Notes for Service Developers

In many cases, when implementing a service you will need attributes about your users. Please note that you MUST only request the attributes that are necessary for running the service. Requesting anything beyond that is a violation of the GDPR and may have legal consequences.

Available Attributes

The attributes that are generally available are those specified in the REFEDS Research and Scholarship entity category.

In addition, the assurance of the user is described using the REFEDS Assurance Framework.

REFEDS Research and Scholarship

Also called R and S, or R&S.

You should read the original specification (it is not long). In short, R&S ensures that your service will obtain the following attributes.

Please note that this is specified in SAML terms. For OIDC, read below.

  • Mandatory:

    • shared user identifier

      • eduPersonPrincipalName (if non-reassigned)
      • eduPersonPrincipalName + eduPersonTargetedID
    • person name either (or both) of the following:

      • displayName
      • givenName + sn
    • email address:

      • email
  • Optionally:

    • affiliation
      • eduPersonScopedAffiliation

Notes for OIDC

Currently the discussion is held in the OIDCRE Group and in the RANDE Group.

The bottom line is that it is a bit unclear which OIDC claims you have to use. You will still get the attributes, but in OIDC notation, which is:

  • eduperson_principal_name (if non-reassigned)
  • eduperson_principal_name + eduperson_targeted_id
  • given_name
  • sn
  • email
  • eduperson_scoped_affiliation
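The following is an added example (not code from Unity, REFEDS or this documentation) showing how a service can check the claims it actually received against the R&S minimum set in the OIDC notation above: a shared identifier, a person name and an email address. Whether your IdP guarantees that eduperson_principal_name is non-reassigned is not visible in the claims, so it is passed in as a flag; accepting the standard OIDC `name` claim as the counterpart of SAML displayName is an assumption, and the claim set is constructed for the example.

```python
"""Check an OIDC claim set against the REFEDS R&S minimum attribute set.

Added illustration, not Unity's or REFEDS' code. Claim names follow the
OIDC notation listed on the page; treating `name` as the equivalent of
SAML displayName is an assumption of this example.
"""
from typing import Any, Dict, List

# Constructed sample claim set, shaped like an OIDC userinfo response.
SAMPLE_CLAIMS: Dict[str, Any] = {
    "sub": "constructed-subject-id",
    "eduperson_principal_name": "jdoe@example.org",
    "given_name": "Jane",
    "sn": "Doe",
    "email": "jane.doe@example.org",
    "eduperson_scoped_affiliation": ["member@example.org"],
}


def _present(claims: Dict[str, Any], key: str) -> bool:
    """True if the claim exists and carries a non-empty string value
    (directly or inside a list, as multi-valued attributes are delivered)."""
    value = claims.get(key)
    if isinstance(value, str):
        return value.strip() != ""
    if isinstance(value, (list, tuple)):
        return any(isinstance(v, str) and v.strip() for v in value)
    return False


def missing_rs_attributes(claims: Dict[str, Any],
                          eppn_non_reassigned: bool = False) -> List[str]:
    """Return a list of unmet R&S requirements; empty means compliant.

    eppn_non_reassigned: set True only if the IdP asserts that
    eduperson_principal_name is never reassigned to another person.
    Otherwise R&S requires eduperson_targeted_id as well.
    """
    missing: List[str] = []

    # Shared user identifier
    if not _present(claims, "eduperson_principal_name"):
        missing.append("shared user identifier: eduperson_principal_name")
    elif not eppn_non_reassigned and not _present(claims, "eduperson_targeted_id"):
        missing.append("shared user identifier: eduperson_targeted_id "
                       "(required because eduperson_principal_name may be reassigned)")

    # Person name: given_name + sn, or a display name (assumed: `name`)
    has_components = _present(claims, "given_name") and _present(claims, "sn")
    if not has_components and not _present(claims, "name"):
        missing.append("person name: given_name + sn (or name)")

    # Email address
    if not _present(claims, "email"):
        missing.append("email address: email")

    return missing


def rs_compliant(claims: Dict[str, Any], eppn_non_reassigned: bool = False) -> bool:
    """Convenience wrapper: True when nothing from the R&S set is missing."""
    return not missing_rs_attributes(claims, eppn_non_reassigned)


if __name__ == "__main__":
    for problem in missing_rs_attributes(SAMPLE_CLAIMS):
        print("missing:", problem)
```

Run the check right after the userinfo call, before the account is provisioned; a user whose claim set comes back incomplete should be refused with a clear message rather than silently created with a half-filled profile.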

In addition, Unity supports further scopes, the most notable of which are:

  • credentials: Gives you ssh_key (and preferred_username, if specified by the user)
  • eduperson_entitlement: Gives you AARC-G002 formatted entitlements (globally unique group memberships, roles, ... Extremely useful!)
  • eduperson_assurance: Gives you the assurance profile according to the REFEDS Assurance Framework and the extensions. For HDF we use the profiles IGTF Dogwood and RAF Cappuccino.
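As an added example (not Unity's, AARC's or REFEDS' code), the snippet below parses the eduperson_entitlement and eduperson_assurance claims from the two scopes just described. The entitlement parser follows the AARC-G002 layout `<namespace>:group:<group>[:<subgroup>...][:role=<role>]#<authority>`; the group, authority and subject values are constructed, and the assurance profile URIs are assumptions to be confirmed against the RAF and IGTF specifications (the RAF Cappuccino URI is the published one, the IGTF Dogwood URI is this example's guess).

```python
"""Parse AARC-G002 entitlements and check REFEDS RAF assurance values.

Added illustration, not Unity's or AARC's code. Sample values are
constructed; the assurance URIs are assumptions (see lead-in).
"""
from dataclasses import dataclass
from typing import Any, Dict, Iterable, List, Optional, Tuple

# Assumed profile URIs; confirm against the RAF / IGTF documents before use.
RAF_CAPPUCCINO = "https://refeds.org/assurance/profile/cappuccino"
IGTF_DOGWOOD = "https://igtf.net/ap/authn-assurance/dogwood"  # assumption

# Constructed claim set as a service might receive it from the userinfo endpoint.
SAMPLE_CLAIMS: Dict[str, Any] = {
    "sub": "constructed-subject-id",
    "eduperson_entitlement": [
        "urn:geant:example.org:group:project-x#aai.example.org",
        "urn:geant:example.org:group:project-x:storage:role=admin#aai.example.org",
        "not-an-entitlement",  # malformed values must be ignored, not trusted
    ],
    "eduperson_assurance": [RAF_CAPPUCCINO, IGTF_DOGWOOD],
}


@dataclass(frozen=True)
class Entitlement:
    namespace: str               # e.g. urn:geant:example.org
    group_path: Tuple[str, ...]  # group followed by its subgroups
    role: Optional[str]          # value of ':role=...' if present
    authority: str               # group authority after '#'


def parse_aarc_g002(value: str) -> Optional[Entitlement]:
    """Return the parsed entitlement, or None if the string is not G002-shaped."""
    if "#" not in value:
        return None
    body, authority = value.rsplit("#", 1)
    if not authority:
        return None
    parts = body.split(":")
    if "group" not in parts:
        return None
    idx = parts.index("group")
    namespace = ":".join(parts[:idx])
    if not namespace.startswith("urn:geant:"):
        return None  # G002 namespaces are delegated under urn:geant
    rest = parts[idx + 1:]
    role: Optional[str] = None
    if rest and rest[-1].startswith("role="):
        role = rest[-1][len("role="):] or None
        rest = rest[:-1]
    if not rest or any(p == "" for p in rest):
        return None  # at least one group component, none of them empty
    return Entitlement(namespace, tuple(rest), role, authority)


def parse_entitlements(values: Iterable[str]) -> List[Entitlement]:
    """Parse every value, silently dropping anything malformed."""
    parsed = (parse_aarc_g002(v) for v in values if isinstance(v, str))
    return [e for e in parsed if e is not None]


def is_member(entitlements: Iterable[Entitlement], group_path: Tuple[str, ...],
              authority: str, role: Optional[str] = None) -> bool:
    """Exact match on group path and authority; role is checked only if given.

    Matching the authority prevents a same-named group from another
    federation being accepted by accident.
    """
    for e in entitlements:
        if e.group_path != group_path or e.authority != authority:
            continue
        if role is None or e.role == role:
            return True
    return False


def meets_assurance(claims: Dict[str, Any], required: Iterable[str]) -> bool:
    """True when every required assurance URI is asserted for the user."""
    asserted = set(claims.get("eduperson_assurance", []) or [])
    return set(required).issubset(asserted)


if __name__ == "__main__":
    ents = parse_entitlements(SAMPLE_CLAIMS["eduperson_entitlement"])
    print("admin on storage:", is_member(ents, ("project-x", "storage"), "aai.example.org", "admin"))
    print("cappuccino:", meets_assurance(SAMPLE_CLAIMS, [RAF_CAPPUCCINO]))
```

Decide authorisation on the parsed tuple (group path plus authority), never on substring matches against the raw entitlement string, and treat a missing or weaker assurance value as a reason to deny rather than as a default.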