Skip to content

logo

NFDI AAI Attributes#

Attributes are used to describe the user. They are meant to be used for the authorisation decision. Different sets of attributes are available at different layers in the infrastructure. This is somewhat logical, since for example services that are connected to eduGAIN can not see those attributes that are managed in the Community AAI.

More generally speaking, the set of attributes coming from “Home-IdPs” in eduGAIN is different to the one that is passed on by the Community AAIs. The set of attributes available from the Infrastructure Proxy will be very similar to those of the Community AAIs.

We make use of standardised attribute sets, both for the attributes expected from the Home-IdPs at the Community AAIs, as well as for those that are sent from the Community AAIs to underlying services.

Note

This page is intended for easily accessible documentation purposes. It should be in sync with the Infrastructure Attribute Profiles (IAP). The IAP has precedence over this webpage.

Attributes available from the Community AAIs#

These attributes are available to services connected below any Community AAI. I.e. to services connected to any Community AAI or to the Infrastructure Proxy.

We use the “Core Attribute Profile” and the “Extended Attribute Profile” as defined within the EOSC AAI, which is based on the AARC recommendations

Core Attribute Profile#

Attributes listed here are mandatory.

The table uses this convention:

  • bold entries in the table are the preferred and encourages attributes.
  • Normal (non-bold) entries are possible alternatives to the bold entries.
  • Whenever multiple options for attributes are available, content may be sent either in one of them, or in multiple attributes.
  • Receiving ends should prefer the bold ones, and may use the normal ones.
Identity Attribute Type SAML Attribute OpenID Connect Claim Comments
Non-reassignable,
persistent,
unique user identifier
Any of the following:
voPersonID [voPerson-2.0]
eduPersonUniqueId [eduPerson]
subject-id [SAML-SubjectID-v1.0]
pairwise-id [SAML-SubjectID-v1.0]
SAML Persistent NameID [SAML2Core]
Any of the following:
voperson_id [voPerson-2.0]
eduperson_unique_id [eduPerson]
sub (public)+iss [OIDC-Core]
sub (pairwise)+iss [OIDC-Core]
Created by the Community AAI
Name information displayName name [OIDC-Core] E.g.: John Doe
Email information Any of
- mail
- voPersonVerifiedEmail [voPerson-2.0]
Any of
- email [OIDC-Core]
- email_verified [OIDC-Core]
- voperson_verified_email [voPerson-2.0]
There is currently no way of indicating a preferred email address (e.g. when sending multiple emails). One workaround may be to use the first entry of the list as a preferred email address of the user. This MAY NOT work in all circumstances!!!
Home organisation information schacHomeOrganization [SCHAC-1.5] Either of
- org_domain + org_name
- schac_home_organization
The domain name of the users Home-Org.
Affiliation within the community eduPersonScopedAffiliation [eduPerson] eduperson_scoped_affiliation [eduPerson] A controlled vocabulary will be provided by NFDI-AAI (following EOSC/AARC conventions)
Affiliation at the Home-Org. voPersonExternalAffiliation [voPerson-2.0] voperson_external_affiliation [voPerson-2.0] Home-Org. Affiliation will be passed on “as is” in this attribute
Assurance eduPersonAssurance [eduPerson] ** eduperson_assurance [eduPerson]** As defined in [RAF], and detailed here.

Extended Attribute Profile#

Attributes listed here are optional.

Identity Attribute Type SAML Attribute OpenID Connect Claim Comment
Groups and roles eduPersonEntitlement [AARC-G002] One of the following:
- eduperson_entitlement [AARC-G002]
- entitlements [RFC9068, AARC-G069]
urn:geant:dfn.de:nfdi.de:group:example#authority.host.de (indicates a group membership)
Note: The authority part is optional. Still in NFDI-AAI we want to use it. A registry is operated at https://www.nfdi.de/persistent-identifiers.
Capabilities eduPersonEntitlement [AARC-G027] Any of the following:
- eduperson_entitlement [AARC-G027]
- entitlements [RFC9068, AARC-G027]
urn:geant:dfn.de:nfdi.de:res:example#authority.host.de (indicates a resource entitlement). A registry is operated at https://www.nfdi.de/persistent-identifiers.
Agreement to policies voPersonPolicyAgreement [voPerson-2.0] voperson_policy_agreement [voPerson-2.0] Allows services to skip local policy clicking, if e.g. done at Community-AAI
ORCID identifier eduPersonOrcid [eduPerson] orcid
Preferred email ? ? Unclear if this will be used, since EOSC/AARC directions are unclear at the moment.
Supplemental Name Information givenName + sn given_name + family_name
Authentication Profiles AuthenticationContextClassReference acr For indicating whether a 2nd factor was used
External Idenfifier voPersonExternalID voperson_external_id An explicitly scoped identifier for a person, typically as issued by an external authentication service. Could be used for ID linking.
SSH Keys sshPublicKey ssh_public_key A list of ssh keys

Attributes needed by the Community AAIs#

These attributes are required to be released by the Home-IdPs, so that users can reasonably use the services at the Community AAI. Precise requirements may differ between different Instances and Software Products used to implement a Community AAI.

Personalized#

https://refeds.org/category/personalized

Identity Attribute Type SAML Attribute OpenID Connect Claim
Organization schacHomeOrganization [SCHAC] schac_home_organization
user identifier subject-id [SAMLSubId] sub (shared) + iss
person name All of
- displayName [eduPerson]
- givenName [eduPerson]
- sn [eduPerson]
All of
- name
- given_name
- family_name
email address mail [eduPerson] email [OIDC-COre]
Affiliation eduPersonScopedAffiliation [eduPerson] eduperson_scoped_affiliation
Assurance eduPersonAssurance [eduPerson] One of
- eduperson_assurance
- asr

Pseudonomous#

https://refeds.org/category/pseudonymous

The REFEDS Pseydonymous profile may be acceptable, if the Community AAI provides a means to query the user for a Name (displayName, or givenName + sn), and a (verified!) email address.

Identity Attribute Type SAML Attribute OpenID Connect Claim
Organization schacHomeOrganization [SCHAC] schac_home_organization
pseudonymous pairwise user identifier pariwise-id [SAMLSubId] sub (pairwise) + iss
Affiliation eduPersonScopedAffiliation [eduPerson] eduperson_scoped_affiliation
Assurance eduPersonAssurance [eduPerson] One of
- eduperson_assurance
- asr

Anonymous: Not sufficient#

The anonymous profile https://refeds.org/category/anonymous does not provide a number of sufficient attributes. For specific combinations of Community-AAI and Community-Service, an exception may technically work. Please consult your Community-AAI contact.

Attributes in different protocols#

Attributes can be expressed in different protocols. We maintain a mapping for SAML, OIDC, LDAP and SCIM. The list is available upon request.

Last change: Nov 11, 2024 12:20:05