Attributes and scopes

This document defines the attributes available to relying services from E-INFRA AAI.

E-INFRA Identifier

  • Description: Unique, never-recycled user identifier within E-INFRA AAI

  • SAML attribute(s): urn:oid:1.3.6.1.4.1.5923.1.1.1.13 (eduPersonUniqueId)

  • OIDC scope: openid

  • OIDC claim: sub

  • Multiplicity: Single-valued

  • Changes: Does not change

  • Example value: 3e65bd2aa4c818bd3579023939b546b69e1b75ee@einfra.cesnet.cz

  • Note: The value in e-INFRA CZ AAI is implemented as a SHA1 hash encoded in hexadecimal (40 characters), concatenated with the '@' character and the domain 'einfra.cesnet.cz', thus 57 characters in total. However, the eduPersonUniqueId specification allows up to 64 characters for the uniqueID portion and 256 characters for the scope portion, so the theoretical maximum length is 321 characters.
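As an added illustration (not part of this document or of E-INFRA AAI's own code), the following relying-service helper checks an incoming identifier against the format described in the note above and against the eduPersonUniqueId length limits, and picks the `sub` claim as the stable account key. The constants and claim dictionary are constructed for the example; the assumption that the hash is always lowercase hexadecimal is taken from the example value on this page.

```python
import re

# Values taken from this page: fixed scope and the hexadecimal SHA1 form of the uniqueID.
EINFRA_SCOPE = "einfra.cesnet.cz"
SHA1_HEX = re.compile(r"[0-9a-f]{40}")   # assumption: lowercase, as in the page's example
UNIQUEID_MAX = 64    # eduPersonUniqueId spec limit for the uniqueID portion
SCOPE_MAX = 256      # eduPersonUniqueId spec limit for the scope portion


def split_unique_id(value):
    """Return (uniqueID, scope) if value is a well-formed eduPersonUniqueId, else None.

    Well-formed here means exactly one '@', both portions non-empty, and each
    portion within the length limits of the specification.
    """
    if not isinstance(value, str) or value.count("@") != 1:
        return None
    uid, scope = value.split("@")
    if not uid or not scope:
        return None
    if len(uid) > UNIQUEID_MAX or len(scope) > SCOPE_MAX:
        return None
    return uid, scope


def is_einfra_identifier(value):
    """True only for the e-INFRA CZ AAI form: 40 hex characters @ einfra.cesnet.cz."""
    parsed = split_unique_id(value)
    if parsed is None:
        return False
    uid, scope = parsed
    return scope == EINFRA_SCOPE and SHA1_HEX.fullmatch(uid) is not None


def account_key(claims):
    """Pick the key under which a relying service stores the user's account.

    The page states that the identifier (OIDC claim 'sub') never changes, while
    'preferred_username' may be revoked, so only 'sub' is suitable as a primary key.
    Raises ValueError if the claim is missing or malformed.
    """
    sub = claims.get("sub")
    if not is_einfra_identifier(sub):
        raise ValueError("missing or malformed E-INFRA identifier in 'sub'")
    return sub


# Constructed sample claims using the example values on this page.
SAMPLE_CLAIMS = {
    "sub": "3e65bd2aa4c818bd3579023939b546b69e1b75ee@einfra.cesnet.cz",
    "preferred_username": "josef@einfra.cesnet.cz",
}

if __name__ == "__main__":
    print("account key:", account_key(SAMPLE_CLAIMS))
```

The length check is deliberately separate from the e-INFRA-specific check: a service that also accepts eduPersonUniqueId from other scopes can reuse `split_unique_id` and add its own scope allow-list.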

E-INFRA username

  • Description: User's login within E-INFRA AAI

  • SAML attribute(s): urn:oid:1.3.6.1.4.1.5923.1.1.1.6 (eduPersonPrincipalName)

  • OIDC scope: profile

  • OIDC claim: preferred_username (without scope)

  • Multiplicity: Single-valued

  • Changes: May be changed (revoked) over time (e.g. if a user changes their name). Revoked identifiers will not be reassigned.

  • Example value: josef@einfra.cesnet.cz

  • Note:

Affiliation with E-INFRA AAI

  • Description: Specifies the person's affiliation within the E-INFRA AAI. The scope after the at sign is fixed to 'einfra.cesnet.cz'. The default value affiliate@einfra.cesnet.cz is assigned automatically.

  • SAML attribute(s): urn:oid:1.3.6.1.4.1.5923.1.1.1.9 (eduPersonScopedAffiliation)

  • OIDC scope: -

  • OIDC claim: -

  • Multiplicity: Multi-valued

  • Changes: Can change

  • Example value: affiliate@einfra.cesnet.cz

  • Note: Same for all users: affiliate@einfra.cesnet.cz

Affiliation with home organization

  • Description: One or more home organisations (such as universities, research institutions or private companies) this user is affiliated with. The syntax and semantics follow the eduPersonScopedAffiliation attribute.

  • SAML attribute(s): urn:oid:1.3.6.1.4.1.34998.3.3.1.11

  • OIDC scope: voperson_external_affiliation

  • OIDC claim: voperson_external_affiliation

  • Multiplicity: Multi-valued

  • Changes: Can change

  • Example value: [affiliate@einfra.cesnet.cz, affiliate@google.extidp.cesnet.cz]

  • Note:

Entitlements

  • Description: A list of groups the user is a member of. The list is specific to the service and is merged with the list of groups received from the IdP.

  • SAML attribute(s): urn:oid:1.3.6.1.4.1.5923.1.1.1.7 (eduPersonEntitlement)

  • OIDC scope: eduperson_entitlement

  • OIDC claim: eduperson_entitlement

  • Multiplicity: Multi-valued

  • Changes: Can change

  • Example value: [urn:geant:cesnet.cz:group:einfra#Perun Identity and Management System - Maintenance, urn:geant:cesnet.cz:group:einfra:members#Perun Identity and Management System - Maintenance]

  • Note:

    • More information can be found here.
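As an added example (not the project's own code), the helpers below show how a relying service can turn the two multi-valued claims described above, voperson_external_affiliation and eduperson_entitlement, into an authorization decision. The claim names and the urn:geant:cesnet.cz:group: prefix are taken from this page; treating the text after '#' as an opaque label, the exact-match rule for groups, and the sample claims are assumptions made for the example.

```python
# Prefix taken from the example entitlement values on this page.
ENTITLEMENT_PREFIX = "urn:geant:cesnet.cz:group:"
# Every user carries this value (see "Affiliation with E-INFRA AAI"), so it says
# nothing about a home organisation and is excluded from home-org checks.
DEFAULT_AFFILIATION = ("affiliate", "einfra.cesnet.cz")


def as_list(claim):
    """Multi-valued claims may arrive as a list or, with one value, as a bare string."""
    if claim is None:
        return []
    if isinstance(claim, str):
        return [claim]
    return list(claim)


def parse_entitlement(value):
    """Split 'urn:geant:cesnet.cz:group:a:b#label' into (('a', 'b'), 'label').

    Returns None for values outside the page's group namespace. The part after
    '#' is kept but not used for matching (assumption: it is a display label).
    """
    if not isinstance(value, str) or not value.startswith(ENTITLEMENT_PREFIX):
        return None
    rest = value[len(ENTITLEMENT_PREFIX):]
    path, sep, label = rest.partition("#")
    parts = tuple(p.strip() for p in path.split(":") if p.strip())
    if not parts:
        return None
    return parts, (label.strip() if sep else None)


def parse_scoped_affiliation(value):
    """Split 'affiliate@einfra.cesnet.cz' into ('affiliate', 'einfra.cesnet.cz'), or None."""
    if not isinstance(value, str):
        return None
    affiliation, sep, scope = value.partition("@")
    if not sep or not affiliation or not scope:
        return None
    return affiliation.strip().lower(), scope.strip().lower()


def user_groups(claims):
    """Set of group paths (tuples) the user holds via eduperson_entitlement."""
    groups = set()
    for raw in as_list(claims.get("eduperson_entitlement")):
        parsed = parse_entitlement(raw.strip() if isinstance(raw, str) else raw)
        if parsed is not None:
            groups.add(parsed[0])
    return groups


def home_org_affiliations(claims):
    """(affiliation, scope) pairs from voperson_external_affiliation, minus the default."""
    result = []
    for raw in as_list(claims.get("voperson_external_affiliation")):
        parsed = parse_scoped_affiliation(raw)
        if parsed is not None and parsed != DEFAULT_AFFILIATION:
            result.append(parsed)
    return result


def is_member(claims, group_path):
    """Exact-match check: 'einfra:members' matches only that group, not 'einfra'."""
    wanted = tuple(p for p in group_path.split(":") if p)
    return wanted in user_groups(claims)


def has_home_org(claims, scope):
    """True if the user has any affiliation from the given home-organisation scope."""
    return any(s == scope.lower() for _, s in home_org_affiliations(claims))


# Constructed sample claims built from the example values on this page.
SAMPLE_CLAIMS = {
    "eduperson_entitlement": [
        "urn:geant:cesnet.cz:group:einfra#Perun Identity and Management System - Maintenance",
        "urn:geant:cesnet.cz:group:einfra:members#Perun Identity and Management System - Maintenance",
    ],
    "voperson_external_affiliation": [
        "affiliate@einfra.cesnet.cz",
        "affiliate@google.extidp.cesnet.cz",
    ],
}

if __name__ == "__main__":
    print("groups:", sorted(user_groups(SAMPLE_CLAIMS)))
    print("member of einfra:members:", is_member(SAMPLE_CLAIMS, "einfra:members"))
    print("home orgs:", home_org_affiliations(SAMPLE_CLAIMS))
```

Matching on the full group path rather than on a substring avoids granting "einfra:members" to a user who only holds "einfra:members-guests", and dropping the default affiliate@einfra.cesnet.cz value keeps a service from treating a value every user has as evidence of a home-organisation relationship.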

User's identifiers

  • Description: A list of all of the user's eduPersonPrincipalName values (merged from all registered external identities)

  • SAML attribute(s): urn:oid:1.3.6.1.4.1.34998.3.3.1.5

  • OIDC scope: voperson_external_id

  • OIDC claim: voperson_external_id

  • Multiplicity: Multi-valued

  • Changes: Can change

  • Example value: [cesnetLogin@cesnet.cz, googleLogin@google.extidp.cesnet.cz]

  • Note:

loa

  • Description: Maximum LoA value across all external identities

  • SAML attribute(s): urn:oid:1.3.6.1.4.1.8057.2.1

  • OIDC scope: -

  • OIDC claim: -

  • Multiplicity: Single-valued

  • Changes: Can change

  • Example value: 2

  • Note: DEPRECATED

Display Name

  • Description: User's display name

  • SAML attribute(s):

    • urn:oid:2.16.840.1.113730.3.1.241 (displayName)

    • urn:oid:2.5.4.3 (cn)

  • OIDC scope: profile

  • OIDC claim: name

  • Multiplicity: Single-valued

  • Changes: Can change

  • Example value: Josef Novák

  • Note:

sn

  • Description: User surname

  • SAML attribute(s): urn:oid:2.5.4.4

  • OIDC scope: profile

  • OIDC claim: family_name

  • Multiplicity: Single-valued

  • Changes: Can change

  • Example value: Novák

  • Note:

givenName

  • Description: User given name

  • SAML attribute(s): urn:oid:2.5.4.42 (givenName)

  • OIDC scope: profile

  • OIDC claim: given_name

  • Multiplicity: Single-valued

  • Changes: Can change

  • Example value: Josef

  • Note:

mail

  • Description: User Email

  • SAML attribute(s): urn:oid:0.9.2342.19200300.100.1.3 (mail)

  • OIDC scope: email

  • OIDC claim: email

  • Multiplicity: Single-valued

  • Changes: Can change

  • Example value: email@email.com

  • Note:

Offline access

  • Description: Allows a refresh token to be issued

  • SAML attribute(s): -

  • OIDC scope: offline_access

  • OIDC claim: offline_access

  • Multiplicity: Single-valued

  • Changes: Can change

  • Example value: true

  • Note:

Access into Perun RPC API

  • Description: Allows access to the Perun RPC API

  • SAML attribute(s): -

  • OIDC scope: perun_api

  • OIDC claim: perun_api

  • Multiplicity: Single-valued

  • Changes: Can change

  • Example value: TRUE

  • Note: The value is static.

Perun Admin access

  • Description: Indicates whether the user has Perun Admin access rights.

  • SAML attribute(s): -

  • OIDC scope: perun_admin

  • OIDC claim: perun_admin

  • Multiplicity: Single-valued

  • Changes: Can change

  • Example value: TRUE

  • Note: The value is static.

Support: perun@cesnet.cz