Erinevus lehekülje "Attributes" redaktsioonide vahel
(Uus lehekülg: 'Attributes which are used in TAAT federation when communicating with eduGAIN services and home organizations. There are three types of attributes: *MUST - attributes which are r...')
Viimane redaktsioon: 2. november 2017, kell 14:44
Attributes which are used in TAAT federation when communicating with eduGAIN services and home organizations.
There are three types of attributes:
- MUST - attributes which are required for every user
- OPTIONAL, which are optional and can be used as neccessary.
- TAAT (as Federation Authority/Operator) attributes which are set automatically
- 1 Mandatory (MUST) attributes
- 2 Optional (MAY) attributes
- 3 TAAT federation attributes
Mandatory (MUST) attributes
sn - Last name
User last name (names) as a string.
cn - Common Name
User common name (full name).
eduPersonPrincipalName - User ID at the home organization
(User ID at the home organization)
Unique identifier at home organization within lifetime.
May be the same as user logon, but only if user logons are not reused. If there is not able to identify user throughout history some other identificator should be used.
Required form: firstname.lastname@example.org
mail - E-mail address
Users' e-mail address(es)
displayName - Display name
User preferred name: screen name/username/nickname/first name. If not available, first name may be used.
eduPersonAffiliation - Role in organization
Person role in home organization.
SPs should use this when person's status with Home Organization needs to be proven. If degree or structural unit is important eduPersonScopedAffiliation should be used.
- student — an 'active' student
- faculty — a member of the faculty at the institution
- staff — a member of the technical-administrative staff at the institution
- affiliate — a person related to the institution without being covered by a general set of rights
- library-walk-in — a person who has access to a computer within the organisation
- alum - a person who has graduated school
In addition IdP must provide roles if they apply to mix roles.
- employee – mixed role from staff and faculty members;
- member – mixed role from student, staff and faculty members
Roles are universal and meaning is the same troughout federations. Role names must be the same and they cannot be edited (nor added).
Optional (MAY) attributes
eduPersonScopedAffiliation - Role in group
User role in some group.
eduPersonScopedAffiliation is used: <role>@<group>.<namespace>, where:
- role is eduPersonAffiliation role
- group is meaningful within your namespace
- namespace is semantic and is IdP or SP-specific or federation-wide. Namespace is presented domain-alike.
Throughout federation groups
Study level (studylevel)
Used only with "student" role.
Allowed variants: bak, mag, dok, int (integrated studies)
If bak and mag is used, both should be sent for accessing both resources.
Organizational Unit (ou)
Role in Organizational Unit. Can me multiple values, but everyone needs to have same formula.
If multiple values are used, right to left (greater to smaller) structure needs to be used. Every unit on the left is a sub-unit on it's right. Minimal most wide unit should be faculty or college.
Maximal can be course, but it means all units must be marked, which include this course. For example: email@example.com
preferredLanguage - Preferred Language
(The user's preferred language)
User preferred language, as described in RFC2068-ga
schacPersonalUniqueID - National ID number
(National ID number)
Estonian ID number.
ID code is presented according to Estonian “EV ST 585-90” standard.
Example: urn:schac:personalUniqueID:<counrty-code>:<idType>:<idValue>, where
- <country-code> is two-letter country code as described in ISO 3166;
- <idType> allowed values must be registred in TERENA URN registry;
- <idValue> is 11-digit Estonian ID number;
Example for Estonian ID number: urn:schac:personalUniqueID:ee:EID:37101010021
TAAT federation attributes
schacHomeOrganization - Home Organization
User's home organization domain name.
eduPersonTargetedID - TAAT pseudonym
(Pseudonymous user ID)
Uniqe TAAT username. Same user gets same ePTI in same SP, but different in different SPs.