KNF:Attributen overzicht voor Identity Providers/en: verschil tussen versies

Uit Kennisnet Developers Documentatie
Ga naar: navigatie, zoeken
(Additional attributes)
Regel 87: Regel 87:
   
 
[[Categorie:Entree Federatie]]
 
[[Categorie:Entree Federatie]]
[[Categorie:Entree Federatie Identity Provider]]
 

Versie van 16 aug 2018 om 15:41

Nl.gif Nederlands En.gif English


To authenticate and subsequently authorize a user the Entree Federation uses attributes. These attributes contain information (for example a firstname) about the user who wants access to a connected Service Provider.
There are two types of attributes used within the context of Entree Federation:

  • Standard attributes
  • Additional attributes

For most Service Providers the set with standard attributes will suffice to authenticate and authorize users. However there are situations in which a Service Provider requires more information about a user. In this case one or more additional attributes can be used.

In order to enable the users to gain access to all connected Service Providers an Identity Provider has to support both the standard attributes and the additional attributes.

Standard attributes

In this table you can find the attributes that an Identity Provider always has to pass on to Entree Federation.

Attributename Description Format Example
uid Unique ID for the user, consisting of a username and a realm 1 userId@realm pietjepukkelen@petteflatcollege
employeeNumber Studentnumber string 140136
givenName First name string Pietje
sn Surname string Pukkelen
eduPersonAffiliation Role student, employee, staff or affiliate student
nlEduPersonHomeOrganizationId BRIN code of the institution 4 or 6 characters 11ZZ03
nlEduPersonHomeOrganization Name of the institution string Petteflat College

1 Attention: When using the SAML protocol the value of uid attribute has to be the same as the value of the <saml:NameID> field.

Additional attributes

These attributes will only passed on to a Service Provider after the school has given explicit permission by signing an Attribute Release Policy form.

Attributename Description Format Example
nlEduPersonRealId 1 Unencrypted version of the uid [userId]@[realm] pietjepukkelen@petteflatcollege
nlEduPersonTussenvoegsels Insertion string van
mail Email address string pietjepukkelen@petteflatcollege.nl
initials Initals string P.
homePhone Phone number string +31791234567
mobile Mobile number string +31612345678
homePostalAddress Address Maximum of 6 lines each containing a maximum of 30 characters Petteflat 121e
2518PP Zoetermeer
nlEduPersonBirthDate Date of birth yyyymmdd 19801231
nlEduPersonProfile Name of study preceded by CREBO<space>.
Optionally BOL_ or BBL_ can be added at the beginning
string 2345 BOL_ICT.Gamedeveloper
nlEduPersonDepartment Department or sector string Techniek
nlEduPersonUnit Primary class or group. Unique within the school administration or domain string H2A
ou Class or group string H2A
nlEduPersonCohort Starting year string 2014
nlEduPersonProfileId ECK attribute
If a school has multiple administrations the administrationnumber can be added after the @ as in the example
studentnumber@administrationnumber.schooldomain.nl 95312@1.kennisnet.nl
ocwILTRegistratiecode ILT Registrationcode
In accordance with annex I and II, corresponding to Article 1 of the Regulation of the Minister of OCW containing the determination of the elementcode table and studycode table for secondary and adult education: No DUO / OND-2013/15135 M.
four digits 0011
ocwILTLeerjaar ILT cohort
In accordance with annex I and II, corresponding to Article 1 of the Regulation of the Minister of OCW containing the determination of the elementcode table and studycode table for secondary and adult education: nr. DUO/OND-2013/15135 M.
1 digit 1

1 Attention: The encrypted version of this attribute will always be passed on to Service Providers. To pass on the unencrypted version the school has to sign an Attribute Release Policy.

Guidelines for Identity Providers

The user's identity is defined by the attributes that are passed down. It's important that this happens correctly and consistently. Therefore Kennisnet has set up a number of guidelines.

Realm in the uid attribute

The uid-attribute combined with the employeeNumber are the basis of the unique identity of the user within the system. Service Providers who are connected to Entree Federation use this ID to monitor progress or link licenses to it. From a users perspective therefor it is of the atmost importance that this ID is persistent.

The uid-attribute also contains a domain (or realm). If a school wants to change to another type of Identity Provider it is important that the uid of its users stay persistent. Therefor the domain should not contain the name of a system, e.g. pietjepukkelen@elonaam, but the domain should be linked to the school, e.g. pietjepukkelen@petteflatcollege.

If an Identity Provider is used by multiple educational institutions, the Identity Provider has to be able to pass on a unique domain per educational institution within the uid-attribute.

BRIN number in the nlEduPersonHomeOrganizationId attribute

Many of the connected Service Providers use schoollicenses. In those cases the BRIN number in the nlEduPersonHomeOrganizationId-attribute is used to authorize the user. Entree Federation will validate the received BRIN number against the registered BRIN number.

  1. An Identity Provider must be able to pass on a BRIN number containing either four or six characters.
  2. If an Identity Provider is used by multiple educational institutions, the Identity Provider has to be able to pass on a unique BRIN number per educational institution within the nlEduPersonHomeOrganizationId-attribute.