Attributes released by Raven SAML 2.0

Following authentication, the IdP on Raven will release various attributes about the authenticated user. Most of these are derived from the user's Lookup entry.

Each of these attributes has a formal name which appears in the protocol messages on the wire. When using the Shibboleth service provider software this is mapped, by the attribute-map.xml file, into a more useful id which in turn is used to make attribute values available to websites.

There are two common sets of formal names in use: one with names starting urn:mace: and one with names starting urn:oid:. In line with recommendations from the UK Access Management Federation, the Raven IdP uses urn:oid: format for SAML 2.0 responses.

Raven SAML 2.0 is intended both for University-managed websites and websites managed by external entities. The level of detail Raven SAML 2.0 releases about users differs between internal sites (those whose domain names end in .cam.ac.uk) and external sites (all other sites).

External sites are given basic information on users including an email address formatted identifier of the form [crsid]@cam.ac.uk, an opaque persistent identifier and some basic information about whether they are considered a "member" of the University. Internal sites are given a lot more information.

The attribute definitions used by Raven SAML 2.0 are derived from the eduPerson and inetOrgPerson object classes.

All service providers

Raven will release the following to any service provider registered with the Metadata application.

Name Display Name Description
urn:oid:1.3.6.1.4.1.5923.1.1.1.6 Principal name (eduPersonPrincipalName) A unique persistent user identifier which is consistent across all services. This is based on the user's CRSid and is formatted as an email address, [crsid]@cam.ac.uk.

Raven SAML 2.0 makes no guarantee that this email address has an associated mailbox and you should not assume that email set to this address will be delivered.

urn:oid:1.3.6.1.4.1.5923.1.1.1.9 Scoped affiliation (eduPersonScopedAffiliation) One or more values indicating the authenticated user's relationship with the organisation operating the IdP.

Anyone appearing in Lookup will have the member@cam.ac.uk value.

Anyone entitled to the bulk of the electronic resources licensed by the University library will have the member@eresources.lib.ac.uk value.

New values may be added over time. Unknown values should be ignored.

urn:oid:1.3.6.1.4.1.5923.1.1.1.7 Entitlement (eduPersonEntitlement) One or more values indicating particular entitlements. The only value used at the moment is urn:mace:dir:entitlement:common-lib-terms for anyone entitled to access the general University Library electronic resource collection.

New values may be added over time. Unknown values should be ignored.

urn:oid:1.3.6.1.4.1.5923.1.1.1.10 Anonymous identifier (eduPersonTargetedID) A unique persistent user identifier which is consistent for all accesses to a particular service provider by a particular user but which will be different for different users and for different services.
urn:oid:0.9.2342.19200300.100.1.3 E-mail (mail) Synthesised email address of the form [crsid]@cam.ac.uk.

Internal service providers

Raven SAML 2.0 will additionally release the following information to any internal service provider. Internal service providers are usually those being served from a .cam.ac.uk domain. Raven SAML 2.0 will only release values that have at least "University Wide" visibility in Lookup.

Danger

Much of the data in Lookup is under its subject's direct control and so should never be used for identification or authorisation purposes.

Name Display Name Description Notes
urn:oid:2.5.4.4 Surname Single-valued.
urn:oid:2.5.4.3 Common Name Registered Name. Single-valued.
urn:oid:2.16.840.1.113730.3.1.241 Display Name Single-valued. 3
urn:oid:2.5.4.12 Title Roles or job titles. Multi-valued. 3
urn:oid:2.5.4.11 Organizational unit Institutions as human-friendly names. Multi-values.
urn:oid:1.3.6.1.4.1.6822.1.1.5 Institution ID Institutions as Lookup "instid"s. Multi-valued. This is not guaranteed to be in the same order as the human-friendly names. 1
urn:oid:1.3.6.1.4.1.6822.1.1.30 Primary institution ID "Primary" institution as a Lookup "instid" according to the University's "Jackdaw" system. Single-valued. 1
urn:oid:2.5.4.20 Business phone number Contact telephone numbers. Multi-valued. 3
urn:oid:1.3.6.1.4.1.6822.1.1.11 Alternative email All contact email addresses listed in Lookup. Multi-valued. 1, 3
urn:oid:1.3.6.1.4.1.6822.1.1.38 MIS status Status within the University. Multi-valued. Possible values include staff and student.

Individuals can have both values if they appear in the University's central HR system and the University's student database.

Individuals who are employed by a University institution but are not in the University's central HR system will not have the staff value set.

New values may be added over time. Unknown values should be ignored.

1
urn:oid:1.3.6.1.4.1.6822.1.1.19 Lookup group name The names of the Lookup groups which the user is a member of. Multi-valued. The availability of this attribute is subject to both the user's choice of suppression and the group administrator's. 1
urn:oid:1.3.6.1.4.1.6822.1.1.22 Lookup group ID The Lookup "groupid"s of the groups which the user is a member of. Multi-valued. The availability of this attribute is subject to both the user's choice of suppression and the group administrator's.

This is not necessarily in the same order as the group names.

1
urn:oid:0.9.2342.19200300.100.1.1 CRSid / User ID Centrally-managed University user ID. Also known as "CRSid". Use urn:oid:1.3.6.1.4.1.5923.1.1.1.6 in preference. 2
1 A Raven SAML 2.0-only attribute. This is unlikely to be meaningful or trustworthy except when asserted by Raven SAML 2.0.
2 A standard attribute but is used by Raven SAML 2.0 for a specific local purpose. This attribute might have different meanings in other identity providers.
3 User-controlled attribute. Never use this attribute for identification or authorisation purposes.

Customisations for internal service providers

Previously the Raven SAML 2.0 administrators have customised some of these attributes for particular service providers in the University. This placed considerable load on the administrators to test that updates to Raven SAML 2.0 did not change behaviour for all the custom service providers. The Raven SAML 2.0 service will not offer custom attribute release to new service providers in future.

Attribute release policy

The UIS documents the Raven SAML 2.0 attribute release policy for external service providers.


Last update: January 7, 2021