MPG-AAI Attribute Recommendations

In general an Identity Provider could, technically, release any attribute it likes.

However, out of respect for user privacy it is strictly recommended to release exclusively those attributes that are relevant for authorization, for obvious privacy and security reasons: every attribute released is personal data the SP then holds.

An IdP is not meant as a general user data provider!
Generally Recommended Attributes

Anonymous User Identifier

Attribute: eduPersonTargetedID
ID: urn:oid:1.3.6.1.4.1.5923.1.1.1.10
Description, Purpose: an opaque user identifier: an anonymized and persistent user ID (best auto-generated)*, different for each SP ("targeted" at the service), so that two SPs cannot correlate a user by comparing values
Example: "47adb924-23f5-4647-8a29-f64e5c4gtz82c"
Scope, Target: wherever personalization is required

*We strongly advise using the (Shibboleth) IdP Stored-ID connector for this: it generates a version 4 (random) UUID ("Universally Unique Identifier") per user/SP pair and stores it, so the same value is released to that SP on every login.
See also: Wikipedia - UUID, ISO/IEC 9834-8, IETF RFC 4122, ITU-T Rec. X.667
Home Institute

Attribute: o, organization
ID: urn:oid:2.5.4.10
Description, Purpose: to identify the institute/IdP as a member of the Max Planck Society (MPG)
Example:
  • MPG
  • Max Planck Society
Scope, Target: generally to all

Attribute: ou, organizational unit
ID: urn:oid:2.5.4.11
Description, Purpose: to identify the home (hosting) institute* of the IdP; needed for access statistics and accounting
Example:
  • rzg.mpg.de*
  • Rechenzentrum Garching
Scope, Target: generally to all

*Requirement: Institute Identifier
To get proper access to publisher resources you have to provide the OU attribute including, as (one of) its value(s), the home institute's domain (e.g. rzg.mpg.de).
Roles & Privileges: Entitlement

Attribute: eduPersonEntitlement
ID: urn:oid:1.3.6.1.4.1.5923.1.1.1.7
Description, Purpose: an authoritative attribute defining access privileges, structured as a namespace*
Example:
  • "urn:mace:dir:entitlement:common-lib-terms"
  • "urn:geant:dfn.de:mpg:aai:mpgaai:sample:role"
Scope, Target: where specific authorization is required

*Namespaces should be administered in a central registry; there is the URN namespace registry of GÉANT2, where the MPG has reserved a namespace under the DFN namespace domain:

urn:geant:dfn.de:mpg
  registered MPG root namespace
urn:geant:dfn.de:mpg:aai
  proposed MPG-AAI root namespace
urn:geant:dfn.de:mpg:aai:<institute|provider>:<service|project|group>:<role>
  proposed MPG-AAI namespace syntax
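The following is an added example and not code from the MPG-AAI page or project: it shows how an SP-side application would parse eduPersonEntitlement values against the namespace syntax proposed above and make an exact-match authorization decision. The attribute values, the required role, and the `;` separator (the Shibboleth SP's default for handing multi-valued attributes to an application) are constructed/assumed for the demo.

```python
"""Added example: SP-side evaluation of eduPersonEntitlement values in the
proposed MPG-AAI namespace urn:geant:dfn.de:mpg:aai:<institute>:<service>:<role>.
Not part of the MPG-AAI page or any project's code."""

from typing import NamedTuple, Optional, List

MPG_AAI_ROOT = "urn:geant:dfn.de:mpg:aai"
COMMON_LIB_TERMS = "urn:mace:dir:entitlement:common-lib-terms"


class MpgEntitlement(NamedTuple):
    institute: str   # <institute|provider>
    service: str     # <service|project|group>
    role: str        # <role>


def parse_mpg_entitlement(value: str) -> Optional[MpgEntitlement]:
    """Return the three components if `value` follows the MPG-AAI syntax,
    otherwise None (values from other namespaces are not MPG-AAI roles)."""
    prefix = MPG_AAI_ROOT + ":"
    if not value.startswith(prefix):
        return None
    parts = value[len(prefix):].split(":")
    # Exactly three non-empty components; anything else is malformed and rejected.
    if len(parts) != 3 or any(p == "" for p in parts):
        return None
    return MpgEntitlement(*parts)


def entitlement_values(attributes: dict) -> List[str]:
    """eduPersonEntitlement is multi-valued; assumed here: the SP joins the
    values with ';' into one header/environment string (Shibboleth SP default)."""
    raw = attributes.get("entitlement", "")
    return [v for v in raw.split(";") if v]


def authorize(attributes: dict, required: MpgEntitlement) -> bool:
    """Grant access only on an exact match of all three components.
    Exact matching (not prefix matching) keeps ...:role from also satisfying
    a check for ...:role-admin, or vice versa."""
    for value in entitlement_values(attributes):
        if parse_mpg_entitlement(value) == required:
            return True
    return False


def has_common_lib_terms(attributes: dict) -> bool:
    """The fixed MACE value used by library/publisher SPs (from the page)."""
    return COMMON_LIB_TERMS in entitlement_values(attributes)


# Constructed attribute set, as an SP application might receive it for one user.
SAMPLE_USER = {
    "entitlement": ";".join([
        COMMON_LIB_TERMS,
        "urn:geant:dfn.de:mpg:aai:mpgaai:sample:role",
        "urn:geant:dfn.de:mpg:aai:mpgaai:sample",           # too short: malformed, ignored
        "urn:geant:dfn.de:other:aai:mpgaai:sample:admin",   # foreign namespace, ignored
    ]),
}
SAMPLE_REQUIRED = MpgEntitlement("mpgaai", "sample", "role")   # assumed required role

if __name__ == "__main__":
    print(authorize(SAMPLE_USER, SAMPLE_REQUIRED))
    print(authorize(SAMPLE_USER, MpgEntitlement("mpgaai", "sample", "admin")))
```

An SP should additionally only honour MPG-AAI entitlement values asserted by IdPs that are actually entitled to the MPG namespace (the federation metadata says which IdPs those are); the parser above does not replace that trust decision.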
Attribute Requirements for Selected Services

Outlined above you find the general attribute requirements. Still, there can be more or special attributes required to access certain services.

Web-IP-Proxy

As already mentioned above: to get access to publisher resources via the MPG-AAI Web-IP-Proxy an institute identifier is required, defined as:

Attribute: OU, organizational unit
Value: home institute domain
Reason: serves as institute identifier for proper IP-address mapping, i.e. to get access to the classically IP-protected publisher resources with the right "institute IP" via this proxy
IdP-Proxy

The MPG-AAI IdP-Proxy is special in two ways:

1) The proxy implication:
It acts as a proxy in front of the actual institute IdPs behind it. So for Service Providers where users log in via the IdP-Proxy (SPs of partner federations), the attributes required by such a Service Provider have to be released from the institute IdP to the IdP-Proxy, instead of to the SP directly. The SP talks only to the IdP-Proxy (as gateway to the SP in the partner federation), and never to the actual institute IdP:

Institute IdP   <=>   IdP-Proxy   <=>   Service Provider

In practice this means the attribute release policy on the institute IdP must name the IdP-Proxy as the relying party for everything a partner-federation SP needs; the SP's own entityID never appears in the requests the institute IdP sees.

2) Targeted-ID base value - "UID"
For various reasons, technical and for consistency*, the IdP-Proxy cannot just pass through the institute IdP's eduPersonTargetedID to the SP. It has to generate a new one of its own*.

Therefore it needs a base value of a user identifier from which to generate this (new) targetedID. Again for specific reasons MPG-AAI has chosen the UID attribute for this.

But don't worry (privacy!):
The provided value of this "UID" does not have to be the actual UID of the user at the institute. It just has to be unique and persistent within your institute's (IdP) namespace, and this again is quite exactly the definition of eduPersonTargetedID.

*Background: By the nature of the eduPersonTargetedID definition the value has to include an identifier of the releasing IdP (in SAML terms the NameQualifier, i.e. the IdP's entityID) to ensure overall uniqueness of the whole eduPersonTargetedID. It thus defines a namespace of that IdP's targetedIDs. Just passing the value of a backend IdP through an (IdP-)Proxy would no longer follow this definition: the proxy would be asserting an identifier qualified by another IdP's name. Moreover, the institute IdP sees only the IdP-Proxy as its relying party, so its targetedID is the same for every SP behind the proxy; only the proxy can produce a value that is really different per partner SP.

In Summary:
Attribute: UID (uid)
ID: urn:oid:0.9.2342.19200300.100.1.1
Value: a unique and persistent user ID; it does not necessarily have to be the actual UID in the institute IDM. Recommended: release the generated eduPersonTargetedID (as targeted at the IdP-Proxy) under the label "UID".
Reason: needed as base value for generating the eduPersonTargetedID within the IdP-Proxy namespace.
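The following is an added example, not code from the MPG-AAI page or from the Shibboleth project. It models both the Stored-ID connector behaviour recommended under "Anonymous User Identifier" above (a random version 4 UUID per user/SP pair, kept in a store so it stays persistent) and the IdP-Proxy flow just described: the institute IdP releases its targetedID for the proxy under the label "uid", and the proxy derives its own, per-partner-SP targetedID from it. All entityIDs are assumed placeholders; the store is an in-memory dict standing in for the IdP's database table.

```python
"""Added example: toy Stored-ID connector plus IdP-Proxy re-targeting.
Not code from the MPG-AAI page or from Shibboleth; entityIDs are assumed."""

import uuid

INSTITUTE_IDP = "https://idp.example-institute.mpg.de/idp/shibboleth"   # assumed
IDP_PROXY = "https://idp-proxy.mpg-aai.example/idp/shibboleth"          # assumed
PARTNER_SP_1 = "https://sp1.partner-federation.example/shibboleth"      # assumed
PARTNER_SP_2 = "https://sp2.partner-federation.example/shibboleth"      # assumed


class StoredIdConnector:
    """Mimics what the page says the Shibboleth Stored-ID connector does:
    one version 4 (random) UUID per (SP, user) pair, stored for persistence."""

    def __init__(self, idp_entity_id: str):
        self.idp_entity_id = idp_entity_id
        self._store = {}   # (sp_entity_id, base_value) -> opaque id; a real IdP uses a DB table

    def targeted_id(self, base_value: str, sp_entity_id: str) -> str:
        key = (sp_entity_id, base_value)
        if key not in self._store:
            self._store[key] = str(uuid.uuid4())
        return self._store[key]

    def targeted_id_string(self, base_value: str, sp_entity_id: str) -> str:
        # Shibboleth's "string form" NameQualifier!SPNameQualifier!opaque value:
        # the releasing IdP's entityID is part of the full eduPersonTargetedID.
        return "%s!%s!%s" % (self.idp_entity_id, sp_entity_id,
                             self.targeted_id(base_value, sp_entity_id))


def is_uuid4(value: str) -> bool:
    try:
        return uuid.UUID(value).version == 4
    except ValueError:
        return False


def proxy_login(institute: StoredIdConnector, proxy: StoredIdConnector,
                principal: str, sp_entity_id: str) -> dict:
    """One login of `principal` at a partner-federation SP through the IdP-Proxy."""
    # Step 1: the institute IdP sees only the proxy as relying party. It releases
    # its targetedID for the proxy under the label "uid" (the page's recommendation),
    # so the real login name never leaves the institute.
    uid_for_proxy = institute.targeted_id(principal, proxy.idp_entity_id)
    # Step 2: the proxy derives its own targetedID, in its own namespace, per SP.
    sp_targeted_id = proxy.targeted_id_string(uid_for_proxy, sp_entity_id)
    return {"uid_released_to_proxy": uid_for_proxy,
            "targeted_id_released_to_sp": sp_targeted_id}


def demo() -> dict:
    """Run the flow for one user against two partner SPs and report the properties
    the page asks for (persistent, different per SP, login name not exposed)."""
    institute = StoredIdConnector(INSTITUTE_IDP)
    proxy = StoredIdConnector(IDP_PROXY)
    first = proxy_login(institute, proxy, "jdoe", PARTNER_SP_1)
    again = proxy_login(institute, proxy, "jdoe", PARTNER_SP_1)
    other_sp = proxy_login(institute, proxy, "jdoe", PARTNER_SP_2)
    tid = first["targeted_id_released_to_sp"]
    return {
        "persistent": first == again,
        "pairwise_distinct": tid != other_sp["targeted_id_released_to_sp"],
        # The institute IdP cannot tell SP1 from SP2: it only ever sees the proxy.
        "same_uid_to_proxy": first["uid_released_to_proxy"] == other_sp["uid_released_to_proxy"],
        "uid_is_uuid4": is_uuid4(first["uid_released_to_proxy"]),
        "login_name_hidden": "jdoe" not in tid and "jdoe" not in first["uid_released_to_proxy"],
        "sp_sees_proxy_as_issuer": tid.startswith(IDP_PROXY + "!" + PARTNER_SP_1 + "!"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, ok)
```

The `same_uid_to_proxy` result is the point behind the "Background" note: whatever the institute IdP releases is already targeted at the proxy and therefore identical for every SP behind it, so a pass-through could not be pairwise, quite apart from carrying the wrong IdP name as qualifier.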
More Service Providers...

Please understand that we currently cannot maintain here all attribute requirements for every special service in the whole federation (plus partner federations).

If you have problems getting access due to attribute restrictions, please feel free to contact us (or the SP itself) to ask for the detailed attribute requirements of this service.

Service | Attribute | Expected Value | IdP-Proxy
Foodle - a doodle clone | eMail (mail), urn:oid:0.9.2342.19200300.100.1.3 | the current user's email address exclusively |