Introduction

The following is a list of the core and conditional attributes available to Service Providers in the federation. Service Providers consume user attributes sent by Identity Providers to make authorisation decisions and to manage users' experiences with a service. 


Details

To receive user attributes, a Service Provider must have an AAF subscription or an affiliation to an organisation who is a subscriber. Service Providers should select only those attributes necessary to provide a service effectively. Identity Providers collect and generate attributes for their users. On user access to a Service Provider, the Service Provider may request some or all user attributes from a user's Identity Provider.  The Identity Provider will release user attributes to the Service Provider only with a user's consent. 


An organisation which offers a Service Provider may also host an Identity Provider which permits its members to use AAF services. The list of core attributes may evolve in response to the needs of AAF Subscribers. 


The AAF's reference definitions of core and optional attributes are accessible here https://validator.aaf.edu.au/documentation/categories.

These attributes form the standard vocabulary for the federation and the higher education and research sector. Subscribers may find it useful to explore these attributes to gain a better understanding of their purpose. Identity Providers are only required to support those attributes in the core list.


AAF Core Attributes (example)

Attribute
Example Value
Description
auEduPersonSharedToken
ZsiAvfxaIOXULgcz7QXknbGtfxk
A unique identifier enabling federation spanning services such as Grid and Repositories. 

Use of auEduPersonSharedToken is now restricted and release to service providers is controlled (see addendum).
displayName
Jack Liam DoughertyPreferred name of a person to be used when displaying entries.
eduPersonAffiliation
staff
member
Specifies the person’s relationship(s) to the institution in broad categories such as student, faculty, staff, alum, etc.
eduPersonEntitlement
urn:mace:washington.edu:confocalMicroscope

http://www.sirca.org.au/contract/GL123
URI (either URN or URL) that indicates a set of rights to specific resources.
eduPersonScopedAffiliation
staff@vho.aaf.edu.au 
member@vho.aaf.edu.au
Specifies the person’s affiliation within a particular security domain in broad categories such as student, faculty, staff, alum, etc.
eduPersonTargetedID
https://idp.arcs.org.au/idp/shibboleth! https://manager.aaf.edu.au/shibboleth! cmWc3mKualJlxjAwfFdu2mVgRxw=
A persistent, non-reassigned, privacy-preserving identifier for a user shared between an identity provider and service provider. An identity provider uses the appropriate value of this attribute when communicating with a particular service provider or group of service providers, and does not reveal that value to any other service provider except in limited circumstances.
AuthenticationMethod

urn:oasis:names:tc:SAML:2.0:ac:

classes:Password

URI that describes the method(s) used to verify the person's identity.
eduPersonAssurance
https://refeds.org/assurance/ATP/ePA-1d

https://refeds.org/assurance/ATP/ePA-1m

https://refeds.org/assurance/ID/eppn-unique-no-reassign

https://refeds.org/assurance/version/2

https://refeds.org/assurance


Set of URIs that assert compliance with specific standards for identity assurance.
o (or organizationName)
AAF Virtual Home
Standard name of the top-level organization (institution) with which this person is associated.
mailj.dougherty@aaf.edu.au

Email address, single value. User’s preferred outward facing email address with regard to the organisation.
sn (surname)
Dougherty The person's surname
givenNameJackPerson's given or first name.
homeOrgainsationaaf.edu.auSpecifies a person ́s home organization using the domain name of the organization.
homeOrganisationTypeType of Organization the user belongs too.
eduPersonPrincipalName
S8825490@aaf.edu.au
A scoped identifier for a person.


AAF Conditional Attribute

A set of Attributes selected by the Federation that all Identity Providers are required to support where they have implemented systems to support the Conditional Attributes.


AttributeExample ValueDescription
eduPersonOrcidhttps://orcid.org/0000-0002-1825-1097ORCID iDs are persistent digital identifiers for individual  researchers. Their primary purpose is to unambiguously and definitively  link them with their scholarly work products. ORCID iDs are assigned,  managed and maintained by the ORCID organization.

 

Other Attributes

Some identity providers support additional attributes which may be found in the AAF Optional Attributes. In general a service provider should NOT rely on an optional attribute being available from an IdP unless they have consulted with the IdP previously.


If you would like the federation to consider promoting an optional attribute to CORE status please contact AAF Support to discuss your requirements.


Selecting a Primary User Identifier

The AAF provides the following advice on the selection of a primary identifier for use by an application:

https://support.aaf.edu.au/support/solutions/articles/19000036107


Links

AAF Attribute Vocabularies https://validator.aaf.edu.au/documentation/categories

AAF Production Attribute Validator https://validator.aaf.edu.au/

Why Is AuEduPersonSharedToken No Longer Available? https://support.aaf.edu.au/support/solutions/articles/19000035966

AAF Test Attribute Validator https://validator.test.aaf.edu.au/

eduPerson Schema https://wiki.refeds.org/display/STAN/eduPerson

Selecting a Primary Identifier for Applications https://support.aaf.edu.au/support/solutions/articles/19000036107

SCHAC - SCHema for ACademia https://wiki.refeds.org/display/STAN/SCHAC