Attribute Profile

There are no mandatory attributes in SWAMID. Instead attributes are set on a case-by-case basis from the following schemas:

The most common attribute that are used today are listed below. SWAMID provides several mechanisms for making attribute-release scalable, including the use of entity categories. Please note that the correctness of released attributes is dependent on the user's level of assurance.

Apart from the attributes listed below, IdPs are often able to produce other attributes. Contact SWAMID operations and/or the IdP administrator. Note that custom attributes are often a significant obstacle to large-scale deployment.

Identity Provider administrators are encouraged to review the SAML WebSSO Identity Provider Best Current Practice and use 4.1 Entity Categories for Service Providers to release attributes. These recommendations include several provisions for increased interoperability around attributes.

Names

  • givenName
  • sn
  • displayName

Applications are not consistent in their choice of attribute for names and IdPs should release all of these attributes or none of them as the case may be.

Contact information

  • mail

Identifiers

  • eduPersonPersistentID (eptid)
  • eduPersonPrincipalName (eppn)

EU data-protection makes no distinction between eptid and eppn because eptid is traceable through the IdP it still constitutes PII. The use of eptid vs eppn is mainly a question of risk management. Note that eptid is actually not an attribute as such but often represented as then SAML persistent NameID.

Level of Assurance

SWAMID has two defined levels of assurance, SWAMID AL1 (http://www.swamid.se/policy/assurance/al1) and SWAMID AL2 (http://www.swamid.se/policy/assurance/al2).

All by SWAMID approved assurance levels for an Identity Provider are defined in the SAML metadata as a SAML extended attribute urn:oasis:names:tc:SAML:attribute:assurance-certification. The Identity Provider uses the attribute eduPersonAssurance to define the logged in user's assurance level. Please observe that the Identity Provider shall not indicate any other assurance level than it's approved for.

A member organisation can be approved by SWAMID to assert users at

  • SWAMID AL1 and SWAMID AL2,
  • SWAMID AL1 only or
  • none of them.

A claim at SWAMID Identity Assurance Level 1 (SWAMID AL1) implies roughly the following:

  • The user is probably affiliated with the SWAMID member.
  • The user is very likely a human and not a robot or piece of software.
  • The user is most likely identified by a unique permanent user identifier.
  • Attributes/information released may be self-asserted.

A claim at SWAMID Identity Assurance Level 2 (SWAMID AL2) implies roughly the following:

  • The user is affiliated with the SWAMID member.
  • The user is an identified and confirmed individual.
  • The user is identified by a unique permanent user identifier.
  • The SWAMID member is responsible for the attributes/information released.

 

Affiliation

  • eduPersonScopedAffiliation
  • eduPersonScopedPrimaryAffiliation

See Rätt semantik för eduPersonScopedAffiliation and the eduPerson schema for details about the contents of these attributes.

Roles, Groups and Entitlement

  • eduPersonEntitlement

This multivalued attribute contains a list of URI identifiers (both URNs and URLs are commonly used for this) that indicate that the user in question has a certain entitlement described by the value. Note that this attribute is often generated per SP so that two SPs will often see different list of entitlements (although there is not requirement that this be the case). Entitlement values need to be defined in some way and may require implementation on the IdP.

Organisational (non-personal information)

  • o
  • c
  • co
  • norEduOrgAcronym
  • schacHomeOrganization
  • schacHomeOrganizationType

See Rekommenderad release av statisk organisationsinformation for information about how to configure a IdP for these static attributes.

Swedish Personal Information

  • norEduPersonNIN

Swedish National Identiy Numbers are considered sensitive information and are normally not released except to certain government agencies.

See Svenska personnummer och norEduPersonNIN for information about how to configure an IdP for norEduPersonNIN.