Australian Access Federation Support Desk

AAF Core Attributes

by Elleina Filippi Follow

 The following is the list of core attributes used within the AAF. AAF Identity Providers need to collect or generate the core attributes regarding their end users. When an end user tries to access a service via the federation, the Service Provider may request some or all of these attributes about the end user from the Identity Provider. With end user permission, the Identity Provider may release the attributes to the Service Provider.

The attributes are used by the Service Provider to make authorisation decisions and to manage the user’s experience with the service. Service Providers should consider which attributes they need in order to provide the service effectively and only request those attributes that are needed. The list of core attributes may evolve over time in response to the needs of AAF Subscribers. 


Example Value


auEduPersonSharedToken ZsiAvfxa0BXULgcz7QXknbGtfxk A unique identifier enabling federation spanning services such as Grid and Repositories.
displayName Jack Liam Dougherty Preferred name of a person to be used when displaying entries.
eduPersonAffiliation faculty Specifies the person’s relationship(s) to the institution in broad categories such as student, faculty, staff, alum, etc.
eduPersonEntitlement URI (either URN or URL) that indicates a set of rights to specific resources.
eduPersonScopedAffiliation Specifies the person’s affiliation within a particular security domain in broad categories such as student, faculty, staff, alum, etc.
eduPersonTargetedID!! cmWc3mKualJlxjAwfFdu2mVgRxw= A persistent, non-reassigned, privacy-preserving identifier for a user shared between an identity provider and service provider. An identity provider uses the appropriate value of this attribute when communicating with a particular service provider or group of service providers, and does not reveal that value to any other service provider except in limited circumstances.
AuthenticationMethod Set of URIs that assert compliance with specific standards for authentication method.
eduPersonAssurance Set of URIs that assert compliance with specific standards for identity assurance.
cn Jack Dougherty User’s first name then surname.
o (or organizationName) The University of Queensland Standard name of the top-level organization (institution) with which this person is associated.
mail Email address, single value. User’s preferred outward facing email address with regard to the organisation.

[List of Core Attributes as documented in Appendix 1 of the Federation Rules for Participants]

We also recommend you implement the following attribute not currently in the Core list. It can assists in interacting with some federation services.

AAF Recommended Attributes 
 Attribute Name  Typical Source    Description  
 givenName    LDAP  A persons first name or preferred name 
 sn (surname)    LDAP  A persons surname  
 schacHomeOrganization   Static                   Specifies a person’s home organisation using the domain name of the organisation. 
 schacHomeOrganizationType  Static  Specifies a person’s home organisation's type. 
 organizationalUnit  LDAP  Specifies a person's unit within their home organisation.
 postalAddress  LDAP  Specifies a person's postal address.
 telephoneNumber  LDAP  Specifies a person's telephone number.
 mobileNumber  LDAP  Specifies a person's mobile telephone number.
 businessCategory  LDAP  Define the type of business in which organisation is involved.


 departmentNumber  LDAP  Specify a person’s department code within their organisation.
 division  LDAP  Specify a person’s division within their organisation.
eduPersonOrcid  LDAP  A persistent digital identifier that distinguishes the account holder from every other researcher.


Detailed information about these attributes can be found in the auEduPerson Definition and Attribute Vocabulary

Many other attributes are listed in this document in addition to the AAF core attributes.Together they form a standard attribute vocabulary for the sector and federation subscribers may find it useful to explore additional user attributes; however AAF Identity Providers are only required to support those attributes in the core list.

The LDAP Schema definitions (LDIFs) needed to extend your directory can be found at the follow links:

Further information about the responsibilities of AAF subscribers in managing user attributes can be found in the Federation Rules.

Note: the SCHAC schema contains only non-core (optional) AAF attributes.

Have more questions? Submit a request

Was this article helpful?
0 out of 0 found this helpful


Powered by Zendesk