Name	User Identifier
Description	The User Identifier is an opaque and non-revocable identifier (i.e. it cannot change over time). The User Identifier has a limit of 255 characters
SAML Attribute(s)	urn:oasis:names:tc:SAML:attribute:subject-id urn:1.3.6.1.4.1.25178.4.1.6 (voPersonID)
OIDC claim(s)	sub (public) voperson_id
OIDC claim location	The claim is available in: ☑ ID token ☑ Userinfo endpoint ☑ Introspection endpoint
OIDC scope	openid (for the sub claim) aarc (for the voperson_id claim)
Origin	Assigned to the user by the GEANT AAI Service
Changes	No
Multiplicity	Single-valued
Availability	Mandatory
Example	e413e5b2-1439-42da-a7ed-23444ddd0e5b@aai.geant.org
Notes	The User Identifier and Username “test@aai.geant.org” are test accounts reserved for testing and monitoring the proper functioning. The Relying parties should not authorise it to access any valuable resources.

Username

Name	Username
Description	The username is a human-readable, revocable identifier (i.e. the user can change it). It is intended to be used when a unique identifier needs to be displayed in the user interface (e.g. wikis or Unix accounts). It has the syntax of eduPersonPrincipalName, which consists of “user” part and a fixed scope “aai.geant.org”, separated by at sign. The user part (syntax derived from Linux accounts) begins with a lowercase letter or an underscore, followed by lower case letters, digits, underscores, or dashes. In regular expression: [a-z_][a-z0-9_-]*? The usernames beginning with an underscore are dedicated to service IDs.
SAML Attribute(s)	urn:oid:0.9.2342.19200300.100.1.1 (uid)
OIDC claim(s)	preferred_username
OIDC claim location	The claim is available in: ☑ ID token ☑ Userinfo endpoint ☑ Introspection endpoint
OIDC scope	Any of: profile preferred_username
Origin	Set when a user registers with the GEANT AAI Service
Changes	May be changed (revoked) over time (e.g. if a user changes their name). Revoked identifiers are NOT reassigned.
Multiplicity	Single-valued
Availability	Mandatory
Example	federated-user-999999999@aai.geant.org
Notes	The User Identifier and Username “test@aai.geant.org” are test accounts reserved for testing and monitoring the proper functioning. The Relying parties should not authorise it to access any valuable resources.

Display Name

Name	Display Name
Description	User’s name (firstname lastname).
SAML Attribute(s)	urn:oid:2.16.840.1.113730.3.1.241 (displayName)
OIDC claim(s)	name
OIDC claim location	The claim is available in: ☐ ID token ☑ Userinfo endpoint ☐ Introspection endpoint
OIDC scope	Any of: profile aarc
Origin	Provided by the Identity Provider of the user
Changes	Yes
Multiplicity	Single-valued
Availability	Optional
Example	Jack Dougherty
Notes

...

Name	Groups
Description	The groups this user is a member of in their collaboration [AARC-G069G069].
SAML Attribute(s)	urn:oid:1.3.6.1.4.1.5923.1.1.1.7 (eduPersonEntitlement)
OIDC claim(s)	entitlements
OIDC claim location	The claim is available in: ☐ ID token ☑ Userinfo endpoint ☑ Introspection endpoint
OIDC scope	entitlements
Origin	Managed by the GEANT AAI Service
Changes	Yes
Multiplicity	Multi-valued
Availability	Optional
Example	Example of a user, who is member of Task 1 in WP5 of the GN5-1 project: urn:geant:aai.geant.org:group:geant urn:geant:aai.geant.org:group:geant:GN5-1 urn:geant:aai.geant.org:group:geant:GN5-1:WP5 urn:geant:aai.geant.org:group:geant:GN5-1:WP5:Task%201
Notes

...