KNF:Attributen overzicht voor Identity Providers/en
To authenticate and subsequently authorize a user the Entree Federation uses attributes. These attributes contain information (for example a firstname) about the user who wants access to a connected Service Provider.
There are two types of attributes used within the context of Entree Federation:
- Default attributes
- Additional attributes
For most Service Providers the set with default attributes will suffice to authenticate and authorize users. However there are situations in which a Service Provider requires more information about a user. In this case one or more additional attributes can be used.
In order to enable the users to gain access to all connected Service Providers an Identity Provider has to support both the default attributes and the additional attributes.
In this table you can find the attributes that an Identity Provider always has to pass on to Entree Federation.
|uid||Unique ID for the user, consisting of a username and a realm 1||userId@realm||pietjepukkelen@petteflatcollege|
|eduPersonAffiliation||Role||student, employee, staff or affiliate||student|
|nlEduPersonHomeOrganizationId||BRIN code of the institution||4 or 6 characters||11ZZ03|
|nlEduPersonHomeOrganization||Name of the institution||string||Petteflat College|
1 Attention: When using the SAML protocol the value of uid attribute has to be the same as the value of the <saml:NameID> field.
These attributes will only passed on to a Service Provider after the school has given explicit permission by signing an Attribute Release Policy form.
If a school has multiple administrations the administrationnumber can be added after the @ as in the example
|eckId||Unique ECK pseudonym for students and teachers 1||string||https://ketenid.nl/pilot/8e0a9f57fc76854d3dd2d3c4fa732feaf7b7a2d5f549a5458ce300223b83172f5074aa88a8cef0712aca19b62e9b90d0352e98fc76f498cd3947e7cc810f03fa|
|nlEduPersonBirthDate||Date of birth||yyyymmdd||19801231|
|nlEduPersonProfile||Name of study preceded by CREBO<space>.
Optionally BOL_ or BBL_ can be added at the beginning
|nlEduPersonDepartment||Department or sector||string||Techniek|
|nlEduPersonUnit||Primary class or group. Unique within the school administration or domain||string||H2A|
|ou||Class or group||string||H2A|
In accordance with annex I and II, corresponding to Article 1 of the Regulation of the Minister of OCW containing the determination of the elementcode table and studycode table for secondary and adult education: No DUO / OND-2013/15135 M.
In accordance with annex I and II, corresponding to Article 1 of the Regulation of the Minister of OCW containing the determination of the elementcode table and studycode table for secondary and adult education: nr. DUO/OND-2013/15135 M.
|digiDeliveryId||ECK digital delivery address||string||ED8AE607-WI3N-414C-T87A-624E74S7T005|
1 For more information on the ECK-iD: https://www.eck-id.nl/
The nlEduPersonRealId attribute
In some cases a Service Provider request the nlEduPersonRealId attribute. During an authentication the Entree Federation application will copy the value of the uid attribitute that is sent by the Identity Provider into the nlEduPersonRealId attribute. Therefore the Identity Provider does not need to configure the nlEduPersonRealId and it is not listed in the tabel above.
Guidelines for Identity Providers
The user's identity is defined by the attributes that are passed down. It's important that this happens correctly and consistently. Therefore Kennisnet has set up a number of guidelines.
Realm in the uid attribute
The uid-attribute combined with the employeeNumber are the basis of the unique identity of the user within the system. Service Providers who are connected to Entree Federation use this ID to monitor progress or link licenses to it. From a users perspective therefor it is of the atmost importance that this ID is persistent.
The uid-attribute also contains a domain (or realm). If a school wants to change to another type of Identity Provider it is important that the uid of its users stay persistent. Therefor the domain should not contain the name of a system, e.g. pietjepukkelen@elonaam, but the domain should be linked to the school, e.g. pietjepukkelen@petteflatcollege.
If an Identity Provider is used by multiple educational institutions, the Identity Provider has to be able to pass on a unique domain per educational institution within the uid-attribute.
BRIN number in the nlEduPersonHomeOrganizationId attribute
Many of the connected Service Providers use schoollicenses. In those cases the BRIN number in the nlEduPersonHomeOrganizationId-attribute is used to authorize the user. Entree Federation will validate the received BRIN number against the registered BRIN number.
- An Identity Provider must be able to pass on a BRIN number containing either four or six characters.
- If an Identity Provider is used by multiple educational institutions, the Identity Provider has to be able to pass on a unique BRIN number per educational institution within the nlEduPersonHomeOrganizationId-attribute.