2. Terminology#

Årstrinn

Students grouped in year of the education they are attending to. Example is after kindergarten the persons starts in årstrinn 1. Then proceeds to årstrinn 2 the next year.

Studieprogram

Program of study. A student is typically admitted to a particular studieprogram

Kull

All students in a studieprogram admitted in a given year

Klasse

A subdivision of a kull

3. Person#

3.1. Mandatory - person#

3.1.1. cn#

Attribute name cn
Short description General node name with person-information
Example cn: Arnt Nordmann
and/or
cn: olanor123
Multivalued Yes

3.1.2. displayName#

Attribute name displayName
Short description Person's preferred name.
Example displayName: Ola Nordmann
Multivalued No

3.1.3. norEduPersonLegalName#

Attribute name norEduPersonLegalName
Short description Person's legal name. Example can be person's name registered within Folkeregisteret.
Example norEduPersonLegalName: Arnt Ola Olsen Nordmann
Multivalued No

3.1.4. givenName#

Attribute name givenName
Short description Person's first name.
Example givenName: Ola
Multivalued Yes

3.1.5. sn#

Attribute name sn
Short description Person's surname.
Example sn: Nordmann
and/or
sn: Olsen Nordmann
Multivalued Yes

3.1.6. eduPersonPrincipalName#

Attribute name eduPersonPrincipalName
Short description Full Feide name.
Example eduPersonPrincipalName: olanor123@skotthyll.kommune.no
Multivalued No

eduPersonPrincipalName Is per definition non case sensitive.

OlaNor123@uin.no is the same Feide name as olanor123@uin.no. Even though the eduPersonPrincipalName is per definition non case sensitive, it will be added to the Feide catalogue in lower case for the sake of compatibility with other systems

eduPersonPrincipalName should never be reused by a new person. The organization has to ensure that eduPersonPrincipalName is unique. If the organization chooses to reuse a eduPersonPrincipalName which is not in active use, the organization itself is responsible of making sure that this does not lead to any issues. For instance, eduPersonPrincipalName might have been used as an identifier in external systems/services, and this is something the organization has to take into consideration.

eduPersonPrincipalName is comprised of two parts: <user>@<realm>. Note that when the domain name is used as realm, this should be subject to a domain that the host organization is the registered owner for.

The first part of eduPersonPrincipalName (before “@”) should equal uid.

3.1.7. uid#

Attribute Name uid
Short description The person's local username at the school-owner.
Example uid: olanor123
Multivalued Yes

Even though uid is multivalued in the first place, one should only register one value for this field. uid is non case sensitive, but should be entered into the catalogue in the same manner as eduPersonPrincipalName, alas in lower case. The first part of eduPersonPrincipalName shall be comprised of uid, before “@”.

3.1.8. norEduPersonNIN#

Attribute Name norEduPersonNIN
Short description National identity number.
Example norEduPersonNIN: 28089533134
Multivalued No

norEduPersonNIN Shall be a unique identification number issued by Folkeregisteret or Utlendingsdirektoratet (UDI):

  • National identity number

  • D-number

  • DUF-number

If a person does not have any of these numbers, no value should be registered within norEduPersonNIN for this person

A person can have a user in Feide without a value in norEduPersonNIN. This will not be an issue for most services, but for services that depend on norEduPersonNIN, the school-owner will have to find other solutions to grant access to the service for the user.

Locally issued national identity numbers can be added to norEduPersonLIN_GO.

3.1.9. userPassword#

Attribute Name userPassword
Short description Person's password for Feide login.
Example userPassword: {CRYPT}$6$ufxrIZTs$hl3ocEOAb01o3HC1yk1DUTD6aaHnH7xD5ZDFCH9xnoNUWZky6lt0/
Multivalued Yes

Even though userPassword is multivalued in the first place, it is common to register only one password in this field.

In this document, userPassword is set as a mandatory attribute because all users have to have one password at login. It’s worth mentioning that a password can be handled automatically by the catalogue system, and the need to handle this directly might not be needed. As long as each person can perform authentication towards the catalogue system, and thus Feide, with a concrete password.

