Recommended Best Practices for the use of attributes in DFN-AAI

(back to the Overview (de))

You can find configuration samples for attribute resolver, attribute filter, and relying party configuration on this page.

1. Name Identifier and attributes with similar functions
(also see SAML2int Profile V2.0, section “3.1.3. Subject Identification”)
1.1 Omni-directional, non-targeted
urn:oasis:names:tc:SAML:attribute:subject-id docs (de) recommended
eduPersonUniqueId docs (de) deprecated - the value in front of the scope should - if ever possible - be identical to the value of the subject-id
eduPersonPrincipalName do not use!
mail do not use as identifier!
1.2 Pairwise / targeted
urn:oasis:names:tc:SAML:attribute:pairwise-id docs (de) recommended - stored Id! (plus scope)
eduPersonTargetedID docs(de) deprecated - value should - if ever possible - be identical to the pairwise-id (the part in front of the scope)
persistent Id (SAML2 Name ID) deprecated - value should - if ever possible - be identical to the pairwise-id (the part in front of the scope)
1.3 Others
transient Id ( SAML2 Name ID) recommended (required for Logout)
2. Person names
displayName docs (de) recommended
3. Email address(es) - do not use as identifier!
mail docs (de) recommended (ideally a single value)
4. Name of the home organization
schacHomeOrganization and o Documentation about o (de) und schacHomeOrganization (de) recommended
5. Other attributes that have to be defined (Attribute Resolver)
eduPersonAssurance docs (de) see REFEDS Assurance Framework and configuration examples for IdPs
eduPersonEntitlement docs (de)
eduPersonOrcid docs (de) possibly empty
eduPersonScopedAffiliation docs (de)
schacUserStatus docs (de) for the deprovisioning of user accounts on SP side (de)
  • Last modified: 2 years ago