Extended attributes in the OpenAthens federation

As well as the standard attributes, OpenAthens IdPs are capable of sending the following additional attributes for things like personalisation. The attribute names are:

forenames
- The first name of the account holder as recorded on the system.
surname
- The last name of the account holder as recorded on the system.
emailAddress
- The email address recorded on the account.

Whilst you can make use of these attributes if present you should neither expect nor require them because local data protection laws, policies, user objections or other restraints may prevent an IdP from releasing these to you. Consequently you must not use them for authorisation.

Example of these attributes within a SAML assertion

XML

<saml:AttributeStatement>
...
    <saml:Attribute Name="surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
       <saml:AttributeValue>Picard</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="forenames" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
       <saml:AttributeValue>Jean Luc</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="emailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
       <saml:AttributeValue>jeanluc.picard@starfleet.mil</saml:AttributeValue>
    </saml:Attribute>
...
 </saml:AttributeStatement>

Our customers can release additional attributes under almost any name that is mutually agreed, but as this kind of 1:1 agreement can get incredibly complex for all parties in a federated context it is best to use standard attributes.