
Extended attributes in the OpenAthens federation

As well as the standard attributes, OpenAthens IdPs are capable of sending the following additional attributes for things like personalisation. The attribute names are:

  • forenames
    • The first name of the account holder as recorded on the system.
  • surname
    • The last name of the account holder as recorded on the system.
  • emailAddress
    • The email address recorded on the account.

Whilst you can make use of these attributes if present, you should neither expect nor require them, because local data protection laws, policies, user objections or other restraints may prevent an IdP from releasing them to you. Consequently, you must not use them for authorisation.

Example of these attributes within a SAML assertion

XML
<saml:AttributeStatement>
...
    <saml:Attribute Name="surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
       <saml:AttributeValue>Picard</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="forenames" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
       <saml:AttributeValue>Jean Luc</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="emailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
       <saml:AttributeValue>jeanluc.picard@starfleet.mil</saml:AttributeValue>
    </saml:Attribute>
...
</saml:AttributeStatement>
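
The following added example (not OpenAthens code) shows a service provider reading the three extended attributes for personalisation only, treating each one as optional. The function names, the fallback greeting and the sample statement are assumptions, and the assertion is assumed to have been signature-validated by your SAML library before this code sees it.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Extended attribute names listed on this page; an IdP may withhold any of them.
OPTIONAL_ATTRS = ("forenames", "surname", "emailAddress")

# Constructed sample: an IdP that releases only surname (no forenames, no email).
SAMPLE_PARTIAL = """\
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="surname"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue>Picard</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def extract_profile(attribute_statement_xml):
    """Return {name: value or None} for the optional extended attributes.

    Assumption: the enclosing assertion's signature and conditions were
    already checked by the SAML stack; this only reads values for display.
    """
    root = ET.fromstring(attribute_statement_xml)
    profile = dict.fromkeys(OPTIONAL_ATTRS)  # every attribute starts as absent
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        name = attr.get("Name")
        if name not in profile:
            continue  # not a personalisation attribute; handled elsewhere
        value = attr.findtext("saml:AttributeValue", default="", namespaces=SAML_NS)
        profile[name] = value.strip() or None  # an empty value counts as absent
    return profile


def greeting(profile, fallback="Welcome"):
    """Build a greeting that still works when the IdP withholds the names."""
    parts = [profile.get(key) for key in ("forenames", "surname")]
    name = " ".join(p for p in parts if p)
    return f"{fallback}, {name}" if name else fallback


if __name__ == "__main__":
    profile = extract_profile(SAMPLE_PARTIAL)
    print(profile)
    print(greeting(profile))
    # The profile is used for display only; access decisions never read it.
```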


Our customers can release additional attributes under almost any name that is mutually agreed, but because this kind of 1:1 agreement can become incredibly complex for all parties in a federated context, it is best to use standard attributes.
