The following is a list of the core attributes available to Service Providers in the federation. Service Providers consume user attributes sent by Identity Providers to make authorisation decisions and to manage users' experiences with a service.
To receive user attributes, a Service Provider must have an AAF subscription or an affiliation to an organisation who is a subscriber. Service Providers should select only those attributes necessary to provide a service effectively. Identity Providers collect and generate attributes for their users. On user access to a Service Provider, the Service Provider may request some or all user attributes from a user's Identity Provider. The Identity Provider will release user attributes to the Service Provider only with a user's consent.
An organisation which offers a Service Provider may also host an Identity Provider which permits its members to use AAF services. The list of core attributes may evolve in response to the needs of AAF Subscribers.
The AAF's reference definitions of core and optional attributes are accessible here https://validator.aaf.edu.au/documentation/categories.
|auEduPersonSharedToken||ZsiAvfxa0BXULgcz7QXknbGtfxk||A unique identifier enabling federation spanning services such as Grid and Repositories.|
|displayName||Jack Liam Dougherty||Preferred name of a person to be used when displaying entries.|
|eduPersonAffiliation||faculty||Specifies the person’s relationship(s) to the institution in broad categories such as student, faculty, staff, alum, etc.|
|eduPersonEntitlement||urn:mace:washington.edu:confocalMicroscope http://www.sirca.org.au/contract/GL123||URI (either URN or URL) that indicates a set of rights to specific resources.|
|eduPersonScopedAffiliationfirstname.lastname@example.org||Specifies the person’s affiliation within a particular security domain in broad categories such as student, faculty, staff, alum, etc.|
|eduPersonTargetedID||https://idp.arcs.org.au/idp/shibboleth! https://manager.aaf.edu.au/shibboleth! cmWc3mKualJlxjAwfFdu2mVgRxw=||A persistent, non-reassigned, privacy-preserving identifier for a user shared between an identity provider and service provider. An identity provider uses the appropriate value of this attribute when communicating with a particular service provider or group of service providers, and does not reveal that value to any other service provider except in limited circumstances.|
|AuthenticationMethod||urn:mace:aaf.edu.au:iap:authn:1||URI that describes the method(s) used to verify the person's identity.|
|eduPersonAssurance||urn:mace:aaf.edu.au:iap:id:1||Set of URIs that assert compliance with specific standards for identity assurance.|
|eduPersonPrincipalNameemail@example.com||A scoped identifier for a person.|
|o (or organizationName)||The University of Queensland||Standard name of the top-level organization (institution) with which this person is associated.|
|firstname.lastname@example.org||Email address, single value. User’s preferred outward facing email address with regard to the organisation.|
AAF Attribute Vocabularies https://validator.aaf.edu.au/documentation/categories
Production Attribute Validator https://validator.aaf.edu.au/
Test Attribute Validator https://validator.test.aaf.edu.au/
Internet2 LDAP definitions https://spaces.at.internet2.edu/display/macedir/LDIFs
TERENA SCHAC Schema https://www.terena.org/activities/tf-emc2/schacreleases.html