# Attributes in B2ACCESS

## Provided Attributes from B2ACCESS
Please note that a service MUST request only the attributes it needs in order to operate. Requesting anything beyond that violates the GDPR (data minimisation) and may have legal consequences. Users are shown which attributes are going to be released to the service.
### SAML

| Name | SAML attribute name (OID) |
|---|---|
| common name | urn:oid:2.5.4.3 |
| email | urn:oid:0.9.2342.19200300.100.1.3 |
| eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 |
| eduPersonPrincipalName | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 |
| givenName | urn:oid:2.5.4.42 |
| sn | urn:oid:2.5.4.4 |
| eduPersonEntitlement | urn:oid:1.3.6.1.4.1.5923.1.1.1.7 |
| voPersonId | urn:oid:1.3.6.1.4.1.25178.4.1.6 |
| voPersonExternalAffiliation | urn:oid:1.3.6.1.4.1.25178.4.1.11 |
### OAuth2/OIDC

| Scope | Claims released |
|---|---|
| openid | |
| email | email, email_verified |
| profile | name, given_name, family_name |
| credentials | ssh_key, preferred_username |
| eduperson_scoped_affiliation | eduperson_scoped_affiliation |
| entitlements | entitlements |
| eduperson_principal_name | eduperson_principal_name |
| voperson_id | voperson_id |
| assurance | loa |
| display_name | display_name |
| single-logout | |
## Unique identifier in B2ACCESS

The B2ACCESS identifier is a unique identifier for every user, which allows a user's accounts on different services to be linked. It is released as voPersonId (SAML: urn:oid:1.3.6.1.4.1.25178.4.1.6 / OIDC: voperson_id). This ID is created by B2ACCESS itself. B2ACCESS does not reuse an identifier from the external Identity Providers, for several reasons:

- Email is not an identifier: it is not unique across time and will be reused after a user has left the organisation.
- eduPersonPrincipalName is not a good identifier either, because centres may use the email address as eduPersonUniqueId too.
- Identifiers sent by remote Identity Providers are not used because some of them send transient rather than persistent identifiers. A transient identifier is unique only for the combination of user, Identity Provider and Service Provider: if a user logs in to two different services, the IDs released to those services are not equal.

In the SAML case the identifier is the first part of the voPersonId. In the OAuth2/OIDC case the voPersonId is `sub` (without dashes), followed by `@` and `iss`.
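The following is an added example, not code from B2ACCESS, showing how a service would key its local accounts on voPersonId so that a SAML login and an OIDC login of the same person land on the same account. It applies the two rules stated above (OIDC: `sub` without dashes + `@` + `iss`; SAML: the identifier is the part before `@`) and assumes that, for one user, the SAML first part and the dash-stripped OIDC `sub` are the same string and that `sub` is UUID-shaped. The issuer URL, SAML scope, UUID and email values are constructed for the example.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Added example, not B2ACCESS code. The issuer URL, SAML scope and UUID below are
# constructed values used only to exercise the logic; they are assumptions, not
# real B2ACCESS identifiers.
EXPECTED_OIDC_ISS = "https://b2access.example.org/oauth2"   # assumed OIDC issuer
ASSUMED_SAML_SCOPE = "b2access.example.org"                 # assumed scope part of the SAML voPersonId
ALLOWED_SCOPES = {EXPECTED_OIDC_ISS, ASSUMED_SAML_SCOPE}

SAML_VOPERSON_ID_OID = "urn:oid:1.3.6.1.4.1.25178.4.1.6"    # from the SAML table on this page
HEX32 = re.compile(r"[0-9a-f]{32}")                         # assumption: sub is a UUID, dashes removed


def voperson_id_from_oidc(claims: Dict[str, str]) -> str:
    """voPersonId for an OIDC login.

    If the voperson_id claim was released (scope voperson_id) use it as-is; otherwise
    derive it as the page states: sub without dashes, '@', iss.
    """
    if claims.get("voperson_id"):
        return claims["voperson_id"]
    return claims["sub"].replace("-", "") + "@" + claims["iss"]


def split_voperson_id(voperson_id: str) -> Tuple[str, str]:
    """Split '<identifier>@<scope>' at the first '@'; the identifier is what B2ACCESS created."""
    local, sep, scope = voperson_id.partition("@")
    if not sep or not scope or not HEX32.fullmatch(local):
        raise ValueError(f"unexpected voPersonId form: {voperson_id!r}")
    return local, scope


def is_trusted_voperson_id(voperson_id: str, allowed_scopes: Iterable[str]) -> bool:
    """Reject an ID whose scope is not one we expect from B2ACCESS (e.g. a foreign issuer)."""
    try:
        _, scope = split_voperson_id(voperson_id)
    except ValueError:
        return False
    return scope in set(allowed_scopes)


def account_key(voperson_id: str, allowed_scopes: Iterable[str]) -> str:
    """The value to key local accounts on: the B2ACCESS identifier, never email or ePPN."""
    if not is_trusted_voperson_id(voperson_id, allowed_scopes):
        raise ValueError(f"untrusted or malformed voPersonId: {voperson_id!r}")
    return split_voperson_id(voperson_id)[0]


def same_account(saml_attrs: Dict[str, List[str]], oidc_claims: Dict[str, str],
                 allowed_scopes: Iterable[str] = ALLOWED_SCOPES) -> bool:
    """True when a SAML login and an OIDC login belong to the same B2ACCESS user."""
    saml_key = account_key(saml_attrs[SAML_VOPERSON_ID_OID][0], allowed_scopes)
    oidc_key = account_key(voperson_id_from_oidc(oidc_claims), allowed_scopes)
    return saml_key == oidc_key


# Constructed sample logins for one user. The email addresses differ on purpose:
# email is not the key, as the page explains.
SAMPLE_OIDC_CLAIMS = {
    "iss": EXPECTED_OIDC_ISS,
    "sub": "3f2a9c1e-7b4d-4e2a-9c1f-8d6e5a4b3c2d",
    "email": "jane.doe@example.org",
}
SAMPLE_SAML_ATTRS = {
    SAML_VOPERSON_ID_OID: ["3f2a9c1e7b4d4e2a9c1f8d6e5a4b3c2d@" + ASSUMED_SAML_SCOPE],
    "urn:oid:0.9.2342.19200300.100.1.3": ["jdoe@example.org"],
}

if __name__ == "__main__":
    print(voperson_id_from_oidc(SAMPLE_OIDC_CLAIMS))
    print(same_account(SAMPLE_SAML_ATTRS, SAMPLE_OIDC_CLAIMS))
```

The scope check in `is_trusted_voperson_id` is the part worth keeping even if the rest is adapted: a service that accepts any `<id>@<scope>` string as a key would let a second issuer mint an identifier that collides with, or impersonates, a B2ACCESS one.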
## Group membership information

B2ACCESS releases group membership information according to the AARC-G002 guideline. The information is released as eduPersonEntitlement in the following format:

`<NAMESPACE>:group:GROUPNAME[:SUBGROUPNAME]#<AUTHORITY>`

The first part, including the namespace, is the unique name of the group. The authority part shows which provider added the user to the group; group membership may be granted by different authorities. Users can review the memberships of groups that are managed within B2ACCESS in their profile on the home endpoint; there only the GROUPNAME is displayed. The generated eduPersonEntitlement values are released together with the information received during login from the centre's Identity Provider.
## Resource capability information

B2ACCESS releases resource capability information according to the AARC-G027 guideline. The information is released as eduPersonEntitlement in the following format:

`<NAMESPACE>:res:RESOURCENAME[:PERMISSION]#<AUTHORITY>`

The first part, including the namespace, is the unique name of the resource for which capabilities are granted. The authority part shows which provider granted the permission to use the resource; resource capabilities may be granted by different authorities. The generated eduPersonEntitlement values are released together with the information received during login from the centre's Identity Provider.
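Because both the group (AARC-G002) and the resource capability (AARC-G027) values arrive in the same eduPersonEntitlement attribute, a service needs one parser that tells them apart and an authorization check that also looks at the authority part. The block below is an added example, not B2ACCESS's own code: it parses both formats described in the two sections above, ignores values it does not recognise, and only honours entitlements granted by authorities the service trusts. The namespace `urn:geant:eudat.eu`, the authority strings and the sample entitlement values are constructed for the example. Matching is exact on the group path and permission; whether membership in a subgroup should imply membership in its parent is a service policy the page does not state, so it is not assumed here.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple

# Added example, not B2ACCESS code. Formats follow the page:
#   AARC-G002 group:       <NAMESPACE>:group:GROUPNAME[:SUBGROUPNAME]#<AUTHORITY>
#   AARC-G027 capability:  <NAMESPACE>:res:RESOURCENAME[:PERMISSION]#<AUTHORITY>
# The namespace and authority strings in the sample data below are assumptions.


@dataclass(frozen=True)
class Entitlement:
    namespace: str                  # everything before ':group:' or ':res:'
    kind: str                       # "group" or "res"
    name: str                       # GROUPNAME or RESOURCENAME
    qualifiers: Tuple[str, ...]     # SUBGROUPNAME chain, or (PERMISSION,); empty if absent
    authority: str                  # who granted it (the part after '#')


def parse_entitlement(value: str) -> Optional[Entitlement]:
    """Parse one eduPersonEntitlement value; None for anything outside the two formats."""
    body, hash_sign, authority = value.partition("#")
    if not hash_sign or not authority or "#" in authority:
        return None
    # The namespace is a URN and itself contains ':', so locate the first kind marker.
    hits = [(body.find(f":{kind}:"), kind) for kind in ("group", "res")]
    hits = [(i, kind) for i, kind in hits if i > 0]
    if not hits:
        return None
    idx, kind = min(hits)
    namespace = body[:idx]
    parts = body[idx + len(kind) + 2:].split(":")
    if any(p == "" for p in parts):      # empty GROUPNAME/RESOURCENAME or ':' doubled
        return None
    return Entitlement(namespace, kind, parts[0], tuple(parts[1:]), authority)


def grants(entitlements: Iterable[str], kind: str, namespace: str, name: str,
           qualifiers: Tuple[str, ...] = (), trusted_authorities: Optional[Set[str]] = None) -> bool:
    """True if some entitlement matches exactly and, when trusted_authorities is given,
    was granted by one of those authorities. Unparseable values never match."""
    for raw in entitlements:
        e = parse_entitlement(raw)
        if e is None:
            continue
        if (e.kind, e.namespace, e.name, e.qualifiers) != (kind, namespace, name, tuple(qualifiers)):
            continue
        if trusted_authorities is not None and e.authority not in trusted_authorities:
            continue
        return True
    return False


def has_group(entitlements: Iterable[str], namespace: str, group: str,
              subgroups: Tuple[str, ...] = (), trusted_authorities: Optional[Set[str]] = None) -> bool:
    return grants(entitlements, "group", namespace, group, subgroups, trusted_authorities)


def has_capability(entitlements: Iterable[str], namespace: str, resource: str,
                   permission: Optional[str] = None, trusted_authorities: Optional[Set[str]] = None) -> bool:
    qualifiers = (permission,) if permission else ()
    return grants(entitlements, "res", namespace, resource, qualifiers, trusted_authorities)


# Constructed sample attribute values for one login (namespace and authorities assumed).
NS = "urn:geant:eudat.eu"
SAMPLE_ENTITLEMENTS = [
    f"{NS}:group:b2share#aai.eudat.eu",
    f"{NS}:group:b2share:admins#aai.eudat.eu",
    f"{NS}:res:b2safe:write#aai.eudat.eu",
    f"{NS}:res:b2safe:write#idp.example.org",       # same capability, granted by a second authority
    "urn:mace:dir:entitlement:common-lib-terms",    # not in either format: ignored
]

if __name__ == "__main__":
    for raw in SAMPLE_ENTITLEMENTS:
        print(raw, "->", parse_entitlement(raw))
    print(has_group(SAMPLE_ENTITLEMENTS, NS, "b2share", ("admins",)))
    print(has_capability(SAMPLE_ENTITLEMENTS, NS, "b2safe", "write", {"aai.eudat.eu"}))
```

The `trusted_authorities` filter is the practical consequence of the page's remark that the same group or capability may be granted by different authorities: a service that grants write access on `b2safe` should decide which authorities it accepts that grant from, rather than honouring any value that happens to end in `#<something>`.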
Last update: 09.02.2024