Recommended Best Practices for the use of attributes in DFN-AAI
You can find configuration samples for attribute resolver, attribute filter, and relying party configuration on this page.
| Attribute | Recommendation |
|---|---|
| **1. Name Identifier and attributes with similar functions** (see also SAML2int Profile V2.0, section "3.1.3. Subject Identification") | |
| **1.1 Omni-directional, non-targeted** | |
| urn:oasis:names:tc:SAML:attribute:subject-id (docs (de)) | recommended |
| eduPersonUniqueId (docs (de)) | deprecated; the value in front of the scope should, wherever possible, be identical to the value of the subject-id |
| eduPersonPrincipalName | do not use! |
| mail | do not use as identifier! |
| **1.2 Pairwise / targeted** | |
| urn:oasis:names:tc:SAML:attribute:pairwise-id (docs (de)) | recommended; stored Id! (plus scope) |
| eduPersonTargetedID (docs (de)) | deprecated; the value should, wherever possible, be identical to the pairwise-id (the part in front of the scope) |
| persistent Id (SAML2 Name ID) | deprecated; the value should, wherever possible, be identical to the pairwise-id (the part in front of the scope) |
| **1.3 Others** | |
| transient Id (SAML2 Name ID) | recommended (required for Logout) |
| **2. Person names** | |
| displayName (docs (de)) | recommended |
| **3. Email address(es)** (do not use as identifier!) | |
| mail (docs (de)) | recommended (ideally a single value) |
| **4. Name of the home organization** | |
| schacHomeOrganization and o (documentation about o (de) and schacHomeOrganization (de)) | recommended |
| **5. Other attributes that have to be defined (Attribute Resolver)** | |
| eduPersonAssurance (docs (de)) | see REFEDS Assurance Framework and configuration examples for IdPs |
| eduPersonEntitlement (docs (de)) | |
| eduPersonOrcid (docs (de)) | possibly empty |
| eduPersonScopedAffiliation (docs (de)) | |
| schacUserStatus (docs (de)) | for the deprovisioning of user accounts on SP side (de) |
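As an added example (not from the DFN-AAI page or the Shibboleth project), a Python check an IdP operator can run over an attribute set before release, encoding the consistency rules of sections 1.1, 1.2 and 3 above: scoped identifiers must carry the IdP's scope, the deprecated eduPersonUniqueId must share its local part with subject-id, eduPersonTargetedID and the persistent NameID must equal the pairwise-id value without its scope, and mail should be single-valued. The `persistentNameID` key for the SAML2 persistent NameID and the sample values are assumptions.

```python
SUBJECT_ID = "urn:oasis:names:tc:SAML:attribute:subject-id"
PAIRWISE_ID = "urn:oasis:names:tc:SAML:attribute:pairwise-id"
SCOPED = (SUBJECT_ID, PAIRWISE_ID, "eduPersonUniqueId")  # values are "local@scope"

def split_scoped(value: str) -> tuple[str, str]:
    """Split 'local@scope'; raise if the value is not exactly one scoped string."""
    local, sep, scope = value.partition("@")
    if not sep or not local or not scope or "@" in scope:
        raise ValueError(f"not a scoped value: {value!r}")
    return local, scope

def check_release(attrs: dict, expected_scope: str) -> list[str]:
    """Return findings for one attribute set (empty list: consistent). Values are
    strings, or lists of strings for multi-valued attributes such as mail; absent
    attributes are not checked, since an IdP releases only what an SP needs."""
    findings = []
    local = {}  # local parts of the scoped identifiers that parsed cleanly
    for name in SCOPED:
        if name not in attrs:
            continue
        try:
            local[name], scope = split_scoped(attrs[name])
        except ValueError as err:
            findings.append(f"{name}: {err}")
            continue
        if scope != expected_scope:
            findings.append(f"{name}: scope {scope!r} is not {expected_scope!r}")
    # 1.1: deprecated eduPersonUniqueId should carry the same local part as subject-id
    if SUBJECT_ID in local and "eduPersonUniqueId" in local \
            and local[SUBJECT_ID] != local["eduPersonUniqueId"]:
        findings.append("eduPersonUniqueId local part differs from subject-id")
    # 1.2: deprecated targeted identifiers should equal pairwise-id without its scope;
    # a targeted identifier equal to the omni-directional one is not pairwise at all
    if PAIRWISE_ID in local:
        for name in ("eduPersonTargetedID", "persistentNameID"):
            if name in attrs and attrs[name] != local[PAIRWISE_ID]:
                findings.append(f"{name} differs from the pairwise-id local part")
        if SUBJECT_ID in local and local[PAIRWISE_ID] == local[SUBJECT_ID]:
            findings.append("pairwise-id reuses the subject-id local part")
    # 3: mail should ideally be single-valued
    mails = attrs.get("mail", [])
    if len([mails] if isinstance(mails, str) else mails) > 1:
        findings.append("mail has more than one value")
    return findings

# Constructed sample (no real users): a consistent release and a faulty one.
GOOD = {SUBJECT_ID: "u4711@example.org", "eduPersonUniqueId": "u4711@example.org",
        PAIRWISE_ID: "3f9c0e1b8d@example.org", "eduPersonTargetedID": "3f9c0e1b8d",
        "mail": "alice@example.org"}
BAD = {SUBJECT_ID: "u4711@example.org", PAIRWISE_ID: "u4711@example.org",
       "eduPersonTargetedID": "otherid", "mail": ["a@example.org", "b@example.org"]}
```

`check_release(GOOD, "example.org")` returns an empty list, while the BAD set yields three findings (targetedID mismatch, pairwise-id reusing the subject-id, multi-valued mail).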