
Attributes in B2ACCESS

Provided Attributes from B2ACCESS

Please note that a service MUST only request the attributes that are necessary to run it. Requesting anything beyond that is a violation of the GDPR and may have legal consequences. Users will see which attributes are going to be released to the service.

SAML

| Name | Format |
|---|---|
| common name | urn:oid:2.5.4.3 |
| email | urn:oid:0.9.2342.19200300.100.1.3 |
| eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 |
| eduPersonPrincipalName | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 |
| givenName | urn:oid:2.5.4.42 |
| sn | urn:oid:2.5.4.4 |
| eduPersonEntitlement | urn:oid:1.3.6.1.4.1.5923.1.1.1.7 |
| voPersonId | urn:oid:1.3.6.1.4.1.25178.4.1.6 |
| voPersonExternalAffiliation | urn:oid:1.3.6.1.4.1.25178.4.1.11 |

OAuth2/OIDC

| Scope | Attributes |
|---|---|
| openid | |
| email | email, email_verified |
| profile | name, given_name, family_name |
| credentials | ssh_key, preferred_username |
| eduperson_scoped_affiliation | eduperson_scoped_affiliation |
| entitlements | entitlements |
| eduperson_principal_name | eduperson_principal_name |
| voperson_id | voperson_id |
| assurance | loa |
| display_name | display_name |
| single-logout | |

Unique identifier in B2ACCESS

B2ACCESS provides a unique identifier for every user, which makes it possible to link the accounts of the same user across different services. It is released as voPersonId (SAML: urn:oid:1.3.6.1.4.1.25178.4.1.6 / OIDC: voperson_id). This ID is created by B2ACCESS itself; B2ACCESS does not reuse an identifier from the external identity providers, for several reasons:

  • Email is not a suitable identifier because it is not unique over time and will be reused after a user has left the organisation.
  • eduPersonPrincipalName is not a good identifier because centres may use the email address as eduPersonUniqueId too.
  • Identifiers sent by remote identity providers are not used because some of them do not send persistent identifiers but transient ones. Those are only unique per user, identity provider and service provider: if a user logs into two different services, the IDs released to these services are not equal.

In the case of SAML, the identifier is the first part of the voPersonId. In the case of OAuth/OIDC, the voPersonId is sub (without dashes)@iss.

Group membership information

B2ACCESS releases group membership information according to the AARC-G002 guideline. The information is released as eduPersonEntitlement in the following format:

<NAMESPACE>:group:GROUPNAME[:SUBGROUPNAME]#<AUTHORITY>

The first part, including the namespace, is the unique name of the group. The authority shows which provider assigned the user to the group; group membership may be granted by different authorities. Users can review their memberships in groups that are managed within B2ACCESS in their profile at the home endpoint, where only the GROUPNAME is displayed. The created eduPersonEntitlement values are released together with the information received during login from the centre's identity provider.

Resource capability information

B2ACCESS releases resource capability information according to the AARC-G027 guideline. The information is released as eduPersonEntitlement in the following format:

<NAMESPACE>:res:RESOURCENAME[:PERMISSION]#<AUTHORITY>

The first part, including the namespace, is the unique name of the resource for which capabilities are granted. The authority shows which provider granted the permission to use the resource; resource capabilities may be granted by different authorities. The created eduPersonEntitlement values are released together with the information received during login from the centre's identity provider.
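A service that consumes the group membership (AARC-G002) and resource capability (AARC-G027) entitlements described in the two sections above has to split each value into namespace, kind, path and authority before it can make an authorization decision, and it should reject values that do not fit either format rather than guess. The following parser and the two lookup helpers are an added example written for this page; they are not B2ACCESS code. The namespace `urn:example:ns`, the authority names and the sample entitlement list are constructed placeholders, not values B2ACCESS releases.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Shapes from the page:
#   <NAMESPACE>:group:GROUPNAME[:SUBGROUPNAME]#<AUTHORITY>   (AARC-G002)
#   <NAMESPACE>:res:RESOURCENAME[:PERMISSION]#<AUTHORITY>    (AARC-G027)
# The namespace is a URN-style prefix that itself contains colons, so it is
# matched non-greedily up to the first ":group:" or ":res:"; the authority is
# everything after the '#'. Neither part may contain a '#'.
_ENTITLEMENT_RE = re.compile(
    r"^(?P<namespace>[^#]+?):(?P<kind>group|res):(?P<path>[^#]+)#(?P<authority>[^#]+)$"
)


@dataclass(frozen=True)
class Entitlement:
    namespace: str
    kind: str                 # "group" or "res"
    path: Tuple[str, ...]     # ("GROUP", "SUBGROUP", ...) or ("RESOURCE", "PERMISSION")
    authority: str


def parse_entitlement(value: str) -> Optional[Entitlement]:
    """Parse one eduPersonEntitlement / entitlements value; None if malformed."""
    m = _ENTITLEMENT_RE.match(value.strip())
    if m is None:
        return None
    path = tuple(p for p in m.group("path").split(":") if p)
    if not path:
        return None
    return Entitlement(m.group("namespace"), m.group("kind"), path, m.group("authority"))


def has_group(entitlements: Iterable[str], namespace: str, group_path: str,
              authority: Optional[str] = None) -> bool:
    """Exact group match ("GROUP" or "GROUP:SUBGROUP") in the given namespace.

    No hierarchy inference is done: holding a subgroup is not treated as holding
    the parent group. Passing `authority` restricts the match to one issuer.
    """
    wanted = tuple(group_path.split(":"))
    for raw in entitlements:
        e = parse_entitlement(raw)
        if e is None or e.kind != "group" or e.namespace != namespace:
            continue
        if authority is not None and e.authority != authority:
            continue
        if e.path == wanted:
            return True
    return False


def has_capability(entitlements: Iterable[str], namespace: str, resource: str,
                   permission: Optional[str] = None,
                   authority: Optional[str] = None) -> bool:
    """True if a 'res' entitlement names the resource (and permission, if given)."""
    for raw in entitlements:
        e = parse_entitlement(raw)
        if e is None or e.kind != "res" or e.namespace != namespace:
            continue
        if authority is not None and e.authority != authority:
            continue
        if e.path[0] != resource:
            continue
        if permission is None or (len(e.path) > 1 and e.path[1] == permission):
            return True
    return False


# Constructed sample values, as a service might receive them in the SAML
# eduPersonEntitlement attribute or the OIDC `entitlements` claim.
SAMPLE_ENTITLEMENTS = [
    "urn:example:ns:group:projectA#idp.example.org",
    "urn:example:ns:group:projectA:developers#idp.example.org",
    "urn:example:ns:res:storage01:write#ra.example.org",
    "not-an-entitlement",
]

if __name__ == "__main__":
    for raw in SAMPLE_ENTITLEMENTS:
        print(raw, "->", parse_entitlement(raw))
    print("projectA member:", has_group(SAMPLE_ENTITLEMENTS, "urn:example:ns", "projectA"))
    print("storage01 write:", has_capability(SAMPLE_ENTITLEMENTS, "urn:example:ns", "storage01", "write"))
```

Because different authorities may grant the same group or capability, a service that only trusts one of them should pass `authority=` explicitly instead of accepting any issuer that happens to use the namespace.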


Last update: 09.02.2024