REFEDS Attribute Registry
User Identifier
FriendlyName: refedsUserID
Name: http://refeds.org/attribute/refedsUserID
A User Identifier is defined to be either a Private User Identifier or a Non-Private User Identifier.
An Identity Provider (or Attribute Authority) is said to release a User Identifier when it releases at least one of the following attributes on the wire:
eduPersonUniqueId
eduPersonPrincipalName (if non-reassigned)
eduPersonTargetedID
A Service Provider requests a User Identifier directly, as shown in the following example.
Example
Here is an example of an abstract User Identifier requested in Service Provider metadata:
<md:RequestedAttribute FriendlyName="refedsUserID" Name="http://refeds.org/attribute/refedsUserID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
Non-Private User Identifier
FriendlyName: refedsNonPrivateUserID
Name: http://refeds.org/attribute/refedsNonPrivateUserID
A Non-Private User Identifier is a persistent, non-reassigned, non-targeted identifier.
An Identity Provider (or Attribute Authority) is said to release a Non-Private User Identifier when it releases at least one of the following attributes (or attribute combinations) on the wire:
eduPersonUniqueId
eduPersonPrincipalName (if non-reassigned)
eduPersonPrincipalName + eduPersonTargetedID
A Service Provider is said to request a Non-Private User Identifier when it requests the eduPersonUniqueId attribute in metadata or a query. A Service Provider may also request a Non-Private User Identifier directly, as shown in the following example.
Example
Here is an example of an abstract Non-Private User Identifier requested in Service Provider metadata:
<md:RequestedAttribute FriendlyName="refedsNonPrivateUserID" Name="http://refeds.org/attribute/refedsNonPrivateUserID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
Private User Identifier
FriendlyName: refedsPrivateUserID
Name: http://refeds.org/attribute/refedsPrivateUserID
A Private User Identifier is a persistent, non-reassigned, targeted identifier. By definition, a Private User Identifier is synonymous with the eduPersonTargetedID attribute.
An Identity Provider (or Attribute Authority) is said to release a Private User Identifier when it releases the eduPersonTargetedID attribute on the wire. A Service Provider is said to request a Private User Identifier when it requests the eduPersonTargetedID attribute in metadata or a query. A Service Provider may also request a Private User Identifier directly, as shown in the following example.
Example
Here is an example of an abstract Private User Identifier requested in Service Provider metadata:
<md:RequestedAttribute FriendlyName="refedsPrivateUserID" Name="http://refeds.org/attribute/refedsPrivateUserID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
Person Name
FriendlyName: refedsPersonName
Name: http://refeds.org/attribute/refedsPersonName
A Person Name is a human-readable name for the person (or subject) involved in a federated transaction.
An Identity Provider (or Attribute Authority) is said to release a Person Name when it releases at least one of the following attributes (or attribute combinations) on the wire:
displayName
givenName + sn (surname)
A Service Provider is said to request a Person Name when it requests the displayName attribute in metadata or a query. A Service Provider may also request a Person Name directly, as shown in the following example.
Example
Here is an example of an abstract Person Name requested in Service Provider metadata:
<md:RequestedAttribute FriendlyName="refedsPersonName" Name="http://refeds.org/attribute/refedsPersonName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
Email Address
FriendlyName: refedsEmailAddress
Name: http://refeds.org/attribute/refedsEmailAddress
An Email Address is an electronic mail address for the person (or subject) involved in a federated transaction. By definition, an Email Address is synonymous with the mail attribute.
An Identity Provider (or Attribute Authority) is said to release an Email Address when it releases the mail attribute on the wire. A Service Provider is said to request an Email Address when it requests the mail attribute in metadata or a query. A Service Provider may also request an Email Address directly, as shown in the following example.
Example
Here is an example of an abstract Email Address requested in Service Provider metadata:
<md:RequestedAttribute FriendlyName="refedsEmailAddress" Name="http://refeds.org/attribute/refedsEmailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
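The release rules for all five abstract attributes above can be checked mechanically against what an Identity Provider actually put on the wire. The following script is an added example, not part of the REFEDS registry: it parses a constructed SAML assertion, treats only attributes carrying at least one AttributeValue as released, and maps them to the abstract attributes using the rules on this page. The urn:oid attribute Names, the eppn_reassigned flag (IdP policy that is not visible on the wire) and the sample values are assumptions of the example.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Standard urn:oid attribute Names mapped to LDAP names (assumed here; not from the registry page).
OID_TO_NAME = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.13": "eduPersonUniqueId",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "eduPersonTargetedID",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
    "urn:oid:2.5.4.42": "givenName",
    "urn:oid:2.5.4.4": "sn",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
}

# Constructed sample: the IdP releases eduPersonTargetedID, givenName, sn and mail,
# plus an empty displayName element that carries no value and so releases nothing.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}"><saml:AttributeStatement>
 <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" FriendlyName="eduPersonTargetedID"><saml:AttributeValue>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">constructed-opaque-id</saml:NameID>
 </saml:AttributeValue></saml:Attribute>
 <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
 <saml:Attribute Name="urn:oid:2.5.4.4"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
 <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>ada@example.org</saml:AttributeValue></saml:Attribute>
 <saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241" FriendlyName="displayName"/>
</saml:AttributeStatement></saml:Assertion>"""

def released_attributes(assertion_xml):
    """Names of attributes actually released on the wire, i.e. with at least one AttributeValue."""
    names = set()
    for attr in ET.fromstring(assertion_xml).iter(f"{{{SAML}}}Attribute"):
        if attr.find(f"{{{SAML}}}AttributeValue") is None:
            continue  # an Attribute element without any value releases nothing
        names.add(OID_TO_NAME.get(attr.get("Name"), attr.get("FriendlyName")))
    return names

def refeds_released(names, eppn_reassigned=False):
    """Map released attribute names to the registry's abstract attributes.
    eppn_reassigned is IdP policy, invisible on the wire: True if the IdP reuses ePPN values."""
    eppn_ok = "eduPersonPrincipalName" in names and not eppn_reassigned
    non_private = ("eduPersonUniqueId" in names or eppn_ok
                   or {"eduPersonPrincipalName", "eduPersonTargetedID"} <= names)
    private = "eduPersonTargetedID" in names
    return {
        "refedsUserID": non_private or private,
        "refedsNonPrivateUserID": non_private,
        "refedsPrivateUserID": private,
        "refedsPersonName": "displayName" in names or {"givenName", "sn"} <= names,
        "refedsEmailAddress": "mail" in names,
    }
```

For the sample assertion the IdP releases a Private User Identifier, a Person Name and an Email Address but no Non-Private User Identifier; the empty displayName element is ignored because nothing was released.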