
Data model 1.0

The MPASS proxy issues the following SAML attributes about authenticated users:

  • urn:oid:2.5.4.4 (single value): The last/family name of the user.
  • urn:oid:2.5.4.42 (single value): The first/given name of the user.
  • http://eidas.europa.eu/attributes/naturalperson/CurrentGivenName (single value): All the first/given names of the user.
  • urn:mpass.id:uid (single value): The unique identifier of the authenticated user. This is currently the recommended attribute for identifying the user. NOTE: the value will change if the user moves to another user registry.
  • urn:mpass.id:legacyCryptId (single value): The legacy (national) cryptID of the user, divided into two parts by the @ character. The left side contains the cryptID of the user and the right side contains an identifier of the source registry. For instance: f0ba7691aeff3ef2302d6edce5303641@ldap_test. This attribute is issued for legacy reasons; avoid using it if possible.
  • urn:mpass.id:legacyCryptIde (single value): A strengthened version of the legacy cryptID (see above) of the user, divided into two parts by the @ character. The left side contains the strengthened (encrypted by the MPASS proxy) version of the cryptID of the user and the right side contains an identifier of the source registry. For instance: 9ecb8b0256d0c177320037322cf87e4f1211f2df45a2f8e4a667ca5b24a10e89@ldap_test.
  • urn:mpass.id:municipalityCode (multi value): The municipality code of the authenticated user. See http://tilastokeskus.fi/meta/luokitukset/kunta/001-2017/index.html for mappings in Finland.
  • urn:mpass.id:municipality (multi value): The human-readable name of the municipality of the authenticated user.
  • urn:mpass.id:schoolCode (multi value): The school code of the authenticated user. See https://virkailija.opintopolku.fi/koodisto-service/ for the mappings in Finland. For example, https://virkailija.opintopolku.fi/koodisto-service/rest/codeelement/oppilaitosnumero_04647 for school code 04647.
  • urn:mpass.id:school (multi value): The human-readable name of the school of the authenticated user. The school name is retrieved based on the value of urn:mpass.id:schoolCode. If no name is found, this attribute can be empty.
  • urn:mpass.id:class (multi value): The class/group-information of the authenticated user. For instance: 8A or 3B.
  • urn:mpass.id:classLevel (multi value): The class/level-information of the authenticated user. For instance 8 or 3.
  • urn:mpass.id:role (multi value): The role of the user in four parts, separated by a semicolon (;) character: first the municipality, followed by the school code, the group and the role in the group. For instance: Helsinki;32132;9A;Oppilas.

All the attributes are issued in the SAML NameFormat urn:oasis:names:tc:SAML:2.0:attrname-format:uri.
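
A service provider that bases authorization on these attributes should reject values that do not match the documented shape instead of guessing. The following sketch is an added example, not MPASS project code: it assumes the SAML library has already validated the response and hands over a dict of attribute name to list of values, and the function names and the sample uid are hypothetical.

```python
from typing import NamedTuple

P = "urn:mpass.id:"
# Attributes the data model lists as single value.
SINGLE_VALUED = {
    "urn:oid:2.5.4.4",
    "urn:oid:2.5.4.42",
    "http://eidas.europa.eu/attributes/naturalperson/CurrentGivenName",
    P + "uid",
    P + "legacyCryptId",
    P + "legacyCryptIde",
}

class Role(NamedTuple):
    municipality: str
    school_code: str
    group: str
    role: str

def parse_role(value):
    """Split 'municipality;schoolCode;group;role'; exactly four parts or fail."""
    parts = value.split(";")
    if len(parts) != 4:
        raise ValueError(f"role needs four ';'-separated parts: {value!r}")
    return Role(*parts)

def parse_crypt_id(value):
    """Split 'cryptID@registry' into its two non-empty parts."""
    parts = value.split("@")
    if len(parts) != 2 or not all(parts):
        raise ValueError(f"expected cryptID@registry: {value!r}")
    return parts[0], parts[1]

def check_attributes(attrs):
    """attrs: name -> list of values (assumed shape). Returns (uid, roles)."""
    for name in SINGLE_VALUED:
        if name in attrs and len(attrs[name]) != 1:
            raise ValueError(f"{name} must carry exactly one value")
    uid = attrs.get(P + "uid")
    if not uid or not uid[0]:
        raise ValueError("urn:mpass.id:uid is missing")  # this SP's policy
    return uid[0], [parse_role(v) for v in attrs.get(P + "role", [])]

# Constructed sample; the role and cryptID values are the page's own examples.
SAMPLE = {
    P + "uid": ["constructed-uid-123"],
    P + "legacyCryptId": ["f0ba7691aeff3ef2302d6edce5303641@ldap_test"],
    P + "role": ["Helsinki;32132;9A;Oppilas"],
}
```

Because urn:mpass.id:role is multi value, the caller gets a list of parsed roles and should match the school code and role fields explicitly instead of searching the raw string.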

Old data model

In addition to data model 1.0, the MPASS proxy currently also issues the following SAML attributes about authenticated users. However, the same information exists in data model 1.0:

  • urn:educloudalliance.org:OID (single value): The object identifier of the user.
  • urn:educloudalliance.org:municipality (multi-value): The municipality of the user.
  • urn:educloudalliance.org:school (multi-value): The school of the user.
  • urn:educloudalliance.org:structuredRole (multi-value): The role of the user in four parts, separated by a semicolon (;) character: first the municipality, followed by the school, the group and the role in the group.

All the attributes are issued in the SAML NameFormat urn:oasis:names:tc:SAML:2.0:attrname-format:uri.
