Attribute groups#
What information the service can receive about the end user is defined in the attribute groups that the service provider sets for the service in the customer portal (kunde.feide.no).
The attribute groups contain a set of attributes about the user and the organization sent from the host organization’s directory. The availability of the information depends on whether it is registered about the user in the host organization’s directory. Read about attributes and their availability in Feide documentation.
Before selecting attribute groups think about what information the service needs to know about the user and organization. Avoid requesting access to more information than the service needs to work. Some services only need to log in to ensure that there is a person associated with the education sector, while others need more to personalize the service for the user. If you find out later that the service needs more information about the user, you can add more attribute groups.
The ways in which applications can access this information differs between OpenID Connect and SAML. Read in OpenID Connect details about the relationship between SAML attributes and OpenID Connect claims and scopes.
Below is an overview of the information each attribute group contains.
Personal information#
Below are attribute groups with personal information about the user like name, user identifier, mail, mobile and preferred language.
Name (userinfo-name)#
Attribute name |
|
|---|---|
Given name |
|
Surname |
|
Legal name |
|
Display name |
|
Common name |
OpenID Connect claim name |
claim value |
|---|---|
name |
Display name |
User identifiers at organization (userid-feide)#
Attribute name |
||
|---|---|---|
Person’s previous Feide IDs at the organization |
||
Person’s Feide IDs organization |
||
User name |
||
Service specific identifier |
Only available with SAML configuration |
|
Long lived principal identifier |
Only available with SAML configuration |
OpenID Connect claim name, ID token |
claim value |
availability |
|---|---|---|
https://n.feide.no/claims/eduPersonPrincipalName |
See userinfo docs |
when logged in to a Feide host organization |
https://n.feide.no/claims/userid_sec |
See userinfo docs |
always, includes eduPersonPrincipalName only when logged in to a Feide host organization |
These are claim names. They do not refer to pages on the web
OpenID connect claim name, userinfo |
claim value |
availability |
|---|---|---|
dataporten-userid_sec (Deprecated) |
See userinfo docs |
always, includes eduPersonPrincipalName only when logged in to a Feide host organization |
https://n.feide.no/claims/userid_sec |
See userinfo docs |
always, includes eduPersonPrincipalName only when logged in to a Feide host organization |
https://n.feide.no/claims/eduPersonPrincipalName |
See userinfo docs |
when logged in to a Feide host organization |
Mail (email)#
Attribute name |
|
|---|---|
OpenID Connect claim name |
claim value |
|---|---|
Mobile (userinfo-mobile)#
Attribute name |
|
|---|---|
Mobile |
No OpenID Connect claims for this attribute group. The extended userinfo endpoint can be used.
Preferred language (userinfo-language)#
Attribute name |
|
|---|---|
Preferred language |
No OpenID Connect claims for this attribute group. The extended userinfo endpoint can be used.
Identity number (userid-nin)#
The information in this attribute group is by the general public and Feide considered as semi-sensitive information. This attribute group is only released where actual need is demonstrated.
Therefore, it can only can be added to a service by Sikt. Send an email to kontakt@sikt.no and explain why the service requires this attribute group, and why it is not enough with another user identifier available through Feide.
Attribute name |
|
|---|---|
Identity number assigned by public authorities |
OpenID Connect claim name, ID token |
claim value |
availability |
|---|---|---|
https://n.feide.no/claims/userid_sec |
See userinfo docs |
always, includes NIN only when logged in via ID-porten |
https://n.feide.no/claims/nin |
See userinfo docs |
always |
These are claim names. They do not refer to pages on the web.
OpenID connect claim name, userinfo |
claim value |
availability |
|---|---|---|
dataporten-userid_sec (Deprecated) |
See userinfo docs |
always, includes NIN only when logged in via ID-porten |
https://n.feide.no/claims/userid_sec |
See userinfo docs |
always, includes NIN only when logged in via ID-porten |
https://n.feide.no/claims/nin |
See userinfo docs |
always |
Identity assurance (userinfo-assurance)#
Attribute name |
|
|---|---|
Identity assurance |
For OpenID Connect, see acr and acr_values in the standard.
Roles, affiliations and groups#
Below are attribute groups with information about the user’s roles, affiliations and groups in their organization.
Organizational affiliations (groups-org)#
Information about the home organization, organization unit (school/department) and the person’s roles in the organization.
For OpenID Connect, see organization groups and organization unit groups in the groups API.