3.1.10. eduPersonOrgDN#

Attribute Name eduPersonOrgDN
Short description Pointer to the LDAP node that contains information about the school-owner affiliated with the person.
Example eduPersonOrgDN: dc=Skotthyll,dc=kommune,dc=no
Multivalued No

3.1.11. eduPersonOrgUnitDN#

Attribute Name eduPersonOrgUnitDN
Short description Pointer to the LDAP node that contains information about the organizational unit(s) affiliated with the person.
Example eduPersonOrgDN: ou=Hylla skole,cn=organization,dc=Skotthyll,dc=kommune,dc=no
Multivalued Yes

eduPersonOrgUnitDN is mandatory for persons affiliated with a school. For those persons that needs a Feide user on a day to day basis, but having no affiliation with a school, there shall not be registered any value within eduPersonOrgUnitDN

3.1.12. eduPersonPrimaryOrgUnitDN#

Attribute Name eduPersonPrimaryOrgUnitDN
Short description Pointer to the LDAP node that contains information about the organizational unit that the person has its main affiliation to.
Example eduPersonPrimaryOrgUnitDN: ou=Hylla skole,cn=organization,dc=Skotthyll,dc=kommune,dc=no
Multivalued No

For clarification, the value used within eduPersonPrimaryOrgUnitDN also has to be present within eduPersonOrgUnitDN

3.1.13. eduPersonAffiliation#

Attribute Name eduPersonAffiliation
Short description Roles at school-owner.
Example eduPersonAffiliation: member
eduPersonAffiliation: student

or

eduPersonAffiliation: faculty
eduPersonAffiliation: employee
eduPersonAffiliation: member
Multivalued Yes

eduPersonAffiliation contains information about the person’s general roles at the organization. Within figure 2 a small set of general roles have been presented as a hierarchy.

A student will have all of these values:

  • eduPersonAffiliation: student

  • eduPersonAffiliation: member

A pedagogical employee will have all these values:

  • eduPersonAffiliation: faculty

  • eduPersonAffiliation: employee

  • eduPersonAffiliation: member

A non pedagogical employee will have all these values:

  • eduPersonAffiliation: staff

  • eduPersonAffiliation: employee

  • eduPersonAffiliation: member

The value “affiliate” is used to express that a person is affiliated with the organization, but without any formal contracts related to employment or a position as student(for example students attending a private school)

  • eduPersonAffiliation: affiliate

A person can have multiple roles, for instance both be an employee and a student:

  • eduPersonAffiliation: student

  • eduPersonAffiliation: staff

  • eduPersonAffiliation: employee

  • eduPersonAffiliation: member

Figure showing the role hierarchy for eduPersonAffiliation values. Shows a tree structure with different branches for affiliation values. There are four branches off the root - "member", "affiliate", "alum" and "library-walk-in". The branches for "affiliate", "alum" and "library-walk-in" have no additional affiliations. The "member" affiliation has two child branches - "student" and "employee". The "employee" branch has two additional child branches - "faculty" and "staff". The "student" branch does not have any additional branches.

Figure 2 : Role hierarchy#

3.1.14. eduPersonEntitlement#

Attribute Name eduPersonEntitlement
Short description Information about rights, roles and groups that this person has.
Example Example for årstrinn:
eduPersonEntitlement:
urn:mace:feide.no:go:grep:http://psi.udir.no/laereplan/aarstrinn/aarstrinn6

Example for studieprogram:
eduPersonEntitlement:
urn:mace:feide.no:go:grep:http://psi.udir.no/ontologi/utdanningsprogram/studiespesialisering

Example for basis-group:
eduPersonEntitlement:
urn:mace:feide.no:go:group:b::NO975278964:6A:2014-08-01:2015-06-15:student:Klasse%206A

Example for educational group:
eduPersonEntitlement:
urn:mace:feide.no:go:group:u:NOR1211:NO974558386:3aaa%2F3nh:2014-08-01:2015-06-15:student:Norsk%20hovedm%C3%A5l%20VG3

Example for other group:
eduPersonEntitlement:
urn:mace:feide.no:go:group:a::NO974558386:3fysa%2Flb3:2014-08-01:2014-12-31:student:Labgruppe%203%20Fysikk%20VG3

Example for group-IDs:
eduPersonEntitlement:
urn:mace:feide.no:go:groupid:b:NO975278964:6a:2014-08-01:2015-06-15
eduPersonEntitlement:
urn:mace:feide.no:go:groupid:u:NO974558386:3aaa%2F3nh:2014-08-01:2015-06-15
eduPersonEntitlement:
urn:mace:feide.no:go:groupid:a:NO974558386:3fysa%2Flb3:2014-08-01:2014-12-31
Multivalued Yes

eduPersonEntitlement contains specific rights or roles that the person has. This can be expressed as a job code or specific rights related to a specific service. As long as any such information is present for a person, the general recommendation is that this is registered within eduPersonEntitlement

Values used in the field for eduPersonEntitlement shall be valid URIs(Uniform Resource Identifier). We recommend the use of URNs(Uniform Resource Name).

