One of the major advantages of a federation is a standard set of attribute names can be defined so that both IdP and SP can use generic set-ups in most cases and do not need to maintain hundreds of separate configurations.
The following attributes are part of the recommended federation attribute set for the OpenAthens federation and can be used for authorisation unless otherwise stated.
This is the default mode for IdPs in the OpenAthens federation.
The targetedID of the user. This is a consistent user ID you can use to recognise individuals when you need to do so.
Always released by IdP members of the OpenAthens federation.
Single-valued. Unique to the user.
The user's role and organisation (scope). Sometimes called scopedAffiliation.
Formed by combining a role and an organisation's scope.
Standard values for role are:
Always released by IdP members of the OpenAthens federation (where a value is present).
May be multi-valued.
Authorisation decisions should usually be whitelist as a user may have several roles, e.g. both 'staff' and 'student'. The exception would be 'library-walk-in'.
Any entitlement value that may apply.
Examples: "dental" or "med"
Released by IdP members of the OpenAthens federation when a value applies to a relevant user / service provider combination.
May be multi-valued
Use this for authorisation where you need a greater level of granularity than role - e.g. the difference between regular students and medical students, or if they have a department level subscription.
Legacy shibboleth names
These are returned by OpenAthens IdPs in response to SAML 1.1 requests only so are unlikely to come up in regular usage.
A unique identifier for the user that is also unique to the service provider. This attribute is scoped.
Role. This attribute is scoped.
Anything you need it to be.
OpenAthens specific attributes
These will be retired in the future and are provided only to help you transition from older technologies. They must not be used for authorisation or persistence:
The OpenAthens organisation ID to help SPs who are moving from old Athens software to federated access map organisations to scopes.
Currently releasable by IdP members of the OpenAthens federation. Newer customers do not release it.
For service providers moving to federated access from the older 'Athens Agent' or 'OpenAthens SP1.x' software there will be differences in the user attributes that are available. Updates to your customer records may be necessary, but as this also makes it simple to interact with other federations it is really a benefit.