Overview

The attributes are used by the Service Provider to make authorisation decisions and to manage the user’s experience with the service. Service Providers should consider which attributes they need in order to provide the service effectively and only request those attributes that are needed. The list of core attributes may evolve over time in response to the needs of AAF Subscribers.


Prerequisites

Attributes are sent by institutions (Identity Providers) to third-party applications and Service Providers, which use them to decide what level of access to grant to a value-added service the organisation subscribes to. To have attributes sent on your behalf to these services, you must first be affiliated with an organisation in the federation or hold an account within the Australian Access Federation Virtual Home Organisation. If you are unsure whether you have an account appropriate for access to a service, contact your institutional or Identity Provider administrator.


Details

The following is the list of core attributes used within the AAF. AAF Identity Providers need to collect or generate the core attributes for their end users. When an end user tries to access a service via the federation, the Service Provider may request some or all of these attributes about the end user from the Identity Provider (the user's institution). With the end user's permission, the Identity Provider may release these attributes to the Service Provider. Below is the list of core attributes that are required to use and authenticate to third-party services:


Attribute: auEduPersonSharedToken
Example value: ZsiAvfxa0BXULgcz7QXknbGtfxk
Description: A unique identifier enabling federation-spanning services such as Grid and Repositories.

Attribute: displayName
Example value: Jack Liam Dougherty
Description: Preferred name of a person to be used when displaying entries.

Attribute: eduPersonAffiliation
Example value: faculty
Description: Specifies the person's relationship(s) to the institution in broad categories such as student, faculty, staff, alum, etc.

Attribute: eduPersonEntitlement
Example values: urn:mace:washington.edu:confocalMicroscope, http://www.sirca.org.au/contract/GL123
Description: URI (either URN or URL) that indicates a set of rights to specific resources.

Attribute: eduPersonScopedAffiliation
Example value: faculty@uq.edu.au
Description: Specifies the person's affiliation within a particular security domain (the scope after the "@") in broad categories such as student, faculty, staff, alum, etc.

Attribute: eduPersonTargetedID
Example value: https://idp.arcs.org.au/idp/shibboleth!https://manager.aaf.edu.au/shibboleth!cmWc3mKualJlxjAwfFdu2mVgRxw=
Description: A persistent, non-reassigned, privacy-preserving identifier for a user shared between an Identity Provider and Service Provider. An Identity Provider uses the appropriate value of this attribute when communicating with a particular Service Provider or group of Service Providers, and does not reveal that value to any other Service Provider except in limited circumstances. The value has the form IdP-entityID!SP-entityID!opaque-value.

Attribute: AuthenticationMethod
Example value: urn:mace:aaf.edu.au:iap:authn:1
Description: Set of URIs that assert compliance with specific standards for authentication method.

Attribute: eduPersonAssurance
Example value: urn:mace:aaf.edu.au:iap:id:1
Description: Set of URIs that assert compliance with specific standards for identity assurance.

Attribute: cn
Example value: Jack Dougherty
Description: User's first name followed by surname.

Attribute: o (or organizationName)
Example value: The University of Queensland
Description: Standard name of the top-level organisation (institution) with which this person is associated.

Attribute: mail
Example value: j.dougherty@uq.edu.au
Description: Email address, single value. User's preferred outward-facing email address with regard to the organisation.
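A Service Provider should not trust released attribute values blindly: a scoped affiliation is only meaningful if the asserting Identity Provider is registered in federation metadata for that scope, and an eduPersonTargetedID is only valid if it was minted for this Service Provider. The following is an added example, not AAF code, of the SP-side checks a practitioner would run over the decoded attributes before making an authorisation decision. It assumes the attributes arrive as a dict of attribute name to a list of string values (as a SAML SP exposes them), and the IdP entityID, its registered scope `uq.edu.au`, the SP entityID and the attribute values are constructed from the table above.

```python
"""SP-side sanity checks on AAF core attributes (added example, not AAF code).

Assumptions: attributes arrive as {name: [values]} after the SP has verified
the SAML assertion; the asserting IdP's entityID and its registered scopes
come from federation metadata, never from the assertion itself.
"""
from urllib.parse import urlsplit

# eduPerson affiliation vocabulary (from the eduPerson schema).
AFFILIATIONS = {"faculty", "student", "staff", "employee", "member",
                "affiliate", "alum", "library-walk-in"}

# Core attributes that must carry exactly one value.
SINGLE_VALUED = ("auEduPersonSharedToken", "displayName", "cn", "o", "mail",
                 "eduPersonTargetedID")

# Core attributes whose every value must be an absolute URI (URN or URL).
URI_VALUED = ("eduPersonEntitlement", "eduPersonAssurance", "AuthenticationMethod")


def is_absolute_uri(value):
    """True for http(s)://host/... style URLs and urn:... style URNs."""
    parts = urlsplit(value)
    return bool(parts.scheme) and bool(parts.netloc or (parts.scheme == "urn" and parts.path))


def validate(attrs, required, idp_entity_id, idp_scopes, sp_entity_id):
    """Return a list of problems found; an empty list means the attributes pass."""
    problems = []

    for name in required:
        if not attrs.get(name):
            problems.append(f"{name}: required attribute missing or empty")

    for name in SINGLE_VALUED:
        if name in attrs and len(attrs[name]) != 1:
            problems.append(f"{name}: expected exactly one value, got {len(attrs[name])}")

    for name in URI_VALUED:
        for v in attrs.get(name, []):
            if not is_absolute_uri(v):
                problems.append(f"{name}: {v!r} is not an absolute URI")

    for v in attrs.get("eduPersonAffiliation", []):
        if v not in AFFILIATIONS:
            problems.append(f"eduPersonAffiliation: {v!r} not in eduPerson vocabulary")

    for v in attrs.get("eduPersonScopedAffiliation", []):
        affiliation, sep, scope = v.partition("@")
        if not sep or affiliation not in AFFILIATIONS:
            problems.append(f"eduPersonScopedAffiliation: {v!r} is not affiliation@scope")
        elif scope.lower() not in idp_scopes:
            # The asserting IdP may only speak for scopes registered to it in metadata.
            problems.append(f"eduPersonScopedAffiliation: scope {scope!r} not registered to {idp_entity_id}")

    for v in attrs.get("eduPersonTargetedID", []):
        parts = v.split("!")
        if len(parts) != 3 or not all(parts):
            problems.append(f"eduPersonTargetedID: {v!r} is not idp!sp!opaque-value")
            continue
        if parts[0] != idp_entity_id:
            problems.append("eduPersonTargetedID: issuer qualifier does not match asserting IdP")
        if parts[1] != sp_entity_id:
            problems.append("eduPersonTargetedID: value was issued for a different SP")

    for v in attrs.get("mail", []):
        if v.count("@") != 1 or v.startswith("@") or v.endswith("@"):
            problems.append(f"mail: {v!r} is not an email address")

    return problems


# Assumed deployment facts (constructed for this example; taken from metadata in practice).
IDP_ENTITY_ID = "https://idp.arcs.org.au/idp/shibboleth"
SP_ENTITY_ID = "https://manager.aaf.edu.au/shibboleth"
IDP_SCOPES = {"uq.edu.au"}
REQUIRED = ("auEduPersonSharedToken", "eduPersonTargetedID",
            "eduPersonScopedAffiliation", "mail")

# Constructed attribute set, using the example values from the core attribute list.
GOOD = {
    "auEduPersonSharedToken": ["ZsiAvfxa0BXULgcz7QXknbGtfxk"],
    "displayName": ["Jack Liam Dougherty"],
    "eduPersonAffiliation": ["faculty"],
    "eduPersonEntitlement": ["urn:mace:washington.edu:confocalMicroscope",
                             "http://www.sirca.org.au/contract/GL123"],
    "eduPersonScopedAffiliation": ["faculty@uq.edu.au"],
    "eduPersonTargetedID": [f"{IDP_ENTITY_ID}!{SP_ENTITY_ID}!cmWc3mKualJlxjAwfFdu2mVgRxw="],
    "AuthenticationMethod": ["urn:mace:aaf.edu.au:iap:authn:1"],
    "eduPersonAssurance": ["urn:mace:aaf.edu.au:iap:id:1"],
    "cn": ["Jack Dougherty"],
    "o": ["The University of Queensland"],
    "mail": ["j.dougherty@uq.edu.au"],
}

# Constructed tampered set: a scope the IdP is not registered for, a targetedID
# minted for a different (hypothetical) SP, and a second mail value.
BAD = dict(GOOD, **{
    "eduPersonScopedAffiliation": ["staff@other.edu.au"],
    "eduPersonTargetedID": [f"{IDP_ENTITY_ID}!https://other-sp.example.org/shibboleth!cmWc3mKualJlxjAwfFdu2mVgRxw="],
    "mail": ["j.dougherty@uq.edu.au", "jack@example.org"],
})


def check_good():
    return validate(GOOD, REQUIRED, IDP_ENTITY_ID, IDP_SCOPES, SP_ENTITY_ID)


def check_bad():
    return validate(BAD, REQUIRED, IDP_ENTITY_ID, IDP_SCOPES, SP_ENTITY_ID)


if __name__ == "__main__":
    for label, fn in (("good", check_good), ("bad", check_bad)):
        print(label, fn() or "OK")
```

The scope check is the one that matters most in a multi-institution federation: without it, any Identity Provider could assert `staff@uq.edu.au` for its own users and gain whatever that affiliation unlocks at the Service Provider. Shibboleth SP performs this scope filtering from metadata automatically; the code above makes the same checks visible so they can be reproduced in a custom SP.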

Many further core and optional attributes are used or recommended depending on the particular service being accessed. The full attribute list in the support documentation gives a wider understanding of what attributes are, how they are used, and which attributes are needed in a given authentication situation.

Find all core attributes here

Find all optional attributes here

Together these attributes form a standard vocabulary for the sector and federation subscribers may find it useful to explore additional user attributes; however AAF Identity Providers are only required to support those attributes in the core list.

The LDAP schema definitions (LDIFs) needed to extend your directory can be found at the following links:


Links

Production Attribute Validator

Test Attribute Validator