====== Attributes and scopes ======

This document defines the attributes available to relying services from E-INFRA AAI.

==== E-INFRA Identifier ====

  * **Description:** unique, never-reused identifier of the user within the e-infrastructure CESNET
  * **SAML attribute(s):** urn:oid:1.3.6.1.4.1.5923.1.1.1.13 (eduPersonUniqueId)
  * **OIDC scope:** openid
  * **OIDC claim:** sub
  * **Multiplicity:** No
  * **Changes:** No
  * **Example value:** 3e65bd2aa4c818bd3579023939b546b69e1b75ee@einfra.cesnet.cz
  * **Note:**

==== E-INFRA username ====

  * **Description:** User's login within the e-infrastructure CESNET
  * **SAML attribute(s):** urn:oid:1.3.6.1.4.1.5923.1.1.1.6 (eduPersonPrincipalName)
  * **OIDC scope:** profile
  * **OIDC claim:** preferred_username (without scope)
  * **Multiplicity:** Single-valued
  * **Changes:** May be changed (revoked) over time (e.g. if a user changes their name). Revoked identifiers will not be reassigned.
  * **Example value:** josef@einfra.cesnet.cz
  * **Note:**

==== Affiliation with E-INFRA AAI ====

  * **Description:** Specifies the person's affiliation within the E-INFRA AAI. The fixed scope ''@einfra.cesnet.cz'' is used after the at sign. The default value affiliate@einfra.cesnet.cz is assigned automatically.
  * **SAML attribute(s):** urn:oid:1.3.6.1.4.1.5923.1.1.1.9 (eduPersonScopedAffiliation)
  * **OIDC scope:** -
  * **OIDC claim:** -
  * **Multiplicity:** Multi-valued
  * **Changes:** Can change
  * **Example value:** affiliate@einfra.cesnet.cz
  * **Note:** Same for all users: affiliate@einfra.cesnet.cz

==== Affiliation with home organization ====

  * **Description:** One or more home organisations (such as universities, research institutions or private companies) this user is affiliated with. The syntax and semantics follow the eduPersonScopedAffiliation attribute.
  * **SAML attribute(s):** urn:oid:1.3.6.1.4.1.34998.3.3.1.11
  * **OIDC scope:** voperson_external_affiliation
  * **OIDC claim:** voperson_external_affiliation
  * **Multiplicity:** Multi-valued
  * **Changes:** Can change
  * **Example value:** [affiliate@einfra.cesnet.cz, affiliate@google.extidp.cesnet.cz]
  * **Note:**

==== Entitlements ====

  * **Description:** A list of groups in which the user is a member. It is connected to a service and merged with the list of groups received from the IdP.
  * **SAML attribute(s):** urn:oid:1.3.6.1.4.1.5923.1.1.1.7 (eduPersonEntitlement)
  * **OIDC scope:** eduperson_entitlement
  * **OIDC claim:** eduperson_entitlement
  * **Multiplicity:** Multi-valued
  * **Changes:** Can change
  * **Example value:** [urn:geant:cesnet.cz:group:einfra#perun.cesnet.cz, urn:geant:cesnet.cz:group:einfra:members#perun.cesnet.cz]
  * **Note:** More information can be found [[en:index:documentation:sp:proxy:Attributes and scopes:Entitlement|here]].

==== User's identifiers ====

  * **Description:** A list of all of the user's eduPersonPrincipalName values (merged across all registered external identities)
  * **SAML attribute(s):** urn:oid:1.3.6.1.4.1.34998.3.3.1.5
  * **OIDC scope:** voperson_external_id
  * **OIDC claim:** voperson_external_id
  * **Multiplicity:** Multi-valued
  * **Changes:** Can change
  * **Example value:** [cesnetLogin@cesnet.cz, googleLogin@google.extidp.cesnet.cz]
  * **Note:**

==== loa ====

  * **Description:** Maximum loa value across all external identities
  * **SAML attribute(s):** urn:oid:1.3.6.1.4.1.8057.2.1
  * **OIDC scope:** -
  * **OIDC claim:** -
  * **Multiplicity:** Single-valued
  * **Changes:** Can change
  * **Example value:** 2
  * **Note:** DEPRECATED

==== Display Name ====

  * **Description:** User name
  * **SAML attribute(s):**
    * urn:oid:2.16.840.1.113730.3.1.241 (displayName)
    * urn:oid:2.5.4.3 (cn)
  * **OIDC scope:** profile
  * **OIDC claim:** name
  * **Multiplicity:** Single-valued
  * **Changes:** Can change
  * **Example value:** Josef Novák
  * **Note:**

==== sn ====

  * **Description:** User surname
  * **SAML attribute(s):** urn:oid:2.5.4.4
  * **OIDC scope:** profile
  * **OIDC claim:** family_name
  * **Multiplicity:** Single-valued
  * **Changes:** Can change
  * **Example value:** Novák
  * **Note:**

==== givenName ====

  * **Description:** User given name
  * **SAML attribute(s):** urn:oid:2.5.4.42 (givenName)
  * **OIDC scope:** profile
  * **OIDC claim:** given_name
  * **Multiplicity:** Single-valued
  * **Changes:** Can change
  * **Example value:** Josef
  * **Note:**

==== mail ====

  * **Description:** User email
  * **SAML attribute(s):** urn:oid:0.9.2342.19200300.100.1.3 (mail)
  * **OIDC scope:** email
  * **OIDC claim:** email
  * **Multiplicity:** Single-valued
  * **Changes:** Can change
  * **Example value:** email@email.com
  * **Note:**

==== isCesnetEligibleLastSeen ====

  * **Description:** Timestamp of the last time the user logged in with an identity fulfilling the academic-employee condition
  * **SAML attribute(s):** urn:cesnet:proxyidp:attribute:isCesnetEligibleLastSeen
  * **OIDC scope:** isCesnetEligibleLastSeen
  * **OIDC claim:** isCesnetEligibleLastSeen
  * **Multiplicity:** Single-valued
  * **Changes:** Can change
  * **Example value:** 2019-07-18 07:53:37
  * **Note:**

==== Offline access ====

  * **Description:** Possibility to release a refresh token
  * **SAML attribute(s):** -
  * **OIDC scope:** offline_access
  * **OIDC claim:** offline_access
  * **Multiplicity:** Single-valued
  * **Changes:** Can change
  * **Example value:** true
  * **Note:**

==== Access into Perun RPC API ====

  * **Description:** Possibility to access the Perun RPC API
  * **SAML attribute(s):** -
  * **OIDC scope:** perun_api
  * **OIDC claim:** perun_api
  * **Multiplicity:** Single-valued
  * **Changes:** Can change
  * **Example value:** TRUE
  * **Note:** The value is static.

==== Perun Admin access ====

  * **Description:** Information on whether the user has Perun Admin access rights.
  * **SAML attribute(s):** -
  * **OIDC scope:** perun_admin
  * **OIDC claim:** perun_admin
  * **Multiplicity:** Single-valued
  * **Changes:** Can change
  * **Example value:** TRUE
  * **Note:** The value is static.
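As an added example (not part of this documentation and not E-INFRA AAI or Perun code), the following Python shows how a relying service should consume the claims listed above: it keys local accounts on ''sub'' (eduPersonUniqueId, which never changes and is never reused) rather than on ''preferred_username'' (eduPersonPrincipalName, which may be changed or revoked), and it parses ''eduperson_entitlement'' values of the shape shown in the Entitlements section into group paths while ignoring values whose ''#''-suffix authority is not the one the service trusts. The sample claims are constructed from the example values above; the group prefix ''urn:geant:cesnet.cz:group:'' is taken from those values, and treating ''perun.cesnet.cz'' as the only trusted authority is an assumption of the example.

```python
"""Added example: consuming E-INFRA AAI claims in a relying service.

Claim names and the entitlement URN shape come from the attribute list
above; the trusted authority and the required group are assumptions.
"""
from dataclasses import dataclass

# Constructed sample of the OIDC claims a relying service might receive,
# built from the example values in the attribute list (not a real token).
SAMPLE_CLAIMS = {
    "sub": "3e65bd2aa4c818bd3579023939b546b69e1b75ee@einfra.cesnet.cz",
    "preferred_username": "josef@einfra.cesnet.cz",
    "name": "Josef Novák",
    "eduperson_entitlement": [
        "urn:geant:cesnet.cz:group:einfra#perun.cesnet.cz",
        "urn:geant:cesnet.cz:group:einfra:members#perun.cesnet.cz",
    ],
}

GROUP_PREFIX = "urn:geant:cesnet.cz:group:"  # taken from the example values above
EXPECTED_AUTHORITY = "perun.cesnet.cz"        # assumption: the only authority we trust


@dataclass(frozen=True)
class Entitlement:
    path: tuple      # group path, e.g. ("einfra", "members")
    authority: str   # the part after '#'


def stable_user_key(claims):
    """Return the identifier to key local accounts on.

    `sub` (eduPersonUniqueId) does not change and is never reassigned,
    whereas `preferred_username` (eduPersonPrincipalName) may change or be
    revoked, so keying accounts on the username risks attaching an old
    account to the wrong person after a rename.
    """
    sub = claims.get("sub")
    if not isinstance(sub, str) or "@" not in sub:
        raise ValueError("token lacks a usable 'sub' claim")
    return sub


def parse_entitlement(value):
    """Parse one eduPersonEntitlement value of the form shown above.

    Returns None for values outside the group namespace or not issued by
    the expected authority; those are ignored, not treated as membership.
    """
    urn, sep, authority = value.partition("#")
    if not sep or authority != EXPECTED_AUTHORITY:
        return None
    if not urn.startswith(GROUP_PREFIX):
        return None
    path = tuple(p for p in urn[len(GROUP_PREFIX):].split(":") if p)
    if not path:
        return None
    return Entitlement(path=path, authority=authority)


def groups_from_claims(claims):
    """Set of group paths (tuples) the user holds valid entitlements for."""
    raw = claims.get("eduperson_entitlement") or []
    if isinstance(raw, str):  # a single value may arrive unwrapped
        raw = [raw]
    groups = set()
    for value in raw:
        ent = parse_entitlement(value)
        if ent is not None:
            groups.add(ent.path)
    return groups


def is_member(claims, group_path):
    """True if the user holds the exact group entitlement `group_path`."""
    return tuple(group_path) in groups_from_claims(claims)


if __name__ == "__main__":
    print(stable_user_key(SAMPLE_CLAIMS))
    print(sorted(groups_from_claims(SAMPLE_CLAIMS)))
    print(is_member(SAMPLE_CLAIMS, ("einfra", "members")))
```

Membership is matched on the exact group path; a service that wants ''einfra:members'' to imply ''einfra'' would need to add that rule itself, since the attribute list above says nothing about hierarchy between the two values.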