Introduction
The main purpose of the funetEduPerson schema is to serve the Haka federation, the federation of Finnish higher education and research institutions, in the inter-organisational exchange of attribute assertions about authenticated users. The schema also contains attributes of organisations and organisational units.
...
If the vocabulary of an attribute is not specified, the language used in attribute values can be Finnish, Swedish, or English.
Text quoted from other specifications is in italics.
Attributes for persons
...
Attribute | MUST | SHOULD |
---|---|---|
...
cn | x | |
sn | x | |
displayName | x | |
givenName | x | |
eduPersonPrincipalName | x | |
eduPersonAssurance | x | |
eduPersonAffiliation | x | |
eduPersonScopedAffiliation | x | |
x | ||
schacHomeOrganization | x | |
schacHomeOrganizationType | x | |
Mandatory attributes must be available for every user. This does not mean that they are always released to every service: the Haka federation has mechanisms in place to ensure that only the attributes relevant to a service are released to it.
...
Attribute Profile: https://www.geant.org/Services/Trust_identity_and_security/eduGAIN/Documents/Resources/GN3-11-012%20eduGAIN_attribute_profile.pdf
Supplement attributes in funetEduPerson
Superseded attributes
The attributes from version 1.0 that have been superseded are listed in the table below.
Attribute | Defined in | Superseded by |
---|---|---|
funetEduPersonHomeOrganization | ver 1.0 | schacHomeOrganization |
funetEduPersonStudentID | ver 1.0 | schacPersonalUniqueCode |
funetEduPersonIdentityCode | ver 1.0 | schacPersonalUniqueID |
funetEduPersonDateOfBirth | ver 1.0 | schacDateOfBirth |
funetEduPersonTargetDegreeUniversity | ver 1.0 | funetEduPersonTargetDegree |
funetEduPersonTargetDegreePolytech | ver 1.0 | funetEduPersonTargetDegree |
funetEduPersonEducationalProgramUniv | ver 1.0 | funetEduPersonProgram |
funetEduPersonEducationalProgramPolytech | ver 1.0 | funetEduPersonProgram |
funetEduPersonMajorUniv | ver 1.0 | funetEduPersonSpecialisation |
funetEduPersonOrientationAlternPolytech | ver 1.0 | funetEduPersonSpecialisation |
funetEduPersonTargetDegree
Specifies a student's target degree (suoritettava tutkinto) using an appropriate vocabulary.
...
funetEduPersonTargetDegree: urn:mace:funet.fi:tut.fi:schema:targetDegrees:915
funetEduPersonProgram
The educational degree program (tutkinto-ohjelma) using an appropriate vocabulary.
...
funetEduPersonProgram: urn:mace:funet.fi:attribute-def:funetEduPersonTargetDegree:stat.fi:733
funetEduPersonSpecialisation
The specialisation option (opintosuunta) of a student using an appropriate vocabulary.
...
funetEduPersonSpecialisation: urn:mace:funet.fi:attribute-def:funetEduPersonTargetDegree:stat.fi:6516
funetEduPersonStudyStart
The date when a student started his/her studies (opintojen aloittamispäivä).
OID | Syntax | values | relevance |
---|---|---|---|
1.3.6.1.4.1.16161.1.1.14 | DirectoryStringNumericString | Multi | May |
Format: YYYYMMDD
Examples:
funetEduPersonStudyStart: 20050826
funetEduPersonPrimaryStudyStart
The date when a student started his/her primary studies (ensisijaisten opintojen aloittamispäivä).
OID | Syntax | values | relevance |
---|---|---|---|
1.3.6.1.4.1.16161.1.1.15 | DirectoryStringNumericString | Single | May |
Format: YYYYMMDD
...
funetEduPersonPrimaryStudyStart: 20050826
funetEduPersonStudyToEnd
The date when a student is expected to finish his/her studies, e.g. graduate (arvioitu opintojen päättymispäivä/valmistumispäivä).
OID | Syntax | values | relevance |
---|---|---|---|
1.3.6.1.4.1.16161.1.1.16 | DirectoryStringNumericString | Multi | May |
Format: YYYYMMDD
It is up to the institution to decide how to derive the value of this attribute.
...
funetEduPersonStudyToEnd: 20070531
funetEduPersonPrimaryStudyToEnd
The date when a student is expected to finish his/her primary studies, e.g. graduate (arvioitu ensisijaisen opinto-oikeuden päättymispäivä/valmistumispäivä).
OID | Syntax | values | relevance |
---|---|---|---|
1.3.6.1.4.1.16161.1.1.17 | DirectoryStringNumericString | Single | May |
Format: YYYYMMDD
...
funetEduPersonPrimaryStudyToEnd: 20070531
funetEduPersonCreditUnits
Number of credit units (opintoviikko) a student has.
In Finland, national credit units (1 credit unit equals 40 hours of work) were used before ECTS credits were adopted in 2005.
OID | Syntax | values | relevance |
---|---|---|---|
1.3.6.1.4.1.16161.1.1.18 | DirectoryStringInteger | Single | May |
The number of credit units a student has.
...
funetEduPersonCreditUnits: 80
funetEduPersonECTS
Number of ECTS (European Credit Transfer System) credit units (opintopiste) a student has.
OID | Syntax | values | relevance |
---|---|---|---|
1.3.6.1.4.1.16161.1.1.19 | DirectoryStringInteger | Single | May |
The number of ECTS credit units a student has.
...
Examples:
funetEduPersonECTS: 140
funetEduPersonStudentCategory
Category of a student, based on the target of the studies.
...
funetEduPersonStudentCategory: master
funetEduPersonStudentStatus
Status of a student (läsnäolotieto); present or absent.
...
funetEduPersonStudentStatus: present
funetEduPersonStudentUnion
Name of the student union the student is a member of, if any.
...
funetEduPersonStudentUnion: Tampereen teknillisen yliopiston ylioppilaskunta
funetEduPersonHomeCity
Home municipality (kotikunta) of the user.
OID | Syntax | values | relevance |
---|---|---|---|
1.3.6.1.4.1.16161.1.1.23 | DirectoryStringNumericString | Single | May |
Syntax: NNN
Vocabulary: the three-digit municipality codes assigned by the Population Register Center (Väestörekisterikeskus) of Finland ("Kunta- ja rekisterinpitäjäluettelo").
...
funetEduPersonHomeCity: 083
funetEduPersonEPPNTimeStamp
The date when the eduPersonPrincipalName was issued to this individual.
OID | Syntax | values | relevance |
---|---|---|---|
1.3.6.1.4.1.16161.1.1.24 | DirectoryStringNumericString | Single | May |
Over time, some institutions reassign eduPersonPrincipalName values to new individuals, while services commonly use eduPersonPrincipalName to bind profiles to individuals. This attribute lets a service detect that an eduPersonPrincipalName it already knows has been reassigned to another person: if the issue date asserted at login is later than the one the service recorded when it first linked the value, the value now belongs to someone else and the existing profile must not be reused.
...
funetEduPersonEPPNTimeStamp: 20040826
funetEduPersonGivenNames
The funetEduPersonGivenNames attribute type contains name strings that are the part of a person's name that is not their surname.
...
Note: See commonName for conventions for attributes carrying the name of an individual. This attribute SHOULD NOT be confused with the givenName attribute.
funetEduPersonFullName
Space-delimited concatenation of all official name strings of a person.
...
Note: See commonName for conventions for attributes carrying the name of an individual. This attribute SHOULD NOT be confused with the givenName attribute.
funetEduPersonLearnerId
An 11-digit identifier for a person.
...
funetEduPersonLearnerId: 1.2.246.562.24.10000000008
funetEduPersonLearnerId: 1.2.246.562.24.99999999990
Attributes from Finnish public sector attribute profile
electronicIdentificationNumber (satu)
(Fin Attr Profile 1.1) The electronic identification number (sähköinen asiointitunnus, satu) issued to an individual by the Population Register Center (Väestörekisterikeskus).
...
electronicIdentificationNumber: 012345678N
nationalIdentificationNumber (hetu)
(Fin Attr Profile 1.1) The national identification number (henkilötunnus, hetu) issued to an individual by the Population Register Center (Väestörekisterikeskus).
...
nationalIdentificationNumber: 010191-123A
Attributes from schac
schacMotherTongue
(schac 1.5.0) The language a person learns first; correspondingly, the person is called a native speaker of that language. Usually a child learns the basics of their first language from their family.
...
schacMotherTongue: es-ES
schacMotherTongue: fi
schacGender
(schac 1.5.0) The state of being male or female. The gender attribute specifies the legal gender the subject it is associated with.
...
- 0 Not known
- 1 Male
- 2 Female
- 9 Not specified
Examples:
schacGender: 2
schacDateOfBirth
(schac 1.5.0) The date of birth for the subject it is associated with
...
schacDateOfBirth: 19660412
schacYearOfBirth
(schac 1.5.0) The year of birth for the subject it is associated with.
...
Examples:
schacYearOfBirth: 1966
schacPlaceOfBirth
(schac 1.5.0) The schacPlaceOfBirth attribute specifies the place of birth for the subject it is associated with.
...
schacPlaceOfBirth: Turku, Suomi
schacCountryOfCitizenship
(schac 1.5.0) The schacCountryOfCitizenship attribute specifies the (claimed) countries of citizenship for the subject it is associated with.
...
schacCountryOfCitizenship: fi
schacHomeOrganization
(schac 1.5.0) Specifies a person's home organization using the domain name of the organization. Issuers of schacHomeOrganization attribute values via SAML are strongly encouraged to publish matching shibmd:Scope elements as part of their IdP's SAML metadata. Relying parties receiving schacHomeOrganization values via SAML are strongly encouraged to check attribute values against the issuer's published shibmd:Scope elements in SAML metadata, and may discard any non-matching values.
...
schacHomeOrganization: tut.fi
schacHomeOrganizationType
(schac 1.5.0) Type of a Home Organization.
...
schacHomeOrganizationType: urn:schac:homeOrganizationType:es:opi
schacCountryOfResidence
(schac 1.5.0) The schacCountryOfResidence attribute specifies the (claimed) country of residence for the subject it is associated with.
...
schacCountryOfResidence: fi
schacUserPresenceID
(schac 1.5.0) To store a set of values related to network presence protocols.
...
schacUserPresenceID: h323:pepe@myweb.fi:808;params
schacPersonalPosition
(schac 1.5.0) The Personal Position attribute type specifies a personal position inside an institution.
...
schacPersonalPosition: urn:schac:personalPosition:pl:umk.pl:programmer
schacPersonalUniqueCode
(schac 1.5.0) Specifies a "unique code" for the subject it is associated with. Its value does not necessarily correspond to any identifier outside the scope of the directories using this schema.
...
schacPersonalUniqueCode: urn:schac:personalUniqueCode:se:LIN:87654321
schacPersonalUniqueID
(schac 1.5.0) Specifies a "legal unique identifier" for the subject it is associated with. This might be DNI in Spain, FIC (henkilötunnus) in Finland, NIN in Sweden,...
...
schacPersonalUniqueID: urn:schac:personalUniqueID:se:NIN:12345678
schacExpiryDate
(schac 1.5.0) The date from which the set of data is to be considered invalid (specifically, in what refers to rights and entitlements). This date applies to the entry as a whole.
...
schacExpiryDate: 20051231125959Z
schacUserPrivateAttribute
(schac 1.5.0) Used to model privacy requirements, as expressed by the user and/or organizational policies. The values are intended to be attribute type names and apply to the attribute and any subtypes of it for a given entity. With respect to data exchange, it applies to the expression of privacy requirements. This attribute can also have specific operational semantics (one has already been applied to LDAP servers: see references below), which will be defined in a separate document.
...
schacUserPrivateAttribute: telephoneNumber
schacUserStatus
(schac 1.5.0) Used to store a set of status of a person as user of services.
...
schacUserStatus: urn:schac:userStatus:si:ujl.si:webmail:active?+ttl=20060531235959
schacProjectMembership
(schac 1.5.0) The name of the project the user belongs to
...
schacProjectMembership: perfsonar
schacProjectSpecificRole
(schac 1.5.0) Used to store a set of roles inside specific projects
...
schacProjectSpecificRole: urn:schac:projectSpecificRole:perfsonar:developer
Attributes from eduPerson
eduPersonAffiliation
(eduPerson202001) Specifies the person's relationship(s) to the institution in broad categories such as student, faculty, staff, alum, etc.
...
eduPersonAffiliation: library-walk-in
eduPersonEntitlement
(eduPerson202001) URI (either URN or URL) that indicates a set of rights to specific resources.
...
eduPersonEntitlement: http://xstor.com/contracts/HEd123
eduPersonEntitlement: urn:mace:washington.edu:confocalMicroscope
eduPersonEntitlement: http://www.joopas.fi/virkailijaroolit/jooHakemuksenPuoltaja
eduPersonNickname
(eduPerson202001) Person's nickname, or the informal name by which they are accustomed to be hailed.
...
Examples:
eduPersonNickname: Sepi
eduPersonOrcid
(eduPerson202001, RFC4512)
...
eduPersonOrcid: http://orcid.org/0000-0002-1825-0097
eduPersonOrgDN
(eduPerson202001) The distinguished name (DN) of the directory entry representing the institution with which the person is associated.
...
eduPersonOrgDN: o=Hogwarts, dc=hsww, dc=wiz
eduPersonOrgUnitDN
(eduPerson202001) The distinguished name(s) (DN) of the directory entries representing the person's Organizational Unit(s). May be multivalued, as for example, in the case of a faculty member with appointments in multiple departments or a person who is a student in one department and an employee in another.
...
eduPersonOrgUnitDN: ou=Potions, o=Hogwarts, dc=hsww, dc=wiz
eduPersonPrimaryAffiliation
(eduPerson202001) Specifies the person's PRIMARY relationship to the institution in broad categories such as student, faculty, staff, alum, etc.
...
Think of this as the affiliation one might put on the name tag if this person were to attend a general institutional social gathering. Note that the single-valued eduPersonPrimaryAffiliation attribute assigns each person in the directory into one and only one category of affiliation. There are application scenarios where this would be useful.
Note: See eduPersonAffiliation for a more specific Finnish interpretation. In the Haka federation, the following priorities are recommended: 1) faculty, 2) staff, 3) employee, 4) student, 5) member, 6) affiliate, 7) library-walk-in.
eduPersonPrimaryOrgUnitDN
(eduPerson202001) The distinguished name (DN) of the directory entry representing the person's primary Organizational Unit(s).
...
Each institution populating this attribute decides the criteria for determining which organization unit entry is the primary one for a given individual.
eduPersonPrincipalName
(eduPerson202001) A scoped identifier for a person. It should be represented in the form "user@scope" where 'user' is a name-based identifier for the person and where the "scope" portion MUST be the administrative domain of the identity system where the identifier was created and assigned. Each value of 'scope' defines a namespace within which the assigned identifiers MUST be unique. Given this rule, if two eduPersonPrincipalName (ePPN) values are the same at a given point in time, they refer to the same person. There must be one and only one "@" sign in valid values of eduPersonPrincipalName.
...
eduPersonPrincipalName: mvirtane@hut.fi
eduPersonPrincipalName: mkorhone@students.oamk.fi
eduPersonPrincipalNamePrior (defined in eduPerson 201211)
(eduPerson202001) Each value of this multi-valued attribute represents an ePPN (eduPersonPrincipalName) value that was previously associated with the entry. The values MUST NOT include the currently valid ePPN value. There is no implied or assumed order to the values. This attribute MUST NOT be populated if ePPN values are ever reassigned to a different entry (after, for example, a period of dormancy). That is, they MUST be unique in space and over time.
...
eduPersonPrincipalName: baz@hsww.wiz
eduPersonPrincipalNamePrior: foo@hsww.wiz
eduPersonPrincipalNamePrior: bar@hsww.wiz
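Putting the two ePPN mechanisms together, as an added example that is not part of the funetEduPerson schema or of any Haka software: a service-side account linker that records funetEduPersonEPPNTimeStamp (defined above under the supplement attributes) when it first binds an ePPN to a local account, treats a later issue date for the same ePPN as a reassignment, and uses eduPersonPrincipalNamePrior to migrate an account when the IdP has renamed the user. The LocalAccount class, the in-memory store, the action names and the sample assertions are constructed for the example; a real service would persist the store.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class LocalAccount:
    """Service-side account bound to one ePPN (constructed for this example)."""
    eppn: str
    eppn_issued: Optional[date]          # funetEduPersonEPPNTimeStamp seen when the link was made
    profile: dict = field(default_factory=dict)
    quarantined: bool = False            # set when the ePPN was found to be reassigned


def parse_yyyymmdd(value):
    """Parse the YYYYMMDD form used by funetEduPersonEPPNTimeStamp; None if absent or malformed."""
    if not value or len(value) != 8 or not value.isdigit():
        return None
    try:
        return date(int(value[:4]), int(value[4:6]), int(value[6:8]))
    except ValueError:
        return None


class AccountLinker:
    """Maps incoming assertions, given as {attribute: [values]}, to local accounts."""

    def __init__(self):
        self.by_eppn = {}

    def resolve(self, attrs):
        """Return (account, action); action is one of created, matched, reassigned, migrated."""
        eppns = attrs.get("eduPersonPrincipalName", [])
        if len(eppns) != 1 or eppns[0].count("@") != 1 or eppns[0].startswith("@"):
            raise ValueError("exactly one ePPN of the form user@scope is required")
        eppn = eppns[0]
        issued = parse_yyyymmdd((attrs.get("funetEduPersonEPPNTimeStamp") or [None])[0])

        account = self.by_eppn.get(eppn)
        if account is not None:
            # Same ePPN as a known account. If the IdP now reports an issue date later than
            # the one recorded at link time, the ePPN has been reassigned to another person:
            # never hand the old profile to the new holder.
            if account.eppn_issued and issued and issued > account.eppn_issued:
                account.quarantined = True
                fresh = LocalAccount(eppn, issued)
                self.by_eppn[eppn] = fresh
                return fresh, "reassigned"
            if account.eppn_issued is None:
                account.eppn_issued = issued   # learn the date if it was absent at link time
            return account, "matched"

        # Unknown ePPN: the IdP may have renamed the user. eduPersonPrincipalNamePrior MUST NOT
        # be populated by IdPs that ever reassign ePPNs, so a prior value matching a known
        # account identifies the same person and the account can follow the new ePPN.
        for prior in attrs.get("eduPersonPrincipalNamePrior", []):
            old = self.by_eppn.pop(prior, None)
            if old is not None:
                old.eppn = eppn
                old.eppn_issued = issued
                self.by_eppn[eppn] = old
                return old, "migrated"

        account = LocalAccount(eppn, issued)
        self.by_eppn[eppn] = account
        return account, "created"
```

The quarantined account is kept rather than deleted so that its data can be reviewed or handed back if the reassignment turns out to be a data-entry error at the IdP; what matters is that the new holder of the ePPN never inherits it automatically.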
eduPersonScopedAffiliation
(eduPerson202001) Specifies the person's affiliation within a particular security domain in broad categories such as student, faculty, staff, alum, etc. The values consist of a left and right component separated by an "@" sign. The left component is one of the values from the eduPersonAffiliation controlled vocabulary. This right-hand side syntax of eduPersonScopedAffiliation intentionally matches that used for the right-hand side values for eduPersonPrincipalName since both identify a security domain. Multiple "@" signs are not recommended, but in any case, the first occurrence of the "@" sign starting from the left is to be taken as the delimiter between components. Thus, user identifier is to the left, security domain to the right of the first "@". This parsing rule conforms to the POSIX "greedy" disambiguation method in regular expression processing.
...
eduPersonScopedAffiliation: faculty@tut.fi
eduPersonScopedAffiliation: student@students.oamk.fi
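The scope check that schacHomeOrganization (above), eduPersonPrincipalName and eduPersonScopedAffiliation all call for, as an added example that is not Shibboleth or Haka code: it reads the shibmd:Scope elements from an IdP's SAML metadata (a constructed fragment with one literal and one regexp="true" scope) and then filters an assertion so that values whose scope the IdP is not entitled to assert are dropped. ePPN values must contain exactly one "@"; scoped affiliations are split at the first "@" and the left part must come from the eduPersonAffiliation vocabulary. The entityID, scopes and attribute values are constructed; literal scopes are compared case-insensitively as DNS names, and a regexp scope must match the whole scope string.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}

# Constructed IdP metadata fragment (entityID and scopes are made up for this example).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" entityID="https://idp.example.fi/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <shibmd:Scope regexp="false">example.fi</shibmd:Scope>
      <shibmd:Scope regexp="true">^students\\.[a-z]+\\.example\\.fi$</shibmd:Scope>
    </md:Extensions>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# eduPersonAffiliation controlled vocabulary (left-hand side of eduPersonScopedAffiliation).
AFFILIATIONS = {"faculty", "student", "staff", "alum", "member",
                "affiliate", "employee", "library-walk-in"}


def load_scopes(metadata_xml):
    """Return one predicate per shibmd:Scope element under the IdP's IDPSSODescriptor."""
    root = ET.fromstring(metadata_xml)
    matchers = []
    for el in root.findall(".//md:IDPSSODescriptor/md:Extensions/shibmd:Scope", NS):
        text = (el.text or "").strip()
        if el.get("regexp", "false").lower() == "true":
            pattern = re.compile(text)
            matchers.append(lambda s, p=pattern: p.fullmatch(s) is not None)  # whole-string match
        else:
            matchers.append(lambda s, lit=text.lower(): s.lower() == lit)     # DNS names: case-insensitive
    return matchers


def scope_ok(scope, matchers):
    return any(m(scope) for m in matchers)


def split_scoped(value, exactly_one_at):
    """ePPN requires exactly one '@'; eduPersonScopedAffiliation splits at the first '@'."""
    if "@" not in value or (exactly_one_at and value.count("@") != 1):
        return None
    left, _, right = value.partition("@")
    return left, right


def filter_assertion(attrs, matchers):
    """Drop values whose scope the IdP may not assert. Returns (kept, rejected)."""
    kept, rejected = {}, []
    for name, values in attrs.items():
        good = []
        for v in values:
            if name == "schacHomeOrganization":
                ok = scope_ok(v, matchers)
            elif name == "eduPersonPrincipalName":
                parts = split_scoped(v, exactly_one_at=True)
                ok = parts is not None and parts[0] != "" and scope_ok(parts[1], matchers)
            elif name == "eduPersonScopedAffiliation":
                parts = split_scoped(v, exactly_one_at=False)
                ok = parts is not None and parts[0] in AFFILIATIONS and scope_ok(parts[1], matchers)
            else:
                ok = True   # unscoped attributes are passed through unchanged
            if ok:
                good.append(v)
            else:
                rejected.append((name, v))
        kept[name] = good
    return kept, rejected
```

Rejected values should be logged with the asserting entityID: an IdP that keeps asserting scopes outside its metadata is either misconfigured or being abused to impersonate another institution's users, and the federation operator will want to know either way.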
eduPersonTargetedID
NOTE: eduPersonTargetedID is DEPRECATED and will be marked as obsolete in a future version of this specification. Its equivalent definition in SAML 2.0 has been replaced by a new specification for standard Subject Identifier attributes [https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/saml-subject-id-attr-v1.0.html], one of which ("urn:oasis:names:tc:SAML:attribute:pairwise-id") is a direct replacement for this identifier with a simpler syntax and safer comparison rules. Existing use of this attribute in SAML 1.1 or SAML 2.0 should be phased out in favor of the new Subject Identifier attributes.
...
Used by identity providers, service providers, or directory-enabled applications that need to link an external account to an internal account maintained within their own system. This attribute is often used to represent a long-term account-linking relationship between an identity provider and service provider(s) (or other identity/attribute provider).
eduPersonAssurance
(eduPerson202001) Set of URIs that assert compliance with specific standards for identity assurance.
...
Note: In the Haka federation, the released eduPersonAssurance values MUST include values defined in the REFEDS Assurance Framework; values from other assurance frameworks may be released in addition.
...
eduPersonAssurance: http://idm.example.org/LOA#sample
eduPersonUniqueId
(eduPerson202001) A long-lived, non re-assignable, omnidirectional identifier suitable for use as a principal identifier by authentication providers or as a unique external key by applications.
...
eduPersonUniqueId: 28c5353b8bb34984a8bd4169ba94c606@foo.edu
Common attributes
cn / commonName
(RFC 4519) The 'cn' ('commonName' in X.500) attribute type contains names of an object. Each name is one value of this multi-valued attribute. If the object corresponds to a person, it is typically the person's full name. (RFC2256) This is the X.500 commonName attribute, which contains a name of an object. If the object corresponds to a person, it is typically the person's full name.
...
Note: In Finland, people have one family name and at most three first names, for example Seppo Matinpoika Johannes Virtanen.
Examples: sn: Virtanen
description
(RFC 2256) This attribute contains a human-readable description of the object. (eduPerson202001) (RFC 4519) The 'description' attribute type contains human-readable descriptive phrases about the object. Each description is one value of this multi-valued attribute.
OID | Syntax | values | relevance |
---|---|---|---|
2.5.4.13 | DirectoryString | Multi | May |
(eduPerson201310) Open-ended; whatever the person or the directory manager puts here.
displayName
(eduPerson202001) (RFC 2798) Preferred name of a person to be used when displaying entries. (RFC 2798) When displaying an entry, especially within a one-line summary list, it is useful to be able to identify a name to be used. Since other attribute types such as 'cn' are multivalued, an additional attribute type is needed. Display name is defined for this purpose.
...
Note: See commonName for conventions for attributes carrying the name of an individual.
employeeNumber
(RFC 2798) Numeric or alphanumeric identifier assigned to a person, typically based on order of hire or association with an organization. Single valued.
...
Examples:
employeeNumber: 1054
facsimileTelephoneNumber
(eduPerson202001) The 'facsimileTelephoneNumber' attribute type contains telephone numbers (and, optionally, the parameters) for facsimile terminals. Each telephone number is one value of this multi-valued attribute.
...
Attribute values should comply with the ITU Recommendation E.123 [E.123]: i.e., "+44 71 123 4567."
givenName
(eduPerson202001) (RFC 2256) The givenName attribute is used to hold the part of a person's name which is not their surname nor middle name. (RFC 4519) The 'givenName' attribute type contains name strings that are the part of a person's name that is not their surname. Each string is one value of this multi-valued attribute.
...
Note: See commonName for conventions for attributes carrying the name of an individual. If the object corresponds to a person, the following rules should be considered. Since displayName is widely used as the full name of a person in addition to cn, the Haka interpretation of the givenName attribute is the preferred given name that the person has indicated is to be used (in Finland: "kutsumanimi"). In Finland, only one name can be registered as preferred. For this reason, and to avoid confusion, only one value SHOULD be made available when describing a person. Traditionally both givenName (displayName in FEP 2.1 and before) and sn have been made available for each user in Haka as mandatory attributes. After the change in semantics in version 2.2 of the schema, givenName needs to be specified as mandatory for the same set of personal data to be available as in FEP 2.1.
homePhone
(eduPerson202001) (RFC 1274) The Home Telephone Number attribute type specifies a home telephone number associated with a person. Attribute values should follow the agreed format for international telephone numbers: i.e., "+44 71 123 4567".
...
homePhone: +358 3 317 7059
homePostalAddress
(eduPerson202001) (RFC 1274) The Home postal address attribute type specifies a home postal address for an object. This should be limited to up to 6 lines of 30 characters each.
...
homePostalAddress: Kotikatu 4$00100 Helsinki
jpegPhoto
(eduPerson202001) (RFC 2798) Used to store one or more images of a person using the JPEG File Interchange Format [JFIF].
OID | Syntax | values | relevance |
---|---|---|---|
0.9.2342.19200300.100.1.60 | JPEG | Multi | May |
l / localityName
(RFC 4519) The 'l' ('localityName' in X.500) attribute type contains names of a locality or place, such as a city, county, or other geographic region. Each name is one value of this multi-valued attribute. (RFC 2256) This attribute contains the name of a locality, such as a city, county or other geographic region (localityName).
OID | Syntax | values | relevance |
---|---|---|---|
2.5.4.7 | DirectoryString | Multi | May |
Examples:
l: Viikki
labeledURI
(eduPerson202001) Follow inetOrgPerson definition of RFC 2079: "Uniform Resource Identifier with optional label."
Commonly a URL for a web site associated with this person.
...
labeledURI: http://students.tut.fi/%7Eteemu Teemu Teekkari's home page
labeledURI: http://champagne.inria.fr/Unites/rennes.gif Rennes [photo]
mail
(eduPerson202001) (RFC 4524) The 'mail' (rfc822mailbox) attribute type holds Internet mail addresses in Mailbox [RFC2821] form (e.g., user@example.com).
...
mail: esko.esimerkki@oulu.fi
mobile
(eduPerson202001) (RFC 4524) The 'mobile' (mobileTelephoneNumber) attribute specifies mobile telephone numbers (e.g., "+1 775 555 6789") associated with a person (or entity). (RFC1274) The Mobile Telephone Number attribute type specifies a mobile telephone number associated with a person. Attribute values should follow the agreed format for international telephone numbers: i.e., "+44 71 123 4567".
...
Examples:
mobile: +358 40 345 6789
o / organizationName
(eduPerson201310) Standard name of the top-level organization (institution) with which this person is associated. (RFC2256) This attribute contains the name of an organization (organizationName).
...
Examples:
o: University of Tampere
ou/organizationalUnitName
(RFC2256) This attribute contains the name of an organizational unit (organizationalUnitName). (eduPerson201310) Organizational unit(s). According to X.520(2000), "The Organizational Unit Name attribute type specifies an organizational unit. When used as a component of a directory name it identifies an organizational unit with which the named object is affiliated."
...
ou: Faculty of Humanities
ou: Department of History
postalAddress
(eduPerson202001) Campus or office address. inetOrgPerson has a homePostalAddress that complements this attribute. X.520(2000) reads: "The Postal Address attribute type specifies the address information required for the physical postal delivery to an object."
...
postalAddress: P.O. Box 405$02101 Espoo
postalCode
(eduPerson202001) Follow X.500(2001): "The postal code attribute type specifies the postal code of the named object. If this attribute value is present, it will be part of the object's postal address."
...
Examples:
postalCode: 02101
preferredLanguage
(eduPerson202001) (RFC 2798) Preferred written or spoken language for a person.
...
Examples:
preferredLanguage: fi
seeAlso
(eduPerson202001) (RFC 4519) The 'seeAlso' attribute type contains the distinguished names of objects that are related to the subject object. Each related object name is one value of this multi-valued attribute.
...
seeAlso: cn=Department Chair, ou=physics, o=University of Technology, dc=utech, dc=ac, dc=uk
sn / surname
(RFC 4519) The 'sn' ('surname' in X.500) attribute type contains name strings for the family names of a person. Each string is one value of this multi-valued attribute. (RFC 2256) This is the X.500 surname attribute, which contains the family name of a person.
...
Note: See commonName for conventions for attributes carrying the name of an individual.
street
(eduPerson202001) (RFC 4519) The 'street' ('streetAddress' in X.500) attribute type contains site information from a postal address (i.e., the street name, place, avenue, and the house number). Each street is one value of this multi-valued attribute.
...
street: Korkeakoulunkatu 1
telephoneNumber
(eduPerson202001) Office/campus phone number. Attribute values should follow the agreed format for international telephone numbers: i.e., "+44 71 123 4567."
OID | Syntax | values | relevance |
---|---|---|---|
2.5.4.20 | TelephoneNumber | Multi | May |
title
(eduPerson202001) (RFC 4519) The 'title' attribute type contains the title of a person in their organizational context. Each title is one value of this multi-valued attribute.
...
Examples:
title: professor
uid
(eduPerson202001) (RFC 4519) The 'uid' ('userid' in RFC 1274) attribute type contains computer system login names associated with the object. Each name is one value of this multi-valued attribute.
...
A number of off-the-shelf directory-enabled applications make use of this inetOrgPerson attribute, not always consistently.
userCertificate
(eduPerson202001) A user's X.509 certificate
...
Note that userSMIMECertificate is in binary syntax (1.3.6.1.4.1.1466.115.121.1.5) whereas the userCertificate attribute is in certificate syntax (1.3.6.1.4.1.1466.115.121.1.8).
userPassword
(eduPerson202001) This attribute holds the entry's password together with the storage scheme used to protect it, in the following format:
{storage scheme}encoded password.
...
The value is never disclosed by the directory; it is used only to verify the LDAP bind operation. The bind must be performed over TLS (LDAPS or StartTLS), otherwise the cleartext password travels over the wire or through the air.
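A worked example of the {scheme}value form, added here and not part of the schema or of any Haka software: it produces and verifies {SSHA} (salted SHA-1) values, the scheme most LDAP servers accept in userPassword, and also verifies unsalted {SHA}. The password and the fixed salt used in the test are constructed for the example. In production, let the server hash the password itself (for instance via the Password Modify extended operation) and prefer a slower, memory-hard scheme where the server offers one; SSHA is shown because it is what existing directories most often contain.

```python
import base64
import hashlib
import hmac
import os


def make_ssha(password, salt=None):
    """Build an {SSHA} value: base64(SHA-1(password || salt) || salt).
    An 8-byte random salt is generated when none is given."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_userpassword(stored, candidate):
    """Verify candidate against a userPassword value of the form {SCHEME}encoded-value.

    Supports {SSHA} (salted) and {SHA} (unsalted, legacy); a value without a scheme prefix
    is treated as cleartext, which a directory should never store. Comparisons use
    hmac.compare_digest so that a mismatch does not leak timing information."""
    if not stored.startswith("{") or "}" not in stored:
        return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))
    scheme, _, encoded = stored[1:].partition("}")
    scheme = scheme.upper()
    raw = base64.b64decode(encoded)
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes; the rest is salt
        expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(digest, expected)
    if scheme == "SHA":
        expected = hashlib.sha1(candidate.encode("utf-8")).digest()
        return hmac.compare_digest(raw, expected)
    raise ValueError("unsupported userPassword scheme: " + scheme)
```

The salt is what makes {SSHA} preferable to {SHA}: two users with the same password get different stored values, and a leaked directory dump cannot be attacked with a single precomputed table.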
userSMIMECertificate
(eduPerson202001) An X.509 certificate specifically for use in S/MIME applications (see RFCs 2632, 2633 and 2634).
...
(RFC 2798) If available, this attribute is preferred over the userCertificate attribute for S/MIME applications. This attribute is to be stored and requested in the binary form, as 'userSMIMECertificate;binary.'
Attributes for organisations
These are attributes for an object representing an organisation or organisational unit. The attributes are expected to be used in the organisation branch of an enterprise directory.
Attributes from eduOrg
eduOrgHomePageURI
(eduOrg200210) The URL for the organization's top level home page.
...
eduOrgHomePageURI: http://www.helsinki.fi/
eduOrgIdentityAuthNPolicyURI
(eduOrg200210) A URI pointing to the location of the organization's policy regarding identification and authentication (the issuance and use of digital credentials). Most often a URL, but with appropriate resolution mechanisms in place, could be a URN.
...
eduOrgIdentityAuthNPolicyURI: http://www.tut.fi/public/it/idm/TTY-idm-kuvaus.html
eduOrgLegalName
(eduOrg200210) The organization's legal corporate name.
...
eduOrgLegalName: Päijät-Hämeen koulutuskonserni
eduOrgSuperiorURI
(eduOrg200210) LDAP URL for the organization object one level superior to this entry.
OID | Syntax | values | relevance |
---|---|---|---|
1.3.6.1.4.1.5923.1.2.1.5 | DirectoryString | Multi | May |
eduOrgWhitePagesURI
(eduOrg200210) The URL of the open white pages directory service for the university, predominantly LDAP these days.
OID | Syntax | values | relevance |
---|---|---|---|
1.3.6.1.4.1.5923.1.2.1.6 | DirectoryString | Multi | May |
cn /commonName
(eduOrg200210) X.520 (2001) "commonName." Name or names by which this organization is commonly known.
...
cn: University of Lapland
description
(eduOrg200210) Open-ended; whatever the person or the directory manager puts here. According to RFC 2256, "This attribute contains a human-readable description of the object."
OID | Syntax | values | relevance |
---|---|---|---|
2.5.4.13 | DirectoryString | Multi | May |
facsimileTelephoneNumber
(eduPerson202001) A fax number for the directory entry. Attribute values should follow the agreed format for international telephone numbers: i.e., "+44 71 123 4567".
OID | Syntax | values | relevance |
---|---|---|---|
2.5.4.23 | FacsimileTelephoneNumber | Multi | May |
l (localityName)
(eduOrg200210) According to RFC 2256, "This attribute contains the name of a locality, such as a city, county or other geographic region."
X.520 (2001) reads: "The Locality Name attribute type specifies a locality. When used as a component of a directory name, it identifies a geographical area or locality in which the named object is physically located or with which it is associated in some other important way."
OID | Syntax | values | relevance |
---|---|---|---|
2.5.4.7 | DirectoryString | Multi | May |
o / organizationName
(eduOrg200210) Standard name of the top-level organization (institution).
OID | Syntax | values | relevance |
---|---|---|---|
2.5.4.10 | DirectoryString | Multi | May |
postalAddress
(eduOrg200210) Main office address. X.520 (2001) reads: "The Postal Address attribute type specifies the address information required for the physical postal delivery to an object."
OID | Syntax | values | relevance |
---|---|---|---|
2.5.4.16 | PostalAddress | Multi | May |
postalCode
(eduOrg200210) Follow X.520 (2001): "The postal code attribute type specifies the postal code of the named object. If this attribute value is present, it will be part of the object's postal address." Zip code in USA, postal code for other countries.
OID | Syntax | values | relevance |
---|---|---|---|
2.5.4.17 | DirectoryString | Multi | May |
postOfficeBox
(eduOrg200210) Follow X.520 (2001): "The Post Office Box attribute type specifies the Postal Office Box by which the object will receive physical postal delivery. If present, the attribute value is part of the object's postal address."
OID | Syntax | values | relevance |
---|---|---|---|
2.5.4.18 | DirectoryString | Multi | May |
seeAlso
(eduOrg200210) The distinguished name of another directory entry. According to X.520 (2001), "The See Also attribute type specifies names of other Directory objects which may be other aspects (in some sense) of the same real world object."
OID | Syntax | values | relevance |
---|---|---|---|
2.5.4.34 | DistinguishedName | Multi | May |
street
(eduOrg200210) Street address of the primary campus offices. According to RFC 2256, "This attribute contains the physical address of the object to which the entry corresponds, such as an address for package delivery (streetAddress)."
OID | Syntax | values | relevance |
---|---|---|---|
2.5.4.9 | DirectoryString | Multi | May |
telephoneNumber
(eduPerson202001) Office/campus phone number. Attribute values should comply with the international format specified in ITU Recommendation E.123: e.g., "+44 71 123 4567."
OID | Syntax | values | relevance |
---|---|---|---|
2.5.4.20 | TelephoneNumber | multi | May |
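An added example, not part of the funetEduPerson specification, that checks an organisation entry against the attribute table above (names, OIDs and LDAP syntaxes as listed on this page) and derives the urn:oid SAML attribute name. The E.123 and DN regular expressions, the X.520 postalAddress line limits and the sample entry are simplifying assumptions of this example.

```python
import re

# Organisation attributes listed in this section: name -> (OID, LDAP syntax).
ORG_ATTRIBUTES = {
    "o":               ("2.5.4.10", "DirectoryString"),
    "postalAddress":   ("2.5.4.16", "PostalAddress"),
    "postalCode":      ("2.5.4.17", "DirectoryString"),
    "postOfficeBox":   ("2.5.4.18", "DirectoryString"),
    "seeAlso":         ("2.5.4.34", "DistinguishedName"),
    "street":          ("2.5.4.9",  "DirectoryString"),
    "telephoneNumber": ("2.5.4.20", "TelephoneNumber"),
}

# Simplified syntax checks (assumptions, not from the specification). E.123
# international notation: "+", country code, then space-separated digit groups.
E123_RE = re.compile(r"^\+\d{1,3}( \d+)+$")
DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+(,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$")

def check_value(syntax, value):
    """Return True if value is acceptable for the given LDAP syntax."""
    if syntax == "TelephoneNumber":
        return bool(E123_RE.match(value))
    if syntax == "DistinguishedName":
        return bool(DN_RE.match(value))
    if syntax == "PostalAddress":
        # X.520 postalAddress: "$"-separated lines, at most 6 lines of 30 chars.
        lines = value.split("$")
        return len(lines) <= 6 and all(0 < len(l.strip()) <= 30 for l in lines)
    return bool(value.strip())  # DirectoryString: any non-empty string

def saml_name(attr):
    """SAML 2.0 attribute name form used by Haka, urn:oid:<OID> (see changelog)."""
    return "urn:oid:" + ORG_ATTRIBUTES[attr][0]

def validate_entry(entry):
    """Check a dict of attribute -> list of values; return a list of problems."""
    problems = []
    for attr, values in entry.items():
        if attr not in ORG_ATTRIBUTES:
            problems.append(f"{attr}: not an organisation attribute in this section")
            continue
        syntax = ORG_ATTRIBUTES[attr][1]
        for value in values:
            if not check_value(syntax, value):
                problems.append(f"{attr}: {value!r} does not match syntax {syntax}")
    return problems

# Constructed sample entry (not a real organisation); validate_entry(SAMPLE) == [].
SAMPLE = {"o": ["Example University"], "telephoneNumber": ["+358 3 355 111"],
          "postalAddress": ["Example University$Kalevantie 4$33100 Tampere$FI"],
          "seeAlso": ["ou=Registry,o=Example University,c=FI"]}
```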
Supplement attributes
Mail address of the organisation, as defined in the Act on Electronic Services and Communication in the Public Sector (Laki sähköisestä asioinnista viranomaistoiminnassa).
...
Example:
mail: kirjaamo@uta.fi
Acknowledgements
Haka-IAM -verkosto is a network of specialists working on access and identity management at Finnish higher education institutions, facilitated by the Haka identity federation. The network participated actively in the update to version 2.2.
References
- eduPerson202001
  - eduPerson Object Class Specification (202001), 09 January 2020. https://wiki.refeds.org/display/STAN/eduPerson+2020-01, Internet2.
- eduOrg200210
  - Internet2 Middleware Architecture Committee, Directory Working Group. "EduOrg Object Class Specification (200210)." October, 2002. http://middleware.internet2.edu/eduperson/ , cited with the permission of Internet2.
- eduPerson200806
  - Internet2 Middleware Architecture Committee for Education, Directory Working Group. "EduPerson Object Class Specification (200806)." June, 2008. http://www.educause.edu/eduperson , cited with the permission of Internet2.
- RFC1274
  - Barker, P., Kille, S. "RFC 1274: The COSINE and Internet X.500 Schema." November, 1991.
- RFC 2256
  - Wahl, M. "RFC 2256: A Summary of the X.500(96) User Schema for use with LDAPv3." December, 1997.
- RFC2798
  - Smith, M. "RFC 2798: Definition of the inetOrgPerson LDAP Object Class." April, 2000.
- RFC 3066
  - Alvestrand, H. "RFC 3066: Tags for the Identification of Languages." January, 2001.
- Schac ver 1.2.0
  - Schac, Schema for Academia. "Attribute Definitions for Individual Data." 4 May 2006.
- RFC 4519
  - Sciberras, A. "RFC 4519: Lightweight Directory Access Protocol (LDAP): Schema for User Applications." June, 2006.
- RFC 4524
  - Zeilenga, K. "RFC 4524: COSINE LDAP/X.500 Schema." June, 2006.
- RFC 4512
- schac 1.5.0
  - Schac, SCHema for ACademia v1.5.0, 12 December 2015. https://wiki.refeds.org/display/STAN/SCHAC+Releases
- Schac ver 1.3.0
  - Schac, Schema for Academia. "Attribute Definitions for Individual Data." 12 December 2006.
- eduOrg201203
  - Internet2 Middleware Architecture Committee for Education, Directory Working Group (MACE-Dir).
- Fin Attr Profile 1.1
  - Approved by the Ministry of Finance and the Ministry of Employment and the Economy. SAML 2.0 Attribute Profile specification for the Finnish public sector identity federation services, version 1.1, 21.2.2011.
- eduGAIN Policy Framework, Attribute Profile
- REFEDS Assurance Framework
Appendix A: Collection of attributes for intra-organisational use
These attributes are used in intra-organizational user administration by some Finnish universities and polytechnics. The list has been collected from several directory schemas and is published to help organizations create their own user directories.
...
Attributes relevant for a user account:
(own)AccountOwnerID # DirIDNumber of an account owner
(own)AccountHost # win, unix
(own)AccountWinStatus # shows status of Windows account
(own)AccountUnixStatus # shows status of Unix account
(own)AccountWinExpirDate # the date when the account expires
Appendix B: Changelog
Changes from funetEduPerson ver 2.3
- added the eduPersonAssurance interpretation and marked it as a mandatory attribute
- updated attribute specifications to correspond to eduPerson202001
- noted that eduPersonTargetedID is deprecated and will be marked as obsolete in future versions
- clarified that the relevance of the mail attribute is SHOULD
- updated attribute syntax from DirectoryString to NumericString in attributes funetEduPersonStudyStart, funetEduPersonPrimaryStudyStart, funetEduPersonStudyToEnd, funetEduPersonPrimaryStudyToEnd
- updated attribute syntax from DirectoryString to Integer in attributes funetEduPersonCreditUnits, funetEduPersonECTS
Changes from funetEduPerson ver 2.2
- local requirements for the eduPersonPrincipalName attribute: values will be persistent after the grace period
Changes from funetEduPerson ver 2.1
- superseded attributes from ver 1.0 listed in a table
- added the schacHomeOrganization interpretation from the Advisory Committee
- new supplementary attributes:
  - funetEduPersonLearnerId
  - funetEduPersonGivenNames
  - funetEduPersonFullName
- new attributes from the Finnish Public Sector attribute profile:
  - electronicIdentificationNumber
  - nationalIdentificationNumber
- corrections regarding the referenced schemas: schac, eduOrg, eduPerson
- changes in mandatory and recommended attributes:
  - eduPersonAffiliation value faculty set to RECOMMENDED
  - givenName set as mandatory
- added a recommendation to follow the eduGAIN Attribute profile
- new attribute eduPersonOrcid from the eduOrg draft
- new attributes from schac:
  - schacYearOfBirth
  - schacUserPrivateAttribute
  - schacExpiryDate
  - schacProjectMembership
  - schacProjectSpecificRole
- removed sub-category Other object classes (course membership, group membership)
- removed Shibboleth 1.0 attribute names
- new namespace for funetEduPersonTargetDegree
- deprecated namespaces for funetEduPersonTargetDegree, funetEduPersonProgram and funetEduPersonSpecialisation
Changes from funetEduPerson ver 2.0
- introduced SAML 2.0 attribute names (urn:oid:…)
- corrected broken URLs in the document
- corrected a discrepancy in the relevance of funetEduPersonEPPNTimeStamp; the correct relevance is May
- adopted eduPerson 200806 and 200712:
  - new attribute eduPersonAssurance
  - new vocabulary value "library-walk-in" for eduPersonAffiliation/ScopedAffiliation/PrimaryAffiliation
  - updated "Common attributes" section according to eduPerson 200806 (references to new RFCs 4519 and 4524)
  - new attribute userSMIMECertificate
- adopted schac 1.3.0:
  - changed schacHomeOrganization syntax to DirectoryString
  - changed schacUserStatus syntax and examples
  - introduced "int" as an alternative to country codes
Changes from funetEduPerson ver 1.0
- reformatting, rearranging and adding examples to make the document easier to read
- mandatory attributes revised
- adopted eduPerson 200604:
  - only one occurrence of '@' in eduPersonScopedAffiliation and ePPN
  - eduPersonTargetedID definitions
  - added new attributes: eduPersonScopedAffiliation, eduPersonTargetedID and eduPersonNickname
- introduced schac and replaced overlapping national attributes
  - the replaced attributes: funetEduPersonHomeOrganization (replaced by schacHomeOrganization), funetEduPersonStudentID (schacPersonalUniqueCode), funetEduPersonIdentityCode (schacPersonalUniqueID), funetEduPersonDateOfBirth (schacDateOfBirth)
- added/clarified the Haka federation interpretation for:
  - attributes carrying the name of an individual
  - eduPersonAffiliation, eduPersonPrimaryAffiliation and eduPersonScopedAffiliation
  - reassignment of eduPersonPrincipalName
- added new attributes funetEduPersonStudyStart, funetEduPersonPrimaryStudyStart, funetEduPersonStudyToEnd, funetEduPersonPrimaryStudyToEnd, funetEduPersonCreditUnits, funetEduPersonECTS, funetEduPersonEPPNTimeStamp, funetEduPersonHomeCity, funetEduPersonStudentCategory, funetEduPersonStudentStatus, funetEduPersonStudentUnion
- added new attributes for target degree, study programme and specialisation with hierarchical syntax, adopting the terminology and translations (educational degree programme, specialisation option) of the Finnish Virtual University
- added employeeNumber
- attribute LDAP syntax fix: codes by Tilastokeskus changed from Integer to DirectoryString, and name length cut to a maximum of 32 characters
- added references to eduCourse and eduMember
...