eduPersonScopedAffiliation

A short description

Specifies the person's affiliation within a particular security domain in broad categories such as student, faculty, staff, alum, etc.

Usage

Utility class
[ Core | Standard | Extended ]
Basic applications like white pages and some authorization data.

Is attribute required?
Optional. Application selects whether it will support attribute or not.

Confidentiality
Low. Data well known from other sources.

Integrity
Medium. Values should be up to date.

Availability
Medium. If the LDAP uses this attribute, it should normally be provided for relevant objects. Authorization may fail if no value is available.

Details

Multiple values?
Multivalued

Value format
DirectoryString

Attribute origin
eduPerson

LDAP

OID
1.3.6.1.4.1.5923.1.1.1.9
Datatype
DirectoryString

eduGAIN

This attribute is planned to be used with eduGAIN. In eduGAIN this attribute will be identified as:
urn:mace:dir:attribute-def:eduPersonScopedAffiliation

The values consist of a left and right component separated by an "@" sign. The left component is one of the values from the eduPersonAffiliation controlled vocabulary. The right-hand side syntax of eduPersonScopedAffiliation intentionally matches that used for the right-hand side values for eduPersonPrincipalName since both identify a security domain.

Consumers of eduPersonScopedAffiliation will have to decide whether or not they trust values of this attribute. In the general case, the directory carrying the eduPersonScopedAffiliation is not the ultimate authoritative speaker for the truth of the assertion. Trust must be established out of band with respect to exchanges of this attribute value.

An eduPersonScopedAffiliation value of "x@y" is to be interpreted as an assertion that the person in whose entry this value occurs holds an affiliation of type "x" within the security domain "y."

Feide usage notes

The values to the right of the “@” should either be the realm part of the user's eduPersonPrincipalName, or this value prefixed with the norEduOrgUnitUniqueIdentifier to which the affiliation applies, separated by a full stop. The second example under Examples illustrates the use of a norEduOrgUnitUniqueIdentifier part for a Feide user at ntnu.no who is an employee in the unit with the (locally) unique identifier 112233.

Example applications for which this attribute would be useful:

White pages, controlling access to resources.

Examples

  • member@uninett.no

  • employee@112233.ntnu.no
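
A consumer-side check of the "x@y" format, the Feide scope forms and the trust decision described above, as an added example that is not part of the original page or Feide's own code. The asserter identifiers and the TRUSTED_SCOPES table are constructed, case-insensitive comparison is an assumption, and the affiliation list is the eduPersonAffiliation vocabulary from the eduPerson specification.

```python
# eduPersonAffiliation controlled vocabulary, per the eduPerson specification.
AFFILIATIONS = frozenset({"faculty", "student", "staff", "alum", "member",
                          "affiliate", "employee", "library-walk-in"})

# Constructed: scopes each asserting party may speak for, established out of band.
TRUSTED_SCOPES = {
    "https://idp.ntnu.example": {"ntnu.no"},
    "https://idp.uninett.example": {"uninett.no"},
}


def parse_scoped_affiliation(value):
    """Split 'x@y' into (affiliation, scope); raise ValueError if malformed."""
    left, sep, right = value.partition("@")
    if not sep or not left or not right or "@" in right:
        raise ValueError(f"not of the form x@y: {value!r}")
    # Assumption of this example: comparison is case-insensitive.
    left, right = left.lower(), right.lower()
    if left not in AFFILIATIONS:
        raise ValueError(f"affiliation not in controlled vocabulary: {left!r}")
    if "" in right.split("."):
        raise ValueError(f"empty label in scope: {right!r}")
    return left, right


def split_scope(scope, allowed_realms):
    """Return (realm, org_unit) if scope is a trusted realm or '<unit>.<realm>'."""
    if scope in allowed_realms:
        return scope, None
    for realm in sorted(allowed_realms, key=len, reverse=True):
        # Match on a label boundary so 'evilntnu.no' never passes for 'ntnu.no'.
        if scope.endswith("." + realm):
            return realm, scope[: -len(realm) - 1]
    return None


def accept(asserter, values):
    """Filter a multivalued attribute down to values the asserter may assert."""
    allowed = TRUSTED_SCOPES.get(asserter, set())
    accepted = []
    for value in values:
        try:
            affiliation, scope = parse_scoped_affiliation(value)
        except ValueError:
            continue  # malformed or unknown affiliation: drop, do not guess
        match = split_scope(scope, allowed)
        if match:
            accepted.append((affiliation,) + match)
    return accepted
```

Values that fail the check are dropped rather than repaired, so an authorization decision only ever sees affiliations in a scope the asserting party is trusted for.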