REFEDS Attribute Registry

User Identifier

FriendlyName: refedsUserID
Name: http://refeds.org/attribute/refedsUserID

An Identity Provider (or Attribute Authority) is said to release a User Identifier when it releases at least one of the following attributes on the wire:

  1. eduPersonTargetedID

  2. eduPersonUniqueId

  3. eduPersonPrincipalName (if non-reassigned)

A Service Provider is said to request a User Identifier when it requests the abstract attribute directly, as shown in the following example.

Example

Here is an example of an abstract User Identifier requested in Service Provider metadata:

<md:RequestedAttribute FriendlyName="refedsUserID"
   Name="http://refeds.org/attribute/refedsUserID"
   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>

Non-Private User Identifier

FriendlyName: refedsNonPrivateUserID
Name: http://refeds.org/attribute/refedsNonPrivateUserID

A Non-Private User Identifier is a persistent, non-reassigned, non-targeted identifier.

An Identity Provider (or Attribute Authority) is said to release a Non-Private User Identifier when it releases at least one of the following attributes (or attribute combinations) on the wire:

  1. eduPersonUniqueId

  2. eduPersonPrincipalName (if non-reassigned)

  3. eduPersonPrincipalName + eduPersonTargetedID

A Service Provider is said to request a Non-Private User Identifier when it requests the eduPersonUniqueId attribute in metadata or a query. Alternatively, a Service Provider may request a Non-Private User Identifier directly, as shown in the following example.

Example

Here is an example of an abstract Non-Private User Identifier requested in Service Provider metadata:

<md:RequestedAttribute FriendlyName="refedsNonPrivateUserID"
   Name="http://refeds.org/attribute/refedsNonPrivateUserID"
   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>

Person Name

FriendlyName: refedsPersonName
Name: http://refeds.org/attribute/refedsPersonName

A Person Name is a human-readable name for the person (or subject) involved in a federated transaction.

An Identity Provider (or Attribute Authority) is said to release a Person Name when it releases at least one of the following attributes (or attribute combinations) on the wire:

  1. displayName

  2. givenName + sn (surname)

A Service Provider is said to request a Person Name when it requests the displayName attribute in metadata or a query. Alternatively, a Service Provider may request a Person Name directly, as shown in the following example.

Example

Here is an example of an abstract Person Name requested in Service Provider metadata:

<md:RequestedAttribute FriendlyName="refedsPersonName"
   Name="http://refeds.org/attribute/refedsPersonName"
   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>

Email Address

FriendlyName: refedsEmailAddress
Name: http://refeds.org/attribute/refedsEmailAddress

An Email Address is an electronic mail address for the person (or subject) involved in a federated transaction. By definition, an Email Address is synonymous with the mail attribute.

An Identity Provider (or Attribute Authority) is said to release an Email Address when it releases the mail attribute on the wire. A Service Provider is said to request an Email Address when it requests the mail attribute in metadata or a query. Alternatively, a Service Provider may request an Email Address directly, as shown in the following example.

Example

Here is an example of an abstract Email Address requested in Service Provider metadata:

<md:RequestedAttribute FriendlyName="refedsEmailAddress"
   Name="http://refeds.org/attribute/refedsEmailAddress"
   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
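The four registry entries above share one pattern: an abstract attribute is released when any one of its listed alternatives is fully present on the wire, and it is requested either directly by its REFEDS Name or, for three of the four, by requesting the equivalent concrete attribute. The following Python script is an added example written for this page, not REFEDS code: it encodes the release rules of all four entries, reads the RequestedAttribute elements from an SP's metadata, and reports which abstract attributes the SP asked for that a given release set does not satisfy. It matches concrete attributes by their standard urn:oid Names (falling back to FriendlyName), treats the "non-reassigned" condition on eduPersonPrincipalName as a flag the deployer supplies since a SAML message does not carry it, and the SP metadata fragment it parses is constructed for the example.

```python
"""Evaluate REFEDS abstract attributes (User Identifier, Non-Private User
Identifier, Person Name, Email Address) against the concrete attributes an
IdP releases, and read which abstract attributes an SP requests in metadata.
Added example, not REFEDS code; the sample metadata below is constructed."""
import xml.etree.ElementTree as ET

REFEDS = "http://refeds.org/attribute/"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Release rules from the registry: an abstract attribute is released when every
# attribute of at least one alternative is on the wire.  The bool marks the
# alternatives that count only if the IdP's eduPersonPrincipalName is
# non-reassigned, a deployment property not visible in the message itself.
RELEASE_RULES = {
    "refedsUserID": [
        (frozenset({"eduPersonTargetedID"}), False),
        (frozenset({"eduPersonUniqueId"}), False),
        (frozenset({"eduPersonPrincipalName"}), True),
    ],
    "refedsNonPrivateUserID": [
        (frozenset({"eduPersonUniqueId"}), False),
        (frozenset({"eduPersonPrincipalName"}), True),
        (frozenset({"eduPersonPrincipalName", "eduPersonTargetedID"}), False),
    ],
    "refedsPersonName": [
        (frozenset({"displayName"}), False),
        (frozenset({"givenName", "sn"}), False),
    ],
    "refedsEmailAddress": [(frozenset({"mail"}), False)],
}

# Requesting these concrete attributes implies the abstract one; the registry
# names no concrete stand-in for the plain User Identifier.
CONCRETE_REQUEST_IMPLIES = {
    "eduPersonUniqueId": "refedsNonPrivateUserID",
    "displayName": "refedsPersonName",
    "mail": "refedsEmailAddress",
}

# Standard urn:oid Names of those concrete attributes, so matching does not
# depend on the optional FriendlyName in metadata.
OID_TO_FRIENDLY = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.13": "eduPersonUniqueId",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
}


def released_abstract_attributes(released, eppn_non_reassigned=False):
    """Abstract attributes an IdP has released, given the FriendlyNames of
    the concrete attributes on the wire."""
    on_wire = set(released)
    result = set()
    for abstract, alternatives in RELEASE_RULES.items():
        for needed, needs_stable_eppn in alternatives:
            if needed <= on_wire and (eppn_non_reassigned or not needs_stable_eppn):
                result.add(abstract)
                break
    return result


def requested_abstract_attributes(sp_metadata_xml):
    """Abstract attributes an SP requests, directly by REFEDS Name or via a
    concrete attribute the registry treats as equivalent."""
    root = ET.fromstring(sp_metadata_xml)
    requested = set()
    for ra in root.iter("{%s}RequestedAttribute" % MD_NS):
        name = ra.get("Name", "")
        friendly = OID_TO_FRIENDLY.get(name, ra.get("FriendlyName", ""))
        if name.startswith(REFEDS) and name[len(REFEDS):] in RELEASE_RULES:
            requested.add(name[len(REFEDS):])
        elif friendly in CONCRETE_REQUEST_IMPLIES:
            requested.add(CONCRETE_REQUEST_IMPLIES[friendly])
    return requested


def unmet_requests(sp_metadata_xml, released, eppn_non_reassigned=False):
    """Abstract attributes the SP asked for that the release set does not satisfy."""
    return (requested_abstract_attributes(sp_metadata_xml)
            - released_abstract_attributes(released, eppn_non_reassigned))


# Constructed SP metadata: one direct REFEDS request, one concrete request by
# urn:oid Name without a FriendlyName, and one attribute outside the registry.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="%s" entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example Service</md:ServiceName>
      <md:RequestedAttribute FriendlyName="refedsNonPrivateUserID"
         Name="http://refeds.org/attribute/refedsNonPrivateUserID"
         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3"
         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
      <md:RequestedAttribute FriendlyName="eduPersonAffiliation"
         Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""" % MD_NS

if __name__ == "__main__":
    print("SP requests:", sorted(requested_abstract_attributes(SAMPLE_SP_METADATA)))
    # An IdP releasing only a targeted ID and mail meets the Email Address
    # request but not the Non-Private User Identifier.
    print("unmet:", sorted(unmet_requests(SAMPLE_SP_METADATA, {"eduPersonTargetedID", "mail"})))
```

The distinction the checker preserves is the one the registry draws: eduPersonTargetedID alone yields a User Identifier but never a Non-Private one, so an IdP running this against an SP's metadata can see whether a targeted, per-SP identifier is enough or whether the SP has explicitly asked for a correlatable identifier. Likewise, because displayName alone satisfies Person Name, the IdP need not release givenName and sn in addition when the SP requested only refedsPersonName.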