2. Person
2.1. Mandatory - person
2.1.1. cn

| Field | Value |
|---|---|
| Attribute name | cn |
| Short description | Common name: the general name of the LDAP node holding the person's information. |
| Example | cn: Arnt Ola Nordmann and/or cn: olanor123 |
| Multivalued | Yes |
2.1.2. displayName

| Field | Value |
|---|---|
| Attribute name | displayName |
| Short description | The person's preferred name. |
| Example | displayName: Ola Nordmann |
| Multivalued | No |
2.1.3. norEduPersonLegalName

| Field | Value |
|---|---|
| Attribute name | norEduPersonLegalName |
| Short description | The person's legal name, for example the name registered in Folkeregisteret (the Norwegian National Population Register). |
| Example | norEduPersonLegalName: Arnt Ola Olsen Nordmann |
| Multivalued | No |
2.1.4. givenName

| Field | Value |
|---|---|
| Attribute name | givenName |
| Short description | The person's first name. |
| Example | givenName: Ola |
| Multivalued | Yes |
2.1.5. sn

| Field | Value |
|---|---|
| Attribute name | sn |
| Short description | The person's surname. |
| Example | sn: Nordmann and/or sn: Olsen Nordmann |
| Multivalued | Yes |
2.1.6. eduPersonPrincipalName

| Field | Value |
|---|---|
| Attribute name | eduPersonPrincipalName |
| Short description | The person's full Feide name. |
| Example | eduPersonPrincipalName: olanor123@universitetet.no |
| Multivalued | No |
eduPersonPrincipalName is by definition case-insensitive: OlaNor123@uin.no is the same Feide name as olanor123@uin.no. Even so, it is stored in the Feide catalogue in lower case for compatibility with other systems.

An eduPersonPrincipalName should never be reused for a new person. The organization has to ensure that eduPersonPrincipalName is unique. If the organization nevertheless chooses to reuse an eduPersonPrincipalName that is no longer in active use, the organization itself is responsible for making sure this does not cause problems. For instance, the eduPersonPrincipalName may have been used as an identifier in external systems and services, in which case the new holder would inherit whatever access or data those services still associate with the previous holder; the organization has to take this into consideration.

eduPersonPrincipalName consists of two parts: <user>@<realm>. When a domain name is used as the realm, it must be a domain that the host organization is the registered owner of.

The first part of eduPersonPrincipalName (before "@") shall equal uid.
2.1.7. uid

| Field | Value |
|---|---|
| Attribute name | uid |
| Short description | The person's local username at the school owner. |
| Example | uid: olanor123 |
| Multivalued | No |
Although the LDAP schema defines uid as multivalued, only one value should be registered in this field. uid is case-insensitive, but should be entered into the catalogue in the same manner as eduPersonPrincipalName, that is, in lower case. The first part of eduPersonPrincipalName, before "@", shall be the uid.
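The rules for eduPersonPrincipalName and uid above (lower-case storage, user part equal to uid, realm owned by the organization, and no reuse of a retired Feide name) as a provisioning-time check. This is an added example, not code from the Feide documentation or from Feide itself; the realm allow-list, the registry of previously issued names, and all function names are this example's own assumptions.

```python
"""Added example (not from the Feide documentation): normalise and validate a
person's uid and eduPersonPrincipalName before they are written to the catalogue.

Assumed, not stated on the page: the organization keeps an allow-list of realms
it is the registered owner of, and a registry of every Feide name it has ever
issued, so that a retired eduPersonPrincipalName is never handed to a new person.
"""
import re

# Hostname-shaped realm: dot-separated labels, letters/digits/hyphens only.
_REALM_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")
# One plausible local username; a space or a second '@' is rejected outright.
_UID_RE = re.compile(r"^[a-z0-9][a-z0-9._-]{0,63}$")


class FeideNameError(ValueError):
    """Raised when a uid / eduPersonPrincipalName pair must not be provisioned."""


def normalize_eppn(eppn: str) -> str:
    """Feide names are case-insensitive; the catalogue stores them in lower case."""
    return eppn.strip().lower()


def split_eppn(eppn: str) -> tuple:
    """Split <user>@<realm>; exactly one '@' is allowed and both parts must be non-empty."""
    if eppn.count("@") != 1:
        raise FeideNameError(f"expected exactly one '@' in {eppn!r}")
    user, realm = eppn.split("@")
    if not user or not realm:
        raise FeideNameError(f"empty user or realm in {eppn!r}")
    return user, realm


def validate_person(uid: str, eppn: str, owned_realms: set, issued_eppns: set) -> str:
    """Return the canonical eduPersonPrincipalName, or raise FeideNameError.

    Checks, in order:
      1. uid normalises to a single plausible lower-case username
      2. the user part of eduPersonPrincipalName equals uid
      3. the realm is a domain the organization owns (assumed allow-list)
      4. the name has never been issued before (assumed registry of issued names)
    """
    uid_n = uid.strip().lower()
    if not _UID_RE.match(uid_n):
        raise FeideNameError(f"uid {uid!r} is not a valid single username")
    eppn_n = normalize_eppn(eppn)
    user, realm = split_eppn(eppn_n)
    if user != uid_n:
        raise FeideNameError(f"user part {user!r} does not equal uid {uid_n!r}")
    if not _REALM_RE.match(realm) or realm not in owned_realms:
        raise FeideNameError(f"realm {realm!r} is not a domain this organization owns")
    if eppn_n in issued_eppns:
        # Reusing a retired Feide name would let the new holder inherit whatever
        # an external service still associates with the old holder. Refuse it.
        raise FeideNameError(f"{eppn_n!r} has already been issued; Feide names must not be reused")
    return eppn_n


if __name__ == "__main__":
    owned = {"universitetet.no", "stud.universitetet.no"}   # constructed allow-list
    issued = {"kari123@universitetet.no"}                    # constructed registry
    print(validate_person("OlaNor123", "OlaNor123@Universitetet.no", owned, issued))
    for uid, eppn in [("olanor123", "olanor124@universitetet.no"),   # user part != uid
                      ("olanor123", "olanor123@evil.example"),       # realm not owned
                      ("kari123", "Kari123@universitetet.no")]:      # retired name reused
        try:
            validate_person(uid, eppn, owned, issued)
        except FeideNameError as err:
            print("rejected:", err)
```

The registry check is the one most often skipped in practice: uniqueness is usually enforced only against currently active entries, which is exactly the reuse the text warns about.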
2.1.8. norEduPersonNIN

| Field | Value |
|---|---|
| Attribute name | norEduPersonNIN |
| Short description | National identity number. |
| Example | norEduPersonNIN: 28088933134 |
| Multivalued | No |
norEduPersonNIN shall be a unique identification number issued by Folkeregisteret, Utlendingsdirektoratet (UDI) or Samordna Opptak:

- National identity number (fødselsnummer)
- D-number
- DUF-number
- S-number/So-number (student number issued by Samordna Opptak)

If a person has none of these numbers, no value should be registered in norEduPersonNIN for that person. A person can have a Feide user without a value in norEduPersonNIN. This is not a problem for most services, but for services that depend on norEduPersonNIN, the school owner will have to find another way to grant the user access to the service.
2.1.9. mail

| Field | Value |
|---|---|
| Attribute name | mail |
| Short description | The person's email address. Shall be a personal address. |
| Example | mail: ola.nordmann@universitetet.no and/or mail: olanor123@stud.universitetet.no |
| Multivalued | Yes |
mail shall be a personal email address that only the user has access to.

Some services treat eduPersonPrincipalName as an email address. They are not supposed to, but some use the value to send the user invitations to resources, messages from other users, and so on. If the user's email address differs from the value of eduPersonPrincipalName, the host organization should consider whether to register that value as an email alias for the user in the email system. Depending on how visible the organization wants this alias to be, it can also be added as a value of the mail attribute in Feide.
2.1.10. userPassword

| Field | Value |
|---|---|
| Attribute name | userPassword |
| Short description | The person's password for Feide login. |
| Example | userPassword: {CRYPT}$6$ufxrIZTs$hl3ocEOAb01o3HC1yk1DUTD6aaHnH7xD5ZDFCH9xnoNUWZky6lt0/ |
| Multivalued | Yes |
Although the LDAP schema defines userPassword as multivalued, it is common to register only one password in this field. The example above is a {CRYPT} value using the salted SHA-512 crypt scheme (the $6$ prefix); the password itself is not stored.

In this document userPassword is listed as mandatory because every user must have a password in order to log in. Note that the password may be handled automatically by the catalogue system, so that there is no need to manage this attribute directly, as long as each person can authenticate to the catalogue system, and thus to Feide, with a concrete password.
2.1.11. eduPersonAffiliation

| Field | Value |
|---|---|
| Attribute name | eduPersonAffiliation |
| Short description | The person's roles at the organization. |
| Example | eduPersonAffiliation: member, eduPersonAffiliation: student (a student) or eduPersonAffiliation: faculty, eduPersonAffiliation: employee, eduPersonAffiliation: member (a pedagogical employee) |
| Multivalued | Yes |
eduPersonAffiliation holds information about the person's general roles at the organization. Figure 2 presents a small set of general roles as a hierarchy, where each role implies the more general roles above it.

A student has all of these values:

eduPersonAffiliation: student
eduPersonAffiliation: member

A pedagogical (teaching) employee has all of these values:

eduPersonAffiliation: faculty
eduPersonAffiliation: employee
eduPersonAffiliation: member

A non-pedagogical employee has all of these values:

eduPersonAffiliation: staff
eduPersonAffiliation: employee
eduPersonAffiliation: member

The value "affiliate" expresses that a person is affiliated with the organization without any formal contract of employment or position as a student (for example, students attending a private school):

eduPersonAffiliation: affiliate

A person can have multiple roles, for instance being both an employee and a student:

eduPersonAffiliation: student
eduPersonAffiliation: staff
eduPersonAffiliation: employee
eduPersonAffiliation: member
2.1.12. eduPersonOrgDN

| Field | Value |
|---|---|
| Attribute name | eduPersonOrgDN |
| Short description | Pointer to the LDAP node that contains information about the organization the person is affiliated with. |
| Example | eduPersonOrgDN: o=universitetet, dc=no |
| Multivalued | No |
2.1.13. schacHomeOrganization

| Field | Value |
|---|---|
| Attribute name | schacHomeOrganization |
| Short description | Realm (the last part of eduPersonPrincipalName) of the organization the person is affiliated with. |
| Example | schacHomeOrganization: universitetet.no |
| Multivalued | No |
2.1.14. norEduPersonAuthnMethod

| Field | Value |
|---|---|
| Attribute name | norEduPersonAuthnMethod (only mandatory when used with strong authentication) |
| Short description | List of the strong authentication methods available to the person. |
| Example | norEduPersonAuthnMethod: urn:mace:feide.no:auth:method:sms +4712345678 label=Work%20phone |
| Multivalued | Yes |
This attribute is mandatory for persons who log in to services with strong authentication. Valid values are constructed as follows:

<identifier for method> <method data specific to the person> <optional note>

Identifier for SMS: urn:mace:feide.no:auth:method:sms
Identifier for Approver/Authenticator: urn:mace:feide.no:auth:method:ga

An authentication method can be marked with an optional note, used to show a user-friendly text and to tell several methods of the same kind apart. The marker label= shall only be present when there is a note, and the note shall not be empty. As the examples show, the note is percent-encoded.

Examples:

One-time password by SMS, with a note:
norEduPersonAuthnMethod: urn:mace:feide.no:auth:method:sms +4712345678 label=Work%20phone

One-time password by SMS, without a note:
norEduPersonAuthnMethod: urn:mace:feide.no:auth:method:sms +4712345678

Approver/Authenticator:
norEduPersonAuthnMethod: urn:mace:feide.no:auth:method:ga eyEUJfe...WERIW label=Authenticator%20(Feide)
2.1.15. norEduPersonServiceAuthnLevel

| Field | Value |
|---|---|
| Attribute name | norEduPersonServiceAuthnLevel (can be used with strong authentication; not mandatory) |
| Short description | Specifies which services require strong authentication for the person. |
| Example | norEduPersonServiceAuthnLevel: urn:mace:feide.no:spid:12345 urn:mace:feide.no:auth:level:fad08:3 and/or norEduPersonServiceAuthnLevel: urn:mace:feide.no:spid:all urn:mace:feide.no:auth:level:fad08:3 |
| Multivalued | Yes |
This attribute makes it possible to list the services for which a single person must use strong authentication. This can be useful, for instance, for persons who have extended rights in one or more services. Valid values are:

urn:mace:feide.no:spid:<Feide id of the service> <authentication level>
Set for a single service that the person shall log in to using strong authentication. The Feide id of a service is obtained by contacting support@feide.no.

urn:mace:feide.no:spid:all <authentication level>
Set if the person shall log in to all services using strong authentication.

For strong authentication through Feide, the URI for the authentication level is:
urn:mace:feide.no:auth:level:fad08:3
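The two strong-authentication attributes in 2.1.14 and 2.1.15, parsed the way a login flow has to parse them to answer "must this person use strong authentication for service X, and with which methods?". This is an added example, not code from the Feide documentation or from Feide; the attribute syntaxes and URN identifiers are the ones the text gives, while the function names, the AuthnMethod class and the sample values are this example's own. One inference that the page does not state: the per-person method data for the Approver/Authenticator method is the enrolment secret, so the attribute deserves the same read protection as userPassword.

```python
"""Added example (not from the Feide documentation): parse norEduPersonAuthnMethod
and norEduPersonServiceAuthnLevel values and decide whether a login to a given
service must use strong authentication. Function and class names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import unquote

SMS = "urn:mace:feide.no:auth:method:sms"
GA = "urn:mace:feide.no:auth:method:ga"
LEVEL_FAD08_3 = "urn:mace:feide.no:auth:level:fad08:3"
SPID_PREFIX = "urn:mace:feide.no:spid:"


@dataclass(frozen=True)
class AuthnMethod:
    method: str               # method identifier URN
    data: str                 # per-person method data: phone number, enrolment secret, ...
    label: str | None = None  # percent-decoded user-facing note, if any


def parse_authn_method(value: str) -> AuthnMethod:
    """Parse one norEduPersonAuthnMethod value: "<method> <data> [label=<note>]".

    'label=' may only appear together with a non-empty note; anything else is
    rejected rather than guessed at.
    """
    parts = value.split()
    if len(parts) not in (2, 3):
        raise ValueError(f"malformed norEduPersonAuthnMethod: {value!r}")
    method, data = parts[0], parts[1]
    if method not in (SMS, GA):
        raise ValueError(f"unknown method identifier {method!r}")
    label = None
    if len(parts) == 3:
        if not parts[2].startswith("label=") or parts[2] == "label=":
            raise ValueError(f"note must be 'label=<non-empty text>', got {parts[2]!r}")
        label = unquote(parts[2][len("label="):])
    return AuthnMethod(method, data, label)


def parse_service_level(value: str) -> tuple:
    """Parse one norEduPersonServiceAuthnLevel value into (spid, level)."""
    parts = value.split()
    if len(parts) != 2 or not parts[0].startswith(SPID_PREFIX):
        raise ValueError(f"malformed norEduPersonServiceAuthnLevel: {value!r}")
    return parts[0][len(SPID_PREFIX):], parts[1]


def required_level(service_levels, spid: str) -> str | None:
    """Authentication level the person needs for service `spid`, or None.

    An entry for the specific service wins; otherwise a 'spid:all' entry applies.
    """
    levels = dict(parse_service_level(v) for v in service_levels)
    return levels.get(spid, levels.get("all"))


def strong_auth_decision(authn_methods, service_levels, spid: str):
    """Return (required, methods) for a login to service `spid`.

    If strong authentication is required but the person has no registered
    method, raise: the login must fail closed, not fall back to password only.
    """
    level = required_level(service_levels, spid)
    if level is None:
        return False, []
    if level != LEVEL_FAD08_3:
        raise ValueError(f"unsupported authentication level {level!r}")
    methods = [parse_authn_method(v) for v in authn_methods]
    if not methods:
        raise ValueError(f"service {spid} requires {level} but no norEduPersonAuthnMethod is registered")
    return True, methods


if __name__ == "__main__":
    # Constructed attribute values for one person, modelled on the page's examples.
    methods = [
        "urn:mace:feide.no:auth:method:sms +4712345678 label=Work%20phone",
        "urn:mace:feide.no:auth:method:ga eyEUJfe...WERIW label=Authenticator%20(Feide)",
    ]
    levels = ["urn:mace:feide.no:spid:12345 urn:mace:feide.no:auth:level:fad08:3"]
    print(strong_auth_decision(methods, levels, "12345"))   # strong auth required, two methods
    print(strong_auth_decision(methods, levels, "99999"))   # (False, [])
```

The fail-closed branch matters: a person whose norEduPersonServiceAuthnLevel names a service but who has no norEduPersonAuthnMethod is a provisioning error, and the safe response is to refuse the login, not to let the password-only path through.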
2.2. Recommended - person
2.2.1. eduPersonEntitlement

| Field | Value |
|---|---|
| Attribute name | eduPersonEntitlement |
| Short description | Information about rights, roles and groups that this person has. |
| Example | eduPersonEntitlement: urn:mace:feide.no:sigma:confusa:admin and/or eduPersonEntitlement: urn:mace:feide.no:stillingskode:stat:1011 and/or eduPersonEntitlement: http://example.org/contracts/HEd123 |
| Multivalued | Yes |
eduPersonEntitlement holds specific rights or roles that the person has. These can be expressed as a job code or as rights in a specific service. Whenever such information exists for a person, the general recommendation is to register it in eduPersonEntitlement.

Values in eduPersonEntitlement shall be valid URIs (Uniform Resource Identifiers). We recommend the use of URNs (Uniform Resource Names). If new URN values are created for eduPersonEntitlement, they shall be registered in a registry administered by Feide. Requests for a namespace are sent to support@feide.no.
2.2.2. eduPersonOrgUnitDN

| Field | Value |
|---|---|
| Attribute name | eduPersonOrgUnitDN |
| Short description | Pointer to the LDAP node(s) that contain information about the organizational unit(s) the person is affiliated with. |
| Example | eduPersonOrgUnitDN: ou=IHK,cn=organization,dc=universitetet, dc=no |
| Multivalued | Yes |
2.2.3. eduPersonPrimaryAffiliation

| Field | Value |
|---|---|
| Attribute name | eduPersonPrimaryAffiliation |
| Short description | The person's primary role at the organization. |
| Example | eduPersonPrimaryAffiliation: student or eduPersonPrimaryAffiliation: employee |
| Multivalued | No |
eduPersonPrimaryAffiliation defines the person's primary role at the organization. This is useful, for instance, when a person is both a student and an employee at the organization. For valid values, see eduPersonAffiliation above. Note that the value used here must also be present in eduPersonAffiliation.
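The role hierarchy of 2.1.11 and the consistency rule of 2.2.3 (the primary affiliation must also be present in eduPersonAffiliation) as code a provisioning script can run over each entry: expand a person's base roles into the full value set, and report where a stored set breaks the hierarchy. This is an added example, not code from the Feide documentation or from Feide; the hierarchy is the one the text describes, and the function and variable names are this example's own.

```python
"""Added example (not from the Feide documentation): expand base roles into the
full eduPersonAffiliation set implied by the hierarchy, and check stored values
plus eduPersonPrimaryAffiliation for consistency. Names are this example's own.
"""

# Each role implies the roles listed; "member" and "affiliate" imply nothing.
# This is the hierarchy of section 2.1.11: student -> member,
# faculty/staff -> employee -> member, affiliate standing alone.
IMPLIES = {
    "student": {"member"},
    "faculty": {"employee", "member"},
    "staff": {"employee", "member"},
    "employee": {"member"},
    "member": set(),
    "affiliate": set(),
}


def expand_affiliations(base_roles):
    """Return the complete eduPersonAffiliation value set for the given base roles."""
    result = set()
    for role in base_roles:
        if role not in IMPLIES:
            raise ValueError(f"unknown eduPersonAffiliation value {role!r}")
        result.add(role)
        result |= IMPLIES[role]
    return result


def affiliation_problems(values, primary=None):
    """Return a list of human-readable problems; an empty list means consistent.

    A stored set is inconsistent when a role is present without the roles it
    implies (e.g. faculty without employee), when it contains an unknown value,
    or when eduPersonPrimaryAffiliation names a value not in eduPersonAffiliation.
    """
    values = set(values)
    problems = []
    for role in sorted(values):
        if role not in IMPLIES:
            problems.append(f"unknown value {role!r}")
            continue
        missing = IMPLIES[role] - values
        if missing:
            problems.append(f"{role!r} requires {sorted(missing)} to be present as well")
    if primary is not None and primary not in values:
        problems.append(f"eduPersonPrimaryAffiliation {primary!r} is not in eduPersonAffiliation")
    return problems


if __name__ == "__main__":
    # Constructed entries, as a provisioning script might see them.
    print(sorted(expand_affiliations({"student"})))            # ['member', 'student']
    print(sorted(expand_affiliations({"student", "staff"})))   # ['employee', 'member', 'staff', 'student']
    print(affiliation_problems({"faculty", "member"}, primary="employee"))
    print(affiliation_problems({"affiliate"}))                 # []
```

Running affiliation_problems over every entry before export catches the common drift where a role is removed from eduPersonAffiliation but eduPersonPrimaryAffiliation still names it, which services that key authorization on the primary value would otherwise act on.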
2.2.4. eduPersonPrimaryOrgUnitDN

| Field | Value |
|---|---|
| Attribute name | eduPersonPrimaryOrgUnitDN |
| Short description | Pointer to the LDAP node that contains information about the organizational unit the person has their main affiliation with. |
| Example | eduPersonPrimaryOrgUnitDN: ou=IHK,cn=organization,dc=universitetet, dc=no |
| Multivalued | No |
2.2.5. eduPersonScopedAffiliation

| Field | Value |
|---|---|
| Attribute name | eduPersonScopedAffiliation |
| Short description | The person's role together with the institution (or organizational unit) it applies to. |
| Example | eduPersonScopedAffiliation: employee@universitetet.no and/or eduPersonScopedAffiliation: employee@332244.universitetet.no and/or eduPersonScopedAffiliation: student@123321.universitetet.no |
| Multivalued | Yes |
2.2.6. eduPersonOrcid

| Field | Value |
|---|---|
| Attribute name | eduPersonOrcid |
| Short description | An ORCID is a persistent identifier for a researcher, connecting them to their publications. |
| Example | eduPersonOrcid: https://orcid.org/0000-0002-1825-0097 |
| Multivalued | Yes |
2.2.7. mobile

| Field | Value |
|---|---|
| Attribute name | mobile |
| Short description | Mobile number associated with this person. |
| Example | mobile: +47 40404040 |
| Multivalued | Yes |

mobile shall be a personal mobile number used only by the person themselves.
2.2.8. preferredLanguage

| Field | Value |
|---|---|
| Attribute name | preferredLanguage |
| Short description | The person's preferred language, given as a BCP 47 language tag (ISO 639 language code; the examples use the two-letter ISO 639-1 codes nn and nb). |
| Example | preferredLanguage: nn or preferredLanguage: nb |
| Multivalued | No |