2. Person

2.1. Mandatory - person

2.1.1. cn

Attribute name: cn
Short description: General node name carrying the person's information.
Example:
  cn: Arnt Ola Nordmann
  and/or
  cn: olanor123
Multivalued: Yes

2.1.2. displayName

Attribute name: displayName
Short description: Person's preferred name.
Example:
  displayName: Ola Nordmann
Multivalued: No

2.1.3. norEduPersonLegalName

Attribute name: norEduPersonLegalName
Short description: Person's legal name, for example the name registered in Folkeregisteret.
Example:
  norEduPersonLegalName: Arnt Ola Olsen Nordmann
Multivalued: No

2.1.4. givenName

Attribute name: givenName
Short description: Person's first name.
Example:
  givenName: Ola
Multivalued: Yes

2.1.5. sn

Attribute name: sn
Short description: Person's surname.
Example:
  sn: Nordmann
  and/or
  sn: Olsen Nordmann
Multivalued: Yes

2.1.6. eduPersonPrincipalName

Attribute name: eduPersonPrincipalName
Short description: Full Feide name.
Example:
  eduPersonPrincipalName: olanor123@universitetet.no
Multivalued: No

eduPersonPrincipalName is case-insensitive by definition.

OlaNor123@uin.no is the same Feide name as olanor123@uin.no. Although eduPersonPrincipalName is case-insensitive by definition, it is added to the Feide catalogue in lower case for compatibility with other systems.

eduPersonPrincipalName should never be reused for a new person. The organization has to ensure that eduPersonPrincipalName is unique. If the organization chooses to reuse an eduPersonPrincipalName which is no longer in active use, the organization itself is responsible for making sure that this does not lead to any issues. For instance, the eduPersonPrincipalName may have been used as an identifier in external systems or services, and the organization has to take this into consideration.

eduPersonPrincipalName consists of two parts: <user>@<realm>. When a domain name is used as the realm, it must be a domain that the host organization is the registered owner of.

The first part of eduPersonPrincipalName (before "@") shall equal uid.

2.1.7. uid

Attribute name: uid
Short description: The person's local username at the school owner.
Example:
  uid: olanor123
Multivalued: No

Even though uid is multivalued in the schema, only one value should be registered in this field. uid is case-insensitive, but should be entered into the catalogue in the same manner as eduPersonPrincipalName, i.e. in lower case. The first part of eduPersonPrincipalName, before "@", shall consist of uid.
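The eduPersonPrincipalName and uid rules above (lower case storage, <user>@<realm> structure, user part equal to uid, realm owned by the organization, no reuse for a new person) are easy to check mechanically before an entry is written to the catalogue. The following validator is an added example, not code from Feide or the catalogue system; the OWNED_REALMS set, the EppnRegistry class and the person identifiers are constructed for illustration.

```python
import re

# Domains the host organization is the registered owner of (constructed sample).
OWNED_REALMS = {"universitetet.no", "stud.universitetet.no"}

# eduPersonPrincipalName is <user>@<realm>; neither part may be empty or contain '@'.
EPPN_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<realm>[^@\s]+)$")


def check_eppn(eppn: str, uid: str, owned_realms=OWNED_REALMS) -> list:
    """Return the list of rule violations for an eduPersonPrincipalName/uid pair.

    An empty list means the pair may be stored. The rules checked are the
    ones stated for the two attributes: lower case storage of both values,
    user part equal to uid, and a realm the organization owns.
    """
    problems = []
    m = EPPN_RE.match(eppn)
    if not m:
        return [f"{eppn!r} is not of the form <user>@<realm>"]
    user, realm = m.group("user"), m.group("realm")
    if eppn != eppn.lower():
        problems.append("eduPersonPrincipalName must be stored in lower case")
    if uid != uid.lower():
        problems.append("uid must be stored in lower case")
    # The attribute is case-insensitive, so the comparison is case-insensitive too.
    if user.lower() != uid.lower():
        problems.append(f"user part {user!r} does not equal uid {uid!r}")
    if realm.lower() not in owned_realms:
        problems.append(f"realm {realm!r} is not a domain the organization owns")
    return problems


class EppnRegistry:
    """Hypothetical record of every eduPersonPrincipalName ever issued.

    Because the attribute is case-insensitive, lookups are done on the
    lower-cased value, so 'OlaNor123@...' and 'olanor123@...' are one name.
    """

    def __init__(self):
        self._issued = {}  # lower-cased eduPersonPrincipalName -> person id

    def issue(self, eppn: str, person_id: str) -> bool:
        """Record eppn for person_id; refuse if it was ever issued to someone else."""
        key = eppn.lower()
        owner = self._issued.get(key)
        if owner is not None and owner != person_id:
            return False
        self._issued[key] = person_id
        return True


if __name__ == "__main__":
    print(check_eppn("olanor123@universitetet.no", "olanor123"))  # []
    print(check_eppn("OlaNor123@universitetet.no", "olanor123"))  # lower-case violation
    reg = EppnRegistry()
    print(reg.issue("olanor123@universitetet.no", "person-1"))    # True
    print(reg.issue("OlaNor123@universitetet.no", "person-2"))    # False: already someone else's
```

The registry keeps names that are no longer active, which is what makes the "never reuse" rule enforceable; an organization that chooses to reuse inactive names would instead have to remove entries deliberately and accept the responsibility described above.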

2.1.8. norEduPersonNIN

Attribute name: norEduPersonNIN
Short description: National identity number.
Example:
  norEduPersonNIN: 28088933134
Multivalued: No

norEduPersonNIN shall be a unique identification number issued by Folkeregisteret, Utlendingsdirektoratet (UDI) or Samordna Opptak, i.e. one of:

  • National identity number

  • D-number

  • DUF-number

  • S-number/So-number (student number issued by Samordna Opptak)

If a person does not have any of these numbers, no value should be registered in norEduPersonNIN for this person.

A person can have a Feide user without a value in norEduPersonNIN. This is not an issue for most services, but for services that depend on norEduPersonNIN, the school owner will have to find other ways to grant the user access.

2.1.9. mail

Attribute name: mail
Short description: The person's e-mail address. Shall be a personal address.
Example:
  mail: ola.nordmann@universitetet.no
  and/or
  mail: olanor123@stud.universitetet.no
Multivalued: Yes

mail shall be a personal e-mail address that the user alone has access to.

Some services treat eduPersonPrincipalName as an e-mail address. They are not supposed to, but some use the value to send the user invitations to resources, messages from other users and more. If the user's e-mail address differs from the value in eduPersonPrincipalName, the host organization should consider adding that value as an e-mail alias for the user in the e-mail system. Depending on how visible the organization wants this alias to be, it can also be added as a value of the mail attribute in Feide.

2.1.10. userPassword

Attribute name: userPassword
Short description: Person's password for Feide login.
Example:
  userPassword: {CRYPT}$6$ufxrIZTs$hl3ocEOAb01o3HC1yk1DUTD6aaHnH7xD5ZDFCH9xnoNUWZky6lt0/
Multivalued: Yes

Even though userPassword is multivalued, it is common to register only one password in this field.

In this document, userPassword is set as a mandatory attribute because every user must have a password in order to log in. Note that the password may be handled automatically by the catalogue system, so there may be no need to manage this attribute directly, as long as each person can authenticate against the catalogue system, and thus Feide, with an actual password.

2.1.11. eduPersonAffiliation

Attribute name: eduPersonAffiliation
Short description: Roles at the organization.
Example:
  eduPersonAffiliation: member
  eduPersonAffiliation: student
  or
  eduPersonAffiliation: faculty
  eduPersonAffiliation: employee
  eduPersonAffiliation: member
Multivalued: Yes

eduPersonAffiliation contains information about the person's general roles at the organization. Figure 2 presents a small set of general roles as a hierarchy.

A student will have all of these values:

  • eduPersonAffiliation: student

  • eduPersonAffiliation: member

A pedagogical employee will have all these values:

  • eduPersonAffiliation: faculty

  • eduPersonAffiliation: employee

  • eduPersonAffiliation: member

A non pedagogical employee will have all these values:

  • eduPersonAffiliation: staff

  • eduPersonAffiliation: employee

  • eduPersonAffiliation: member

The value "affiliate" expresses that a person is affiliated with the organization without any formal contract of employment or a position as a student (for example students attending a private school):

  • eduPersonAffiliation: affiliate

A person can have multiple roles, for instance both be an employee and a student:

  • eduPersonAffiliation: student

  • eduPersonAffiliation: staff

  • eduPersonAffiliation: employee

  • eduPersonAffiliation: member

Figure 2: Role hierarchy

The figure shows the eduPersonAffiliation values as a tree. Four branches leave the root: "member", "affiliate", "alum" and "library-walk-in". The "affiliate", "alum" and "library-walk-in" branches have no children. "member" has two child branches, "student" and "employee"; "employee" in turn has the children "faculty" and "staff", while "student" has none.
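The lists above all follow from the tree in figure 2: every value implies its ancestors, so a "faculty" person must also carry "employee" and "member". The code below encodes that tree and uses it both to expand a set of roles into the full set of eduPersonAffiliation values and to report entries that are missing an implied value. It is an added example, not code from Feide; the PARENT table is a transcription of the figure, and the function names are the author's own.

```python
# Parent of each eduPersonAffiliation value as drawn in figure 2.
# None marks a branch directly off the root.
PARENT = {
    "member": None,
    "affiliate": None,
    "alum": None,
    "library-walk-in": None,
    "student": "member",
    "employee": "member",
    "faculty": "employee",
    "staff": "employee",
}


def expand(values):
    """Return the full set of eduPersonAffiliation values implied by `values`.

    Each value implies every ancestor in the hierarchy, so {'staff'} expands
    to {'staff', 'employee', 'member'}. Unknown values raise ValueError so a
    typo never silently becomes a role.
    """
    result = set()
    for value in values:
        if value not in PARENT:
            raise ValueError(f"unknown eduPersonAffiliation value: {value!r}")
        node = value
        while node is not None:
            result.add(node)
            node = PARENT[node]
    return result


def missing_values(values):
    """Implied values the entry does not carry (e.g. 'student' without 'member')."""
    present = set(values)
    return expand(present) - present


def is_consistent(values):
    """True when the entry carries every value implied by the ones it has."""
    return not missing_values(values)


def most_specific(values):
    """The values that are not merely implied by another value in the set.

    Useful when reporting a person's roles: a student who is also staff is
    described by {'student', 'staff'} rather than the full four-value set.
    """
    present = set(values)
    implied = set()
    for value in present:
        node = PARENT.get(value)
        while node is not None:
            implied.add(node)
            node = PARENT[node]
    return present - implied


if __name__ == "__main__":
    # Constructed entry: a person who is both a student and non-pedagogical staff.
    entry = {"student", "staff"}
    print(sorted(expand(entry)))            # ['employee', 'member', 'staff', 'student']
    print(missing_values({"faculty"}))      # {'employee', 'member'}
    print(is_consistent({"affiliate"}))     # True
    print(most_specific(expand(entry)))     # {'staff', 'student'}
```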

2.1.12. eduPersonOrgDN

Attribute name: eduPersonOrgDN
Short description: Pointer to the LDAP node that contains information about the organization the person is affiliated with.
Example:
  eduPersonOrgDN: o=universitetet, dc=no
Multivalued: No

2.1.13. schacHomeOrganization

Attribute name: schacHomeOrganization
Short description: Realm (last part of eduPersonPrincipalName) of the organization the person is affiliated with.
Example:
  schacHomeOrganization: universitetet.no
Multivalued: No

2.1.14. norEduPersonAuthnMethod

Attribute name: norEduPersonAuthnMethod (only mandatory when used with strong authentication)
Short description: List of the strong authentication methods available to the person.
Example:
  norEduPersonAuthnMethod: urn:mace:feide.no:auth:method:sms +4712345678 label=Work%20phone
Multivalued: Yes

This attribute is mandatory for persons logging in to services with strong authentication. Valid values are constructed as follows: <identifier for method> <method data specific to the person> <optional note>

  • Identifier for SMS: urn:mace:feide.no:auth:method:sms

  • Identifier for Approver/Authenticator: urn:mace:feide.no:auth:method:ga

An authentication method can be marked with an optional note that provides a user-friendly text and separates the different methods from each other. The marking label= shall only be present when there is a note, and the note shall not be empty.

Examples:

When using one time password for sms:

  • norEduPersonAuthnMethod: urn:mace:feide.no:auth:method:sms +4712345678 label=Work%20phone

When using the method one time password on sms, without note:

  • norEduPersonAuthnMethod: urn:mace:feide.no:auth:method:sms +4712345678

When using the method Approver/Authenticator:

  • norEduPersonAuthnMethod: urn:mace:feide.no:auth:method:ga eyEUJfe...WERIW label=Authenticator%20(Feide)
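A service or provisioning script that reads norEduPersonAuthnMethod has to split the value into its three fields, recognise the method identifier, and apply the rules for label= (present only with a note, never empty, percent-encoded). The parser below does exactly that and is an added example rather than Feide code; the AuthnMethod dataclass, the function names and the sample values (other than the SMS example from the page) are constructed.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote

# Method identifiers listed in the attribute description.
SMS = "urn:mace:feide.no:auth:method:sms"
GA = "urn:mace:feide.no:auth:method:ga"
KNOWN_METHODS = {SMS, GA}

LABEL_PREFIX = "label="


@dataclass(frozen=True)
class AuthnMethod:
    method: str            # one of KNOWN_METHODS
    data: str              # method data specific to the person (phone number, secret, ...)
    label: Optional[str]   # decoded note, or None when no label= was given


def parse_authn_method(value: str) -> AuthnMethod:
    """Parse one norEduPersonAuthnMethod value.

    Format: <identifier for method> <method data> [label=<percent-encoded note>]
    Raises ValueError for unknown identifiers, a malformed third field, or an
    empty note, so a bad value is rejected rather than stored.
    """
    parts = value.split()
    if len(parts) not in (2, 3):
        raise ValueError(f"expected '<method> <data> [label=<note>]', got {value!r}")
    method, data = parts[0], parts[1]
    if method not in KNOWN_METHODS:
        raise ValueError(f"unknown method identifier {method!r}")
    label = None
    if len(parts) == 3:
        if not parts[2].startswith(LABEL_PREFIX):
            raise ValueError(f"third field must be {LABEL_PREFIX}<note>, got {parts[2]!r}")
        note = parts[2][len(LABEL_PREFIX):]
        if not note:
            raise ValueError("label= is present but the note is empty")
        # Notes are percent-encoded (Work%20phone); decode for display.
        label = unquote(note)
    return AuthnMethod(method, data, label)


def available_methods(values):
    """Set of method identifiers a person can use, from all attribute values."""
    return {parse_authn_method(v).method for v in values}


if __name__ == "__main__":
    # Constructed sample entry: one SMS method and one Authenticator method.
    sample = [
        "urn:mace:feide.no:auth:method:sms +4712345678 label=Work%20phone",
        "urn:mace:feide.no:auth:method:ga constructed-ga-secret label=Authenticator%20(Feide)",
    ]
    for v in sample:
        print(parse_authn_method(v))
    print(available_methods(sample))   # {SMS, GA}
```

Because the data field is split on whitespace, a method's data can never contain spaces; that matches the attribute format, where whitespace is what separates the three fields.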

2.1.15. norEduPersonServiceAuthnLevel

Attribute name: norEduPersonServiceAuthnLevel (can be used with strong authentication; not mandatory)
Short description: Specifies which services require strong authentication for the person.
Example:
  norEduPersonServiceAuthnLevel: urn:mace:feide.no:spid:12345 urn:mace:feide.no:auth:level:fad08:3
  and/or
  norEduPersonServiceAuthnLevel: urn:mace:feide.no:spid:all urn:mace:feide.no:auth:level:fad08:3
Multivalued: Yes

This attribute makes it possible to list the services for which a single person must use strong authentication. This can for instance be useful for persons that have extended rights in one or more services. Valid values are:

  • urn:mace:feide.no:spid:<Feide-id for service> <level of authentication>: Set for a single service that the person will log in to using strong authentication. The Feide-id for a service is obtained by contacting support@feide.no.

  • urn:mace:feide.no:spid:all <level of authentication>: Set if the person shall log in to all services using strong authentication.

For strong authentication through Feide, the URI for the authentication level is: urn:mace:feide.no:auth:level:fad08:3
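The two value forms above answer one question at login time: which authentication level, if any, must this person use for the service that is now asking? The code below parses the attribute values and resolves that question for a given service id. It is an added example, not Feide's own logic; the function names are constructed, and the resolution order (a service-specific entry is consulted before the spid:all entry) is an assumption made for the example, since the page does not state how the two forms combine.

```python
SPID_PREFIX = "urn:mace:feide.no:spid:"
LEVEL_PREFIX = "urn:mace:feide.no:auth:level:"

# Level URI for strong authentication through Feide, as given on the page.
FAD08_3 = "urn:mace:feide.no:auth:level:fad08:3"


def parse_service_level(value: str):
    """Split one norEduPersonServiceAuthnLevel value into (service id, level URI).

    The service id is 'all' or the Feide-id of one service. ValueError is
    raised for anything that does not have exactly the two expected URIs.
    """
    parts = value.split()
    if len(parts) != 2:
        raise ValueError(f"expected '<spid URI> <level URI>', got {value!r}")
    spid, level = parts
    if not spid.startswith(SPID_PREFIX) or len(spid) == len(SPID_PREFIX):
        raise ValueError(f"not a service URI: {spid!r}")
    if not level.startswith(LEVEL_PREFIX) or len(level) == len(LEVEL_PREFIX):
        raise ValueError(f"not an authentication level URI: {level!r}")
    return spid[len(SPID_PREFIX):], level


def required_level(values, service_id):
    """Level URI the person must satisfy for service_id, or None if none is listed.

    Assumption for this example: an entry naming the service wins over the
    'all' entry; 'all' then covers every service that has no entry of its own.
    """
    rules = dict(parse_service_level(v) for v in values)
    return rules.get(str(service_id), rules.get("all"))


def requires_strong_authn(values, service_id) -> bool:
    """True when the person must use strong authentication (fad08:3) for service_id."""
    return required_level(values, service_id) == FAD08_3


if __name__ == "__main__":
    # Constructed entry: strong authentication required for service 12345 only.
    single = ["urn:mace:feide.no:spid:12345 urn:mace:feide.no:auth:level:fad08:3"]
    print(requires_strong_authn(single, 12345))   # True
    print(requires_strong_authn(single, 99999))   # False: no entry, no 'all'

    # Constructed entry: strong authentication required everywhere.
    everywhere = ["urn:mace:feide.no:spid:all urn:mace:feide.no:auth:level:fad08:3"]
    print(requires_strong_authn(everywhere, 99999))  # True
```

Note that this attribute only states what the person is required to use; whether the person can actually satisfy the level depends on the methods registered in norEduPersonAuthnMethod, which is why that attribute becomes mandatory as soon as a service level is set.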