Attributes and scopes

This document defines the attributes available to relying services from E-INFRA AAI.

E-INFRA Identifier

  • Description: unique, unrecykled user´s identificator within e-infrastructure CESNET
  • SAML attribute(s): urn:oid:1.3.6.1.4.1.5923.1.1.1.13 (eduPersonUniqueId)
  • OIDC scope: openid
  • OIDC claim: sub
  • Multiplicity: No
  • Changes: No
  • Example value: 3e65bd2aa4c818bd3579023939b546b69e1b75ee@einfra.cesnet.cz
  • Note:

E-INFRA username

  • Description: User´s login within e-infrastructure CESNET
  • SAML attribute(s): urn:oid:1.3.6.1.4.1.5923.1.1.1.6 (eduPersonPrincipalName)
  • OIDC scope: profile
  • OIDC claim: preferred_username (Without scope)
  • Multiplicity: Single-value
  • Changes: May be changed (revoked) over time (e.g. if a user changes their name). Revoked identifiers will not be reassigned.
  • Example value: josef@einfra.cesnet.cz
  • Note:

Affiliation with E-INFRA AAI

  • Description: Specifies the person's affiliation within the E-INFRA AAI. Fixed scope '@einfra.cesnet.cz' is used after the at sign. The default value affiliate@einfra.cesnet.cz is automatically assigned.
  • SAML attribute(s): urn:oid:1.3.6.1.4.1.5923.1.1.1.9 (eduPersonScopedAffiliation)
  • OIDC scope: -
  • OIDC claim: -
  • Multiplicity: Multi-valued
  • Changes: Can change
  • Example value: affiliate@einfra.cesnet.cz
  • Note: Same for all users: affiliate@einfra.cesnet.cz

Affiliation with home organization

  • Description: One or more home organisations (such as, universities, research institutions or private companies) this user is affiliated with. The syntax and semantics follows eduPersonScopedAffiliation attribute.
  • SAML attribute(s): urn:oid:1.3.6.1.4.1.34998.3.3.1.11
  • OIDC scope: voperson_external_affiliation
  • OIDC claim: voperson_external_affiliation
  • Multiplicity: Multi-valued
  • Changes: Can change
  • Example value: [affiliate@einfra.cesnet.cz, affiliate@google.extidp.cesnet.cz]
  • Note:

Entitlements

  • Description: A list of groups where a user is a member. It´s connected to a service and merged with a list of groups received from IdP.
  • SAML attribute(s): urn:oid:1.3.6.1.4.1.5923.1.1.1.7 (eduPersonEntitlement)
  • OIDC scope: eduperson_entitlement
  • OIDC claim: eduperson_entitlement
  • Multiplicity: Multi-valued
  • Changes: Can change
  • Example value: [urn:geant:cesnet.cz:group:einfra#perun.cesnet.cz, urn:geant:cesnet.cz:group:einfra:members#perun.cesnet.cz]
  • Note:
    • More information can be found here .

User's identifiers

  • Description: A list of all user´s eduPersonPrincipalName (merging by all registered external identities)
  • SAML attribute(s): urn:oid:1.3.6.1.4.1.34998.3.3.1.5
  • OIDC scope: voperson_external_id
  • OIDC claim: voperson_external_id
  • Multiplicity: Multi-valued
  • Changes: Can change
  • Example value: [cesnetLogin@cesnet.cz, googleLogin@google.extidp.cesnet.cz]
  • Note:

loa

  • Description: Maximum value loa from all external identites
  • SAML attribute(s): urn:oid:1.3.6.1.4.1.8057.2.1
  • OIDC scope: -
  • OIDC claim: -
  • Multiplicity: Single-valued
  • Changes: Can change
  • Example value: 2
  • Note: DEPRECATED

Display Name

  • Description: User name
  • SAML attribute(s):
    • urn:oid:2.16.840.1.113730.3.1.241 (displayName)
    • urn:oid:2.5.4.3 (cn)
  • OIDC scope: profile
  • OIDC claim: name
  • Multiplicity: Single-valued
  • Changes: Can change
  • Example value: Josef Novák
  • Note:

sn

  • Description: User surname
  • SAML attribute(s): urn:oid:2.5.4.4
  • OIDC scope: profile
  • OIDC claim: family_name
  • Multiplicity: Single-valued
  • Changes: Can change
  • Example value: Novák
  • Note:

givenName

  • Description: User given name
  • SAML attribute(s): urn:oid:2.5.4.42 (givenName)
  • OIDC scope: profile
  • OIDC claim: given_name
  • Multiplicity: Single-valued
  • Changes: Can change
  • Example value: Josef
  • Note:

mail

  • Description: User Email
  • SAML attribute(s): urn:oid:0.9.2342.19200300.100.1.3 (mail)
  • OIDC scope: email
  • OIDC claim: email
  • Multiplicity: Single-valued
  • Changes: Can change
  • Example value: email@email.com
  • Note:

isCesnetEligibleLastSeen

  • Description: Timestamp when a user logged for the last time with the identity fulfilling the condition of academic employee
  • SAML attribute(s): urn:cesnet:proxyidp:attribute:isCesnetEligibleLastSeen
  • OIDC scope: isCesnetEligibleLastSeen
  • OIDC claim: isCesnetEligibleLastSeen
  • Multiplicity: Single-valued
  • Changes: Can change
  • Example value: 2019-07-18 07:53:37
  • Note:

Ofline access

  • Description: Possibility to release refresh token
  • SAML attribute(s): -
  • OIDC scope: offline_access
  • OIDC claim: offline_access
  • Multiplicity: Single-valued
  • Changes: Can change
  • Example value: true
  • Note:

Access into Perun RPC API

  • Description: Possibility to access into Perun RPC API
  • SAML attribute(s): -
  • OIDC scope: perun_api
  • OIDC claim: perun_api
  • Multiplicity: Single-valued
  • Changes: Can change
  • Example value: TRUE
  • Note: The value is static.

Perun Admin access

  • Description: Information in user has Perun Admin access rights.
  • SAML attribute(s): -
  • OIDC scope: perun_admin
  • OIDC claim: perun_admin
  • Multiplicity: Single-valued
  • Changes: Can change
  • Example value: TRUE
  • Note: The value is static.