Attribute groups#

What information the service can receive about the end user is defined in the attribute groups that the service provider sets for the service in the customer portal (kunde.feide.no).

The attribute groups contain a set of attributes about the user and the organization sent from the host organization’s directory. The availability of the information depends on whether it is registered about the user in the host organization’s directory. Read about attributes and their availability in Feide documentation.

Before selecting attribute groups think about what information the service needs to know about the user and organization. Avoid requesting access to more information than the service needs to work. Some services only need to log in to ensure that there is a person associated with the education sector, while others need more to personalize the service for the user. If you find out later that the service needs more information about the user, you can add more attribute groups.

The ways in which applications can access this information differs between OpenID Connect and SAML. Read in OpenID Connect details about the relationship between SAML attributes and OpenID Connect claims and scopes.

Below is an overview of the information each attribute group contains.

Personal information#

Below are attribute groups with personal information about the user like name, user identifier, mail, mobile and preferred language.

Name (userinfo-name)#

Attribute name

givenName

Given name

sn

Surname

norEduPersonLegalName

Legal name

displayName

Display name

cn

Common name

OpenID Connect claim name

claim value

name

Display name

User identifiers at organization (userid-feide)#

Attribute name

eduPersonPrincipalNamePrior

Person’s previous Feide IDs at the organization

eduPersonPrincipalName

Person’s Feide IDs organization

uid

User name

eduPersonTargetedID

Service specific identifier

Only available with SAML configuration

eduPersonUniqueId

Long lived principal identifier

Only available with SAML configuration

OpenID Connect claim name, ID token

claim value

availability

https://n.feide.no/claims/eduPersonPrincipalName

See userinfo docs

when logged in to a Feide host organization

https://n.feide.no/claims/userid_sec

See userinfo docs

always, includes eduPersonPrincipalName only when logged in to a Feide host organization

These are claim names. They do not refer to pages on the web

OpenID connect claim name, userinfo

claim value

availability

dataporten-userid_sec (Deprecated)

See userinfo docs

always, includes eduPersonPrincipalName only when logged in to a Feide host organization

https://n.feide.no/claims/userid_sec

See userinfo docs

always, includes eduPersonPrincipalName only when logged in to a Feide host organization

https://n.feide.no/claims/eduPersonPrincipalName

See userinfo docs

when logged in to a Feide host organization

Mail (email)#

Attribute name

mail

Email

OpenID Connect claim name

claim value

email

Email

Mobile (userinfo-mobile)#

Attribute name

mobile

Mobile

No OpenID Connect claims for this attribute group. The extended userinfo endpoint can be used.

Preferred language (userinfo-language)#

Attribute name

preferredLanguage

Preferred language

No OpenID Connect claims for this attribute group. The extended userinfo endpoint can be used.

Identity number (userid-nin)#

The information in this attribute group is by the general public and Feide considered as semi-sensitive information. This attribute group is only released where actual need is demonstrated.

Therefore, it can only can be added to a service by Sikt. Send an email to kontakt@sikt.no and explain why the service requires this attribute group, and why it is not enough with another user identifier available through Feide.

Attribute name

norEduPersonNIN

Identity number assigned by public authorities

OpenID Connect claim name, ID token

claim value

availability

https://n.feide.no/claims/userid_sec

See userinfo docs

always, includes NIN only when logged in via ID-porten

https://n.feide.no/claims/nin

See userinfo docs

always

These are claim names. They do not refer to pages on the web.

OpenID connect claim name, userinfo

claim value

availability

dataporten-userid_sec (Deprecated)

See userinfo docs

always, includes NIN only when logged in via ID-porten

https://n.feide.no/claims/userid_sec

See userinfo docs

always, includes NIN only when logged in via ID-porten

https://n.feide.no/claims/nin

See userinfo docs

always

Identity assurance (userinfo-assurance)#

Attribute name

eduPersonAssurance

Identity assurance

For OpenID Connect, see acr and acr_values in the standard.

Roles, affiliations and groups#

Below are attribute groups with information about the user’s roles, affiliations and groups in their organization.

Organizational affiliations (groups-org)#

Information about the home organization, organization unit (school/department) and the person’s roles in the organization.

