Changes

Attribute Specification

138 bytes added, 26 September 2012, 10:41
eduPersonPrincipalName: disallow special chars
== Purpose of this document ==
In a federation, information about the user is represented in SAML attributes transferred from the Identity Provider to the Service Provider. It is important for both parties to interpret the data in the same way.
Exact definitions of the attributes are maintained in their defining schemas. Within this specification, we use the following schemas:
* ''person'', ''organizationalPerson'' (X.521)
* ''inetOrgPerson'' (RFC2798)
* ''eduPerson'' (http://middleware.internet2.edu/eduperson/, version 200806)
* ''SCHAC'' (http://www.terena.org/activities/tf-emc2/schacreleases.html, version 1.4.1)
* ''niifPerson'', ''niifEduPerson'' ([[NIIFSchema]])
This Attribute Specification provides an ''interpretation'' of the attributes defined in the above documents for their use within the federation. It might be somewhat more specific than the original definition, in order to let the SPs get more specific information about the user.
Beyond the specification, parties may bilaterally agree on any other attributes.
== Use of attributes ==
=== Terms ===
* An attribute is '''implemented''' by an IdP if the information is available according to the semantics of the specification. Releasing an implemented attribute is simply a policy decision of the IdP.
* An attribute is '''released''' when its data is transferred in a SAML attribute from the IdP to an SP. Normally not all available information is sent out, only the attributes that are relevant for the SP.
=== Levels of implementation ===
=== Persistent user identifiers ===
For most services it is necessary to store application-specific data, such as user edits for a wiki page. This data is stored in a database which is local to the SP, while the key linking the user to the database entry is the '''persistent user identifier'''.
Persistent identifiers can be generated in one of the following ways:
* '''static''': the identifier is created when the user is created at the IdP
* '''computed''': the identifier is generated at run-time from one or more attributes of the user (usually by a cryptographic hash function)
* '''stored''': the identifier is stored in the user's digital identity at the IdP, so it remains the same even when other user information changes. Uniqueness of the identifier must be preserved.
The following properties of a persistent identifier are relevant:
* '''persistence''': IdPs must ensure that the identifier does not change during the life-cycle of the user at the institution.
* '''non-reassignable''': IdPs must ensure that the identifier of a user is never reassigned to another user.
* '''opacity''': opaque identifiers do not reveal any personal data about the user.
* '''targeted''': targeted identifiers are different for each SP, so SPs are unable to build a common user profile without the cooperation of the IdP. Such identifiers are preferred for privacy reasons.
Persistent identifiers can be transferred in SAML attributes or in the NameID of a SAML Assertion. Certain SP implementations (such as Shibboleth 2.x) can hide the details of the transfer and can provide the persistent identifier in the REMOTE_USER header.
 
=== List of attributes ===
In this specification, only mandatory and recommended attributes are specified. The [[HREFAttributeSpec|Hungarian version of the Attribute Specification]] contains descriptions of the optional attributes as well. If you have any questions regarding the optional attributes, please contact the Federation Operator.
==== eduPersonTargetedID ====
|implementation=mandatory
|syntax=Must be a SAML2 persistent NameID; the unique identifier part must be no longer than 256 ASCII characters.
|example=
An IdP sends the attribute on the wire such as:
The application at the SP receives the attribute as the following:
https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!84e411ea-7daa-4a57-bbf6-b5cc52981b73
|assurer=institution
}}
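The following is an added example (not part of the original specification or of any IdP's code) showing how a ''computed'' targeted identifier is produced and how it arrives at the SP in the eduPersonTargetedID form shown above. The hash construction follows the Shibboleth IdP computed-ID algorithm (Base64 of SHA-1 over SP entityID, source identifier and a secret salt, separated by '!'); the entity IDs, user identifier and salt are constructed sample values, and the salt in particular is a placeholder, not a real secret.

```python
import base64
import hashlib

# Constructed sample values (assumptions, not from the specification).
# A real IdP keeps the salt secret and never changes it: changing the salt
# changes every identifier it has ever issued, which breaks persistence.
IDP_ENTITY_ID = "https://idp.example.org/idp/shibboleth"
SALT = b"constructed-demo-salt-do-not-use-in-production"


def computed_id(sp_entity_id: str, source_id: str, salt: bytes = SALT) -> str:
    """Computed persistent identifier, Shibboleth IdP style:
    Base64(SHA-1(spEntityID + '!' + sourceID + '!' + salt)).

    source_id must itself be persistent and never reassigned (e.g. an
    internal uid), otherwise the derived value inherits the same problems.
    Because the SP entityID is part of the input, each SP sees a different
    value (targeted), and the hash reveals nothing about the user (opaque).
    """
    h = hashlib.sha1()
    h.update(sp_entity_id.encode("utf-8"))
    h.update(b"!")
    h.update(source_id.encode("utf-8"))
    h.update(b"!")
    h.update(salt)
    return base64.b64encode(h.digest()).decode("ascii")


def check_targeted_id_syntax(unique_part: str) -> bool:
    """Syntax rule from the specification: the unique identifier part is
    at most 256 ASCII characters."""
    return 0 < len(unique_part) <= 256 and unique_part.isascii()


def remote_user_form(sp_entity_id: str, source_id: str,
                     idp_entity_id: str = IDP_ENTITY_ID) -> str:
    """Form in which the Shibboleth SP exposes a persistent NameID to the
    application (e.g. in REMOTE_USER): NameQualifier!SPNameQualifier!value.
    Base64 never contains '!', so the three parts stay separable."""
    return f"{idp_entity_id}!{sp_entity_id}!{computed_id(sp_entity_id, source_id)}"


def parse_remote_user(value: str, expected_sp_entity_id: str) -> dict:
    """Split the idp!sp!id form and check that the SP qualifier is ours.

    An application must key its database on the whole triple (or at least
    on idp + id): the bare value is only unique per issuing IdP, and a value
    qualified for another SP must never be accepted as a login for this one.
    """
    parts = value.split("!")
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected NameQualifier!SPNameQualifier!value")
    idp, sp, unique = parts
    if sp != expected_sp_entity_id:
        raise ValueError(f"identifier is targeted at {sp}, not at us")
    if not check_targeted_id_syntax(unique):
        raise ValueError("unique identifier part is not <=256 ASCII characters")
    return {"idp": idp, "sp": sp, "id": unique}


if __name__ == "__main__":
    sp_a = "https://sp.example.org/shibboleth"
    sp_b = "https://wiki.example.net/shibboleth"
    # Same user, two SPs: two unrelated identifiers (targeted).
    print(remote_user_form(sp_a, "gipsz.jakab"))
    print(remote_user_form(sp_b, "gipsz.jakab"))
    print(parse_remote_user(remote_user_form(sp_a, "gipsz.jakab"), sp_a))
```

The SP-side parser deliberately keeps the IdP and SP qualifiers: the unique part alone is only guaranteed unique within one IdP, and the database key of the application should be the full triple or at least IdP plus identifier.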
eduPersonPrincipalName '''must not be reassigned'''
 
As some applications do not support special characters in identifiers, eduPersonPrincipalName MUST only contain the following characters: alphanumeric characters, dot ('.'), hyphen ('-') and underscore ('_').
|example=gipsz.jakab@example.org
|assurer=institution
}}
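Added example (not from the specification or from any SP implementation): a check an SP could run on a received eduPersonPrincipalName. It enforces the character restriction above on the part before the '@' (the specification's own example, gipsz.jakab@example.org, contains an '@', so the rule is read here as applying to the user part; that reading is an assumption) and additionally verifies that the scope after the '@' is one the asserting IdP is allowed to use, which is the usual scoped-attribute check an SP performs against federation metadata. The allowed-scope set is a constructed sample input.

```python
import re

# Character set given by the specification for the user part of the ePPN.
USER_PART_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def validate_eppn(value: str, allowed_scopes: set) -> tuple:
    """Return (ok, reason) for a received eduPersonPrincipalName.

    allowed_scopes: scopes the asserting IdP is registered for in federation
    metadata (an assumption of this example; in Shibboleth SP this check is
    done by the attribute policy, here it is made explicit). Without it an
    IdP could assert a principal in another institution's scope.
    """
    if not isinstance(value, str) or value.count("@") != 1:
        return False, "expected exactly one '@' separating user part and scope"
    user, scope = value.split("@")
    if not user:
        return False, "empty user part"
    if not USER_PART_RE.match(user):
        bad = sorted({c for c in user if not re.match(r"[A-Za-z0-9._-]", c)})
        return False, f"user part contains disallowed characters: {bad}"
    if not scope:
        return False, "empty scope"
    # DNS names are case-insensitive, so compare scopes case-insensitively.
    if scope.lower() not in {s.lower() for s in allowed_scopes}:
        return False, f"scope {scope!r} is not registered for the asserting IdP"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: an IdP registered for exactly one scope.
    idp_scopes = {"example.org"}
    for candidate in ("gipsz.jakab@example.org",
                      "gipsz jakab@example.org",     # space is not allowed
                      "árvíztűrő@example.org",        # non-ASCII letters
                      "gipsz.jakab@other.example",    # wrong scope
                      "gipsz.jakab"):                 # no scope at all
        print(candidate, "->", validate_eppn(candidate, idp_scopes))
```

The scope check matters as much as the character check: an ePPN is only a reliable key for an application if both the user part is well-formed and the scope really belongs to the IdP that asserted it.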
==== schacHomeOrganizationType ====
{{AttributeDefEn|name=schacHomeOrganizationType
|URI=urn:mace:dir:attribute-def:schacHomeOrganizationType
|OID=1.3.6.1.4.1.25178.1.2.10
|values=urn:schac:homeOrganizationType:hu:{university,nren,library,vho,school,business,other,test}
|implementation=mandatory
|description=Type of the Home Organisation
|semantics=
* '''university''': higher education institutions recognised by the Ministry of Education (universities and colleges)
* '''nren''': national research and education network
* '''library''': libraries
* '''vho''': virtual home organisation, used for federated identification of individuals
* '''school''': primary and secondary education
* '''business''': industrial or commercial companies
* '''other''': other
* '''test''': the principal is a test account
|numOfValues=single
|assurer=inst
|syntax=URN
}}
