2. Terminology

- Årstrinn
  Year level. Students are grouped by the year of education they are attending: after kindergarten a pupil starts in årstrinn 1 and proceeds to årstrinn 2 the following year.
- Studieprogram
  Program of study. A student is typically admitted to a particular studieprogram.
- Kull
  All students in a studieprogram admitted in a given year.
- Klasse
  A subdivision of a kull.
3. Person

3.1. Mandatory - person

3.1.1. cn

| Attribute name | cn |
|---|---|
| Short description | General node name with person information. |
| Example | `cn: Arnt Nordmann` and/or `cn: olanor123` |
| Multivalued | Yes |
3.1.2. displayName

| Attribute name | displayName |
|---|---|
| Short description | The person's preferred name. |
| Example | `displayName: Ola Nordmann` |
| Multivalued | No |
3.1.3. norEduPersonLegalName

| Attribute name | norEduPersonLegalName |
|---|---|
| Short description | The person's legal name, for example the name registered in Folkeregisteret. |
| Example | `norEduPersonLegalName: Arnt Ola Olsen Nordmann` |
| Multivalued | No |
3.1.4. givenName

| Attribute name | givenName |
|---|---|
| Short description | The person's first name. |
| Example | `givenName: Ola` |
| Multivalued | Yes |
3.1.5. sn

| Attribute name | sn |
|---|---|
| Short description | The person's surname. |
| Example | `sn: Nordmann` and/or `sn: Olsen Nordmann` |
| Multivalued | Yes |
3.1.6. eduPersonPrincipalName

| Attribute name | eduPersonPrincipalName |
|---|---|
| Short description | Full Feide name. |
| Example | `eduPersonPrincipalName: olanor123@skotthyll.kommune.no` |
| Multivalued | No |

eduPersonPrincipalName is by definition case-insensitive: OlaNor123@uin.no is the same Feide name as olanor123@uin.no. Even so, it is added to the Feide catalogue in lower case for compatibility with other systems.

An eduPersonPrincipalName should never be reused for a new person. The organization has to ensure that eduPersonPrincipalName is unique. If the organization nevertheless chooses to reuse an eduPersonPrincipalName that is no longer in active use, the organization itself is responsible for making sure this does not cause problems: the eduPersonPrincipalName may have been used as an identifier in external systems and services, where the new person would inherit whatever is still tied to it, and the organization has to take this into consideration.

eduPersonPrincipalName consists of two parts, `<user>@<realm>`. When a domain name is used as the realm, it must be a domain that the host organization is the registered owner of.

The first part of eduPersonPrincipalName (before "@") shall equal uid.
3.1.7. uid

| Attribute name | uid |
|---|---|
| Short description | The person's local username at the school owner. |
| Example | `uid: olanor123` |
| Multivalued | Yes |

Even though uid is multivalued in the schema, only one value should be registered in this field. uid is case-insensitive but, like eduPersonPrincipalName, shall be entered into the catalogue in lower case.

The first part of eduPersonPrincipalName (before "@") shall be the uid.
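The rules for the two identifiers above (case-insensitive but stored in lower case, a single uid, local part equal to uid, a realm the organization owns, no collisions) are easy to get subtly wrong when entries are generated from a student or HR system. The following Python is an added example, not code from the Feide specification or from Feide: it checks entries represented as a dict of attribute name to value list (the shape an LDIF parser or an ldap3 search result gives you) and reports violations. The realm set OWNED_REALMS and the sample entries are constructed for illustration.

```python
# Added example, not from the Feide specification: consistency checks for
# uid and eduPersonPrincipalName. An entry is a dict of attribute name ->
# list of values. OWNED_REALMS and SAMPLE_ENTRIES are constructed.
from typing import Dict, List

Entry = Dict[str, List[str]]

# Domains this (hypothetical) school owner is the registered owner of.
OWNED_REALMS = {"skotthyll.kommune.no"}


def normalize_eppn(eppn: str) -> str:
    """eduPersonPrincipalName is case-insensitive by definition, and Feide
    stores it in lower case; compare and store the normalized form."""
    return eppn.strip().lower()


def check_entry(entry: Entry) -> List[str]:
    """Return findings for one entry (an empty list means it passes)."""
    findings: List[str] = []
    eppns = entry.get("eduPersonPrincipalName", [])
    uids = entry.get("uid", [])

    if len(eppns) != 1:
        findings.append(f"eduPersonPrincipalName must be single-valued, got {len(eppns)} values")
        return findings
    eppn = eppns[0]
    if eppn.count("@") != 1:
        findings.append(f"eduPersonPrincipalName {eppn!r} is not of the form <user>@<realm>")
        return findings
    user, realm = eppn.split("@")

    if eppn != normalize_eppn(eppn):
        findings.append(f"eduPersonPrincipalName {eppn!r} is not stored in lower case")
    if realm.lower() not in OWNED_REALMS:
        findings.append(f"realm {realm!r} is not a domain the organization owns")

    # uid is multivalued in the schema, but only one value shall be registered,
    # and the local part of eduPersonPrincipalName must equal it.
    if len(uids) != 1:
        findings.append(f"uid should have exactly one value, got {len(uids)}")
    else:
        uid = uids[0]
        if uid != uid.lower():
            findings.append(f"uid {uid!r} is not stored in lower case")
        if user.lower() != uid.lower():
            findings.append(f"local part {user!r} of eduPersonPrincipalName does not equal uid {uid!r}")
    return findings


def check_uniqueness(entries: List[Entry]) -> List[str]:
    """eduPersonPrincipalName must be unique across the catalogue. Because it
    is case-insensitive, two values differing only in case are a collision."""
    seen: Dict[str, int] = {}
    findings: List[str] = []
    for i, entry in enumerate(entries):
        for eppn in entry.get("eduPersonPrincipalName", []):
            key = normalize_eppn(eppn)
            if key in seen:
                findings.append(f"duplicate eduPersonPrincipalName {key!r} in entries {seen[key]} and {i}")
            else:
                seen[key] = i
    return findings


# Constructed sample entries.
SAMPLE_ENTRIES: List[Entry] = [
    {"uid": ["olanor123"], "eduPersonPrincipalName": ["olanor123@skotthyll.kommune.no"]},
    # Mixed case: the same Feide name as the entry above, so a collision.
    {"uid": ["OlaNor123"], "eduPersonPrincipalName": ["OlaNor123@skotthyll.kommune.no"]},
    # Local part differs from uid, and the realm is not an owned domain.
    {"uid": ["karnor45"], "eduPersonPrincipalName": ["kari.nordmann@example.org"]},
]

if __name__ == "__main__":
    for i, e in enumerate(SAMPLE_ENTRIES):
        for finding in check_entry(e):
            print(f"entry {i}: {finding}")
    for finding in check_uniqueness(SAMPLE_ENTRIES):
        print(finding)
```

Run it against an LDIF export before loading the catalogue; the uniqueness check is the one that matters most, since a collision that differs only in case is invisible to a case-sensitive unique index but is one and the same Feide name to every service.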
3.1.8. norEduPersonNIN

| Attribute name | norEduPersonNIN |
|---|---|
| Short description | National identity number. |
| Example | `norEduPersonNIN: 28089533134` |
| Multivalued | No |

norEduPersonNIN shall be a unique identification number issued by Folkeregisteret or Utlendingsdirektoratet (UDI):

- National identity number
- D-number
- DUF-number

If a person has none of these numbers, no value shall be registered in norEduPersonNIN for that person. A person can have a Feide user without a value in norEduPersonNIN. This is not a problem for most services, but for services that depend on norEduPersonNIN the school owner will have to find another way to grant the user access.

Locally issued identity numbers can be added to norEduPersonLIN_GO.
3.1.9. userPassword

| Attribute name | userPassword |
|---|---|
| Short description | The person's password for Feide login. |
| Example | `userPassword: {CRYPT}$6$ufxrIZTs$hl3ocEOAb01o3HC1yk1DUTD6aaHnH7xD5ZDFCH9xnoNUWZky6lt0/` |
| Multivalued | Yes |

Even though userPassword is multivalued in the schema, it is common to register only one password in this field. In this document userPassword is set as a mandatory attribute because every user has to have a password in order to log in. Note that the password is often handled automatically by the catalogue system, so there may be no need to manage this attribute directly, as long as each person can authenticate against the catalogue system, and thereby Feide, with a concrete password. As the example shows, the stored value is a salted password hash (here `{CRYPT}` with SHA-512 crypt, the `$6$` prefix), never the clear-text password.
3.1.10. eduPersonOrgDN

| Attribute name | eduPersonOrgDN |
|---|---|
| Short description | Pointer to the LDAP node that contains information about the school owner the person is affiliated with. |
| Example | `eduPersonOrgDN: dc=Skotthyll,dc=kommune,dc=no` |
| Multivalued | No |
3.1.11. eduPersonOrgUnitDN

| Attribute name | eduPersonOrgUnitDN |
|---|---|
| Short description | Pointer to the LDAP node(s) that contain information about the organizational unit(s) the person is affiliated with. |
| Example | `eduPersonOrgUnitDN: ou=Hylla skole,cn=organization,dc=Skotthyll,dc=kommune,dc=no` |
| Multivalued | Yes |

eduPersonOrgUnitDN is mandatory for persons affiliated with a school. For persons who need a Feide user on a day-to-day basis but have no affiliation with any school, no value shall be registered in eduPersonOrgUnitDN.
3.1.12. eduPersonPrimaryOrgUnitDN

| Attribute name | eduPersonPrimaryOrgUnitDN |
|---|---|
| Short description | Pointer to the LDAP node that contains information about the organizational unit the person has their main affiliation with. |
| Example | `eduPersonPrimaryOrgUnitDN: ou=Hylla skole,cn=organization,dc=Skotthyll,dc=kommune,dc=no` |
| Multivalued | No |

For clarification: the value used in eduPersonPrimaryOrgUnitDN must also be present in eduPersonOrgUnitDN.
3.1.13. eduPersonAffiliation

| Attribute name | eduPersonAffiliation |
|---|---|
| Short description | Roles at the school owner. |
| Example | `eduPersonAffiliation: student` and `eduPersonAffiliation: member`, or `eduPersonAffiliation: faculty`, `eduPersonAffiliation: employee` and `eduPersonAffiliation: member` |
| Multivalued | Yes |

eduPersonAffiliation contains the person's general roles at the organization. Figure 2 presents a small set of general roles as a hierarchy; a person's values must include every more general role implied by a specific one, as the lists below show.

A student will have all of these values:
eduPersonAffiliation: student
eduPersonAffiliation: member

A pedagogical employee will have all of these values:
eduPersonAffiliation: faculty
eduPersonAffiliation: employee
eduPersonAffiliation: member

A non-pedagogical employee will have all of these values:
eduPersonAffiliation: staff
eduPersonAffiliation: employee
eduPersonAffiliation: member

The value "affiliate" is used for a person who is affiliated with the organization without any formal contract of employment or position as a student (for example students attending a private school):
eduPersonAffiliation: affiliate

A person can have multiple roles, for instance both employee and student:
eduPersonAffiliation: student
eduPersonAffiliation: staff
eduPersonAffiliation: employee
eduPersonAffiliation: member

Another example of multiple roles is a person who is both a principal and a teacher. Such a person holds the values of both staff and faculty:
eduPersonAffiliation: staff
eduPersonAffiliation: faculty
eduPersonAffiliation: employee
eduPersonAffiliation: member
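The lists above are instances of one rule: each specific role implies a more general one, and an entry must carry the whole chain. The following Python is an added example, not code from the Feide specification or from Feide; it encodes the hierarchy from Figure 2 as "role implies role" relations, derives the complete value set from a person's specific roles, and validates an existing value set (a missing implied value, or a value outside the hierarchy, is reported).

```python
# Added example, not from the Feide specification: the eduPersonAffiliation
# hierarchy from Figure 2 encoded as "role implies role" relations, with a
# function to derive the complete value set and one to validate an entry's
# values against it.
from typing import Iterable, List, Set

IMPLIES = {
    "student": {"member"},
    "faculty": {"employee"},
    "staff": {"employee"},
    "employee": {"member"},
    "member": set(),
    "affiliate": set(),
}
VALID_AFFILIATIONS = set(IMPLIES)


def expand(roles: Iterable[str]) -> Set[str]:
    """Close a set of roles under the hierarchy: the values an entry must
    carry when the given roles are the person's specific roles."""
    result: Set[str] = set()
    todo = list(roles)
    while todo:
        role = todo.pop()
        if role not in IMPLIES:
            raise ValueError(f"unknown eduPersonAffiliation value: {role!r}")
        if role not in result:
            result.add(role)
            todo.extend(IMPLIES[role])
    return result


def validate_affiliation(values: Iterable[str]) -> List[str]:
    """Findings for an entry's eduPersonAffiliation values: values outside
    the hierarchy, and general roles implied by a present role but missing."""
    present = set(values)
    findings = [f"unknown value {v!r}" for v in sorted(present - VALID_AFFILIATIONS)]
    known = present & VALID_AFFILIATIONS
    for missing in sorted(expand(known) - known):
        findings.append(f"missing implied value {missing!r}")
    return findings


def ldif_lines(roles: Iterable[str]) -> List[str]:
    """The attribute lines to write for the given specific roles."""
    return [f"eduPersonAffiliation: {r}" for r in sorted(expand(roles))]


if __name__ == "__main__":
    # A principal who also teaches: staff + faculty.
    print("\n".join(ldif_lines(["staff", "faculty"])))
    print(validate_affiliation(["faculty"]))
```

Services commonly authorize on the general values (employee, member) rather than on the specific ones, so an entry that carries faculty without employee silently loses access; the validator catches exactly that case.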
3.1.14. eduPersonEntitlement

| Attribute name | eduPersonEntitlement |
|---|---|
| Short description | Information about rights, roles and groups that this person has. |
| Example | See the examples below. |
| Multivalued | Yes |

Example for årstrinn:
eduPersonEntitlement: urn:mace:feide.no:go:grep:http://psi.udir.no/laereplan/aarstrinn/aarstrinn6

Example for studieprogram:
eduPersonEntitlement: urn:mace:feide.no:go:grep:http://psi.udir.no/ontologi/utdanningsprogram/studiespesialisering

Example for basis group:
eduPersonEntitlement: urn:mace:feide.no:go:group:b::NO975278964:6A:2014-08-01:2015-06-15:student:Klasse%206A

Example for teaching group:
eduPersonEntitlement: urn:mace:feide.no:go:group:u:NOR1211:NO974558386:3aaa%2F3nh:2014-08-01:2015-06-15:student:Norsk%20hovedm%C3%A5l%20VG3

Example for other group:
eduPersonEntitlement: urn:mace:feide.no:go:group:a::NO974558386:3fysa%2Flb3:2014-08-01:2014-12-31:student:Labgruppe%203%20Fysikk%20VG3

Examples for group-IDs:
eduPersonEntitlement: urn:mace:feide.no:go:groupid:b:NO975278964:6a:2014-08-01:2015-06-15
eduPersonEntitlement: urn:mace:feide.no:go:groupid:u:NO974558386:3aaa%2F3nh:2014-08-01:2015-06-15
eduPersonEntitlement: urn:mace:feide.no:go:groupid:a:NO974558386:3fysa%2Flb3:2014-08-01:2014-12-31

eduPersonEntitlement contains specific rights or roles that the person has. This can be a job code or specific rights related to a particular service. Whenever such information exists for a person, the general recommendation is to register it in eduPersonEntitlement.

Values in eduPersonEntitlement shall be valid URIs (Uniform Resource Identifiers). We recommend using URNs (Uniform Resource Names). If new URN values for eduPersonEntitlement are created, they shall be registered in a register administered by Feide. Requests for a namespace are sent by email to support@feide.no.

For primary and secondary education, information about a person's årstrinn, studieprogram, program area and class shall be registered in eduPersonEntitlement, using codes from Utdanningsdirektoratet's Grep framework. årstrinn, studieprogram and program area are mandatory, meaning that the attribute shall be present and shall have content. Students in primary and lower secondary school are not affiliated with a studieprogram or program area, however, and shall not have these filled out. Grep codes shall be prefixed with the string "urn:mace:feide.no:go:grep:". A person's årstrinn, studieprogram and program area are not tied to each individual school; the values are the sum of the person's values across all the schools they are affiliated with. See Registration of Grep codes in eduPersonEntitlement for detailed information.

A person's group affiliations shall be registered in eduPersonEntitlement. Student and teacher affiliations to basis groups (classes) and teaching groups are mandatory and must be filled out; affiliations to other types of groups may be filled out. Group information shall be prefixed with the string "urn:mace:feide.no:go:group:". Unlike the Grep information, group information is tied to each school the person belongs to. See Registration of group information in eduPersonEntitlement for detailed information.

A person's group-IDs shall be registered in eduPersonEntitlement. It is mandatory to fill out the group identifiers of the groups the person belongs to, as described above. Group-IDs shall be prefixed with the string "urn:mace:feide.no:go:groupid:" and have strict rules for how they are constructed. See Registration of group-IDs in eduPersonEntitlement for detailed information.
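A service consuming these values has to split the colon-delimited fields, percent-decode the group id and display name, and check that every group membership comes with its mandatory group-ID. The following Python is an added example, not code from the Feide specification or from Feide. The field order is read off the examples above; treating the dates as inclusive and matching group ids case-insensitively (the examples pair 6A in the group value with 6a in the group-ID) are assumptions. The sample values are the ones from the examples above.

```python
# Added example, not from the Feide specification: parser for the three
# urn:mace:feide.no:go: entitlement families. Field order is read off the
# page's examples; treating dates as inclusive and matching group ids
# case-insensitively (the page pairs 6A with 6a) are assumptions.
from dataclasses import dataclass
from datetime import date
from typing import List, Set, Tuple
from urllib.parse import unquote

GREP_PREFIX = "urn:mace:feide.no:go:grep:"
GROUP_PREFIX = "urn:mace:feide.no:go:group:"
GROUPID_PREFIX = "urn:mace:feide.no:go:groupid:"
GROUP_TYPES = {"b": "basis group", "u": "teaching group", "a": "other group"}


@dataclass
class Group:
    kind: str       # b / u / a
    grep_code: str  # subject code for teaching groups, empty otherwise
    org_id: str     # school's organization number, e.g. NO974558386
    group_id: str   # percent-decoded local group identifier
    start: date
    end: date
    role: str       # the person's role in the group
    name: str       # percent-decoded display name

    def active_on(self, day: date) -> bool:
        return self.start <= day <= self.end


@dataclass(frozen=True)
class GroupId:
    kind: str
    org_id: str
    group_id: str   # lower-cased for matching
    start: date
    end: date


def _fields(value: str, prefix: str, count: int) -> List[str]:
    """Strip the prefix and split on ':' BEFORE percent-decoding: an encoded
    ':' or '/' inside a group id or name (3aaa%2F3nh) is data, not a
    delimiter, and must not be able to shift the fields."""
    if not value.startswith(prefix):
        raise ValueError(f"expected prefix {prefix!r}: {value!r}")
    fields = value[len(prefix):].split(":")
    if len(fields) != count:
        raise ValueError(f"expected {count} fields after {prefix!r}, got {len(fields)}: {value!r}")
    return fields


def parse_group(value: str) -> Group:
    kind, grep, org, gid, start, end, role, name = _fields(value, GROUP_PREFIX, 8)
    if kind not in GROUP_TYPES:
        raise ValueError(f"unknown group type {kind!r} in {value!r}")
    return Group(kind, grep, org, unquote(gid), date.fromisoformat(start),
                 date.fromisoformat(end), role, unquote(name))


def parse_groupid(value: str) -> GroupId:
    kind, org, gid, start, end = _fields(value, GROUPID_PREFIX, 5)
    return GroupId(kind, org, unquote(gid).lower(),
                   date.fromisoformat(start), date.fromisoformat(end))


def parse_entitlements(values: List[str]) -> Tuple[List[str], List[Group], Set[GroupId], List[str]]:
    """Sort eduPersonEntitlement values into Grep codes, groups and group-IDs;
    report malformed values and groups that lack their mandatory group-ID.
    URNs outside the go: namespaces (job codes, service rights) are left alone."""
    grep_codes: List[str] = []
    groups: List[Group] = []
    group_ids: Set[GroupId] = set()
    findings: List[str] = []
    for v in values:
        try:
            if v.startswith(GREP_PREFIX):
                grep_codes.append(v[len(GREP_PREFIX):])
            elif v.startswith(GROUP_PREFIX):
                groups.append(parse_group(v))
            elif v.startswith(GROUPID_PREFIX):
                group_ids.add(parse_groupid(v))
        except ValueError as exc:
            findings.append(str(exc))
    for g in groups:
        if GroupId(g.kind, g.org_id, g.group_id.lower(), g.start, g.end) not in group_ids:
            findings.append(f"group {g.name!r} at {g.org_id} has no matching groupid entitlement")
    return grep_codes, groups, group_ids, findings


def active_groups(groups: List[Group], iso_day: str) -> List[Group]:
    """Groups whose validity period contains the given ISO date."""
    day = date.fromisoformat(iso_day)
    return [g for g in groups if g.active_on(day)]


# The example values from this page.
SAMPLE_ENTITLEMENTS = [
    "urn:mace:feide.no:go:grep:http://psi.udir.no/laereplan/aarstrinn/aarstrinn6",
    "urn:mace:feide.no:go:grep:http://psi.udir.no/ontologi/utdanningsprogram/studiespesialisering",
    "urn:mace:feide.no:go:group:b::NO975278964:6A:2014-08-01:2015-06-15:student:Klasse%206A",
    "urn:mace:feide.no:go:group:u:NOR1211:NO974558386:3aaa%2F3nh:2014-08-01:2015-06-15:student:Norsk%20hovedm%C3%A5l%20VG3",
    "urn:mace:feide.no:go:group:a::NO974558386:3fysa%2Flb3:2014-08-01:2014-12-31:student:Labgruppe%203%20Fysikk%20VG3",
    "urn:mace:feide.no:go:groupid:b:NO975278964:6a:2014-08-01:2015-06-15",
    "urn:mace:feide.no:go:groupid:u:NO974558386:3aaa%2F3nh:2014-08-01:2015-06-15",
    "urn:mace:feide.no:go:groupid:a:NO974558386:3fysa%2Flb3:2014-08-01:2014-12-31",
]

if __name__ == "__main__":
    codes, groups, ids, findings = parse_entitlements(SAMPLE_ENTITLEMENTS)
    for g in active_groups(groups, "2015-03-01"):
        print(f"{GROUP_TYPES[g.kind]}: {g.name} ({g.group_id}) at {g.org_id}")
    print("findings:", findings)
```

The order of operations in `_fields` is the security-relevant detail: because a group id or display name may legitimately contain an encoded ":" or "/", the fields are split on the raw value first and decoded afterwards. Decoding first would let a crafted name shift the organization number or date fields, and a service that grants access by group would then be matching on attacker-chosen data.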
3.1.15. norEduPersonAuthnMethod

| Attribute name | norEduPersonAuthnMethod (only mandatory when strong authentication is used) |
|---|---|
| Short description | List of methods for strong authentication that are available to the person. |
| Example | `norEduPersonAuthnMethod: urn:mace:feide.no:auth:method:sms +4712345678 label=Work%20phone` and/or `norEduPersonAuthnMethod: urn:mace:feide.no:auth:method:ga eyEUJfe...WERIW` |
| Multivalued | Yes |

This attribute is mandatory for persons who log in to services with strong authentication. Valid values are constructed as follows:

`<identifier for method> <method data specific to the person> <optional note>`

Identifier for SMS: urn:mace:feide.no:auth:method:sms
Identifier for Approver/Authenticator: urn:mace:feide.no:auth:method:ga

An authentication method can be marked with an optional note, which gives the user a friendly text and distinguishes the different methods. The label= marking shall only be present when there is a note, and the note shall not be empty.

Examples:

One-time password by SMS, with a note:
norEduPersonAuthnMethod: urn:mace:feide.no:auth:method:sms +4712345678 label=Work%20phone

One-time password by SMS, without a note:
norEduPersonAuthnMethod: urn:mace:feide.no:auth:method:sms +4712345678

Approver/Authenticator:
norEduPersonAuthnMethod: urn:mace:feide.no:auth:method:ga eyEUJfe...WERIW label=Authenticator%20(Feide)
3.1.16. norEduPersonServiceAuthnLevel

| Attribute name | norEduPersonServiceAuthnLevel (can be used with strong authentication; not mandatory) |
|---|---|
| Short description | Specifies which services require strong authentication for this person. |
| Example | `norEduPersonServiceAuthnLevel: urn:mace:feide.no:spid:12345 urn:mace:feide.no:auth:level:fad08:3` and/or `norEduPersonServiceAuthnLevel: urn:mace:feide.no:spid:all urn:mace:feide.no:auth:level:fad08:3` |
| Multivalued | Yes |

This attribute makes it possible to list the services for which a given person shall use strong authentication. This can be useful, for instance, for persons with extended rights in one or more services. Valid values are:

`urn:mace:feide.no:spid:<Feide-id for service> <level of authentication>`: set for a single service that the person shall log in to using strong authentication. The Feide-id of a service is shown below the service logo on the service's page in the customer portal.

`urn:mace:feide.no:spid:all <level of authentication>`: set if the person shall log in to all services using strong authentication.

For strong authentication through Feide, the URI for the authentication level is:
urn:mace:feide.no:auth:level:fad08:3
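Sections 3.1.15 and 3.1.16 together determine what happens at login: whether this person must use strong authentication for the service at hand, and which registered methods can satisfy it. The following Python is an added example, not code from the Feide specification or from Feide, that parses both attributes and makes that decision. Its assumptions: SMS numbers are checked as E.164 ("+" followed by 8 to 15 digits), an authentication level other than fad08:3 is rejected as unknown, and the Authenticator method data is treated as an opaque shared secret (the sample value is a placeholder, and the secret is kept out of the object's repr so it does not leak into logs). The sample entry is constructed from the examples above.

```python
# Added example, not from the Feide specification: parsing of
# norEduPersonAuthnMethod and norEduPersonServiceAuthnLevel, and the login-time
# decision they drive. Assumptions: SMS numbers are checked as E.164 ('+' and
# 8-15 digits), a level other than fad08:3 is rejected, and the Authenticator
# method data is an opaque secret (the sample value is a placeholder).
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

METHOD_SMS = "urn:mace:feide.no:auth:method:sms"
METHOD_GA = "urn:mace:feide.no:auth:method:ga"
LEVEL_STRONG = "urn:mace:feide.no:auth:level:fad08:3"
SPID_PREFIX = "urn:mace:feide.no:spid:"
E164 = re.compile(r"^\+[1-9][0-9]{7,14}$")


@dataclass(repr=False)
class AuthnMethod:
    method: str
    data: str             # phone number for sms, shared secret for ga: never log it
    label: Optional[str]  # percent-decoded note, None when absent

    def __repr__(self) -> str:  # keep the secret out of logs and tracebacks
        return f"AuthnMethod(method={self.method!r}, label={self.label!r})"


def parse_authn_method(value: str) -> AuthnMethod:
    parts = value.split(" ")
    if len(parts) not in (2, 3):
        raise ValueError("expected '<method> <data> [label=<note>]'")
    method, data = parts[0], parts[1]
    label = None
    if len(parts) == 3:
        # label= shall only be present when there is a note, and the note shall
        # not be empty; the note is percent-encoded, so it contains no raw spaces.
        if not parts[2].startswith("label=") or parts[2] == "label=":
            raise ValueError(f"third field must be a non-empty label=<note>: {parts[2]!r}")
        label = unquote(parts[2][len("label="):])
    if method == METHOD_SMS:
        if not E164.match(data):
            raise ValueError(f"SMS number {data!r} is not in +<country code><number> form")
    elif method != METHOD_GA:
        raise ValueError(f"unknown authentication method {method!r}")
    return AuthnMethod(method, data, label)


def parse_service_level(value: str) -> Tuple[str, str]:
    """'urn:mace:feide.no:spid:<id or all> <level>' -> (<id or all>, <level>)."""
    parts = value.split(" ")
    if len(parts) != 2 or not parts[0].startswith(SPID_PREFIX):
        raise ValueError(f"expected '{SPID_PREFIX}<spid> <level>': {value!r}")
    spid, level = parts[0][len(SPID_PREFIX):], parts[1]
    if level != LEVEL_STRONG:
        raise ValueError(f"unknown authentication level {level!r}")
    return spid, level


def login_policy(entry: Dict[str, List[str]], spid: str) -> Tuple[bool, List[AuthnMethod], List[str]]:
    """For a login to service `spid`: must this person use strong
    authentication, which methods are registered, and what is wrong with the
    entry. A strong-auth requirement with no usable method is a finding,
    because such a login cannot succeed at all."""
    findings: List[str] = []
    strong = False
    for v in entry.get("norEduPersonServiceAuthnLevel", []):
        try:
            target, _ = parse_service_level(v)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        if target in (spid, "all"):
            strong = True
    methods: List[AuthnMethod] = []
    for v in entry.get("norEduPersonAuthnMethod", []):
        try:
            methods.append(parse_authn_method(v))
        except ValueError as exc:
            findings.append(str(exc))
    if strong and not methods:
        findings.append(f"service {spid} requires strong authentication but no usable norEduPersonAuthnMethod is registered")
    return strong, methods, findings


# Constructed sample entry; the ga secret is a placeholder, not a real seed.
SAMPLE_ENTRY = {
    "norEduPersonAuthnMethod": [
        "urn:mace:feide.no:auth:method:sms +4712345678 label=Work%20phone",
        "urn:mace:feide.no:auth:method:ga PLACEHOLDER-SECRET label=Authenticator%20(Feide)",
    ],
    "norEduPersonServiceAuthnLevel": [
        "urn:mace:feide.no:spid:12345 urn:mace:feide.no:auth:level:fad08:3",
    ],
}

if __name__ == "__main__":
    for service in ("12345", "99999"):
        strong, methods, findings = login_policy(SAMPLE_ENTRY, service)
        print(service, "strong" if strong else "password", [m.label for m in methods], findings)
```

Note that a malformed value is reported rather than silently skipped: if the only registered method fails to parse, the person is locked out of every service listed in norEduPersonServiceAuthnLevel, and if a level value fails to parse, a service that should require strong authentication quietly falls back to password login.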
3.2. Recommended - person

3.2.1. mail

| Attribute name | mail |
|---|---|
| Short description | The person's email address. Shall be a personal address. |
| Example | `mail: ola.nordmann@elev.skotthyll.kommune.no` and/or `mail: arnt1990@gmail.com` |
| Multivalued | Yes |

mail shall be a personal email address that only the user has access to.

Some services treat eduPersonPrincipalName as an email address. They are not supposed to, but some use the value to send the user invitations to resources, messages from other users and so on. If the user's email address differs from the value in eduPersonPrincipalName, the host organization should consider adding that value as an email alias for the user in the email system. Depending on how visible the organization wants this alias to be, it can also be added as a value of the mail attribute in Feide.
3.2.2. mobile

| Attribute name | mobile |
|---|---|
| Short description | Mobile number connected to this person. |
| Example | `mobile: +47 40404040` |
| Multivalued | Yes |

mobile shall be a personal mobile number that only the user uses.
3.2.3. preferredLanguage

| Attribute name | preferredLanguage |
|---|---|
| Short description | The person's preferred language, defined by ISO 639-3 and BCP 47. |
| Example | `preferredLanguage: nn` or `preferredLanguage: nb` |
| Multivalued | No |
3.2.4. schacHomeOrganization

| Attribute name | schacHomeOrganization |
|---|---|
| Short description | Realm of the organization the person is affiliated with. |
| Example | `schacHomeOrganization: skotthyll.kommune.no` |
| Multivalued | No |
3.2.5. eduPersonPrimaryAffiliation

| Attribute name | eduPersonPrimaryAffiliation |
|---|---|
| Short description | Primary role at the school owner. |
| Example | `eduPersonPrimaryAffiliation: student` or `eduPersonPrimaryAffiliation: employee` |
| Multivalued | No |

eduPersonPrimaryAffiliation defines the person's primary role at the organization. This is useful, for instance, when a person is both a student and an employee at the organization. For valid values, see eduPersonAffiliation (section 3.1.13). Any value from Figure 2 can be used, but the value chosen must also be present in eduPersonAffiliation.
3.2.6. eduPersonScopedAffiliation

| Attribute name | eduPersonScopedAffiliation |
|---|---|
| Short description | The person's role and institution. |
| Example | `eduPersonScopedAffiliation: employee@NO179530458.skotthyll.kommune.no` and `eduPersonScopedAffiliation: employee@skotthyll.kommune.no` |
| Multivalued | Yes |

For persons affiliated with a school, eduPersonScopedAffiliation defines the person's role at the school and which school it applies to. eduPersonScopedAffiliation is constructed as:

`<role>@<norEduOrgUnitUniqueIdentifier>.<realm>`

and

`<role>@<realm>`

The role must be one of the values in eduPersonAffiliation, and the realm is the right-hand side (after "@") of eduPersonPrincipalName.
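Both scoped forms above, and the rule in 3.2.5 that the primary affiliation must be one of the eduPersonAffiliation values, can be generated and checked mechanically. The following Python is an added example, not code from the Feide specification or from Feide: it builds the scoped values for a person from the roles they hold at each school and validates an existing entry. An entry is a dict of attribute name to value list; which schools the person belongs to is passed in as a mapping from the school's norEduOrgUnitUniqueIdentifier to the roles held there (that mapping, the rejection of multi-label org units, and the sample data are assumptions). The scope check is deliberately strict: the part after "@" must be the realm itself or exactly one label followed by ".realm", so that a value scoped to a look-alike or foreign domain is never accepted as one of this organization's.

```python
# Added example, not from the Feide specification: building and checking
# eduPersonScopedAffiliation values from the construction rules above, plus the
# eduPersonPrimaryAffiliation rule from 3.2.5. An entry is a dict of attribute
# name -> value list; school membership is a mapping from the school's
# norEduOrgUnitUniqueIdentifier to the roles held there (constructed here).
from typing import Dict, List, Set, Tuple

VALID_AFFILIATIONS = {"student", "faculty", "staff", "employee", "member", "affiliate"}


def realm_of(entry: Dict[str, List[str]]) -> str:
    """The realm is the part of eduPersonPrincipalName after '@'."""
    return entry["eduPersonPrincipalName"][0].split("@", 1)[1].lower()


def parse_scoped(value: str, realm: str) -> Tuple[str, str, str]:
    """Split 'role@[orgunit.]realm' into (role, orgunit, realm); orgunit is ''
    for the organization-level form. The scope must be the realm itself or a
    single label followed by '.<realm>', so 'employee@evilskotthyll.kommune.no'
    or a foreign realm cannot pass as one of this organization's scopes."""
    if value.count("@") != 1:
        raise ValueError(f"malformed eduPersonScopedAffiliation {value!r}")
    role, scope = value.split("@")
    scope_l = scope.lower()
    if scope_l == realm:
        return role, "", realm
    suffix = "." + realm
    if scope_l.endswith(suffix) and len(scope_l) > len(suffix):
        unit = scope[: -len(suffix)]
        if "." in unit:
            raise ValueError(f"org unit {unit!r} in {value!r} must be a single label")
        return role, unit, realm
    raise ValueError(f"scope {scope!r} in {value!r} is not within realm {realm!r}")


def build_scoped(school_roles: Dict[str, Set[str]], realm: str) -> List[str]:
    """role@realm for every role the person holds anywhere, plus
    role@<school>.<realm> for each role at each school."""
    values = [f"{r}@{realm}" for r in sorted(set().union(*school_roles.values()))]
    for unit, roles in sorted(school_roles.items()):
        values += [f"{r}@{unit}.{realm}" for r in sorted(roles)]
    return values


def validate(entry: Dict[str, List[str]], school_roles: Dict[str, Set[str]]) -> List[str]:
    """Findings for eduPersonPrimaryAffiliation and eduPersonScopedAffiliation."""
    findings: List[str] = []
    realm = realm_of(entry)
    roles = set(entry.get("eduPersonAffiliation", []))
    primary = entry.get("eduPersonPrimaryAffiliation", [])
    if len(primary) > 1:
        findings.append("eduPersonPrimaryAffiliation must be single-valued")
    elif primary and primary[0] not in roles:
        findings.append(f"eduPersonPrimaryAffiliation {primary[0]!r} is not among the eduPersonAffiliation values")
    for v in entry.get("eduPersonScopedAffiliation", []):
        try:
            role, unit, _ = parse_scoped(v, realm)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        if role not in VALID_AFFILIATIONS:
            findings.append(f"{v}: unknown role {role!r}")
        elif role not in roles:
            findings.append(f"{v}: role {role!r} is not in eduPersonAffiliation")
        elif unit and role not in school_roles.get(unit, set()):
            findings.append(f"{v}: person does not hold role {role!r} at school {unit!r}")
    return findings


# Constructed sample: a teacher at one school, with three bad scoped values added.
SCHOOL_ROLES = {"NO179530458": {"faculty", "employee", "member"}}
REALM = "skotthyll.kommune.no"
SAMPLE_ENTRY = {
    "eduPersonPrincipalName": ["olanor123@skotthyll.kommune.no"],
    "eduPersonAffiliation": ["faculty", "employee", "member"],
    "eduPersonPrimaryAffiliation": ["employee"],
    "eduPersonScopedAffiliation": build_scoped(SCHOOL_ROLES, REALM) + [
        "student@skotthyll.kommune.no",                # a role the person does not have
        "employee@NO999999999.skotthyll.kommune.no",   # a school the person is not at
        "employee@skotthyll.kommune.no.example.org",   # realm in the wrong place
    ],
}

if __name__ == "__main__":
    print("\n".join(SAMPLE_ENTRY["eduPersonScopedAffiliation"]))
    print(validate(SAMPLE_ENTRY, SCHOOL_ROLES))
```

A service that authorizes on eduPersonScopedAffiliation should apply the same suffix check on its side against the realm it expects from the identity provider; accepting any scope that merely contains the realm string is how a value such as employee@skotthyll.kommune.no.example.org ends up granting access.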