Attribute name |
|
|---|---|
Affiliation at home organization |
|
Primary affiliation at home organization |
|
Affiliation and institution at home organization |
|
Unique identifier of home organization |
|
List of schools |
|
Name of organization units |
|
Email address of organizational unit |
|
Organization number |
|
Realm of home organization |
|
Name of home organization |
|
Legal name of home organization |
|
Organization email address |
|
Distinguished name of organization unit |
|
Distinguished name of primary organization unit |
|
Postal address of educational unit |
|
Telephone number of organizational unit |
|
Acronym for the organizational unit |
|
Common name of home organization |
|
EduPersonOrgDN used in universities and university colleges and EduPersonOrgDN in primary and secondary schools. |
Distinguished name of home organization |
eduPersonOrgDN:norEduOrgUniqueIdentifier used in universities and university colleges and eduPersonOrgDN:norEduOrgUniqueIdentifier in primary and secondary schools. |
Unique identifier of home organization |
Telephone number of home organization |
|
Home page of home organization |
|
Acronym for the educational institution |
|
Version of norEdu specification of home organization |
Education groups (groups-edu)#
For primary, lower and upper secondary schools, this provides access to grade, basis groups, teaching groups and other groups registered in the attribute eduPersonEntitlement.
For users in higher education, this gives access to groups from the Common Student System (Felles studentsystem).
OpenID Connect service configurations can get information about education groups from the groups API. See groups for primary and secondary education and groups for higher education. The API provides a higher level view of the information in eduPersonEntitlement discussed below.
Groups in eduPersonEntitlement#
For users in primary, lower and upper secondary schools, group data is registered in the eduPersonEntitlement attribute.
These are eduPersonEntitlement values starting with urn:mace:feide.no:go:grep: and urn:mace:feide.no:go:group:.
The values starting with urn:mace:feide.no:go:grep: describe the grade, education program and program area of the
student. For primary and lower secondary school this contains the grade level. For upper secondary
school, this contains grade level, education program and program area.
More information about Grep values in Feide can be found here.
The eduPersonEntitlement values starting with urn:mace:feide.no:go:group: contain the basis groups, teaching groups
and other groups for both students and teachers in primary, lower and upper secondary schools.
Example of Group: urn:mace:feide.no:go:group:b::NO975278964:6a:2014-08-01:2015-06-15:student:Klasse%206A
More information about registration of group values in Feide can be found here.
Group entitlements from Common Student System (FS)#
This is only available to OpenID Connect service configurations.
FS is the Common Student System (Felles studentsystem). It is a study administration system developed for universities, scientific colleges and national university colleges. FS is developed by Unit – The Norwegian Directorate for ICT and Joint Services in Higher Education and Research.
Feide has an agreement with Unit for obtaining the following group information for users in higher education: subjects, classes, years and programs.
To get this access to this group data, Sikt must enable it for your service. Send a request to kontakt@sikt.no with name of the service and why the service needs information about groups from FS.
Group members’ identifiers (groups-memberids)#
Identifiers of other members of the user’s groups
This allows the service to retrieve information about teachers and students in a group, without each student having logged in beforehand.
This is only available to OpenID Connect service configurations.
To get this information in the attribute group, Sikt need to add this to the service. Send a request to kontakt@sikt.no containing the name of the service and why the service needs information about groups.
More information about receiving this information, read about the group API.
Custom prefix (userinfo-entitlement)#
Custom prefixes for the eduPersonEntitlement attribute.
Not commonly used attributes#
Other groups (groups-other)#
Ad hoc groups. They can be managed from Feide Innsyn. OpenID Connect service configurations can get information about them from the groups API.
Date of birth (userinfo-birthdate)#
Attribute name |
|
|---|---|
Date of birth |
|
Year of birth |
No OpenID Connect claims for this attribute group. The extended userinfo endpoint can be used.
Title (userinfo-title)#
Attribute name |
|
|---|---|
Title in the organization |
No OpenID Connect claims for this attribute group. The extended userinfo endpoint can be used.
Other phone number (userinfo-phone)#
Attribute name |
|
|---|---|
Telephone number |
|
Home telephone number |
No OpenID Connect claims for this attribute group. The extended userinfo endpoint can be used.
Local identity number (userid-lin)#
Attribute name |
|
|---|---|
Local identity number, i.e. student or employee number |
No OpenID Connect claims for this attribute group. The extended userinfo endpoint can be used.
ORCID researcher identifier (userid-orcid)#
Attribute name |
|
|---|---|
ORCID researcher identifier |
No OpenID Connect claims for this attribute group. The extended userinfo endpoint can be used.
Special attribute groups#
Access to information outside of the login session (system-all-users)#
This special scope allows services using the client credentials flow to fetch user/group information without a user needing to log in, commonly used for provisioning