Extended Attribute Model

With the classic attribute model a service can get one part of an edu-ID identity at a time. There may be cases where a service requires attributes from multiple home organizations simultaneously. In such cases, a service can be configured for the edu-ID only extended attribute model.

In the extended attribute model a service can potentially get a SAML assertion for attributes in the bold red boxes in the diagram below:

  • attributes from the personal part of the identity
  • some attributes from linked current affiliations:
    • the list of organizational unique-IDs (swissEduIDLinkedAffiliationUniqueID)
    • the list of organizational email addresses (swissEduIDLinkedAffiliationMail)
    • the list of organizational scoped-affiliations (swissEduIDLinkedAffiliation)
  • group membership information

Getting more attributes via backchannel

If a service needs access to more attributes from current affiliations (the red dashed boxes in the diagram), the procedure is as follows:

  • from the list of organizational unique-IDs (swissEduIDLinkedAffiliationUniqueID) the service extracts the individual unique-IDs
  • for each organizational unique-ID the service requests the attributes of the associated current affiliation by issuing a GET request on the affiliation API
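The two steps above, as an added example that is not SWITCH's own code: it pulls the individual unique-IDs out of the multi-valued swissEduIDLinkedAffiliationUniqueID attribute of a SAML assertion and issues one GET per unique-ID, gated on the user consent the service itself must obtain (see the usage policy below). The sample assertion, the affiliation API base URL `https://affiliation-api.example/affiliations`, matching the attribute by its friendly name, and the injected `get` callable are assumptions.

```python
"""Added example (not the edu-ID project's own code): extract the linked
affiliation unique-IDs from an extended-attribute-model SAML assertion and
fetch each affiliation over the backchannel. API URL and response shape are
assumptions; `get(url)` is injected so the example runs offline."""
import xml.etree.ElementTree as ET
from urllib.parse import quote

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNIQUE_ID_ATTR = "swissEduIDLinkedAffiliationUniqueID"

# Constructed sample: one identity with two linked current affiliations.
SAMPLE_ASSERTION = """<saml:Assertion
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="swissEduIDLinkedAffiliationUniqueID">
      <saml:AttributeValue>123456@uni-a.example</saml:AttributeValue>
      <saml:AttributeValue>987654@uni-b.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="swissEduIDLinkedAffiliationMail">
      <saml:AttributeValue>jane@uni-a.example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(assertion_xml, name):
    """All AttributeValue texts of the attribute called `name`.
    Matching on Name or FriendlyName is an assumption about the IdP."""
    root = ET.fromstring(assertion_xml)
    out = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if name in (attr.get("Name"), attr.get("FriendlyName")):
            for v in attr.findall("saml:AttributeValue", SAML_NS):
                if v.text and v.text.strip():
                    out.append(v.text.strip())
    return out


def linked_unique_ids(assertion_xml):
    """Step 1: the individual organizational unique-IDs."""
    return attribute_values(assertion_xml, UNIQUE_ID_ATTR)


def fetch_affiliations(assertion_xml, get, base_url, user_consented):
    """Step 2: one GET per unique-ID. The IdP cannot ask for consent on a
    backchannel call, so the service must have obtained it beforehand."""
    if not user_consented:
        raise PermissionError("user consent required before backchannel access")
    results = {}
    for uid in linked_unique_ids(assertion_xml):
        url = f"{base_url}/{quote(uid, safe='')}"  # path-encode the ID
        results[uid] = get(url)
    return results
```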

Currently, accessing the attributes in former affiliations is not supported.

Usage policy for services

The service must comply with additional legal conditions.

Backchannel attribute requests may take place out-of-band without user interaction, and the IdP can't ask for a user's consent before sending attributes to the service. Therefore the service is responsible for asking the user's consent to access personal attributes.