If new URN values for eduPersonEntitlement are created, these shall be registered within a register that is administered by Feide. Requests for issuing namespace is sent to email: support@feide.no

For lower education, information about a person’s årstrinn, studieprogram, program area and class shall be registered within the attribute eduPersonEntitlement, using codes from utdanningsdirektoratets Grep framework. årstrinn, studieprogram and program area are mandatory, meaning that the attribute shall be present and shall have content. Students in lower education are not affiliated with a studieprogram and program area, and shall not have these filled out. Grep codes shall be prefixed with the string “urn:mace:feide.no:go:grep:”. The person’s information regarding årstrinn, studieprogram and program area is not connected to every school, but the sum of the person’s values with all the schools they are affiliated with. See Registration of Grep codes in eduPersonEntitlement for detailed information.

Information regarding person’s affiliations to groups shall be registered in the attribute eduPersonEntitlement. Student and teacher affiliations to basis-groups/classes and educational groups are mandatory, and must be filled out. Affiliations to other types of groups can be filled out. Group information shall be prefixed with the string “urn:mace:feide.no:go:group:”. The person’s information about groups is constructed in such a way that it is connected to each school the person belongs to. See Registration of group information in eduPersonEntitlement for detailed information.

Information about person’s group-IDs shall be registered in the attribute eduPersonEntitlement. It is mandatory to fill out the group identifiers to groups that the person belongs to as described in the section above. group-IDs shall be prefixed with the string “urn:mace:feide.no:go:groupid:” and have strict demands for how it is constructed. See Registration of group-IDs in eduPersonEntitlement. for detailed information.

3.1.15. norEduPersonAuthnMethod#

Attribute Name norEduPersonAuthnMethod (Only mandatory when used with strong authentication)
Short description List of methods for strong authentication which are available for the person.
Example norEduPersonAuthnMethod:
urn:mace:feide.no:auth:method:sms +4712345678 label=Work%20phone

and/or

norEduPersonAuthnMethod:
urn:mace:feide.no:auth:method:ga eyEUJfe...WERIW
Multivalued Yes

This attribute is mandatory for persons logging into services with strong authentication. Valid values are constructed in this manner: <identifier for method> <method-data specific for the person> <optional "note">

Identifier for SMS: urn:mace:feide.no:auth:method:sms

Identifier for Approver/Authenticator: urn:mace:feide.no:auth:method:ga

Method for authentication can be marked with an optional note to show a user friendly text, and provide separation for the different methods. The marking label= shall only be present when there is a note, and it shall not be empty.

Examples:

When using one time password for sms:

  • norEduPersonAuthnMethod: urn:mace:feide.no:auth:method:sms +4712345678 label=Work%20phone

When using the method one time password on sms, without note:

  • norEduPersonAuthnMethod: urn:mace:feide.no:auth:method:sms +4712345678

When using the method Approver/Authenticator:

  • urn:mace:feide.no:auth:method:ga eyEUJfe...WERIW label=Authenticator%20(Feide)

3.1.16. norEduPersonServiceAuthnLevel#

Attribute Name norEduPersonServiceAuthnLevel (Can be used with strong authentication, and is not mandatory)
Short description Specifies which services that requires strong authentication
Example norEduPersonServiceAuthnLevel:
urn:mace:feide.no:spid:12345 urn:mace:feide.no:auth:level:fad08:3

and/or

norEduPersonServiceAuthnLevel:
urn:mace:feide.no:spid:all urn:mace:feide.no:auth:level:fad08:3
Multivalued Yes

This attribute provides the possibility to list which services a single person can utilize strong authentication for. This can for instance be useful for persons that have extended rights to one or more services. Valid values are:

  • urn:mace:feide.no:spid:<Feide-id for service> <level of authentication>: Is set for a single service that the person will log in to using strong authentication. The Feide-id for a service can be found below the service logo on the page of the service in the customer portal.

  • urn:mace:feide.no:spid:all <level of authentication>: Is set if the person shall log in to all services using strong authentication.

For strong authentication through Feide, the uri for authentication level is: urn:mace:feide.no:auth:level:fad08:3