Attributes and scopes
This document defines the attributes available to relying services from E-INFRA AAI.
E-INFRA Identifier
Description: Unique, non-recycled user identifier within E-INFRA AAI
SAML attribute(s): urn:oid:1.3.6.1.4.1.5923.1.1.1.13 (eduPersonUniqueId)
OIDC scope: openid
OIDC claim: sub
Multiplicity: No
Changes: No
Example value: 3e65bd2aa4c818bd3579023939b546b69e1b75ee@einfra.cesnet.cz
Note:
E-INFRA username
Description: User's login within E-INFRA AAI
SAML attribute(s): urn:oid:1.3.6.1.4.1.5923.1.1.1.6 (eduPersonPrincipalName)
OIDC scope: profile
OIDC claim: preferred_username (Without scope)
Multiplicity: Single-value
Changes: May be changed (revoked) over time (e.g. if a user changes their name). Revoked identifiers will not be reassigned.
Example value: josef@einfra.cesnet.cz
Note:
Affiliation with E-INFRA AAI
Description: Specifies the person's affiliation within the E-INFRA AAI. Fixed scope '@einfra.cesnet.cz' is used after the at sign. The default value affiliate@einfra.cesnet.cz is automatically assigned.
SAML attribute(s): urn:oid:1.3.6.1.4.1.5923.1.1.1.9 (eduPersonScopedAffiliation)
OIDC scope: -
OIDC claim: -
Multiplicity: Multi-valued
Changes: Can change
Example value: affiliate@einfra.cesnet.cz
Note: Same for all users: affiliate@einfra.cesnet.cz
Affiliation with home organization
Description: One or more home organisations (such as universities, research institutions or private companies) this user is affiliated with. The syntax and semantics follow the eduPersonScopedAffiliation attribute.
SAML attribute(s): urn:oid:1.3.6.1.4.1.34998.3.3.1.11
OIDC scope: voperson_external_affiliation
OIDC claim: voperson_external_affiliation
Multiplicity: Multi-valued
Changes: Can change
Example value: [affiliate@einfra.cesnet.cz, affiliate@google.extidp.cesnet.cz]
Note:
Entitlements
Description: A list of groups the user is a member of. The list is specific to the service and is merged with the list of groups received from the IdP.
SAML attribute(s): urn:oid:1.3.6.1.4.1.5923.1.1.1.7 (eduPersonEntitlement)
OIDC scope: eduperson_entitlement
OIDC claim: eduperson_entitlement
Multiplicity: Multi-valued
Changes: Can change
Example value: [urn:geant:cesnet.cz:group:einfra#Perun Identity and Management System - Maintenance, urn:geant:cesnet.cz:group:einfra:members#Perun Identity and Management System - Maintenance]
Note:
More information can be found here.
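How a relying service should consume the identifier, entitlement and affiliation claims listed above, as an added example that is not part of this page or of E-INFRA's own code: it keys the local account on sub (the E-INFRA Identifier, which never changes), keeps preferred_username only for display because it may be changed or revoked, and parses eduperson_entitlement and voperson_external_affiliation into values a service can check. The claim set is constructed from the example values on this page; reading the part after '#' in an entitlement as the issuing authority follows the AARC-G002 convention and is an assumption, not something this page states.

```python
"""Map E-INFRA AAI OIDC claims to a local account (added example, not E-INFRA code).
Assumes the claims at the bottom are constructed from the page's example values and that the
text after '#' in an entitlement is the issuing authority (AARC-G002 convention, an assumption)."""
import re
from dataclasses import dataclass
from typing import Optional

# urn:geant:<namespace>:group:<path>#<authority>
ENTITLEMENT_RE = re.compile(r"^urn:geant:(?P<ns>[^:]+):group:(?P<path>[^#\s]+)\s*#\s*(?P<auth>.+?)\s*$")
# <affiliation>@<scope>, the eduPersonScopedAffiliation syntax reused by voperson_external_affiliation
SCOPED_RE = re.compile(r"^(?P<value>[^@]+)@(?P<scope>[^@]+)$")

@dataclass(frozen=True)
class Account:
    key: str                 # 'sub' (eduPersonUniqueId): stable, never reassigned; key records on this
    login: Optional[str]     # preferred_username: may change or be revoked, so display it, never key on it
    groups: dict             # group path -> authority, parsed from eduperson_entitlement
    affiliations: frozenset  # {(affiliation, scope)} parsed from voperson_external_affiliation

def parse_entitlement(value: str) -> Optional[tuple]:
    """(group path, authority) for a group entitlement URN, None for anything else."""
    m = ENTITLEMENT_RE.match(value)
    return (m["path"], m["auth"]) if m else None

def parse_scoped(value: str) -> Optional[tuple]:
    m = SCOPED_RE.match(value)
    return (m["value"], m["scope"]) if m else None

def account_from_claims(claims: dict) -> Account:
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise ValueError("'sub' missing: refuse to map the user to a local account")
    groups = {}
    for ent in claims.get("eduperson_entitlement", []):
        parsed = parse_entitlement(ent)   # URNs in another format are ignored, not trusted
        if parsed:
            groups[parsed[0]] = parsed[1]
    affs = frozenset(p for p in map(parse_scoped, claims.get("voperson_external_affiliation", [])) if p)
    return Account(sub, claims.get("preferred_username"), groups, affs)

# Constructed userinfo response; values are the examples given in the attribute list.
SAMPLE_CLAIMS = {
    "sub": "3e65bd2aa4c818bd3579023939b546b69e1b75ee@einfra.cesnet.cz",
    "preferred_username": "josef@einfra.cesnet.cz",
    "eduperson_entitlement": [
        "urn:geant:cesnet.cz:group:einfra#Perun Identity and Management System - Maintenance",
        "urn:geant:cesnet.cz:group:einfra:members#Perun Identity and Management System - Maintenance",
    ],
    "voperson_external_affiliation": ["affiliate@einfra.cesnet.cz", "affiliate@google.extidp.cesnet.cz"],
}
```

A service that checks group membership looks up the group path in `acct.groups` and checks affiliation with `(affiliation, scope) in acct.affiliations`; neither check should ever fall back to the login name.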
User's identifiers
Description: A list of all the user's eduPersonPrincipalName values (merged from all registered external identities)
SAML attribute(s): urn:oid:1.3.6.1.4.1.34998.3.3.1.5
OIDC scope: voperson_external_id
OIDC claim: voperson_external_id
Multiplicity: Multi-valued
Changes: Can change
Example value: [cesnetLogin@cesnet.cz, googleLogin@google.extidp.cesnet.cz]
Note:
loa
Description: Maximum LoA value across all external identities
SAML attribute(s): urn:oid:1.3.6.1.4.1.8057.2.1
OIDC scope: -
OIDC claim: -
Multiplicity: Single-valued
Changes: Can change
Example value: 2
Note: DEPRECATED
Display Name
Description: User name
SAML attribute(s):
urn:oid:2.16.840.1.113730.3.1.241 (displayName)
urn:oid:2.5.4.3 (cn)
OIDC scope: profile
OIDC claim: name
Multiplicity: Single-valued
Changes: Can change
Example value: Josef Novák
Note:
sn
Description: User surname
SAML attribute(s): urn:oid:2.5.4.4
OIDC scope: profile
OIDC claim: family_name
Multiplicity: Single-valued
Changes: Can change
Example value: Novák
Note:
givenName
Description: User given name
SAML attribute(s): urn:oid:2.5.4.42 (givenName)
OIDC scope: profile
OIDC claim: given_name
Multiplicity: Single-valued
Changes: Can change
Example value: Josef
Note:
mail
Description: User email
SAML attribute(s): urn:oid:0.9.2342.19200300.100.1.3 (mail)
OIDC scope: email
OIDC claim: email
Multiplicity: Single-valued
Changes: Can change
Example value: email@email.com
Note:
Offline access
Description: Possibility to release a refresh token
SAML attribute(s): -
OIDC scope: offline_access
OIDC claim: offline_access
Multiplicity: Single-valued
Changes: Can change
Example value: true
Note:
Access to Perun RPC API
Description: Possibility to access the Perun RPC API
SAML attribute(s): -
OIDC scope: perun_api
OIDC claim: perun_api
Multiplicity: Single-valued
Changes: Can change
Example value: TRUE
Note: The value is static.
Perun Admin access
Description: Information whether the user has Perun Admin access rights.
SAML attribute(s): -
OIDC scope: perun_admin
OIDC claim: perun_admin
Multiplicity: Single-valued
Changes: Can change
Example value: TRUE
Note: The value is static.
Support: perun@cesnet.cz