eduPerson attributes
A list of the eduPerson attributes that might be encountered in federations around the world. The highlighted ones are generally common to all; the others are unlikely to come up outside of a local context. The last column is only relevant if you are using the eduPerson mapping rule in OpenAthens Keystone.
SAML attribute | What is it? | Typical value where relevant | Claim (assumes use of the preconfigured rulesets) |
---|---|---|---|
urn:oid:1.3.6.1.4.1.5923.1.1.1.1 | Not generally used in the OpenAthens federation. The role part of 'scopedAffiliation' of the user. | member | eduPersonAffiliation |
urn:oid:1.3.6.1.4.1.5923.1.1.1.2 | Not generally used in the OpenAthens federation. A person's nickname or preferred form of address. | bob | eduPersonNickname |
urn:oid:1.3.6.1.4.1.5923.1.1.1.3 | Not used in the OpenAthens federation. Little reason to use in any federation. The DN of the directory entry of the user's organisation. | DN=directory, CN=organisation, CN=org | eduPersonOrgDN |
urn:oid:1.3.6.1.4.1.5923.1.1.1.4 | Not used in the OpenAthens federation. Little reason to use in any federation. The DN of the directory entry of the user's organisation unit. | OU=campus, DN=directory, CN=organisation, CN=org | eduPersonOrgUnitDN |
urn:oid:1.3.6.1.4.1.5923.1.1.1.5 | Not generally used in the OpenAthens federation. Little reason to use in any federation. A version of eduPersonAffiliation limited to a single value. | organisation.org | eduPersonPrimaryAffiliation |
urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | Not generally used in the OpenAthens federation. The UPN of the user. Resembles an Email but should not be expected to be one. | string@organisation.org | eduPersonPrincipalName |
urn:oid:1.3.6.1.4.1.5923.1.1.1.7 | The 'Entitlement' value for a user. This one is technically in common usage, but few service providers ask for it. Is used to do more granular groupings than roles - e.g. if a library service could not afford to buy access for all 20,000 students, but could for the 150 Geology staff and students, they could pass you an entitlement value for just the geologists, and you can make a sale. You define the value that you want them to pass for the group of users. | geology | eduPersonEntitlement |
urn:oid:1.3.6.1.4.1.5923.1.1.1.8 | Not used in the OpenAthens federation. Little reason to use in any federation. Essentially the same as eduPersonOrgUnitDN and just as useful. | | eduPersonPrimaryOrgUnitDN |
urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | The 'scopedAffiliation' of the user. A two-part identifier consisting of a role and a federation_scope. This attribute may be multi-valued, so if any part of it is used for authorisation the condition should be inclusive rather than exclusive. It is generally released by default for any user in any federation. Role values are defined by the federation. Most federations are academic, so roles are typically one or more of: member, staff, student, faculty, alum, library-walk-in, affiliate, employee. The federation scope is the organisation identifier and can identify sub-organisations too - e.g. a group of hospitals might have a root federation scope of It is the claim(s) based on this attribute that it is best to base authorisation on. | | eduPersonScopedAffiliation |
urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | The 'targetedID' of the user. An opaque user ID that is provided by default for any OpenAthens federation user, and is in general use in all major federations. It is persistent for a user so long as federation entityIDs do not change. It is being deprecated in favour of Pairwise-ID. | 3d6qquvckr9vcauasrp3g13rur | eduPersonTargetedID |
urn:oid:1.3.6.1.4.1.5923.1.1.1.11 | Not generally used in the OpenAthens federation. Set of URIs that assert compliance with specific standards for identity assurance. | http://blah.organisation.org/compliance/1 http://blah.organisation.org/compliance/2 http://blah.federation.net/agreement | eduPersonAssurance |
urn:oid:1.3.6.1.4.1.5923.1.1.1.12 | Not used in the OpenAthens federation. Multi-valued set of previous eduPersonPrincipalNames the user may have had. | something@organisation.org another@organisation.org | eduPersonPrincipalNamePrior |
urn:oid:1.3.6.1.4.1.5923.1.1.1.13 | Not generally used in the OpenAthens federation. A persistent user identifier expected to be unique within a federation. Very unlikely to ever come up. | oifh845oi8sd85o87a4hi8ai4ai8ah.federation | eduPersonUniqueId |
| Could be used in the OpenAthens federation. ORCID iDs are persistent digital identifiers for individual researchers. Their primary purpose is to unambiguously and definitively link them with their scholarly work products. ORCID iDs are assigned, managed and maintained by the ORCID organisation: http://orcid.org/ | http://orcid.org/1234-5678-1234-5678 | eduPersonOrcid |
| A unique identifier designed to replace eduPersonTargetedID. Will be increasingly used in all federations. See: About Pairwise-ID | OWI3YCR14MOJA8OGKJEN5TGWN=@organisation.org | pairwiseID |
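The scopedAffiliation row above makes two points a service provider has to get right: the attribute can carry several role@scope values, and an authorisation condition must therefore be inclusive (any matching value grants access) rather than keyed to a single value. The following Python is an added example, not code from the page or from OpenAthens; it parses a constructed SAML 2.0 AttributeStatement, maps the OIDs from the table to their claim names, and contrasts an inclusive check with the first-value-only anti-pattern. The scope comparison against the organisation you actually licensed is this example's own assumption, added so that a matching role asserted under some other scope is not accepted.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace used for the Attribute elements.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# OID -> claim name, taken from the table above (only the rows used here).
CLAIM_NAMES = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.7": "eduPersonEntitlement",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "eduPersonTargetedID",
}

# Constructed sample statement (not a real assertion; signature and
# conditions are omitted). Note the multi-valued scopedAffiliation with
# 'member' listed before 'staff'.
SAMPLE_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
    <saml:AttributeValue>member@organisation.org</saml:AttributeValue>
    <saml:AttributeValue>staff@organisation.org</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7">
    <saml:AttributeValue>geology</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10">
    <saml:AttributeValue>3d6qquvckr9vcauasrp3g13rur</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def parse_claims(xml_text):
    """Return {claim name: [values]} for the OIDs in CLAIM_NAMES.

    Every claim is a list because any eduPerson attribute may be
    multi-valued; attributes not in the mapping are ignored.
    """
    root = ET.fromstring(xml_text)
    claims = {}
    for attr in root.findall("saml:Attribute", NS):
        name = CLAIM_NAMES.get(attr.get("Name"))
        if name is None:
            continue
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        claims.setdefault(name, []).extend(values)
    return claims


def split_scoped(value):
    """Split 'role@federation_scope' into (role, scope).

    Malformed values (missing '@', empty role or scope) yield (None, None)
    so they can never satisfy an authorisation check.
    """
    role, sep, scope = value.partition("@")
    if not sep or not role or not scope:
        return None, None
    return role.lower(), scope.lower()


def is_authorised(claims, allowed_roles, expected_scope):
    """Inclusive check: grant if ANY scopedAffiliation value carries an
    allowed role AND its scope is the organisation we licensed.
    (Checking the scope is this example's assumption, not a table rule.)"""
    for value in claims.get("eduPersonScopedAffiliation", []):
        role, scope = split_scoped(value)
        if role in allowed_roles and scope == expected_scope.lower():
            return True
    return False


def is_authorised_exclusive(claims, allowed_roles, expected_scope):
    """The anti-pattern: only the first value is inspected, so a user whose
    'staff' affiliation happens to be listed after 'member' is wrongly denied."""
    values = claims.get("eduPersonScopedAffiliation", [])
    if not values:
        return False
    role, scope = split_scoped(values[0])
    return role in allowed_roles and scope == expected_scope.lower()


def has_entitlement(claims, required):
    """Entitlement check for the finer-grained grouping the table describes."""
    return required in claims.get("eduPersonEntitlement", [])


if __name__ == "__main__":
    c = parse_claims(SAMPLE_STATEMENT)
    print("inclusive:", is_authorised(c, {"staff", "faculty"}, "organisation.org"))
    print("exclusive:", is_authorised_exclusive(c, {"staff", "faculty"}, "organisation.org"))
    print("geology entitlement:", has_entitlement(c, "geology"))
```

Run stand-alone, the inclusive check grants the staff user while the first-value-only check denies them, which is exactly the difference the table warns about. Normalising to lower case before comparing avoids spurious denials when an IdP emits mixed-case roles or scopes, and rejecting malformed values outright means a value without a scope cannot be mistaken for a role alone.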