Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


  • sub - a non-persistent user identifier.
  • realmName - the SAML entityID of the end-users' organisation - e.g. 
  • Issuer.errorURL - where present will be a URL a user can be sent to when you can't let them in because of something at their end. See: The errorURL attribute and what it is for

  • eduPersonTargetedID - a persistent user identifieridentifier 
  • eduPersonScopedAffiliation - a scoped role - e.g. 
  • derivedEduPersonAffiliation - just the role bit extracted from the thing above - e.g. member
  • derivedEduPersonScope - just the scope bit, etc - e.g. hogwarts.sch.ukuk 
  • pairwiseID - another persistent user identifier

There may be more, depending on what the identity provider is sending, but these should always show up.