Introduction

The following is a list of the core attributes available to Service Providers in the federation. Service Providers consume user attributes sent by Identity Providers to make authorisation decisions and to manage users' experiences with a service. 


Details

To receive user attributes, a Service Provider must have an AAF subscription or an affiliation to an organisation that is a subscriber. Service Providers should select only those attributes necessary to provide a service effectively. Identity Providers collect and generate attributes for their users. On user access to a Service Provider, the Service Provider may request some or all user attributes from a user's Identity Provider. The Identity Provider will release user attributes to the Service Provider only with a user's consent.


An organisation which offers a Service Provider may also host an Identity Provider which permits its members to use AAF services. The list of core attributes may evolve in response to the needs of AAF Subscribers. 


The AAF's reference definitions of core and optional attributes are available at https://validator.aaf.edu.au/documentation/categories.

These attributes form the standard vocabulary for the federation and the higher education and research sector. Subscribers may find it useful to explore these attributes to gain a better understanding of their purpose. Identity Providers are only required to support those attributes in the core list.


| Attribute | Example Value | Description |
| --- | --- | --- |
| auEduPersonSharedToken | ZsiAvfxa0BXULgcz7QXknbGtfxk | A unique identifier enabling federation spanning services such as Grid and Repositories. |
| displayName | Jack Liam Dougherty | Preferred name of a person to be used when displaying entries. |
| eduPersonAffiliation | faculty | Specifies the person’s relationship(s) to the institution in broad categories such as student, faculty, staff, alum, etc. |
| eduPersonEntitlement | urn:mace:washington.edu:confocalMicroscope http://www.sirca.org.au/contract/GL123 | URI (either URN or URL) that indicates a set of rights to specific resources. |
| eduPersonScopedAffiliation | faculty@uq.edu.au | Specifies the person’s affiliation within a particular security domain in broad categories such as student, faculty, staff, alum, etc. |
| eduPersonTargetedID | https://idp.arcs.org.au/idp/shibboleth! https://manager.aaf.edu.au/shibboleth! cmWc3mKualJlxjAwfFdu2mVgRxw= | A persistent, non-reassigned, privacy-preserving identifier for a user shared between an identity provider and service provider. An identity provider uses the appropriate value of this attribute when communicating with a particular service provider or group of service providers, and does not reveal that value to any other service provider except in limited circumstances. |
| AuthenticationMethod | urn:mace:aaf.edu.au:iap:authn:1 | URI that describes the method(s) used to verify the person's identity. |
| eduPersonAssurance | urn:mace:aaf.edu.au:iap:id:1 | Set of URIs that assert compliance with specific standards for identity assurance. |
| eduPersonPrincipalName | jotty@uq.edu.au | A scoped identifier for a person. |
| o (or organizationName) | The University of Queensland | Standard name of the top-level organization (institution) with which this person is associated. |
| mail | j.dougherty@uq.edu.au | Email address, single value. User’s preferred outward facing email address with regard to the organisation. |
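
As an added example (not AAF code), the following Python shows how a Service Provider might turn the attributes listed above into an authorisation decision, including a scope check on eduPersonScopedAffiliation. The function names and policy structure are hypothetical, the sample values are the example values from the list, and it is assumed the Service Provider already knows which scopes the asserting Identity Provider is permitted to use.

```python
# Added example: SP-side authorisation from released attributes.
# Function names and the policy structure are hypothetical.

def split_scoped(value):
    """Split 'value@scope'; reject empty parts or more than one '@'."""
    local, sep, scope = value.partition("@")
    if not sep or not local or not scope or "@" in scope:
        raise ValueError(f"malformed scoped value: {value!r}")
    return local, scope.lower()

def authorise(attrs, policy):
    """attrs maps attribute name -> list of values (attributes may be
    multi-valued). Returns (allowed, reasons); any failed check denies."""
    reasons = []
    affiliations = set()
    for value in attrs.get("eduPersonScopedAffiliation", []):
        try:
            affiliation, scope = split_scoped(value)
        except ValueError as exc:
            reasons.append(str(exc))
            continue
        # Assumption: idp_scopes holds the scopes this IdP may assert.
        if scope not in policy["idp_scopes"]:
            reasons.append(f"scope {scope!r} not permitted for this IdP")
        else:
            affiliations.add(affiliation)
    if not affiliations & policy["affiliations"]:
        reasons.append("no accepted affiliation")
    if policy["entitlement"] not in attrs.get("eduPersonEntitlement", []):
        reasons.append("required entitlement missing")
    if policy["assurance"] not in attrs.get("eduPersonAssurance", []):
        reasons.append("required assurance URI missing")
    return (not reasons, reasons)

# Constructed sample data built from the example values in the list above.
POLICY = {
    "idp_scopes": {"uq.edu.au"},
    "affiliations": {"faculty", "staff"},
    "entitlement": "http://www.sirca.org.au/contract/GL123",
    "assurance": "urn:mace:aaf.edu.au:iap:id:1",
}
SAMPLE = {
    "eduPersonScopedAffiliation": ["faculty@uq.edu.au"],
    "eduPersonEntitlement": ["urn:mace:washington.edu:confocalMicroscope",
                             "http://www.sirca.org.au/contract/GL123"],
    "eduPersonAssurance": ["urn:mace:aaf.edu.au:iap:id:1"],
}

if __name__ == "__main__":
    print(authorise(SAMPLE, POLICY))
```
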


Links

AAF Attribute Vocabularies https://validator.aaf.edu.au/documentation/categories

Production Attribute Validator https://validator.aaf.edu.au/

Test Attribute Validator https://validator.test.aaf.edu.au/

Internet2 LDAP definitions https://spaces.at.internet2.edu/display/macedir/LDIFs

TERENA SCHAC Schema https://www.terena.org/activities/tf-emc2/schacreleases.html