AAI Attributes

The document AAI Attribute Specification is the reference for attributes within SWITCHaai. Administrators of IdPs and SPs should be familiar with this document.

Recent changes to the document

Implementing the changes on the IdP and SP

Service Provider administrators should check the "Attribute Release Matrix" on the AAI Resource Registry (requires authentication with an account in the SWITCHaai federation).

Core attributes: attributes that home organizations must implement

Unique ID (swissEduPersonUniqueID)
Description: A unique, opaque (non-transparent) identifier for a person, mainly for inter-institutional user identification on personalized services
Example values:
845938727494@ethz.ch
e2d8e08-248b-11dc-8314-0800200c9a66@uzh.ch
Transparent identifiers such as the following are not allowed:
hans.p.muster@ethz.ch
student-S01333444@uzh.ch
Targeted ID (eduPersonTargetedID)
Description: A persistent, non-reassigned, privacy-preserving identifier for a principal shared between a pair of coordinating entities, denoted by the SAML 2 architectural overview as identity provider and service provider (or a group of service providers). An identity provider uses the appropriate value of this attribute when communicating with a particular service provider or group of service providers, and does not reveal that value to any other service provider except in limited circumstances.
Example values:
09ccc15e-7315-4871-83ce-45b078410ed9
See also: Using the persistent ID as a user identifier attribute
Surname (surname)
Description: Surname or family name
Example values:
Meier-Müller
Bauchière
von Roten
Given name (givenName)
Description: Given name of a person
Example values:
Hans-Peter
Hans Jürg
René
E-mail address (mail)
Description: Preferred address for the "To:" field of e-mail to be sent to this person
Example values:
peter.meier@uzh.ch
dumbledore@hsww.wiz
Home organization (swissEduPersonHomeOrganization)
Description: Domain name of a home organization
Example values:
unil.ch
ethz.ch
library.ethz.ch
Home organization type (swissEduPersonHomeOrganizationType)
Description: Type of a home organization
Example values:
university
vho
hospital
Affiliation (eduPersonAffiliation)
Description: Multi-valued type of affiliation. Users with the value student, staff or faculty set should also have the value member.
Example values:
student
staff
faculty
affiliate

Other attributes: optional for home organizations to implement

User ID (uid)
Description: A unique identifier for a person, mainly used for user identification within the user's home organization
Example values:
pmuster
stud_05999123
Matriculation number (swissEduPersonMatriculationNumber)
Description: Matriculation number of a student
Example values:
04911506
72836596
Employee number (employeeNumber)
Description: Identifies an employee within an organization
Example values:
400345
74622225
Card UID (swissEduPersonCardUID)
Description: Card unique identifier
Example values:
E002219C5298303B@ISO15693
0298450109348@unil.ch
Nick name (eduPersonNickname)
Description: Person's nickname, or the informal name by which they are accustomed to be hailed
Example values:
Spike
Date of birth (swissEduPersonDateOfBirth)
Description: The date of birth of the person
Example values:
19871022
20021010
Gender (swissEduPersonGender)
Description: The state of being male or female
Example values:
1
9
Home postal address (homePostalAddress)
Description: Home address of the user
Example values:
Bernerstrasse 45$CH-8048 Zürich
ch. des Vignes 59$CH-1260 Nyon
Business postal address (postalAddress)
Description: Campus or office address
Example values:
ETH Zentrum$CH-8092 Zürich
Quartier UNIL-Sorge$Bâtiment Amphimax$CH-1015 Lausanne
Business phone number (telephoneNumber)
Description: Office/campus phone number
Example values:
+41 44 345 6789
+44 71 123 4567
Mobile phone number (mobile)
Description: Mobile phone number
Example values:
+41 79 345 6789
+44 71 123 4567
Scoped affiliation (eduPersonScopedAffiliation)
Description: Specifies the person's affiliation within a particular security domain in broad categories such as student, faculty, staff, alum, etc. The values consist of a left and a right component separated by an "@" sign. The left component is one of the values from the eduPersonAffiliation controlled vocabulary. The right-hand side syntax of eduPersonScopedAffiliation intentionally matches that used for the right-hand side values of eduPersonPrincipalName, since both identify a security domain. Multiple "@" signs are not recommended, but in any case the first occurrence of the "@" sign starting from the left is to be taken as the delimiter between the components. Thus, the user identifier (here the affiliation value) is to the left and the security domain to the right of the first "@". This parsing rule conforms to the POSIX "greedy" disambiguation method in regular expression processing.
Example values:
faculty@cs.berkeley.edu
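The "first @ is the delimiter" parsing rule above (the same rule the specification gives for eduPersonPrincipalName) and the rule from the Affiliation entry that student, staff and faculty imply member, as an added Python example; this is not SWITCH code, and its vocabulary set is limited to the affiliation values this page names.

```python
from typing import NamedTuple

# Vocabulary of eduPersonAffiliation as far as this page names it (the full
# eduPerson list is longer); comparisons below are case-insensitive.
AFFILIATION_VOCABULARY = frozenset({"student", "staff", "faculty", "affiliate", "member", "alum"})
# Values that, per the Affiliation entry on this page, imply the value "member".
IMPLIES_MEMBER = frozenset({"student", "staff", "faculty"})


class Scoped(NamedTuple):
    left: str   # affiliation value (or, for eduPersonPrincipalName, the NetID)
    scope: str  # security domain


def split_scoped(value: str) -> Scoped:
    """Split at the FIRST '@' from the left, as prescribed for
    eduPersonScopedAffiliation and eduPersonPrincipalName. Any further '@'
    stays inside the scope, which is why multiple '@' signs are discouraged."""
    left, sep, scope = value.partition("@")
    if not sep or not left or not scope:
        raise ValueError(f"not of the form left@scope: {value!r}")
    return Scoped(left, scope)


def parse_scoped_affiliation(value: str) -> Scoped:
    """Validate one eduPersonScopedAffiliation value: the left component must be
    a known affiliation; both components are normalised to lowercase here."""
    left, scope = split_scoped(value)
    if left.lower() not in AFFILIATION_VOCABULARY:
        raise ValueError(f"unknown affiliation {left!r} in {value!r}")
    return Scoped(left.lower(), scope.lower())


def is_valid_scoped_affiliation(value: str) -> bool:
    """Boolean form of parse_scoped_affiliation, for filtering a release."""
    try:
        parse_scoped_affiliation(value)
        return True
    except ValueError:
        return False


def affiliation_problems(values) -> list:
    """Consistency check of a multi-valued eduPersonAffiliation set: reports
    unknown values and a missing 'member' when student/staff/faculty is set."""
    vals = {v.lower() for v in values}
    problems = [f"unknown value {v!r}" for v in sorted(vals - AFFILIATION_VOCABULARY)]
    if vals & IMPLIES_MEMBER and "member" not in vals:
        problems.append("student/staff/faculty set but 'member' missing")
    return problems
```

An SP can run these checks on received attribute values before using them for authorization; an IdP can run them on its release to catch inconsistent affiliation sets.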
Study branch 1 (swissEduPersonStudyBranch1)
Description: Study branch of a student, first level of classification
Example values:
4
6
The study branch page provides detailed information.
Study branch 2 (swissEduPersonStudyBranch2)
Description: Study branch of a student, intermediate level of classification
Example values:
42
62
The study branch page provides detailed information.
Organization path (eduPersonOrgDN)
Description: The distinguished name (DN) of the directory entry representing the organization with which the person is associated
Example values:
o=Universite de Lausanne,c=CH
o=Hogwarts,dc=hsww,dc=wiz
Organizational unit path (eduPersonOrgUnitDN)
Description: The distinguished name (DN) of the directory entries representing the person's Organizational Unit(s)
Example values:
ou=Faculte des sciences,o=Universite de Lausanne,c=CH
ou=Potions,o=Hogwarts,dc=hsww,dc=wiz
Primary organizational unit (eduPersonPrimaryOrgUnitDN)
Description: The distinguished name (DN) of the directory entry representing the person's primary Organizational Unit
Example values:
ou=Music Department,o=Notre Dame,dc=nd,dc=edu
Entitlement (eduPersonEntitlement)
Description: URI (either URL or URN) that indicates a set of rights to specific resources
Example values:
http://unil.ch/resources/biblio92
urn:mace:dir:entitlement:common-lib-terms
Assurance level (eduPersonAssurance)
Description: Set of URIs that assert compliance with specific standards for identity assurance
Example values:
urn:mace:incommon:IAQ:sample
http://idm.example.org/LOA#sample
Preferred language (preferredLanguage)
Description: Preferred language of a user
Example values:
en
de-ch
it
fr-ch
Private phone number (homePhone)
Description: Private phone number
Example values:
+41 44 345 6789
+44 71 123 4567
Study branch 3 (swissEduPersonStudyBranch3)
Description: Study branch of a student, most detailed level of classification
Example values:
4700
7450
The study branch page provides detailed information.
Study level (swissEduPersonStudyLevel)
Description: Study level of a student in a particular study branch
Example values:
4700-15
7450-20
Staff category (swissEduPersonStaffCategory)
Description: Work branch of a staff member
Example values:
101
305

Deprecated attributes: their use is not recommended

Principal name (eduPersonPrincipalName)
Description: The "NetID" of the person for the purposes of inter-institutional authentication. It should be represented in the form "user@scope", where scope defines a local security domain. Multiple "@" signs are not recommended, but in any case the first occurrence of the "@" sign starting from the left is to be taken as the delimiter between the components. Thus, the user identifier is to the left and the security domain to the right of the first "@". This parsing rule conforms to the POSIX "greedy" disambiguation method in regular expression processing. When the scope is a registered domain name, the corresponding registrant organization is to be taken as the scope. For example, francis@trinity.edu would imply that the identity behind the ePPN has the "NetID" "francis" at the institution of higher education that registered itself with the domain name "trinity.edu". If other value styles are used, their semantics will have to be profiled by the parties involved. Each value of scope defines a namespace within which the assigned principal names are unique. Given this rule, no pair of eduPersonPrincipalName values should clash. If they are the same, they refer to the same principal within the same administrative domain.
Example values:
hputter@hsww.wiz
The use of this attribute is not recommended unless federation partners require it. Use surname / givenName for personalization and Unique ID or Targeted ID to uniquely identify the user.
Primary affiliation (eduPersonPrimaryAffiliation)
Description: Specifies the person's PRIMARY relationship to the institution in broad categories such as student, faculty, staff, alum, etc.
Example values:
student
The use of this attribute is not recommended. Use affiliation instead.