OpenAthens SP software end of life is approaching.
Keystone, Wayfinder and the OpenAthens federation are unaffected.

Search

Skip to end of metadata
Go to start of metadata

A list of the eduPerson attributes that might be encountered in federations around the world. The highlighted ones are generally common to all. The others are... unlikely to come up outside of a local context. The last column is only relevant if you are using the eduPerson mapping rule in OpenAthens Keystone.


SAML attributeWhat is it?Typical value where relevantClaim (assumes use of the preconfigured rulesets)
urn:oid:1.3.6.1.4.1.5923.1.1.1.1

Not used in the OpenAthens federation.

The role part of 'scopedAffiliation' of the user.

member
eduPersonAffiliation
urn:oid:1.3.6.1.4.1.5923.1.1.1.2

Not used in the OpenAthens federation.

A persons nickname or preferred form of address.

bob
eduPersonNickname
urn:oid:1.3.6.1.4.1.5923.1.1.1.3

Not used in the OpenAthens federation. Little reason to use in any federation.

The DN of the directory entry of the user's organisation.

DN=directory, CN=organisation, CN=org
eduPersonOrgDN
urn:oid:1.3.6.1.4.1.5923.1.1.1.4

Not used in the OpenAthens federation. Little reason to use in any federation.

The DN of the directory entry of the user's organisation unit.

OU=campus, DN=directory, CN=organisation, CN=org
eduPersonOrgUnitDN
urn:oid:1.3.6.1.4.1.5923.1.1.1.5

Not used in the OpenAthens federation. Little reason to use in any federation.

A version of eduPersonAffiliation limited to a single value.

organisation.org
eduPersonPrimaryAffiliation
urn:oid:1.3.6.1.4.1.5923.1.1.1.6

Not generally used in the OpenAthens federation.

The UPN of the user. Resembles an Email but should not be expected to be one.

string@organisation.org
eduPersonPrincipalName
urn:oid:1.3.6.1.4.1.5923.1.1.1.7

The 'Entitlement' value for a user. This one is technically in common usage, but few service providers ask for it.

Is used to do more granular groupings than roles - e.g. if a library service could not afford to buy access for all 20,000 students, but could for the 150 Geology staff and students, they could pass you an entitlement value for just the geologists, and you can make a sale.

You define the value that you want them to pass for the group of users.

geology
eduPersonEntitlement
urn:oid:1.3.6.1.4.1.5923.1.1.1.8

Not used in the OpenAthens federation. Little reason to use in any federation.

Essentially the same as eduPersonOrgUnitDN and just as useful.


eduPersonPrimaryOrgUnitDN
urn:oid:1.3.6.1.4.1.5923.1.1.1.9

The 'scopedAffiliation' of the user. A two part identifier consisting of a role and a federation_scope. This attribute may be multi-valued so if using any part of this for authorisation the condition should be inclusive rather than exclusive. This is generally released by default for any user in any federation.

Role values are defined by the federation. Most federations are academic, so roles are typically one or more of: member, staff, student, faculty, alum, library-walk-in, affiliate, employee.

The federation scope is the organisation identifier and can identify sub-organisations too - e.g. a group of hospitals might have a root federation scope of eng.nhs.uk, but an individual hospital might have the scope of holbycity.eng.nhs.uk. This facilitates activities such as selling access to the whole group by authorising on *.eng.nhs.uk, or supplying specific OUs in the group.

It is this the claim(s) based on this attribute that is it best to base authorisation on.

member@organisation.org

staff@organisation.org

eduPersonScopedAffiliation
urn:oid:1.3.6.1.4.1.5923.1.1.1.10

The 'targetedID' of the user. An opaque user ID that is provided by default for any OpenAthens federation user, and is in general use in all major federations.

It is persistent for a user so long as federation entityIDs do not change.

3d6qquvckr9vcauasrp3g13rur eduPersonTargetedID
urn:oid:1.3.6.1.4.1.5923.1.1.1.11

Not used in the OpenAthens federation.

Set of URIs that assert compliance with specific standards for identity assurance.

http://blah.organisation.org/compliance/1
http://blah.organisation.org/compliance/2
http://blah.federation.net/agreement 
eduPersonAssurance
urn:oid:1.3.6.1.4.1.5923.1.1.1.12

Not used in the OpenAthens federation.

Multi-valued set of previous eduPersonPrincipalNames the user may have had.

somthing@organisation.org
another@organisation.org 
eduPersonPrincipalNamePrior
urn:oid:1.3.6.1.4.1.5923.1.1.1.13

Not used in the OpenAthens federation.  

A persistent user identifier expected to be unique within a federation. Very unlikely to ever come up.  

oifh845oi8sd85o87a4hi8ai4ai8ah.federation
eduPersonUniqueId
urn:oid:1.3.6.1.4.1.5923.1.1.1.14

Could be used in the OpenAthens federation

ORCID iDs are persistent digital identifiers for individual researchers. Their primary purpose is to unambiguously and definitively link them with their scholarly work products. ORCID iDs are assigned, managed and maintained by the ORCID organisation: http://orcid.org/

http://orcid.org/1234-5678-1234-5678
eduPersonOrcid
  • No labels