KNF:Attributen overzicht voor Identity Providers/en: verschil tussen versies
Regel 79: | Regel 79: | ||
===Realm in the ''uid'' attribute=== |
===Realm in the ''uid'' attribute=== |
||
+ | The ''uid''-attribute combined with the ''employeeNumber'' are the basis of the unique identity of the user within the system. Service Providers who are connected to Entree Federation use this ID to monitor progress or link licenses to it. From a users perspective therefor it is of the atmost importance that this ID is persistent. |
||
+ | The ''uid''-attribute also contains a domain (or realm). If a school wants to change to another type of Identity Provider it is important that the ''uid'' of its users stay persistent. Therefor the domain should not contain the name of a system, e.g. pietjepukkelen@elonaam, but the domain should be linked to the school, e.g. pietjepukkelen@petteflatcollege. |
||
− | Het attribuut ''uid'' vormt samen met het ''employeeNumber'' de basis van de unieke identiteit van een gebruiker binnen de hele keten. Diensten die zijn aangesloten bij Entree Federatie koppelen de voortgang of licenties van de gebruikeraan dit ID. Het is voor de gebruiker daarom uiterst belangrijk dat dit ID persistent is en blijft. |
||
− | |||
− | In het attribuut ''uid'' wordt een domein (of realm) meegegeven. Indien een school in de toekomst naar een andere systeem wil migreren is het belangrijk dat ''uid'' van gebruikers persistent blijft. Daarom moet als domein niet een systeemnaam, bijvoorbeeld pietjepukkelen@elonaam, gebruikt wordt maar een domein van de school, bijvoorbeeld pietjepukkelen@petteflatcollege. |
||
Een Identity Provider waar meerdere onderwijsinstellingen gebruik van maken, moet in staat zijn om per aangesloten onderwijsinstelling een uniek domein door te geven in het ''uid'' attribuut. |
Een Identity Provider waar meerdere onderwijsinstellingen gebruik van maken, moet in staat zijn om per aangesloten onderwijsinstelling een uniek domein door te geven in het ''uid'' attribuut. |
Versie van 2 nov 2016 16:47
Nederlands | English |
To authenticate and subsequently authorize a user the Entree Federation uses attributes. These attributes contain information (for example a firstname) about the user who wants access to a connected Service Provider.
There are two types of attributes used within the context of Entree Federation:
- Standard attributes
- Additional attributes
For most Service Providers the set with standard attributes will suffice to authenticate and authorize users. However there are situations in which a Service Provider requires more information about a user. In this case one or more additional attributes can be used.
In order to enable the users to gain access to all connected Service Providers an Identity Provider has to support both the standard attributes and the additional attributes.
Standard attributes
In this table you can find the attributes that an Identity Provider always has to pass on to Entree Federation.
Attributename | Description | Format | Example |
---|---|---|---|
uid | Unique ID for the user, consisting of a username and a realm 1 | userId@realm | pietjepukkelen@petteflatcollege |
employeeNumber | Studentnumber | string | 140136 |
givenName | First name | string | Pietje |
sn | Surname | string | Pukkelen |
eduPersonAffiliation | Role | student, employee, staff or affiliate | student |
nlEduPersonHomeOrganizationId | BRIN code of the institution | 4 or 6 characters | 11ZZ03 |
nlEduPersonHomeOrganization | Name of the institution | string | Petteflat College |
1 Attention: When using the SAML protocol the value of uid attribute has to be the same as the value of the <saml:NameID> field.
Additional attributes
These attributes will only passed on to a Service Provider after the school has given explicit permission by signing an Attribute Release Policy form.
Attributename | Description | Format | Example |
---|---|---|---|
nlEduPersonRealId 1 | Unencrypted version of the uid | [userId]@[realm] | pietjepukkelen@petteflatcollege |
givenName | First name | string | Pietje |
nlEduPersonTussenvoegsels | Insertion | string | van |
sn | Surname | string | Pukkelen |
Email address | string | pietjepukkelen@petteflatcollege.nl | |
initials | Initals | string | P. |
homePhone | Phone number | string | +31791234567 |
mobile | Mobile number | string | +31612345678 |
homePostalAddress | Address | Maximum of 6 lines each containing a maximum of 30 characters | Petteflat 121e 2518PP Zoetermeer |
nlEduPersonBirthDate | Date of birth | yyyymmdd | 19801231 |
nlEduPersonProfile | Name of study preceded by CREBO<space>. Optionally BOL_ or BBL_ can be added at the beginning |
string | 2345 BOL_ICT.Gamedeveloper |
nlEduPersonDepartment | Department or sector | string | Techniek |
nlEduPersonUnit | Primary class or group. Unique within the school administration or domain | string | H2A |
ou | Class or group | string | H2A |
nlEduPersonCohort | Starting year | string | 2014 |
nlEduPersonProfileId | ECK attribute If a school has multiple administrations the administrationnumber can be added after the @ as in the example |
studentnumber@administrationnumber.schooldomain.nl | 95312@1.kennisnet.nl |
ocwILTRegistratiecode | ILT Registrationcode In accordance with annex I and II, corresponding to Article 1 of the Regulation of the Minister of OCW containing the determination of the elementcode table and studycode table for secondary and adult education: No DUO / OND-2013/15135 M. |
four digits | 0011 |
ocwILTLeerjaar | ILT cohort In accordance with annex I and II, corresponding to Article 1 of the Regulation of the Minister of OCW containing the determination of the elementcode table and studycode table for secondary and adult education: nr. DUO/OND-2013/15135 M. |
1 digit | 1 |
1 Attention: The encrypted version of this attribute will always be passed on to Service Providers. To pass on the unencrypted version the school has to sign an Attribute Release Policy.
Guidelines for Identity Providers
The user's identity is defined by the attributes that are passed down. It's important that this happens correctly and consistently. Therefore Kennisnet has set up a number of guidelines.
Realm in the uid attribute
The uid-attribute combined with the employeeNumber are the basis of the unique identity of the user within the system. Service Providers who are connected to Entree Federation use this ID to monitor progress or link licenses to it. From a users perspective therefor it is of the atmost importance that this ID is persistent.
The uid-attribute also contains a domain (or realm). If a school wants to change to another type of Identity Provider it is important that the uid of its users stay persistent. Therefor the domain should not contain the name of a system, e.g. pietjepukkelen@elonaam, but the domain should be linked to the school, e.g. pietjepukkelen@petteflatcollege.
Een Identity Provider waar meerdere onderwijsinstellingen gebruik van maken, moet in staat zijn om per aangesloten onderwijsinstelling een uniek domein door te geven in het uid attribuut.
BRIN number in the nlEduPersonHomeOrganizationId attribute
Many of the connected Service Providers use schoollicenses. In those cases the BRIN number in the nlEduPersonHomeOrganizationId attribute is used to authorize the user. Entree Federation will validate the received BRIN number against the registered BRIN number.
- An Identity Provider must be able to pass on a BRIN number containing either four or six characters.
- If an Identity Provider is used by multiple educational institutions, the Identity Provider has to be able to pass on a unique BRIN numebr per educational institution within the nlEduPersonHomeOrganizationId attribute.