This document describes the SAML attributes and OIDC claims that are available to legacy services connected to the GEANT AAI Service. Attribute - claims marked as Mandatory will always be available to a relying party. Attribute - claims marked as Optional will be made available under certain circumstances. For example, some attributes - claims can be available only if the respective attributes - claims are released by the home Identity Provider of the user. Attributes - claims and values marked as Experimental might change or removed in the future, so relying parties should not rely on them, but use them only for experimental purposes.
List of Attributes
User Identifier
| Name | User Identifier |
|---|---|
| Description | The User Identifier is an opaque and non-revocable identifier (i.e. it cannot change over time). The User Identifier has a limit of 255 characters |
| SAML Attribute(s) |
|
| OIDC claim(s) | - |
| OIDC claim location | - |
| OIDC scope | - |
| Assigned to the user by the GEANT AAI Service | |
| Changes | No |
| Multiplicity | Single-valued |
| Availability | Mandatory |
| Example | e413e5b2-1439-42da-a7ed-23444ddd0e5b@aai.geant.org |
| Notes | The User Identifier and Username “test@aai.geant.org” are test accounts reserved for testing and monitoring the proper functioning. The Relying parties should not authorise it to access any valuable resources. |
Username
| Name | Username |
|---|---|
| Description | The username is a human-readable, revocable identifier (i.e. the user can change it). It is intended to be used when a unique identifier needs to be displayed in the user interface (e.g. wikis or Unix accounts). |
| SAML Attribute(s) | urn:oid:0.9.2342.19200300.100.1.1 (uid) |
| OIDC claim(s) | - |
| OIDC claim location | - |
| OIDC scope | - |
| Origin | Set when a user registers with the GEANT AAI Service |
| Changes | May be changed (revoked) over time (e.g. if a user changes their name). Revoked identifiers are NOT reassigned. |
| Multiplicity | Single-valued |
| Availability | Mandatory |
| Example | federated-user-999999999 |
| Notes | The User Identifier and Username “test@aai.geant.org” are test accounts reserved for testing and monitoring the proper functioning. The Relying parties should not authorise it to access any valuable resources. |
Display Name
| Name | Display Name |
|---|---|
| Description | User’s name (firstname lastname). |
| SAML Attribute(s) | urn:oid:2.16.840.1.113730.3.1.241 (displayName) |
| OIDC claim(s) | name |
| OIDC claim location | - |
| OIDC scope | - |
| Origin | Provided by the Identity Provider of the user |
| Changes | Yes |
| Multiplicity | Single-valued |
| Availability | Optional |
| Example | Jack Dougherty |
| Notes |
Given Name
| Name | Given Name |
|---|---|
| Description | Name strings that are the part of a person's name that is not their surname (see RFC4519). |
| SAML Attribute(s) | urn:oid:2.5.4.42 (givenName) |
| OIDC claim(s) | given_name |
| OIDC claim location | The claim is available in: ☐ ID token ☑ Userinfo endpoint ☐ Introspection endpoint |
| OIDC scope | - |
| Origin | Provided by the Identity Provider of the user |
| Changes | Yes |
| Multiplicity | Multi-valued - SAML: The givenName attribute contains name strings that are the part of a person's name that is not their surname. Each string is one value of this multi-valued attribute [RFC4519] |
| Availability | Optional |
| Example | Jack |
| Notes | In the specification of urn:oid:2.5.4.42 it is stated that the attribute supports multiple values, but the OIDC claim supports only a single value. The Service will release a single value to both SAML and OIDC relying parties |
Family Name
| Name | Family Name |
|---|---|
| Description | Family name of the user |
| SAML Attribute(s) | urn:oid:2.5.4.4 (sn) |
| OIDC claim(s) | - |
| OIDC claim location | - |
| OIDC scope | - |
| Origin | Provided by the Identity Provider of the user |
| Changes | Yes |
| Multiplicity | Multi-valued - SAML: The sn attribute contains name strings that are the part of a person's name that is not their surname. Each string is one value of this multi-valued attribute [RFC4519] |
| Availability | Optional |
| Example | Dougherty |
| Notes | In the specification of urn:oid:2.5.4.4 it is stated that the attribute supports multiple values, but the OIDC claim supports only a single value. The Service will release a single value to both SAML and OIDC relying parties |
Email address
| Name | Email address |
|---|---|
| Description | Email address of the user. Users may have multiple email addresses, some of which were verified. A verified email address means that the GEANT AAI Service or the user’s Home IdP has taken affirmative steps to ensure that this email address was controlled by the user at the time the verification was performed. The specific verification mechanism is not defined here, but is expected to meet industry best practices. |
| SAML Attribute(s) |
|
| OIDC claim(s) | - |
| OIDC claim location | - |
| OIDC scope | - |
| Origin | Provided by the Identity Provider of the user or registered by the GEANT AAI Service after ownership of the email address has been verified. |
| Changes | Yes |
| Multiplicity | Single-valued |
| Availability | Optional |
| Example | jack.dougherty@example.com |
| Notes |
Groups (Legacy)
| Name | Groups (Legacy) |
|---|---|
| Description | |
| SAML Attribute(s) |
|
| OIDC claim(s) | - |
| OIDC claim location | - |
| OIDC scope | - |
| Origin | Managed by the GEANT AAI Service |
| Changes | Yes |
| Multiplicity | Multi-valued |
| Availability | Optional |
| Example | Example of a user, who is member of Task 1 in WP5 of the GN5-1 project:
|
| Notes |
Groups
| Name | Groups |
|---|---|
| Description | The groups this user is a member of in their collaboration [AARC-G069]. |
| SAML Attribute(s) | urn:oid:1.3.6.1.4.1.5923.1.1.1.7 (eduPersonEntitlement) |
| OIDC claim(s) | - |
| OIDC claim location | - |
| OIDC scope | - |
| Origin | Managed by the GEANT AAI Service |
| Changes | Yes |
| Multiplicity | Multi-valued |
| Availability | Optional |
| Example | Example of a user, who is member of Task 1 in WP5 of the GN5-1 project:
|
| Notes |