This page lists the attributes used in the TAAT federation when communicating with eduGAIN services and home organizations.

There are three types of attributes:

  • MUST - attributes which are required for every user
  • OPTIONAL - attributes which are optional and can be used as necessary
  • TAAT (as Federation Authority/Operator) - attributes which are set automatically

Mandatory (MUST) attributes

sn - Last name

Multiple: NO

User's last name (names) as a string.

cn - Common Name

Multiple: NO

User's common name (full name).

eduPersonPrincipalName - User ID at the home organization

Multiple: NO

Identifier that is unique at the home organization within its lifetime.

May be the same as the user logon, but only if user logons are not reused. If the logon cannot identify the user throughout history, some other identifier should be used.

Required form: identifier@domain.topdomain

mail - E-mail address

(Email address)

User's e-mail address(es)

displayName - Display name

(Display name)

User's preferred name: screen name, username, nickname or first name. If not available, first name may be used.

eduPersonAffiliation - Role in organization


Person's role in the home organization.

SPs should use this when a person's status with the Home Organization needs to be proven. If the degree or structural unit is important, eduPersonScopedAffiliation should be used.

Main roles:

  • student — an 'active' student
  • faculty — a member of the faculty at the institution
  • staff — a member of the technical-administrative staff at the institution
  • affiliate — a person related to the institution without being covered by a general set of rights
  • library-walk-in — a person who has access to a computer within the organisation
  • alum - a person who has graduated school

In addition, the IdP must provide the following mixed roles if they apply:

  • employee – mixed role from staff and faculty members;
  • member – mixed role from student, staff and faculty members

Roles are universal and their meaning is the same throughout federations. Role names must be the same; they cannot be edited, and new ones cannot be added.

Optional (MAY) attributes

eduPersonScopedAffiliation - Role in group


User's role in some group.

eduPersonScopedAffiliation has the form <role>@<group>.<namespace>, where:

  • role is an eduPersonAffiliation role
  • group is meaningful within your namespace
  • namespace is semantic and is IdP-specific, SP-specific or federation-wide. The namespace is written in domain-like form.

Federation-wide groups

Study level (studylevel)

Used only with "student" role.

Allowed variants: bak, mag, dok, int (integrated studies)

If both bak and mag are used, both should be sent so that both resources can be accessed.

Organizational Unit (ou)


Role in Organizational Unit. Can have multiple values, but every value needs to follow the same format.

If multiple values are used, a right-to-left (greater to smaller) structure needs to be used. Every unit on the left is a sub-unit of the unit on its right. At minimum, the widest unit should be a faculty or college.

The most specific unit can be a course, but then all units which include this course must also be marked. For example:

preferredLanguage - Preferred Language

(The user's preferred language)

User's preferred language, as described in RFC 2068

schacPersonalUniqueID - National ID number

(National ID number)

Estonian ID number.

The ID code is presented according to the Estonian “EV ST 585-90” standard.

Example: urn:schac:personalUniqueID:<country-code>:<idType>:<idValue>, where

  • <country-code> is the two-letter country code as described in ISO 3166;
  • <idType> allowed values must be registered in the TERENA URN registry;
  • <idValue> is the 11-digit Estonian ID number;

Example for Estonian ID number: urn:schac:personalUniqueID:ee:EID:37101010021
OID: urn:oid:

TAAT federation attributes

schacHomeOrganization - Home Organization

(Home organisation)

User's home organization domain name.

eduPersonTargetedID - TAAT pseudonym

(Pseudonymous user ID)

Unique TAAT username. The same user gets the same ePTI at the same SP, but a different one at different SPs.
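
An SP-side check of the MUST and optional attribute rules listed above, as an added example (not TAAT's own code). It assumes attributes arrive as a dict of value lists, reads the mixed-role rule as "employee accompanies staff or faculty, member accompanies student, staff or faculty", and uses constructed sample users.

```python
import re

# Rules transcribed from this page; the dict-of-lists input shape is an assumption.
MUST = ("sn", "cn", "eduPersonPrincipalName", "mail", "displayName",
        "eduPersonAffiliation")
SINGLE = ("sn", "cn", "eduPersonPrincipalName")  # listed as "Multiple: NO"
ROLES = {"student", "faculty", "staff", "affiliate", "library-walk-in", "alum",
         "employee", "member"}
EPPN = re.compile(r"[^@\s]+@[^@\s.]+(\.[^@\s.]+)+")  # identifier@domain.topdomain
EE_ID = re.compile(r"urn:schac:personalUniqueID:ee:EID:\d{11}")

def validate(attrs):
    """Return a list of rule violations for one user's released attributes."""
    problems = [f"missing MUST attribute: {n}" for n in MUST if not attrs.get(n)]
    problems += [f"{n} must be single-valued" for n in SINGLE
                 if len(attrs.get(n, [])) > 1]
    for eppn in attrs.get("eduPersonPrincipalName", []):
        if not EPPN.fullmatch(eppn):
            problems.append(f"bad eduPersonPrincipalName: {eppn!r}")
    roles = set(attrs.get("eduPersonAffiliation", []))
    problems += [f"unknown role: {r!r}" for r in sorted(roles - ROLES)]
    # Mixed roles must accompany the roles they are built from.
    if roles & {"staff", "faculty"} and "employee" not in roles:
        problems.append("staff/faculty without employee")
    if roles & {"student", "staff", "faculty"} and "member" not in roles:
        problems.append("student/staff/faculty without member")
    for scoped in attrs.get("eduPersonScopedAffiliation", []):
        role, sep, scope = scoped.partition("@")  # <role>@<group>.<namespace>
        if not sep or role not in ROLES or "." not in scope.strip("."):
            problems.append(f"bad eduPersonScopedAffiliation: {scoped!r}")
    for uid in attrs.get("schacPersonalUniqueID", []):
        if not EE_ID.fullmatch(uid):
            problems.append(f"bad schacPersonalUniqueID: {uid!r}")
    return problems

# Constructed sample users; the ID value is the example given on this page.
GOOD = {"sn": ["Tamm"], "cn": ["Mari Tamm"], "displayName": ["Mari"],
        "eduPersonPrincipalName": ["mari.tamm@example.ee"],
        "mail": ["mari.tamm@example.ee"],
        "eduPersonAffiliation": ["student", "member"],
        "eduPersonScopedAffiliation": ["student@physics.example.ee"],
        "schacPersonalUniqueID": ["urn:schac:personalUniqueID:ee:EID:37101010021"]}
BAD = {"sn": ["Tamm"], "cn": ["Mari Tamm", "M. Tamm"],
       "eduPersonPrincipalName": ["mari.tamm"], "mail": ["mari.tamm@example.ee"],
       "eduPersonAffiliation": ["staff", "teacher"],
       "schacPersonalUniqueID": ["urn:schac:personalUniqueID:ee:EID:12345"]}

if __name__ == "__main__":
    for label, user in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, validate(user) or "ok")
```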