
Attribute Specification

1,866 bytes added, 27 January 2012, 14:36
autosave
Beyond the specification, parties may bilaterally agree on any other attributes.
 
== Use of attributes ==
* '''Desired''': the information can add extra functionality to the application or can provide a better user experience
:: e.g. when <code>displayName</code> is transferred, the user is not prompted to supply his or her common name.
 
== Attributes ==
=== Summary ===
==== Mandatory attributes ====
{| {{prettytable}}
|eduPersonTargetedID
|-
|eduPersonScopedAffiliation
|-
|schacHomeOrganizationType
|-
|eduPersonPrincipalName
|}
==== Recommended attributes ====
{| {{prettytable}}
|displayName
|-
|mail
|-
|eduPersonEntitlement
|}
 
=== Persistent user identifiers ===
For some services, it is necessary to store application-specific data, such as user edits for a wiki page. This data is stored in some database local to the SP, and the key linking the user to the database entry is a '''persistent user identifier'''.
 
Persistent identifiers can be:
* '''static''': the identifier is created at the time of user creation at the IdP
* '''computed''': the identifier is generated at run time from one or more attributes of the user (usually by some cryptographic hashing algorithm).
* '''stored''': the identifier is stored in the user's digital identity at the IdP, thus it is persistent even when other user information is changed. Uniqueness of the identifier must be preserved.
 
Identifiers can hold the following properties:
* '''persistence''': IdPs must ensure that the identifier does not change during the life-cycle of the user at the institution.
* '''non-reassignable''': IdPs must ensure that an identifier of a user will not be reassigned to another user.
* '''opacity''': opaque identifiers do not refer to any personal data
* '''targeted''': targeted identifiers are different for each SP, thus the SPs are unable to build a common user profile without the cooperation of the IdP. Such identifiers are preferred for privacy reasons.
 
Persistent identifiers can be transferred in SAML attributes or in the NameID of a SAML Assertion. Certain SP implementations (such as Shibboleth 2.x) can hide the details of the transfer and can provide a persistent identifier in the REMOTE_USER header.
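The following is an added example, not part of this specification and not the algorithm of any particular IdP product: it derives a computed identifier with a keyed hash over a static source identifier and the SP's entityID, and checks the persistence, targeted and opacity properties listed above. The salt, entityIDs and user records are constructed sample values.

```python
import base64
import hashlib
import hmac

# Constructed sample data for the example (not from any real IdP or SP).
IDP_SALT = b"example-idp-secret-salt-do-not-reuse"
IDP_SCOPE = "idp.example.org"
SP_WIKI = "https://wiki.example.org/shibboleth"
SP_MAIL = "https://webmail.example.org/shibboleth"


def computed_targeted_id(source_id: str, sp_entity_id: str, salt: bytes = IDP_SALT) -> str:
    """Derive an opaque, targeted identifier from a source attribute.

    HMAC-SHA256 over "<entityID>!<source_id>" keyed with an IdP-only salt:
    the same source_id always yields the same value for one SP (persistence),
    a different value for every other SP (targeted), and without the salt the
    SP cannot recover or brute-force the source value (opacity).
    """
    msg = f"{sp_entity_id}!{source_id}".encode()
    digest = hmac.new(salt, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def eppn(uid: str, scope: str = IDP_SCOPE) -> str:
    """eduPersonPrincipalName is scoped and persistent, but not opaque or targeted."""
    return f"{uid}@{scope}"


def check_properties(source_id: str, sp_a: str, sp_b: str) -> dict:
    """Verify the identifier properties the specification lists."""
    id_a1 = computed_targeted_id(source_id, sp_a)
    id_a2 = computed_targeted_id(source_id, sp_a)
    id_b = computed_targeted_id(source_id, sp_b)
    return {
        "persistent": id_a1 == id_a2,       # stable across logins to the same SP
        "targeted": id_a1 != id_b,          # SPs cannot correlate by value
        "opaque": source_id not in id_a1,   # no personal data visible in the ID
    }


def survives_rename(old_source: str, new_source: str, sp: str) -> bool:
    """A computed ID only persists if its source attribute never changes.

    Deriving from a mutable attribute (e.g. mail) breaks persistence on rename;
    deriving from an immutable internal key, or storing the ID, avoids this.
    """
    return computed_targeted_id(old_source, sp) == computed_targeted_id(new_source, sp)
```

The last function illustrates why the specification distinguishes ''computed'' from ''stored'' identifiers: a hash of a mutable attribute is stable only as long as that attribute is.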
