Standard attributes in the OpenAthens federation
One of the major advantages of a federation is a standard set of attribute names can be defined so that both IdP and SP can use generic setups in most cases and do not need to maintain hundreds of separate configurations.
The following attributes are part of the recommended federation attribute set for the OpenAthens federation and can be used for authorization unless otherwise stated.
SAML 2
This is the default mode for IdPs in the OpenAthens federation.
urn:oid:1.3.6.1.4.1.5923.1.1.1.10
The targetedID of the user. This is a consistent user ID you can use to recognize individuals when you need to do so.
Example: "159qddg1761rh8d0uo48a2ko5q"
Should always be released by IdP members of the OpenAthens federation.
Single-valued. Unique to the user.
Will be retired once everyone has moved to using Pairwise-ID.
urn:oasis:names:tc:SAML:attribute:pairwise-id
The Pairwise-ID of the user. Similar to targetedID, this is a consistent user ID you can use to recognize individuals when you need to do so.
Example: "OWI3YCR14MOJA8OGKJEN5TGWN=@organization.org"
Should be released by IdPs in the OpenAthens federation who joined after November 2023. May be release by older IdPs.
Single valued. Unique to the user. Scoped.
See: About Pairwise-ID
urn:oid:1.3.6.1.4.1.5923.1.1.1.9
The user's role and organization (scope). Sometimes called scopedAffiliation.
Formed by combining a role and an organization's scope.
Example: "member@organization.com"
Standard values for role are:
affiliate
alum
employee
faculty
library-walk-in
member
staff
student
Should always be released by IdP members of the OpenAthens federation (where a value is present).
May be multi-valued.
A good choice for authorization decisions. Such decisions should usually be allow if X rather than deny if Y, as a user may have several roles, e.g. both “staff” and “student”. The exception would be “library-walk-in”.
Example pseudocode
# Any role from a known organization
WHEN VALUE OF
orn:oid:1.3.6.1.4.1.5923.1.1.9
MATCHES
*@organization.com
THEN
AllowAccess
---
# Any user with the 'member' role from subscribing organizations
WHEN VALUE OF
orn:oid:1.3.6.1.4.1.5923.1.1.9
MATCHES
member@{subscriber_scopes}
THEN
AllowAccessurn:oid:1.3.6.1.4.1.5923.1.1.1.7
Any entitlement value that may apply.
Examples: "dental" or "med"
Released by IdP members of the OpenAthens federation when a value applies to a relevant user / service provider combination.
May be multi-valued.
Use this for authorization where you need a greater level of granularity than role - e.g. the difference between regular students and medical students, or if they have a department level subscription. SPs can define the value they want released.
Legacy Shibboleth names
These are returned by OpenAthens IdPs in response to SAML 1.1 requests only, so are unlikely to come up in regular usage.
urn:mace:dir:attribute-def:eduPersonTargetedID
A unique identifier for the user that is also unique to the service provider. This attribute is scoped.
Example: "159qddg1761rh8d0uo48a2ko5q@organization.com"
urn:mace:dir:attribute-def:eduPersonScopedAffiliation
Role. This attribute is scoped.
Example: "member@organization.com"
urn:mace:dir:attribute-def:eduPersonEntitlement
Anything you need it to be.
Example: "urn:mace:dir:entitlement:common-lib-terms"
OpenAthens specific attributes
These will be retired in the future and are provided only to help you transition from older technologies. They must not be used for authorization or persistence.
organisationNum
urn:mace:eduserv.org.uk:athens:attribute-def:organisation:1.0:identifier
The OpenAthens organization ID to help SPs who are moving from old Athens software to federated access map organizations to scopes.
Example: "3032813"
Only released by older IdP members of the OpenAthens federation. Newer customers do not release it and you should use scopedAffiliation instead.