====== Recommended Best Practices for the use of attributes in DFN-AAI ======
You can find configuration samples for attribute resolver, attribute filter, and relying party configuration [[de:shibidp:config-attributes-aaiplus|on this page]].
| **1. Name Identifier and attributes with similar functions** \\ (also see [[https://saml2int.org/|SAML2int Profile V2.0]], section "3.1.3. Subject Identification") ||
^ 1.1 Omni-directional, non-targeted ^^
| ''urn:oasis:names:tc:SAML:attribute:subject-id'' [[de:common_attributes#a16|docs]] (de)| recommended |
| ''eduPersonUniqueId'' [[de:common_attributes#a12|docs]] (de) | deprecated - the value in front of the scope should, if at all possible, be identical to the value of the subject-id |
| ''eduPersonPrincipalName'' | do not use! |
| ''mail'' | do not use as identifier! |
^ 1.2 Pairwise / targeted ^^
| ''urn:oasis:names:tc:SAML:attribute:pairwise-id'' [[de:common_attributes#a17|docs]] (de) | recommended - stored Id! (plus scope)|
| ''eduPersonTargetedID'' [[de:common_attributes#a11|docs]] (de) | deprecated - the value should, if at all possible, be identical to the pairwise-id (the part in front of the scope) |
| ''persistent Id'' (SAML2 Name ID) | deprecated - the value should, if at all possible, be identical to the pairwise-id (the part in front of the scope) |
^ 1.3 Others ^^
| ''transient Id'' (SAML2 Name ID) | recommended (required for Logout) |
^ 2. Person names ^^
| ''displayName'' [[de:common_attributes#a02|docs]] (de) | recommended |
^ 3. Email address(es) - do not use as identifier! ^^
| ''mail'' [[de:common_attributes#a05|docs]] (de) | recommended (ideally a single value) |
^ 4. Name of the home organization ^^
| ''schacHomeOrganization'' **and** ''o'' Documentation about [[de:common_attributes#a06|o]] (de) and [[de:common_attributes#a18|schacHomeOrganization]] (de)| recommended |
^ 5. Other attributes that have to be defined (Attribute Resolver) ^^
| ''eduPersonAssurance'' [[de:common_attributes#a14|docs]] (de) | see [[https://refeds.org/assurance|REFEDS Assurance Framework]] and [[de:aai:assurance_idp|configuration examples for IdPs]] |
| ''eduPersonEntitlement'' [[de:common_attributes#a10|docs]] (de) ||
| ''eduPersonOrcid'' [[de:common_attributes#a13|docs]] (de) | possibly empty |
| ''eduPersonScopedAffiliation'' [[de:common_attributes#a09|docs]] (de) ||
| ''schacUserStatus'' [[de:common_attributes#a15|docs]] (de) | for the [[de:shibidp:config-deprovisionierung|deprovisioning of user accounts on SP side]] (de)|
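
The following check is an added example, not DFN-AAI or Shibboleth code: it lints one user's released attributes against the identifier rules in the table above. The dictionary layout, the ''persistentId'' key, the finding codes and all sample values are assumptions made for illustration, and the ''eduPersonUniqueId'' rule is read here as comparing the parts in front of the scope.

```python
# Added example: check a set of released attributes against the table's rules.
SUBJECT_ID = "urn:oasis:names:tc:SAML:attribute:subject-id"
PAIRWISE_ID = "urn:oasis:names:tc:SAML:attribute:pairwise-id"
NOT_IDENTIFIERS = {"eduPersonPrincipalName", "mail"}
# "persistentId" is a hypothetical key standing for the persistent SAML2 Name ID.
DEPRECATED = {"eduPersonUniqueId", "eduPersonTargetedID", "persistentId"}


def local_part(value):
    """Part in front of the scope: 'abc123@example.org' -> 'abc123'."""
    return value.rsplit("@", 1)[0]


def lint(attrs, identifier):
    """attrs: attribute name -> list of values; identifier: the attribute
    the service uses as its user key. Returns a list of (code, detail)."""
    findings = []
    if identifier in NOT_IDENTIFIERS:
        findings.append(("not-an-identifier", identifier))
    elif identifier in DEPRECATED:
        findings.append(("deprecated-identifier", identifier))

    def first(name):
        values = attrs.get(name) or []
        return values[0] if values else None

    subject, unique = first(SUBJECT_ID), first("eduPersonUniqueId")
    if subject and unique and local_part(subject) != local_part(unique):
        findings.append(("uniqueid-differs-from-subject-id", unique))
    pairwise = first(PAIRWISE_ID)
    for legacy in ("eduPersonTargetedID", "persistentId"):
        value = first(legacy)
        if pairwise and value and value != local_part(pairwise):
            findings.append(("legacy-differs-from-pairwise-id", legacy))
    if len(attrs.get("mail") or []) > 1:
        findings.append(("mail-multi-valued", str(len(attrs["mail"]))))
    if bool(attrs.get("schacHomeOrganization")) != bool(attrs.get("o")):
        findings.append(("home-organization-incomplete", "release both"))
    return findings


# Constructed sample release for one user (all values are made up).
SAMPLE = {
    SUBJECT_ID: ["7f3a9c@example.org"],
    "eduPersonUniqueId": ["7f3a9c@example.org"],
    PAIRWISE_ID: ["QK2L5ZB@example.org"],
    "eduPersonTargetedID": ["oldvalue"],
    "mail": ["a@example.org", "b@example.org"],
    "schacHomeOrganization": ["example.org"],
}
```

Calling ''lint(SAMPLE, identifier="mail")'' reports the mail-as-identifier use, the ''eduPersonTargetedID'' value that differs from the pairwise-id, the multi-valued ''mail'' and the missing ''o''.
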
{{tag>subjectIdentifierAttributes aaiplus attribute}}