This space contains the old OpenAthens SP documentation and is no longer maintained.
OpenAthens SP software is already out of support and reached end of life in May 2020.

Check out OpenAthens Keystone instead. It's supercool and makes dealing with SAML much easier.


Skip to end of metadata
Go to start of metadata

OpenAthens SP will make system attributes available as a capital normalised string in the format:

"Attribute.Name" as OA_ATTRIBUTE_NAME. E.g:

Different federations may have different attributes but you can reasonably expect to see these generally standard names:

Friendly nameSAML1SAML2Notes
targetedIDurn:mace:dir:attribute-def:eduPersonTargetedIDurn:oid: is the unique user identifier. It is consistent for the same user visiting the same service provider so long as neither end change their entityID
scopedAffiliation / roleurn:mace:dir:attribute-def:eduPersonScopedAffiliationurn:oid:

Looks like an email address (e.g. member@domain.tld).

The second part is the organisation's 'scope' and is the best thing to use as an organisation identifier for authorisation.

Entitlementurn:mace:dir:attribute-def:eduPersonEntitlementurn:oid: is the 'anything else' attribute and could be used in situations where only one department of a University should be given access to certain content - e.g. could be used to identify physics or medical students, administration privileges, etc.


It is these standard attributes that it is best to use for authorisation and user personalisation. Other attributes can be passed by Identity Providers by mutual agreement and could be supplied with almost any agreed name. There are some standard ones used in the OpenAthens federation though.

Specific attributes to use for authorisation and personalisation

The correct attribute to use for institutional authorisation is 'scope' which you should expect to extract from the role attribute (scopedAffiliation), usually expressed as urn:oid: The scope will be everything following the '@'.

The correct attribute to use for personalisation is targetedID, usually expressed as urn:oid:

  • No labels