OpenAthens SP will make system attributes available as a capital normalised string in the format:
- "urn:oid:1.3.6.1.4.1.5923.1.1.1.9" as OA_URN_OID_1_3_6_1_4_1_5923_1_1_1_9
Different federations may have different attributes but you can reasonably expect to see these generally standard names:
|targetedID||urn:mace:dir:attribute-def:eduPersonTargetedID||urn:oid:1.3.6.1.4.1.5923.1.1.1.10||This is the unique user identifier. It is consistent for the same user visiting the same service provider so long as neither end changes its entityID.|
|scopedAffiliation / role||urn:mace:dir:attribute-def:eduPersonScopedAffiliation||urn:oid:1.3.6.1.4.1.5923.1.1.1.9||Looks like an email address (e.g. The second part is the organisation's 'scope' and is the best thing to use as an organisation identifier for authorisation.|
|Entitlement||urn:mace:dir:attribute-def:eduPersonEntitlement||urn:oid:1.3.6.1.4.1.5923.1.1.1.7||This is the 'anything else' attribute and could be used in situations where only one department of a University should be given access to certain content - e.g. could be used to identify physics or medical students, administration privileges, etc.|
These standard attributes are the best ones to use for authorisation and user personalisation. Identity Providers can pass other attributes by mutual agreement, and these could be supplied under almost any agreed name. There are . though
Specific attributes to use for authorisation and personalisation
The correct attribute to use for institutional authorisation is 'scope' which you should expect to extract from the role attribute (scopedAffiliation), usually expressed as urn:oid:1.3.6.1.4.1.5923.1.1.1.9. The scope will be everything following the '@'.
The correct attribute to use for personalisation is targetedID, usually expressed as urn:oid:1.3.6.1.4.1.5923.1.1.1.10.
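
The scope extraction and authorisation check described above, as an added example that is not OpenAthens code. It assumes the application receives attributes in a mapping keyed by the normalised name, that multiple values are joined with ';', and that scopes are compared case-insensitively; the normalisation rule is inferred from the single example on this page, and the scope `example.ac.uk` and all sample values are constructed.

```python
import re

# OID form of eduPersonScopedAffiliation, as named on this page.
SCOPED_AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"

def normalised_name(attribute):
    """Assumed rule, inferred from the page's one example: upper-case the name,
    replace every non-alphanumeric character with '_', and prefix 'OA_'."""
    return "OA_" + re.sub(r"[^A-Za-z0-9]", "_", attribute).upper()

def scopes(raw, sep=";"):
    """Return the set of scopes (text after '@') in a scopedAffiliation value.
    Assumes multiple values arrive joined by `sep`; malformed values are dropped."""
    found = set()
    for value in (raw or "").split(sep):
        affiliation, at, scope = value.strip().partition("@")
        # Require exactly one '@', text on both sides, and no whitespace in the scope.
        if at and affiliation and scope and "@" not in scope and not re.search(r"\s", scope):
            found.add(scope.lower())  # assumption: scopes compared case-insensitively
    return found

def authorised_scopes(env, allowed):
    """Exact-match the user's scopes against the allow-list.
    Suffix or substring matching would also accept look-alike scopes."""
    raw = env.get(normalised_name(SCOPED_AFFILIATION), "")
    return scopes(raw) & {s.lower() for s in allowed}

# Constructed sample input: attribute mappings an application might see after login.
KEY = "OA_URN_OID_1_3_6_1_4_1_5923_1_1_1_9"
ALLOWED = {"example.ac.uk"}
SAMPLES = {
    "member": {KEY: "member@example.ac.uk;staff@Example.ac.uk"},
    "lookalike": {KEY: "member@notexample.ac.uk"},
    "malformed": {KEY: "member;@example.ac.uk;a@b@example.ac.uk"},
    "absent": {},
}

if __name__ == "__main__":
    for label, env in SAMPLES.items():
        print(label, sorted(authorised_scopes(env, ALLOWED)))
```

An empty result means access should be denied; a missing or malformed attribute is treated the same as an unrecognised scope.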