Attributes released by the Raven IdP: Difference between revisions
m (→University SPs: know -> known) |
(→University SPs: Add 'uid', mention that most of these values are only valid when asserted by the Raven IdP) |
||
Line 64: | Line 64: | ||
Raven will additionally release the following to any SP for which it has registration data and which it recognises as being operated by the University. Note that many of these values are subject to suppression in lookup and that Raven can only release values that are not suppressed. | Raven will additionally release the following to any SP for which it has registration data and which it recognises as being operated by the University. Note that many of these values are subject to suppression in lookup and that Raven can only release values that are not suppressed. | ||
Note that many of these are only defined locally and it is unlikely to make any sense to accept them from IdPs other than the one provided by Raven. Indeed it could be positively dangerous to do so - for example any IdP can assert any value it likes for 'uid' and to assume that this was a correctly established CRSid would be insecure. The default Shib SP configuration described elsewhere in these pages only configures the SP to trust the Raven IdP, so in that configuration all these values could be considered trustworthy. However more care should be taken should additional IdP's (such as those in the UK federation) be added as trusted. | |||
<table border="1" cellpadding="5"> | <table border="1" cellpadding="5"> | ||
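Review bot: the added paragraph writes "additional IdP's" where the plural "IdPs" is meant; fix the apostrophe. The same paragraph says the default SP configuration trusts only the Raven IdP but does not say how an SP operator can see which IdP asserted a given set of attributes, which is exactly what a reader adding UK federation IdPs needs; a short pointer to where the trusted IdP is configured in the SP would close that gap.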
Line 71: | Line 73: | ||
<th>Id</th> | <th>Id</th> | ||
<th>Description</th> | <th>Description</th> | ||
<th>Notes</th> | |||
</tr> | </tr> | ||
Line 77: | Line 80: | ||
<td>sn</td> | <td>sn</td> | ||
<td>User's Surname. Single-valued.</td> | <td>User's Surname. Single-valued.</td> | ||
<td></td> | |||
</tr> | </tr> | ||
Line 83: | Line 87: | ||
<td>cn</td> | <td>cn</td> | ||
<td>User's Registered Name. Single-valued.</td> | <td>User's Registered Name. Single-valued.</td> | ||
<td></td> | |||
</tr> | </tr> | ||
Line 89: | Line 94: | ||
<td>displayName</td> | <td>displayName</td> | ||
<td>User's Display Name. Single-valued.</td> | <td>User's Display Name. Single-valued.</td> | ||
<td></td> | |||
</tr> | </tr> | ||
Line 95: | Line 101: | ||
<td>title</td> | <td>title</td> | ||
<td>User's Roles. Multi-valued.</td> | <td>User's Roles. Multi-valued.</td> | ||
<td></td> | |||
</tr> | </tr> | ||
Line 101: | Line 108: | ||
<td>ou</td> | <td>ou</td> | ||
<td>The institutions to which the user belongs. Multi-valued.</td> | <td>The institutions to which the user belongs. Multi-valued.</td> | ||
<td></td> | |||
</tr> | </tr> | ||
Line 107: | Line 115: | ||
<td>instID</td> | <td>instID</td> | ||
<td>The 'Inst ID's of the institutions to which the user belongs. Note that this may not be in the same order as the values of ou. Multi-valued.</td> | <td>The 'Inst ID's of the institutions to which the user belongs. Note that this may not be in the same order as the values of ou. Multi-valued.</td> | ||
<td></td> | |||
</tr> | </tr> | ||
Line 113: | Line 122: | ||
<td>jdInst</td> | <td>jdInst</td> | ||
<td>The 'Inst ID' of the user's primary institution as shown in the Computing Service's Jackdaw database. Single-valued.</td> | <td>The 'Inst ID' of the user's primary institution as shown in the Computing Service's Jackdaw database. Single-valued.</td> | ||
<td></td> | |||
</tr> | </tr> | ||
Line 119: | Line 129: | ||
<td>telephoneNumber</td> | <td>telephoneNumber</td> | ||
<td>User's Telephone Numbers. Multi-valued.</td> | <td>User's Telephone Numbers. Multi-valued.</td> | ||
<td></td> | |||
</tr> | </tr> | ||
Line 125: | Line 136: | ||
<td>mail</td> | <td>mail</td> | ||
<td>User's preferred email address. Single valued.</td> | <td>User's preferred email address. Single valued.</td> | ||
<td></td> | |||
</tr> | </tr> | ||
Line 131: | Line 143: | ||
<td>mailAlternative</td> | <td>mailAlternative</td> | ||
<td>User's other mail addresses. Multi-valued.</td> | <td>User's other mail addresses. Multi-valued.</td> | ||
<td></td> | |||
</tr> | </tr> | ||
Line 137: | Line 150: | ||
<td>misAffiliation</td> | <td>misAffiliation</td> | ||
<td>User's 'status' within the University. Possible values are <tt>staff</tt> and/or <tt>student</tt>. New values may be added over time - applications relying on this attribute should ignore unrecognised values. Note: the coverage of this attribute is known to be incomplete - anyone with the value <tt>student</tt> probably is a student (for some definition thereof); anyone without this may or may not be. Ditto for 'staff'. Multi-valued.</td> | <td>User's 'status' within the University. Possible values are <tt>staff</tt> and/or <tt>student</tt>. New values may be added over time - applications relying on this attribute should ignore unrecognised values. Note: the coverage of this attribute is known to be incomplete - anyone with the value <tt>student</tt> probably is a student (for some definition thereof); anyone without this may or may not be. Ditto for 'staff'. Multi-valued.</td> | ||
<td></td> | |||
</tr> | </tr> | ||
Line 143: | Line 157: | ||
<td>groupTitle</td> | <td>groupTitle</td> | ||
<td>The names of the lookup groups to which the user belongs. Multi-valued. Note the availability of this attribute is subject to both the user's choice of suppression and the group administrator's.</td> | <td>The names of the lookup groups to which the user belongs. Multi-valued. Note the availability of this attribute is subject to both the user's choice of suppression and the group administrator's.</td> | ||
<td></td> | |||
</tr> | </tr> | ||
Line 149: | Line 164: | ||
<td>groupID</td> | <td>groupID</td> | ||
<td>The groupID of the lookup groups to which the user belongs. Multi-valued. Note the availability of this attribute is subject to both the user's choice of suppression and the group administrator's. Note that this may not be in the same order as the values of groupTitle.</td> | <td>The groupID of the lookup groups to which the user belongs. Multi-valued. Note the availability of this attribute is subject to both the user's choice of suppression and the group administrator's. Note that this may not be in the same order as the values of groupTitle.</td> | ||
<td></td> | |||
</tr> | </tr> | ||
Line 155: | Line 171: | ||
<td>persistent-id</td> | <td>persistent-id</td> | ||
<td>An alternate form of a persistent, unique user identifier which is consistent for all accesses to a particular SP by a particular user but which will be different for different users and for different services (c.f. targeted-id above). See https://spaces.internet2.edu/display/SHIB2/NativeSPTargetedID for background to this duplication.</td> | <td>An alternate form of a persistent, unique user identifier which is consistent for all accesses to a particular SP by a particular user but which will be different for different users and for different services (c.f. targeted-id above). See https://spaces.internet2.edu/display/SHIB2/NativeSPTargetedID for background to this duplication.</td> | ||
<td></td> | |||
</tr> | |||
<tr align="left" valign="top"> | |||
<td>urn:mace:dir:attribute-def:uid</td> | |||
<td>uid</td> | |||
<td>User's CRSid (centrally-managed University user ID)</td> | |||
<td></td> | |||
</tr> | </tr> | ||
</table> | </table> |
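Review bot: the new uid row is the only row in this table without the "Single-valued." or "Multi-valued." annotation (and a closing full stop); add it so the row matches the others. Separately, the new fourth "Notes" column is left empty in every row, including the uid row; either move the suppression remarks that currently sit inside the Description cells (groupTitle, groupID) into it or drop the column.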
Revision as of 10:47, 16 March 2010
Following authentication, the IdP on Raven will release various attributes about the authenticated user. Most of these come from or are derived from lookup. An example attribute map is available for use by SPs within the University - this document assumes that this file is in use and that users are authenticating to the Raven IdP - other maps and other IdPs will behave differently. In particular, IdPs elsewhere in the UK federation are unlikely to release by default anything other than urn:mace:dir:attribute-def:eduPersonScopedAffiliation and urn:mace:dir:attribute-def:eduPersonTargetedID (and perhaps not even that).
Each of these attributes has a formal 'name' (which appears in the protocol messages on the wire) and this is mapped, by the attribute-map.xml file, into a more useful 'id' which in turn is used to make attribute values available to web sites. How this happens depends on platform. For Apache, the 'id's are used as the names of environment variables (with all occurrences of '-' converted to '_' and with multiple values separated by ';'). On IIS, the 'id's are used as the names of server variables.
Exactly what is released will differ depending on how (if at all) the SP is registered with Raven. SP registration takes place by providing 'Metadata', which may appear either in the UK federation metadata file or in the local 'Ucam federation' one.
Registered, but with technical errors
No attributes are released. This is a common failure mode and suggests that Raven is finding metadata about the SP but that this doesn't match reality.
Completely unregistered ('Anonymous')
Raven will release the following attributes with the described values to SPs it knows nothing about:
Name | Id | Description |
---|---|---|
urn:mace:dir:attribute-def:eduPersonPrincipalName | eppn | A single persistent, unique user identifier which is consistent across all services. For a Raven user this has the form <crsid>@cam.ac.uk. It is NOT an email address. |
urn:mace:dir:attribute-def:eduPersonScopedAffiliation | affiliation | One or more values indicating the authenticated user's relationship with the organisation operating the IdP. For a Raven user this has the value member@cam.ac.uk for anyone who appears in lookup, and the value member@eresources.lib.ac.uk for anyone entitled to access the bulk of University Library-licensed electronic resources. New values may be added over time - applications relying on this attribute should ignore unrecognised values. |
urn:mace:dir:attribute-def:eduPersonEntitlement | entitlement | One or more values indicating particular entitlements. Currently includes urn:mace:dir:entitlement:common-lib-terms on behalf of anyone entitled to access the general University Library electronic resource collection. New values may be added over time - applications relying on this attribute should ignore unrecognised values. |
Registered SPs
Raven will additionally release the following to any SP for which it has registration data:
Name | Id | Description |
---|---|---|
urn:mace:dir:attribute-def:eduPersonTargetedID | targeted-id | A single persistent, unique user identifier which is consistent for all accesses to a particular SP by a particular user but which will be different for different users and for different services. The recommended attribute map returns this in the old, deprecated scoped format <opaque string>@cam.ac.uk. See https://spaces.internet2.edu/display/SHIB2/NativeSPTargetedID for discussion on this, and why it might be better to synthesise something in the persistent-id format (see below). |
University SPs
Raven will additionally release the following to any SP for which it has registration data and which it recognises as being operated by the University. Note that many of these values are subject to suppression in lookup and that Raven can only release values that are not suppressed.
Note that many of these are only defined locally and it is unlikely to make any sense to accept them from IdPs other than the one provided by Raven. Indeed it could be positively dangerous to do so - for example any IdP can assert any value it likes for 'uid', and to assume that this was a correctly established CRSid would be insecure. The default Shib SP configuration described elsewhere in these pages only configures the SP to trust the Raven IdP, so in that configuration all these values could be considered trustworthy. However more care should be taken should additional IdPs (such as those in the UK federation) be added as trusted.
Name | Id | Description | Notes |
---|---|---|---|
urn:mace:dir:attribute-def:sn | sn | User's Surname. Single-valued. | |
urn:mace:dir:attribute-def:cn | cn | User's Registered Name. Single-valued. | |
urn:mace:dir:attribute-def:displayName | displayName | User's Display Name. Single-valued. | |
urn:mace:dir:attribute-def:title | title | User's Roles. Multi-valued. | |
urn:mace:dir:attribute-def:ou | ou | The institutions to which the user belongs. Multi-valued. | |
urn:oid:1.3.6.1.4.1.6822.1.1.5 | instID | The 'Inst ID's of the institutions to which the user belongs. Note that this may not be in the same order as the values of ou. Multi-valued. | |
urn:oid:1.3.6.1.4.1.6822.1.1.30 | jdInst | The 'Inst ID' of the user's primary institution as shown in the Computing Service's Jackdaw database. Single-valued. | |
urn:mace:dir:attribute-def:telephoneNumber | telephoneNumber | User's Telephone Numbers. Multi-valued. | |
urn:mace:dir:attribute-def:mail | mail | User's preferred email address. Single-valued. | |
urn:oid:1.3.6.1.4.1.6822.1.1.11 | mailAlternative | User's other mail addresses. Multi-valued. | |
urn:oid:1.3.6.1.4.1.6822.1.1.38 | misAffiliation | User's 'status' within the University. Possible values are staff and/or student. New values may be added over time - applications relying on this attribute should ignore unrecognised values. Note: the coverage of this attribute is known to be incomplete - anyone with the value student probably is a student (for some definition thereof); anyone without this may or may not be. Ditto for 'staff'. Multi-valued. | |
urn:oid:1.3.6.1.4.1.6822.1.1.22 | groupTitle | The names of the lookup groups to which the user belongs. Multi-valued. Note the availability of this attribute is subject to both the user's choice of suppression and the group administrator's. | |
urn:oid:1.3.6.1.4.1.6822.1.1.22 | groupID | The groupID of the lookup groups to which the user belongs. Multi-valued. Note the availability of this attribute is subject to both the user's choice of suppression and the group administrator's. Note that this may not be in the same order as the values of groupTitle. | |
urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | persistent-id | An alternate form of a persistent, unique user identifier which is consistent for all accesses to a particular SP by a particular user but which will be different for different users and for different services (c.f. targeted-id above). See https://spaces.internet2.edu/display/SHIB2/NativeSPTargetedID for background to this duplication. | |
urn:mace:dir:attribute-def:uid | uid | User's CRSid (centrally-managed University user ID) | |
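The following is an added example, not code from the Raven documentation or the Shibboleth project, showing how an Apache-hosted application would read the attribute 'id's described above (with '-' mapped to '_' and multiple values joined by ';') and apply the trust rule from the University SPs section: locally-defined attributes such as uid and ou are only accepted when the asserting IdP is Raven. It assumes the SP exposes the asserting IdP's entityID in the Shib-Identity-Provider variable (Shib_Identity_Provider under Apache); the Raven entityID constant and the sample environment are placeholders constructed for the example.

```python
# Added example: reader for Shibboleth SP attributes in Apache environment
# variables, enforcing "local attributes only from the Raven IdP".

# Assumption: replace this placeholder with the real Raven IdP entityID.
RAVEN_IDP_ENTITY_ID = "https://raven-idp.example.invalid/shibboleth"

# Ids this page lists as released only to University SPs and defined
# locally; any IdP could assert arbitrary values for them.
# persistent-id is left out: it is the standard eduPersonTargetedID form.
UNIVERSITY_ONLY_IDS = {
    "sn", "cn", "displayName", "title", "ou", "instID", "jdInst",
    "telephoneNumber", "mail", "mailAlternative", "misAffiliation",
    "groupTitle", "groupID", "uid",
}
# Ids the page marks as multi-valued (joined by ';' under Apache).
MULTI_VALUED_IDS = {
    "affiliation", "entitlement", "title", "ou", "instID",
    "telephoneNumber", "mailAlternative", "misAffiliation",
    "groupTitle", "groupID",
}

def env_name(attr_id):
    """Apache exposes the attribute-map 'id' with every '-' turned into '_'."""
    return attr_id.replace("-", "_")

def read_attribute(env, attr_id):
    """Return the list of values for attr_id from an environment mapping."""
    raw = env.get(env_name(attr_id))
    if not raw:
        return []
    if attr_id in MULTI_VALUED_IDS:
        return [v for v in raw.split(";") if v]
    return [raw]

def trusted_attributes(env, attr_ids):
    """Collect attributes, dropping University-only ones unless Raven asserted them."""
    idp = env.get("Shib_Identity_Provider", "")
    result = {}
    for attr_id in attr_ids:
        if attr_id in UNIVERSITY_ONLY_IDS and idp != RAVEN_IDP_ENTITY_ID:
            continue  # e.g. a 'uid' from another IdP is not an established CRSid
        values = read_attribute(env, attr_id)
        if values:
            result[attr_id] = values
    return result

# Constructed sample environment (placeholder values, not real data).
SAMPLE_ENV = {
    "Shib_Identity_Provider": RAVEN_IDP_ENTITY_ID,
    "eppn": "abc123@cam.ac.uk",
    "affiliation": "member@cam.ac.uk;member@eresources.lib.ac.uk",
    "uid": "abc123",
    "ou": "Computing Service;Department of Examples",
    "persistent_id": "https://idp.example/!https://sp.example/!opaque",
}
```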