Introduction

The main purpose of the funetEduPerson schema is to serve the Haka federation, the federation of Finnish higher education and research institutions, in the inter-organisational exchange of attribute assertions regarding authenticated users. The schema also contains attributes of organisations and organisational units.

...

Haka federation's interpretation and use of international attributes is highlighted in gray background.

Attributes for persons

The following attributes are mandatory:

...

Attribute Profile: https://www.geant.org/Services/Trust_identity_and_security/eduGAIN/Documents/Resources/GN3-11-012%20eduGAIN_attribute_profile.pdf

Supplement attributes in funetEduPerson

Superseded attributes

Superseded attributes from version 1.0 are listed in the table below.

Attribute                                | Defined in | Superseded by
-----------------------------------------|------------|-------------------------------
funetEduPersonHomeOrganization           | ver 1.0    | schacHomeOrganization
funetEduPersonStudentID                  | ver 1.0    | schacPersonalUniqueCode
funetEduPersonIdentityCode               | ver 1.0    | schacPersonalUniqueID
funetEduPersonDateOfBirth                | ver 1.0    | schacDateOfBirth
funetEduPersonTargetDegreeUniversity     | ver 1.0    | funetEduPersonTargetDegree
funetEduPersonTargetDegreePolytech       | ver 1.0    | funetEduPersonTargetDegree
funetEduPersonEducationalProgramUniv     | ver 1.0    | funetEduPersonProgram
funetEduPersonEducationalProgramPolytech | ver 1.0    | funetEduPersonProgram
funetEduPersonMajorUniv                  | ver 1.0    | funetEduPersonSpecialisation
funetEduPersonOrientationAlternPolytech  | ver 1.0    | funetEduPersonSpecialisation

funetEduPersonTargetDegree

Specifies a student's target degree (suoritettava tutkinto) using an appropriate vocabulary.

...

funetEduPersonTargetDegree: urn:mace:funet.fi:tut.fi:schema:targetDegrees:915

funetEduPersonProgram

The educational degree program (tutkinto-ohjelma) using an appropriate vocabulary.

...

funetEduPersonProgram: urn:mace:funet.fi:attribute-def:funetEduPersonTargetDegree:stat.fi:733

funetEduPersonSpecialisation

The specialisation option (opintosuunta) of a student using an appropriate vocabulary.

...

funetEduPersonSpecialisation: urn:mace:funet.fi:attribute-def:funetEduPersonTargetDegree:stat.fi:6516

funetEduPersonStudyStart

The date when a student started his/her studies (opintojen aloittamispäivä).

...

funetEduPersonStudyStart: 20050826

funetEduPersonPrimaryStudyStart

The date when a student started his/her primary studies (ensisijaisten opintojen aloittamispäivä).

...

funetEduPersonPrimaryStudyStart: 20050826

funetEduPersonStudyToEnd

The date when a student is expected to finish his/her studies, e.g. graduate (arvioitu opintojen päättymispäivä/valmistumispäivä).

...

funetEduPersonStudyToEnd: 20070531

funetEduPersonPrimaryStudyToEnd

The date when a student is expected to finish his/her primary studies, e.g. graduate (arvioitu ensisijaisen opinto-oikeuden päättymispäivä/valmistumispäivä).

...

funetEduPersonPrimaryStudyToEnd: 20070531

funetEduPersonCreditUnits

Number of credit units (opintoviikko) a student has.
In Finland, national credit units (1 cu equals 40 hours of work) were used before ECTS credit units were adopted in 2005.

...

funetEduPersonCreditUnits: 80

funetEduPersonECTS

Number of ECTS (European Credit Transfer System) credit units (opintopiste) a student has.

...

Examples:

funetEduPersonECTS: 140

funetEduPersonStudentCategory

Category of a student, based on the target of the studies.

...

funetEduPersonStudentCategory: master

funetEduPersonStudentStatus

Status of a student (läsnäolotieto); present or absent.

...

funetEduPersonStudentStatus: present

funetEduPersonStudentUnion

Name of the student union the student is a member of, if any.

...

funetEduPersonStudentUnion: Tampereen teknillisen yliopiston ylioppilaskunta

funetEduPersonHomeCity

Home City (kotikunta) of the user.

...

funetEduPersonHomeCity: 083

funetEduPersonEPPNTimeStamp

The date when eduPersonPrincipalName was issued to this individual.

...

Haka federation interpretation:

In the Haka Federation, there is a requirement for the Identity Providers to freeze revoked eduPersonPrincipalName values for a certain period of time (at the time of publication: 24 months) before reassignment, and a requirement for Service Providers to expect reassignment if the EPPN holder has not used the service for the respective time. See the Haka federation policy documents. eduPersonPrincipalName values will not be reassigned after 1.1.2019; see the eduPersonPrincipalName attribute description for details.

This attribute is to complement these requirements by enabling services with extended user lifecycle to maintain user profiles longer.

...

funetEduPersonEPPNTimeStamp: 20040826

funetEduPersonGivenNames

The funetEduPersonGivenNames attribute type contains name strings that are the part of a person's name that is not their surname.

...

Haka federation interpretation:

See commonName for conventions for attributes carrying the name of an individual. This attribute SHOULD NOT be mixed up with the givenName attribute.


funetEduPersonFullName

Space-delimited concatenated string of all official name strings of a person.

...

Haka federation interpretation:

See commonName for conventions for attributes carrying the name of an individual. This attribute SHOULD NOT be mixed up with the givenName attribute.


funetEduPersonLearnerId

An 11-digit identifier identifying a person.

...

funetEduPersonLearnerId: 1.2.246.562.24.10000000008
funetEduPersonLearnerId: 1.2.246.562.24.99999999990


Attributes from Finnish public sector attribute profile

electronicIdentificationNumber (satu)

(Fin Attr Profile 1.1) The electronic identification number (sähköinen asiointitunnus, satu) issued to an individual by the Population Register Centre (Väestörekisterikeskus).

...

electronicIdentificationNumber: 012345678N


nationalIdentificationNumber (hetu)

(Fin Attr Profile 1.1) The national identification number (henkilötunnus, hetu) issued to an individual by the Population Register Centre (Väestörekisterikeskus).

...

nationalIdentificationNumber: 010191-123A 


Attributes from schac

schacMotherTongue

(schac 1.5.0) The language a person learns first. Correspondingly, the person is called a native speaker of the language. Usually a child learns the basics of their first language from their family.

...

schacMotherTongue: es-ES
schacMotherTongue: fi

schacGender

(schac 1.5.0) The state of being male or female. The gender attribute specifies the legal gender the subject it is associated with.

...

  • 0 Not known
  • 1 Male
  • 2 Female
  • 9 Not specified

Examples:

schacGender: 2

schacDateOfBirth

(schac 1.5.0) The date of birth for the subject it is associated with.

...

schacDateOfBirth: 19660412

schacYearOfBirth

(schac 1.5.0) The year of birth for the subject it is associated with.

...

Examples:

schacYearOfBirth: 1966


schacPlaceOfBirth

(schac 1.5.0) The schacPlaceOfBirth attribute specifies the place of birth for the subject it is associated with.

...

schacPlaceOfBirth: Turku, Suomi

schacCountryOfCitizenship

(schac 1.5.0) The schacCountryOfCitizenship attribute specifies the (claimed) countries of citizenship for the subject it is associated with.

...

schacCountryOfCitizenship: fi

schacHomeOrganization

(schac 1.5.0) Specifies a person's home organization using the domain name of the organization. Issuers of schacHomeOrganization attribute values via SAML are strongly encouraged to publish matching shibmd:Scope elements as part of their IdP's SAML metadata. Relying Parties receiving schacHomeOrganization values via SAML are strongly encouraged to check attribute values against the Issuer's published shibmd:Scope elements in SAML metadata, and may discard any non-matching values.

...

schacHomeOrganization: tut.fi

schacHomeOrganizationType

(schac 1.5.0) Type of a Home Organization.

...

schacHomeOrganizationType: urn:schac:homeOrganizationType:es:opi

schacCountryOfResidence

(schac 1.5.0) The schacCountryOfResidence attribute specifies the (claimed) country of residence for the subject it is associated with.

...

schacCountryOfResidence: fi

schacUserPresenceID

(schac 1.5.0) To store a set of values related to network presence protocols.

...

schacUserPresenceID: h323:pepe@myweb.fi:808;params

schacPersonalPosition

(schac 1.5.0) The Personal Position attribute type specifies a personal position inside an institution.

...

schacPersonalPosition: urn:schac:personalPosition:pl:umk.pl:programmer

schacPersonalUniqueCode

(schac 1.5.0) Specifies a "unique code" for the subject it is associated with. Its value does not necessarily correspond to any identifier outside the scope of the directories using this schema.

...

schacPersonalUniqueCode: urn:schac:personalUniqueCode:se:LIN:87654321

schacPersonalUniqueID

(schac 1.5.0) Specifies a "legal unique identifier" for the subject it is associated with. This might be the DNI in Spain, the FIC (henkilötunnus) in Finland, the NIN in Sweden, etc.

...

schacPersonalUniqueID: urn:schac:personalUniqueID:se:NIN:12345678

schacExpiryDate

(schac 1.5.0) The date from which the set of data is to be considered invalid (specifically, with regard to rights and entitlements). This date applies to the entry as a whole.

...

schacExpiryDate: 20051231125959Z 


schacUserPrivateAttribute

(schac 1.5.0) Used to model privacy requirements, as expressed by the user and/or organizational policies. The values are intended to be attribute type names and apply to the attribute and any subtypes of it for a given entity. With respect to data exchange, it applies to the expression of privacy requirements. This attribute can also have specific operational semantics (one has already been applied to LDAP servers: see references below), which will be defined in a separate document.

...

schacUserPrivateAttribute: telephoneNumber


schacUserStatus

(schac 1.5.0) Used to store a set of statuses of a person as a user of services.

...

schacUserStatus: urn:schac:userStatus:si:ujl.si:webmail:active?+ttl=20060531235959

schacProjectMembership

(schac 1.5.0) The name of the project the user belongs to 

...

schacProjectMembership: perfsonar


schacProjectSpecificRole

(schac 1.5.0) Used to store a set of roles inside specific projects  

...

schacProjectSpecificRole: urn:schac:projectSpecificRole:perfsonar:developer


Attributes from eduPerson

eduPersonAffiliation

(eduPerson201310) Specifies the person's relationship(s) to the institution in broad categories such as student, faculty, staff, alum, etc.

...

eduPersonAffiliation: library-walk-in

eduPersonEntitlement

(eduPerson201310) URI (either URN or URL) that indicates a set of rights to specific resources.

...

eduPersonEntitlement: http://xstor.com/contracts/HEd123
eduPersonEntitlement: urn:mace:washington.edu:confocalMicroscope
eduPersonEntitlement: http://www.joopas.fi/virkailijaroolit/jooHakemuksenPuoltaja

eduPersonNickname

(eduPerson201310) Person's nickname, or the informal name by which they are accustomed to be hailed.

...

Examples:

eduPersonNickname: Sepi

eduPersonOrcid

(orcid-draft-01) An eduPersonOrcid attribute carries values of the ORCID-assigned researcher identifiers for the associated entry.

...

eduPersonOrcid: http://orcid.org/0000-0102-9134-699X


eduPersonOrgDN

(eduPerson201310) The distinguished name (DN) of the directory entry representing the institution with which the person is associated.

...

eduPersonOrgDN: o=Hogwarts, dc=hsww, dc=wiz

eduPersonOrgUnitDN

(eduPerson201310) The distinguished name(s) (DN) of the directory entries representing the person's Organizational Unit(s). May be multivalued, as for example, in the case of a faculty member with appointments in multiple departments or a person who is a student in one department and an employee in another.

...

eduPersonOrgUnitDN: ou=Potions, o=Hogwarts, dc=hsww, dc=wiz

eduPersonPrimaryAffiliation

(eduPerson201310) Specifies the person's PRIMARY relationship to the institution in broad categories such as student, faculty, staff, alum, etc.

...

Think of this as the affiliation one might put on the name tag if this person were to attend a general institutional social gathering. Note that the single-valued eduPersonPrimaryAffiliation attribute assigns each person in the directory into one and only one category of affiliation. There are application scenarios where this would be useful.

See eduPersonAffiliation for further details.

Haka federation interpretation:

See eduPersonAffiliation for a more specific Finnish interpretation.

In Haka federation, following priorities are recommended: 1) faculty, 2) staff, 3) employee, 4) student, 5) member, 6) affiliate, 7) library-walk-in.

eduPersonPrimaryOrgUnitDN

(eduPerson201310) The distinguished name (DN) of the directory entry representing the person's primary Organizational Unit(s).

...

Each institution populating this attribute decides the criteria for determining which organization unit entry is the primary one for a given individual.

eduPersonPrincipalName

(eduPerson201310) A scoped identifier for a person. It should be represented in the form "user@scope" where 'user' is a name-based identifier for the person and where the "scope" portion MUST be the administrative domain of the identity system where the identifier was created and assigned. Each value of 'scope' defines a namespace within which the assigned identifiers MUST be unique. Given this rule, if two eduPersonPrincipalName (ePPN) values are the same at a given point in time, they refer to the same person. There must be one and only one "@" sign in valid values of eduPersonPrincipalName.

...

Values of eduPersonPrincipalName are often, but not required to be, human-friendly, and may change as a result of various business processes. They may also be reassigned after a locally-defined period of dormancy. Applications that require a guarantee of non-reassignment and more stability, but can tolerate values unfriendly (and unknown) to humans should refer to the eduPersonTargetedID attribute.

Haka federation interpretation:

In the Haka Federation, eduPersonPrincipalName values will be persistent according to a grace period. A value assigned on or after 1.1.2019 MUST NOT be reassigned. It is left to the organisation to decide whether the same value will be assigned again to a person who leaves and later rejoins, or whether the organisation will assign a new value for the person. The grace period is as follows:

  • the organisation MUST NOT reassign eduPersonPrincipalName values beginning from 1.1.2019
  • Service Providers MAY consider eduPersonPrincipalName attribute value as persistent beginning from 1.1.2021
  • until 1.1.2021 Service Providers MUST expect reassignment of the eduPersonPrincipalName value if the holder has not used the service for 24 months

The requirement in force until, but not after, 1.1.2019 is as follows. In the Haka Federation, there is a requirement for the Identity Providers to freeze revoked eduPersonPrincipalName values for a certain period of time (at the time of publication: 24 months) before reassignment, and a requirement for Service Providers to expect reassignment if the EPPN holder has not used the service for the respective time. See the Haka federation policy documents for details.

See also: funetEduPersonEPPNTimeStamp

...

eduPersonPrincipalName: mvirtane@hut.fi
eduPersonPrincipalName: mkorhone@students.oamk.fi

eduPersonPrincipalNamePrior (defined in eduPerson 201211)

(eduPerson201312) Each value of this multi-valued attribute represents an ePPN (eduPersonPrincipalName) value that was previously associated with the entry. The values MUST NOT include the currently valid ePPN value. There is no implied or assumed order to the values. This attribute MUST NOT be populated if ePPN values are ever reassigned to a different entry (after, for example, a period of dormancy). That is, they MUST be unique in space and over time.

...

eduPersonPrincipalName: baz@hsww.wiz
eduPersonPrincipalNamePrior: foo@hsww.wiz
eduPersonPrincipalNamePrior: bar@hsww.wiz


eduPersonScopedAffiliation

(eduPerson201310) Specifies the person's affiliation within a particular security domain in broad categories such as student, faculty, staff, alum, etc. The values consist of a left and right component separated by an "@" sign. The left component is one of the values from the eduPersonAffiliation controlled vocabulary. The right-hand side syntax of eduPersonScopedAffiliation intentionally matches that used for the right-hand side values of eduPersonPrincipalName, since both identify a security domain. Multiple "@" signs are not recommended, but in any case, the first occurrence of the "@" sign starting from the left is to be taken as the delimiter between components. Thus, the user identifier is to the left and the security domain to the right of the first "@". This parsing rule conforms to the POSIX "greedy" disambiguation method in regular expression processing.

...

eduPersonScopedAffiliation: faculty@tut.fi
eduPersonScopedAffiliation: student@students.oamk.fi
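The scope checks called for by schacHomeOrganization, eduPersonPrincipalName and eduPersonScopedAffiliation above share one mechanism: compare the right-hand side against the shibmd:Scope values the issuer publishes in metadata, and drop anything that does not match. The following is an added example, not code from the schema document or from any Haka software, of a Relying Party filter that applies those three definitions together; the entityID, scope list and attribute values are constructed, and scopes are assumed to be literal DNS names (shibmd:Scope with regexp="true" is not handled).

```python
"""Added example (not part of the schema document or of any Haka software):
a Relying Party's acceptance check for the scoped values defined above.

Rules implemented, each taken from an attribute definition on this page:
  * eduPersonPrincipalName MUST contain exactly one "@";
  * eduPersonScopedAffiliation is split at the FIRST "@" from the left and
    its left part must be an eduPersonAffiliation vocabulary value;
  * schacHomeOrganization and every right-hand scope are checked against
    the shibmd:Scope values the issuer publishes in SAML metadata, and
    non-matching values are discarded.
Assumptions: scopes are literal DNS names compared case-insensitively;
the entityID, scope list and attribute values below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# eduPersonAffiliation controlled vocabulary (eduPerson201310).
AFFILIATIONS = frozenset({
    "faculty", "student", "staff", "alum", "member",
    "affiliate", "employee", "library-walk-in",
})

# Constructed stand-in for the shibmd:Scope elements read from metadata.
METADATA_SCOPES: dict[str, set[str]] = {
    "https://idp.example-university.fi/idp": {"tut.fi", "students.tut.fi"},
}


@dataclass
class Result:
    accepted: dict[str, list[str]] = field(default_factory=dict)
    rejected: list[tuple[str, str, str]] = field(default_factory=list)  # (attr, value, reason)


def split_scoped(value: str) -> tuple[str, str]:
    """Split at the first '@' (the POSIX-greedy rule of eduPersonScopedAffiliation)."""
    left, sep, right = value.partition("@")
    if not sep:
        raise ValueError(f"no '@' in scoped value {value!r}")
    return left, right


def scope_allowed(scope: str, issuer: str) -> bool:
    """True if the issuer's metadata lists this scope (DNS names: case-insensitive)."""
    allowed = METADATA_SCOPES.get(issuer, set())
    return scope.lower() in {s.lower() for s in allowed}


def validate(issuer: str, attrs: dict[str, list[str]]) -> Result:
    """Filter an IdP's released attributes; keep only values whose scope the issuer owns."""
    res = Result()

    def reject(name: str, value: str, why: str) -> None:
        res.rejected.append((name, value, why))

    def accept(name: str, value: str) -> None:
        res.accepted.setdefault(name, []).append(value)

    for v in attrs.get("eduPersonPrincipalName", []):
        if v.count("@") != 1:
            reject("eduPersonPrincipalName", v, "must contain exactly one '@'")
            continue
        user, scope = split_scoped(v)
        if not user or not scope_allowed(scope, issuer):
            reject("eduPersonPrincipalName", v, "scope not in issuer metadata")
            continue
        accept("eduPersonPrincipalName", v)

    for v in attrs.get("eduPersonScopedAffiliation", []):
        try:
            affiliation, scope = split_scoped(v)
        except ValueError:
            reject("eduPersonScopedAffiliation", v, "no '@' delimiter")
            continue
        if affiliation not in AFFILIATIONS:
            reject("eduPersonScopedAffiliation", v, "left part not in eduPersonAffiliation vocabulary")
        elif not scope_allowed(scope, issuer):
            reject("eduPersonScopedAffiliation", v, "scope not in issuer metadata")
        else:
            accept("eduPersonScopedAffiliation", v)

    for v in attrs.get("schacHomeOrganization", []):
        if scope_allowed(v, issuer):
            accept("schacHomeOrganization", v)
        else:
            reject("schacHomeOrganization", v, "value not in issuer metadata")
    return res


# Constructed sample: what one IdP might release for one user.
SAMPLE_ISSUER = "https://idp.example-university.fi/idp"
SAMPLE_ATTRS = {
    "eduPersonPrincipalName": ["mvirtane@tut.fi", "mvirtane@other-university.fi", "a@b@tut.fi"],
    "eduPersonScopedAffiliation": ["faculty@tut.fi", "student@students.tut.fi", "staff@TUT.FI",
                                   "visitor@tut.fi", "staff@other.fi", "member"],
    "schacHomeOrganization": ["tut.fi", "other.fi"],
}
```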

eduPersonTargetedID

(eduPerson201310) A persistent, non-reassigned, opaque identifier for a principal.

...

Intended for identity or service providers or directory-enabled applications that need to link an external account to an internal account maintained within their own system. This attribute is often used to represent a long-term account linking relationship between an identity provider and service provider(s) (or other identity/attribute provider).

eduPersonAssurance

(eduPerson201310) Set of URIs that assert compliance with specific standards for identity assurance.

...

eduPersonAssurance: http://idm.example.org/LOA#sample

eduPersonUniqueId

(eduPerson201310) A long-lived, non re-assignable, omnidirectional identifier suitable for use as a principal identifier by authentication providers or as a unique external key by applications.

...

eduPersonUniqueId: 28c5353b8bb34984a8bd4169ba94c606@foo.edu


Common attributes

cn / commonName

(RFC 4519) The 'cn' ('commonName' in X.500) attribute type contains names of an object. Each name is one value of this multi-valued attribute. If the object corresponds to a person, it is typically the person's full name. (RFC 2256) This is the X.500 commonName attribute, which contains a name of an object. If the object corresponds to a person, it is typically the person's full name.

...

Haka federation interpretation:

In Finland, people have one family name and at most three first names, for example Seppo Matinpoika Johannes Virtanen.
In order to harmonize practices in Finland,

  • sn = family name
  • givenName = the preferred given name the person has indicated to be used (in Finland: "kutsumanimi")
  • funetEduPersonGivenNames = all official given names of a person. 
  • funetEduPersonFullName = official full name of a person
  • cn = the name the individual has indicated as the one (s)he uses + sn
  • displayName = the name the individual has indicated as the one (s)he uses + sn
  • eduPersonNickname = the informal name by which the individual is accustomed to be hailed

Examples:

sn: Virtanen
givenName: Seppo
funetEduPersonGivenNames: Seppo Matinpoika Johannes
funetEduPersonFullName: Seppo Matinpoika Johannes Virtanen
cn: Seppo Virtanen
displayName: Seppo Virtanen
eduPersonNickname: Sepi

description

(RFC 2256) This attribute contains a human-readable description of the object. (RFC 4519) The 'description' attribute type contains human-readable descriptive phrases about the object. Each description is one value of this multi-valued attribute.

...

(eduPerson201310) Open-ended; whatever the person or the directory manager puts here.

displayName

(RFC 2798) Preferred name of a person to be used when displaying entries. (RFC 2798) When displaying an entry, especially within a one-line summary list, it is useful to be able to identify a name to be used. Since other attribute types such as 'cn' are multivalued, an additional attribute type is needed. Display name is defined for this purpose.

...

Haka federation interpretation:

See commonName for conventions for attributes carrying the name of an individual.

employeeNumber

(RFC 2798) Numeric or alphanumeric identifier assigned to a person, typically based on order of hire or association with an organization. Single valued.

...

Examples:

employeeNumber: 1054

facsimileTelephoneNumber

(RFC 2256 RFC 4519) The 'facsimileTelephoneNumber' attribute type contains telephone numbers (and, optionally, the parameters) for facsimile terminals. Each telephone number is one value of this multi-valued attribute.

...

(eduPerson201310) Attribute values should comply with the ITU Recommendation E.123 [E.123]: i.e., "+44 71 123 4567."

givenName

(RFC 2256) The givenName attribute is used to hold the part of a person's name which is not their surname nor middle name. (RFC 4519) The 'givenName' attribute type contains name strings that are the part of a person's name that is not their surname. Each string is one value of this multi-valued attribute.

...

Haka federation interpretation:

See commonName for conventions for attributes carrying the name of an individual. If the object corresponds to a person, the following rules should be considered. Since displayName seems to be widely used as the full name of a person in addition to cn, the Haka interpretation of the givenName attribute is the preferred given name the person has indicated to be used (in Finland: "kutsumanimi"). In Finland, only one name can be registered as preferred. For this reason and to avoid confusion, only one value SHOULD be made available when describing a person.

Traditionally both givenName (displayname in FEP 2.1 and before) and sn have been made available for each user in Haka as mandatory attributes. After the change in semantics in version 2.2 of the schema, givenName needs to be specified as mandatory for the same set of personal data to be available as before in FEP 2.1.

homePhone

(RFC 1274) The Home Telephone Number attribute type specifies a home telephone number associated with a person. Attribute values should follow the agreed format for international telephone numbers: i.e., "+44 71 123 4567".

...

homePhone: +358 3 317 7059

homePostalAddress

(RFC 1274) The Home postal address attribute type specifies a home postal address for an object. This should be limited to up to 6 lines of 30 characters each.

...

homePostalAddress: Kotikatu 4$00100 Helsinki

jpegPhoto

(RFC 2798) Used to store one or more images of a person using the JPEG File Interchange Format [JFIF].

OID                        | Syntax | Values | Relevance
0.9.2342.19200300.100.1.60 | JPEG   | Multi  | May

l / localityName

(RFC 2256 / RFC 4519) The 'l' ('localityName' in X.500) attribute type contains names of a locality or place, such as a city, county, or other geographic region. Each name is one value of this multi-valued attribute. This attribute contains the name of a locality, such as a city, county or other geographic region (localityName).

OID     | Syntax          | Values | Relevance
2.5.4.7 | DirectoryString | Multi  | May

Examples:

l: Viikki

labeledURI

(eduPerson201310) Follow inetOrgPerson definition of RFC 2079: "Uniform Resource Identifier with optional label."
Commonly a URL for a web site associated with this person.

...

labeledURI: http://students.tut.fi/%7Eteemu Teemu Teekkari's home page
labeledURI: http://champagne.inria.fr/Unites/rennes.gif Rennes [photo]

mail

(RFC 4524) The 'mail' (rfc822mailbox) attribute type holds Internet mail addresses in Mailbox [RFC2821] form (e.g., user@example.com).

...

mail: esko.esimerkki@oulu.fi

mobile

(RFC 4524) The 'mobile' (mobileTelephoneNumber) attribute specifies mobile telephone numbers (e.g., "+1 775 555 6789") associated with a person (or entity). (RFC 1274) The Mobile Telephone Number attribute type specifies a mobile telephone number associated with a person. Attribute values should follow the agreed format for international telephone numbers: i.e., "+44 71 123 4567".

...

Examples:

mobile: +358 40 345 6789

o / organizationName

(eduPerson201310) Standard name of the top-level organization (institution) with which this person is associated. (RFC 2256) This attribute contains the name of an organization (organizationName).

...

Examples:

o: University of Tampere

ou/organizationalUnitName

(RFC 2256) This attribute contains the name of an organizational unit (organizationalUnitName). (eduPerson201310) Organizational unit(s). According to X.520(2000), "The Organizational Unit Name attribute type specifies an organizational unit. When used as a component of a directory name it identifies an organizational unit with which the named object is affiliated."

...

ou: Faculty of Humanities
ou: Department of History

postalAddress

(eduPerson201310) Campus or office address. inetOrgPerson has a homePostalAddress that complements this attribute. X.520(2000) reads: "The Postal Address attribute type specifies the address information required for the physical postal delivery to an object."

...

postalAddress: P.O. Box 405$02101 Espoo

postalCode

(eduPerson201310) Follow X.500(2001): "The postal code attribute type specifies the postal code of the named object. If this attribute value is present, it will be part of the object's postal address."

...

Examples:

postalCode: 02101

preferredLanguage

(RFC 2798) Preferred written or spoken language for a person.

...

Examples:

preferredLanguage: fi

seeAlso

(RFC 4519) The 'seeAlso' attribute type contains the distinguished names of objects that are related to the subject object. Each related object name is one value of this multi-valued attribute.

...

seeAlso: cn=Department Chair, ou=physics, o=University of Technology, dc=utech, dc=ac, dc=uk

sn / surname

(RFC 4519) The 'sn' ('surname' in X.500) attribute type contains name strings for the family names of a person. Each string is one value of this multi-valued attribute. (RFC 2256) This is the X.500 surname attribute, which contains the family name of a person.

...

Haka federation interpretation:

See commonName for conventions for attributes carrying the name of an individual.

street

(RFC 4519) The 'street' ('streetAddress' in X.500) attribute type contains site information from a postal address (i.e., the street name, place, avenue, and the house number). Each street is one value of this multi-valued attribute.

...

street: Korkeakoulunkatu 1

telephoneNumber

(eduPerson201310) Office/campus phone number. Attribute values should follow the agreed format for international telephone numbers: i.e., "+44 71 123 4567."

OID      | Syntax          | Values | Relevance
2.5.4.20 | TelephoneNumber | Multi  | May

title

(RFC 4519) The 'title' attribute type contains the title of a person in their organizational context. Each title is one value of this multi-valued attribute.

...

Examples:

title: professor

uid

(RFC 4519) The 'uid' ('userid' in RFC 1274) attribute type contains computer system login names associated with the object. Each name is one value of this multi-valued attribute.

...

A number of off-the-shelf directory-enabled applications make use of this inetOrgPerson attribute, not always consistently.

userCertificate

(eduPerson201310) A user's X.509 certificate

...

(eduPerson201310) Note that userSMIMECertificate is in binary syntax (1.3.6.1.4.1.1466.115.121.1.5) whereas the userCertificate attribute is in certificate syntax (1.3.6.1.4.1.1466.115.121.1.8).

userPassword

(eduPerson200312eduPerson200806) This attribute identifies the entry's password and encryption method in the following format: {encryption method}encrypted password.

...

(eduPerson200312eduPerson200806) The user password is hidden, and is used in the bind operation in LDAP. The bind operation must be done over SSL to avoid sending clear-text passwords over the wire or through the air.

userSMIMECertificate

(eduPerson200806) An X.509 certificate specifically for use in S/MIME applications (see RFCs 2632, 2633 and 2634).

...

(RFC 2798) If available, this attribute is preferred over the userCertificate attribute for S/MIME applications. This attribute is to be stored and requested in the binary form, as 'userSMIMECertificate;binary.'

Attributes for organisations

These are attributes for an object representing an organisation or organisational unit. The attributes are expected to be used in the organisation branch of an enterprise directory.

Attributes from eduOrg

eduOrgHomePageURI

(eduOrg200210) The URL for the organization's top level home page.

...

eduOrgHomePageURI: http://www.helsinki.fi/

eduOrgIdentityAuthNPolicyURI

(eduOrg200210) A URI pointing to the location of the organization's policy regarding identification and authentication (the issuance and use of digital credentials). Most often a URL, but with appropriate resolution mechanisms in place, could be a URN.

...

eduOrgIdentityAuthNPolicyURI: http://www.tut.fi/public/it/idm/TTY-idm-kuvaus.html

eduOrgLegalName

(eduOrg200210) The organization's legal corporate name.

...

eduOrgLegalName: Päijät-Hämeen koulutuskonserni

eduOrgSuperiorURI

(eduOrg200210) LDAP URL for the organization object one level superior to this entry.

OID                      | Syntax          | Values | Relevance
1.3.6.1.4.1.5923.1.2.1.5 | DirectoryString | Multi  | May

eduOrgWhitePagesURI

(eduOrg200210) The URL of the open white pages directory service for the university, predominantly LDAP these days.

OID                      | Syntax          | Values | Relevance
1.3.6.1.4.1.5923.1.2.1.6 | DirectoryString | Multi  | May

cn / commonName

(eduOrg200210) X.520 (2001) "commonName." Name or names by which this organization is commonly known.

...

cn: University of Lapland

description

(eduOrg200210) Open-ended; whatever the person or the directory manager puts here. According to RFC 2256, "This attribute contains a human-readable description of the object."

OID      | Syntax          | Values | Relevance
2.5.4.13 | DirectoryString | Multi  | May

facsimileTelephoneNumber

(eduOrg200210) A fax number for the directory entry. Attribute values should follow the agreed format for international telephone numbers: i.e., "+44 71 123 4567."

OID      | Syntax                   | Values | Relevance
2.5.4.23 | FacsimileTelephoneNumber | Multi  | May

l (localityName)

(eduOrg200210) According to RFC 2256, "This attribute contains the name of a locality, such as a city, county or other geographic region."
X.520 (2001) reads: "The Locality Name attribute type specifies a locality. When used as a component of a directory name, it identifies a geographical area or locality in which the named object is physically located or with which it is associated in some other important way."

OID     | Syntax          | Values | Relevance
2.5.4.7 | DirectoryString | Multi  | May

o / organizationName

(eduOrg200210) Standard name of the top-level organization (institution).

OID      | Syntax          | Values | Relevance
2.5.4.10 | DirectoryString | Multi  | May

postalAddress

(eduOrg200210) Main office address. X.520 (2001) reads: "The Postal Address attribute type specifies the address information required for the physical postal delivery to an object."

OID      | Syntax        | Values | Relevance
2.5.4.16 | PostalAddress | Multi  | May

postalCode

(eduOrg200210) Follow X.520 (2001): "The postal code attribute type specifies the postal code of the named object. If this attribute value is present, it will be part of the object's postal address." Zip code in USA, postal code for other countries.

OID      | Syntax          | Values | Relevance
2.5.4.17 | DirectoryString | Multi  | May

postOfficeBox

(eduOrg200210) Follow X.520 (2001): "The Post Office Box attribute type specifies the Postal Office Box by which the object will receive physical postal delivery. If present, the attribute value is part of the object's postal address."

OID      | Syntax          | Values | Relevance
2.5.4.18 | DirectoryString | Multi  | May

seeAlso

(eduOrg200210) The distinguished name of another directory entry. According to X.520 (2001), "The See Also attribute type specifies names of other Directory objects which may be other aspects (in some sense) of the same real world object."

OID: 2.5.4.34
Syntax: DistinguishedName
Values: multi
Relevance: May

street

(eduOrg200210) Street address of the primary campus offices. According to RFC 2256, "This attribute contains the physical address of the object to which the entry corresponds, such as an address for package delivery (streetAddress)."

OID: 2.5.4.9
Syntax: DirectoryString
Values: multi
Relevance: May

telephoneNumber

(eduOrg200210) Main campus phone number. Attribute values should follow the agreed format for international telephone numbers: i.e., "+44 71 123 4567."

OID: 2.5.4.20
Syntax: TelephoneNumber
Values: multi
Relevance: May
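As an added example (not code from the funetEduPerson specification or from any Haka software), a small Python checker that validates an organisation entry against the attribute table above. The attribute-to-OID/syntax mapping is taken from this page; the value checks for telephone numbers, distinguished names and postal addresses are assumptions based on the page's "+44 71 123 4567" example and on RFC 4514/4517, and the sample entry is constructed.

```python
import re

# Organisation attributes as defined on this page: name -> (OID, LDAP syntax).
ORG_ATTRIBUTES = {
    "facsimileTelephoneNumber": ("2.5.4.23", "FacsimileTelephoneNumber"),
    "l": ("2.5.4.7", "DirectoryString"),
    "o": ("2.5.4.10", "DirectoryString"),
    "postalAddress": ("2.5.4.16", "PostalAddress"),
    "postalCode": ("2.5.4.17", "DirectoryString"),
    "postOfficeBox": ("2.5.4.18", "DirectoryString"),
    "seeAlso": ("2.5.4.34", "DistinguishedName"),
    "street": ("2.5.4.9", "DirectoryString"),
    "telephoneNumber": ("2.5.4.20", "TelephoneNumber"),
}
# Assumed international telephone format, from the page's "+44 71 123 4567".
_PHONE_RE = re.compile(r"^\+\d+( \d+)*$")
# Minimal DN shape (assumption): comma-separated attr=value components, RFC 4514 style.
_DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+(,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$")


def _value_ok(syntax, value):
    if syntax in ("TelephoneNumber", "FacsimileTelephoneNumber"):
        return bool(_PHONE_RE.match(value))
    if syntax == "DistinguishedName":
        return bool(_DN_RE.match(value))
    if syntax == "PostalAddress":  # RFC 4517: non-empty lines joined by "$"
        return all(line.strip() for line in value.split("$"))
    return bool(value.strip())  # DirectoryString: any non-empty string


def validate_org_entry(entry):
    """Return problems for an {attribute: [values]} organisation entry.
    Unknown attributes are rejected; each problem names the attribute by its
    LDAP name and by its SAML 2.0 name (urn:oid:<OID>)."""
    problems = []
    for attr, values in entry.items():
        if attr not in ORG_ATTRIBUTES:
            problems.append(f"{attr}: not an organisation attribute in this schema")
            continue
        oid, syntax = ORG_ATTRIBUTES[attr]
        problems += [f"urn:oid:{oid} ({attr}): {v!r} is not a valid {syntax}"
                     for v in values if not _value_ok(syntax, v)]
    return problems


# Constructed sample entry (not real data); the fax number breaks the format.
SAMPLE_ENTRY = {
    "o": ["Example University"],
    "telephoneNumber": ["+358 9 123 4567"],
    "facsimileTelephoneNumber": ["09-123 4568"],
    "postalAddress": ["PO Box 1$00014 Example University"],
    "seeAlso": ["ou=Library,o=Example University,c=FI"],
}
```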

Supplement attributes

mail

Mail address of the organisation, as defined in the Act on Electronic Services and Communication in the Public Sector (Laki sähköisestä asioinnista viranomaistoiminnassa).

...

Example:

 mail: kirjaamo@uta.fi

Acknowledgements

Haka-IAM-verkosto is a network of specialists working on access and identity management at Finnish higher education institutions, facilitated by the Haka identity federation. The network participated actively in the update to version 2.2.

References

  • eduOrg200210
    • Internet2 Middleware Architecture Committee, Directory Working Group. "EduOrg Object Class Specification (200210)." October, 2002. http://middleware.internet2.edu/eduperson/ , cited with the permission of Internet2.
  • eduPerson200806
    • Internet2 Middleware Architecture Committee for Education, Directory Working Group. "EduPerson Object Class Specification (200806)." June, 2008. http://www.educause.edu/eduperson , cited with the permission of Internet2.
  • RFC 1274
    • Barker, P., Kille, S. "RFC 1274: The COSINE and Internet X.500 Schema." November, 1991.
  • RFC 2256
    • Wahl, M. "RFC 2256: A Summary of the X.500(96) User Schema for use with LDAPv3." December, 1997.
  • RFC 2798
    • Smith, M. "RFC 2798: Definition of the inetOrgPerson LDAP Object Class." April, 2000.
  • RFC 3066
    • Alvestrand, H. "RFC 3066: Tags for the Identification of Languages." January, 2001.
  • Schac ver 1.2.0
    • Schac, Schema for Academia. "Attribute Definitions for Individual Data." 4 May 2006.
  • RFC 4519
    • Sciberras, A. "RFC 4519: Lightweight Directory Access Protocol (LDAP): Schema for User Applications." June, 2006.
  • RFC 4524
    • Zeilenga, K. "RFC 4524: COSINE LDAP/X.500 Schema." June, 2006.
  • Schac ver 1.3.0
    • Schac, Schema for Academia. "Attribute Definitions for Individual Data." 12 December 2006.
  • eduOrg201203
    • Internet2 Middleware Architecture Committee for Education, Directory Working Group (MACE-Dir).
  • SCHAC schema IAD 1.5.0.c
    • The SCHema for ACademia, TERENA Task Force on Middleware, TF-EMC2.
  • Fin Attr Profile 1.1
    • Approved by the Ministry of Finance and the Ministry of Employment and the Economy. SAML 2.0 Attribute Profile specification for the Finnish public sector identity federation services, version 1.1, 21.2.2011.
  • eduGAIN Policy Framework, Attribute Profile

Appendix A: Collection of attributes for intra-organisational use

These attributes are used in intra-organizational user administration by some Finnish universities and polytechnics. The list has been collected from several directory schemas and is published to help organizations to create their organizational user directories.

...

Attributes relevant for a user account:
(own)AccountOwnerID # DirIDNumber of an account owner
(own)AccountHost # win, unix
(own)AccountWinStatus # shows status of Windows account
(own)AccountUnixStatus # shows status of Unix account
(own)AccountWinExpirDate # the date when the account expires

Appendix B: Changelog

Changes from funetEduPerson ver 2.2

  • Local requirements of the eduPersonPrincipalName attribute. Values will be persistent after grace period. 

Changes from funetEduPerson ver 2.1

  • Superseded attributes from ver 1.0 listed in table
  • added schacHomeOrganization interpretation from the Advisory Committee
  • new supplementary attributes:
    • funetEduPersonLearnerId
    • funetEduPersonGivenNames
    • funetEduPersonFullName
  • new attributes from the Finnish Public Sector attribute profile
    • electronicIdentificationNumber
    • nationalIdentificationNumber
  • corrections regarding the referenced schemas: schac, eduOrg, eduPerson
  • changes in mandatory and recommended attributes
    • eduPersonAffiliation value faculty set to RECOMMENDED
    • givenName set as mandatory
    • added recommendation to follow eduGAIN Attribute profile
  • new attribute eduPersonOrcid from eduOrg draft
  • new attributes from schac:
    • schacYearOfBirth
    • schacUserPrivateAttribute
    • schacExpiryDate
    • schacProjectMembership
    • schacProjectSpecificRole
  • removed sub-category Other object Classes (course membership, group membership)
  • removed Shibboleth 1.0 attribute names
  • new namespace for funetEduPersonTargetDegree
  • deprecated namespaces for funetEduPersonTargetDegree, funetEduPersonProgram and funetEduPersonSpecialisation

Changes from funetEduPerson ver 2.0

  • introduced SAML 2.0 attribute names (urn:oid:…)
  • corrected broken URLs in the document
  • corrected discrepancy in the relevance of funetEduPersonEPPNTimeStamp. The correct relevance is May
  • adopted eduPerson 200806 and 200712:
    • new attribute eduPersonAssurance
    • new vocabulary value "library-walk-in" for eduPersonAffiliation/ScopedAffiliation/PrimaryAffiliation
    • updated "Common attributes" section according to eduPerson 200806 (references to new RFCs 4519 and 4524)
    • new attribute userSMIMECertificate
  • adopted schac 1.3.0
    • changed schacHomeOrganization syntax to directory string
    • changed schacUserStatus syntax and examples
    • introduced "int" as an alternative to country codes

Changes from funetEduPerson ver 1.0

  • reformatting, rearranging and adding examples to make the document easier to read
  • mandatory attributes revised
  • adopted eduPerson 200604
  • only one occurrence of '@' in eduPersonScopedAffiliation and Eppn
  • eduPersonTargetedID definitions
  • added new attributes: eduPersonScopedAffiliation, eduPersonTargetedID and eduPersonNickname
  • introduced schac and replaced overlapping national attributes
  • the replaced attributes: funetEduPersonHomeOrganization (replaced by schacHomeOrganization), funetEduPersonStudentID (schacPersonalUniqueCode), funetEduPersonIdentityCode (schacPersonalUniqueID), funetEduPersonDateOfBirth (schacDateOfBirth)
  • added/clarified Haka federation interpretation for
    • attributes carrying the name of an individual
    • eduPersonAffiliation, eduPersonPrimaryAffiliation and eduPersonScopedAffiliation
    • reassignment of eduPersonPrincipalName
  • added new attributes funetEduPersonStudyStart, funetEduPersonPrimaryStudyStart, funetEduPersonStudyToEnd, funetEduPersonPrimaryStudyToEnd, funetEduPersonCreditUnits, funetEduPersonECTS, funetEduPersonEPPNTimeStamp, funetEduPersonHomeCity, funetEduPersonStudentCategory, funetEduPersonStudentStatus, funetEduPersonStudentUnion
  • added new attributes for target degree, study program and specialisation with hierarchical syntax; adopted the terminology and translations (educational degree programme, specialisation option) of the Finnish Virtual University
  • added employeeNumber
  • attribute LDAP syntax fix: codes by Tilastokeskus changed from Integer to DirectoryString, and name length cut to max 32 characters
  • added references to eduCourse and eduMember