:names:tc:SAML:attribute:pairwise-idpairwise-id
urn:oid:0.9.2342.19200300.100.1.3 email
urn:oid:1.3.6.1.4.1.25178.1.2.9schacHomeOrganization
urn:oid:1.3.6.1.4.1.
25178
5923.
4
1.1.
6 voPersonIDurn:oid:
1
.3
.6
.1.4.1.25178.4.1.11 voPersonExternalAffiliation
eduPersonPrincipalName

urn:oid:1.3.6.1.4.1.5923.1.1.1.

6

9

eduPersonPrincipalName

eduPersonScopedAffiliation

urn:oid:1.3.6.1.4.1.5923.1.1.1.
9
10
eduPersonScopedAffiliation

eduPersonTargetedID

urn:oid:1.3.6.1.4.1.5923.1.1.1.
10
11
eduPersonTargetedID
eduPersonAssurance
urn:oid:1.3.6.1.4.1.5923.1.1.1.
11
13
eduPersonAssurance
eduPersonUniqueId
urn:oid:1.3.6.1.4.1.5923.1.1.1.
13
16
eduPersonUniqueId
eduPersonOrcid
urn:oid:2.5.4.3cn
urn:oid:2.5.4.4 surname
urn:oid:2.5.4.42givenName


  • OIDC Claims and Scopes
OIDC ClaimScope
subject-id
profile
openid
email
profile
email
nameprofile
given_nameprofile
family_nameprofile
voperson_idaarc
eduperson_entitlementaarc

eduperson_scoped_affiliation

aarc
voperson_external_affiliationaarc
eduperson_assuranceaarc
schac_home_organization