This attribute group gives access to the following group types in the OpenID Connect groups API:

Attribute name

eduPersonAffiliation

Affiliation at home organization

eduPersonPrimaryAffiliation

Primary affiliation at home organization

eduPersonScopedAffiliation

Affiliation and institution at home organization

eduPersonOrgUnitDN:norEduOrgUnitUniqueIdentifier

Unique identifier of home organization

feideSchoolList

List of schools

eduPersonOrgUnitDN:ou

Name of organization units

eduPersonOrgUnitDN:mail

Email address of organizational unit

eduPersonOrgDN:norEduOrgNIN

Organization number

schacHomeOrganization

Realm of home organization

eduPersonOrgDN:o

Name of home organization

eduPersonOrgDN:eduOrgLegalName

Legal name of home organization

eduPersonOrgDN:mail

Organization email address

eduPersonOrgUnitDN

Distinguished name of organization unit

eduPersonPrimaryOrgUnitDN

Distinguished name of primary organization unit

eduPersonOrgUnitDN:postalAddress

Postal address of educational unit

eduPersonOrgUnitDN:telephoneNumber

Telephone number of organizational unit

eduPersonOrgUnitDN:norEduOrgAcronym

Acronym for the organizational unit

eduPersonOrgDN:cn

Common name of home organization

EduPersonOrgDN used in universities and university colleges and EduPersonOrgDN in primary and secondary schools.

Distinguished name of home organization

eduPersonOrgDN:norEduOrgUniqueIdentifier used in universities and university colleges and eduPersonOrgDN:norEduOrgUniqueIdentifier in primary and secondary schools.

Unique identifier of home organization

eduPersonOrgDN:telephoneNumber

Telephone number of home organization

eduPersonOrgDN:eduOrgHomePageURI

Home page of home organization

eduPersonOrgDN:norEduOrgAcronym

Acronym for the educational institution

eduPersonOrgDN:norEduOrgSchemaVersion

Version of norEdu specification of home organization

Education groups (groups-edu)#

For primary, lower and upper secondary schools, this provides access to grade, basis groups, teaching groups and other groups registered in the attribute eduPersonEntitlement.

For users in higher education, this gives access to groups from the Common Student System (Felles studentsystem).

This attribute group gives access to the following group types in the OpenID Connect groups API:

Groups in eduPersonEntitlement#

For users in primary, lower and upper secondary schools, group data is registered in the eduPersonEntitlement attribute.

These are eduPersonEntitlement values starting with urn:mace:feide.no:go:grep: and urn:mace:feide.no:go:group:.

The values starting with urn:mace:feide.no:go:grep: describe the grade, education program and program area of the student. For primary and lower secondary school this contains the grade level. For upper secondary school, this contains grade level, education program and program area.

More information about Grep values in Feide can be found here.

The eduPersonEntitlement values starting with urn:mace:feide.no:go:group: contain the basis groups, teaching groups and other groups for both students and teachers in primary, lower and upper secondary schools.

Example of Group: urn:mace:feide.no:go:group:b::NO975278964:6a:2014-08-01:2015-06-15:student:Klasse%206A

More information about registration of group values in Feide can be found here.

Group entitlements from Common Student System (FS)#

This is only available to OpenID Connect service configurations.

FS is the Common Student System (Felles studentsystem). It is a study administration system developed for universities, scientific colleges and national university colleges. FS is developed by Unit – The Norwegian Directorate for ICT and Joint Services in Higher Education and Research.

Feide has an agreement with Unit for obtaining the following group information for users in higher education: subjects, classes, years and programs.

To get this access to this group data, Sikt must enable it for your service. Send a request to kontakt@sikt.no with name of the service and why the service needs information about groups from FS.

Group members’ identifiers (groups-memberids)#

Identifiers of other members of the user’s groups

This allows the service to retrieve information about teachers and students in a group, without each student having logged in beforehand.

This is only available to OpenID Connect service configurations.

To get this information in the attribute group, Sikt need to add this to the service. Send a request to kontakt@sikt.no containing the name of the service and why the service needs information about groups.

More information about receiving this information, read about the group API.

Custom prefix (userinfo-entitlement)#

Custom prefixes for the eduPersonEntitlement attribute.

Not commonly used attributes#

Other groups (groups-other)#

Ad hoc groups. They can be managed from Feide Innsyn. OpenID Connect service configurations can get information about them from the groups API.

Date of birth (userinfo-birthdate)#

Attribute name

norEduPersonBirthDate

Date of birth

feideYearOfBirth

Year of birth

No OpenID Connect claims for this attribute group. The extended userinfo endpoint can be used.

Title (userinfo-title)#

Attribute name

title

Title in the organization

No OpenID Connect claims for this attribute group. The extended userinfo endpoint can be used.

Other phone number (userinfo-phone)#

Attribute name

telephoneNumber

Telephone number

homePhone

Home telephone number

No OpenID Connect claims for this attribute group. The extended userinfo endpoint can be used.

Local identity number (userid-lin)#

Attribute name

norEduPersonLIN

Local identity number, i.e. student or employee number

No OpenID Connect claims for this attribute group. The extended userinfo endpoint can be used.

ORCID researcher identifier (userid-orcid)#

Attribute name

eduPersonOrcid

ORCID researcher identifier

No OpenID Connect claims for this attribute group. The extended userinfo endpoint can be used.

Special attribute groups#

Access to information outside of the login session (system-all-users)#

This special scope allows services using the client credentials flow to fetch user/group information without a user needing to log in, commonly used for provisioning