About eduPerson attributes
Since most federations around the world are aimed at the education and research communities, the eduPerson schema is prevalent when it comes to attribute names. Here's what all the attributes are and what they mean. The highlighted ones are the main ones used in most federations.
| SAML attribute (SAML 2) | What is it? | Typical value where relevant | 'Friendly' name |
|---|---|---|---|
urn:oid:1.3.6.1.4.1.5923.1.1.1.1 | Not generally used in the OpenAthens federation. The role part of 'scopedAffiliation' of the user. | member | eduPersonAffiliation |
urn:oid:1.3.6.1.4.1.5923.1.1.1.2 | Not generally used in the OpenAthens federation. A persons nickname or preferred form of address. | bob | eduPersonNickname |
urn:oid:1.3.6.1.4.1.5923.1.1.1.3 | Not used in the OpenAthens federation. Little reason to use in any federation. The DN of the directory entry of the user's organisation. | DN=directory, CN=organisation, CN=org | eduPersonOrgDN |
urn:oid:1.3.6.1.4.1.5923.1.1.1.4 | Not used in the OpenAthens federation. Little reason to use in any federation. The DN of the directory entry of the user's organisation unit. | OU=campus, DN=directory, CN=organisation, CN=org | eduPersonOrgUnitDN |
urn:oid:1.3.6.1.4.1.5923.1.1.1.5 | Not generally used in the OpenAthens federation. A version of eduPersonAffiliation limited to a single value. | organisation.org | eduPersonPrimaryAffiliation |
urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | Occasionally used in the OpenAthens federation. The UPN of the user. Resembles an Email, but is unlikely to be an actual email. If you release this, OpenAthens will add your scope, so make sure you only populate the 'string' part of this (before the @). | string@organisation.org | eduPersonPrincipalName |
urn:oid:1.3.6.1.4.1.5923.1.1.1.7 | The 'Entitlement' value for a user. This one is technically in common usage, but few service providers ask for it. Is used to do more granular groupings than roles - e.g. if a library service could not afford to buy access for all 20,000 students, but could for the 150 Geology staff and students, they might arrange with the publisher to pass an entitlement value for just the geologists. Set these on permission sets. | geology | eduPersonEntitlement |
urn:oid:1.3.6.1.4.1.5923.1.1.1.8 | Not used in the OpenAthens federation. Little reason to use in any federation. Essentially the same as eduPersonOrgUnitDN and just as useful. | eduPersonPrimaryOrgUnitDN | |
urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | The 'scopedAffiliation' of the user. A two part identifier consisting of a role and a federation_scope. Since most federations are academic, roles are typically one or more of: member, staff, student, faculty, alum, library-walk-in, affiliate, employee. The federation scope is the organisation identifier and can identify sub-organisations too - e.g. a group of hospitals might have a root federation scope of Set these on permission sets. Users can have multiple values assigned. |
| eduPersonScopedAffiliation |
urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | The 'targetedID' of the user. An opaque user ID that is provided by default for any OpenAthens federation user, and is in general use in all major federations. It is persistent for a user so long as federation entityIDs do not change, however each publisher sees a different value. If OpenAthens gets a SAML1 request the returned attribute is scoped, but not for SAML 2. Will be replaced by PairwiseID in the future | 3d6qquvckr9vcauasrp3g13rur | eduPersonTargetedID |
urn:oid:1.3.6.1.4.1.5923.1.1.1.11 | Not generally used in the OpenAthens federation. Set of URIs that assert compliance with specific standards for identity assurance. These days entity categories are more likely to be used (See: https://wiki.refeds.org/display/ENT/Entity-Categories+Home). | http://blah.organisation.org/compliance/1http://blah.organisation.org/compliance/2 http://blah.federation.net/agreement | eduPersonAssurance |
urn:oid:1.3.6.1.4.1.5923.1.1.1.12 | Not generally used in the OpenAthens federation. Multi-valued set of previous eduPersonPrincipalNames the user may have had. | somthing@organisation.org another@organisation.org | eduPersonPrincipalNamePrior |
urn:oid:1.3.6.1.4.1.5923.1.1.1.13 | A persistent user identifier that is expected to be unique within a single federation. | oifh845oi8sd85o87a4h@organisation.org | eduPersonUniqueId |
urn:oid:1.3.6.1.4.1.5923.1.1.1.14 | Could be used in the OpenAthens federation ORCID iDs are persistent digital identifiers for individual researchers. Their primary purpose is to unambiguously and definitively link them with their scholarly work products. ORCID iDs are assigned, managed and maintained by the ORCID organisation: http://orcid.org/ | http://orcid.org/1234-5678-1234-5678 | eduPersonOrcid |
| urn:oasis:names:tc:SAML:attribute:pairwise-id | A replacement for eduPersonTargetedID. Can be sent by all OpenAtthens IdPs but is only sent by default for customers who joined in 2024 or later. |
| PairwiseID |
Whilst only the SAML 2 attributes are listed (SAML 2 superseded SAML 1 in 2005) a SAML 1 request from a publisher will get a SAML 1 response in the relevant namespace (e.g. urn:mace:attribute-def:edupersonTargetedID)