SWITCH edu-ID identities are capable of representing a comprehensive set of user information. The illustration below shows an example set of attributes that could be represented for an indiviual in her edu-ID identity. It consists of the following parts:
The personal part of an edu-ID identity (mandatory): It contains at least the first name, last name and an email address which are provided by the individual. The edu-ID system automatically adds some identifiers and metadata.
A current affiliation is added to an edu-ID identity when the individual becomes a member of an organization, commonly as a student or staff member. As an individual may be affiliated with more than one organization at a time - e.g. a student at one organization and staff at another - an edu-ID identity may contain multiple current affiliations (0, 1 or more). Current affiliations are created and managed by organizations.
When an individual leaves the organization the respective current affiliation is transformed into a former affiliation with a reduced set of attributes. The former affiliations thus form the affiliation history of an individual.
Some services may require group membership information to grant a person access to specific resources. An edu-ID identity is capable of representing group memberships in the entitlement attribute.
The SWITCH edu-ID IdP supports two basic methods how attribute information can be made available to services.
The classic attribute model is fully compatible with services that were built to work with individual organizational IdPs in the pre-edu-ID era. It is the standad model for most use cases.
The extended attribute model is capable of providing a comprehensive set of attributes to services. A service can use this model on request. Additional legal conditions must be complied with by the service.
Attribute Model Support in SWITCH edu-ID
The OIDC implementation in edu-ID supports the classic attribute model only for the personal part of the edu-ID identity (edu-ID only configuration)