Recommended Best Practices for the use of attributes in DFN-AAI
(back to the Overview (de))
You can find configuration samples for attribute resolver, attribute filter, and relying party configuration on this page.
| 1. Name Identifier and attributes with similar functions (also see SAML2int Profile V2.0, section “3.1.3. Subject Identification”) |
|
| 1.1 Omni-directional, non-targeted | |
|---|---|
urn:oasis:names:tc:SAML:attribute:subject-id docs (de) | recommended |
eduPersonUniqueId docs (de) | deprecated - the value in front of the scope should - if ever possible - be identical to the value of the subject-id |
eduPersonPrincipalName | do not use! |
mail | do not use as identifier! |
| 1.2 Pairwise / targeted | |
urn:oasis:names:tc:SAML:attribute:pairwise-id docs (de) | recommended - stored Id! (plus scope) |
eduPersonTargetedID docs(de) | deprecated - value should - if ever possible - be identical to the pairwise-id (the part in front of the scope) |
persistent Id (SAML2 Name ID) | deprecated - value should - if ever possible - be identical to the pairwise-id (the part in front of the scope) |
| 1.3 Others | |
transient Id ( SAML2 Name ID) | recommended (required for Logout) |
| 2. Person names | |
displayName docs (de) | recommended |
| 3. Email address(es) - do not use as identifier! | |
mail docs (de) | recommended (ideally a single value) |
| 4. Name of the home organization | |
schacHomeOrganization and o Documentation about o (de) und schacHomeOrganization (de) | recommended |
| 5. Other attributes that have to be defined (Attribute Resolver) | |
eduPersonAssurance docs (de) | see REFEDS Assurance Framework and configuration examples for IdPs |
eduPersonEntitlement docs (de) |
|
eduPersonOrcid docs (de) | possibly empty |
eduPersonScopedAffiliation docs (de) |
|
schacUserStatus docs (de) | for the deprovisioning of user accounts on SP side (de) |