Whenever a user attempts to access a connected service, WAYF forwards information about the user to the service from the institution or identity provider where the user authenticates. Each service receives only the minimum amount of user information the service provider needs in order to deliver the service.
WAYF supports forwarding the kinds of user information, or attributes, listed below. Each attribute is defined, with regard to usage and form, by the standardisation body maintaining the schema to which the attribute belongs. The list below links to the authoritative definition of each attribute and details any special usage within WAYF. The set of supported attributes is expanded as needed.
Values of attributes marked with an asterisk (*) WAYF's identity providers MUST supply; other attributes they are free to supply to the extent that the services used need them. Values of attributes marked with a double asterisk (**) have been approved by WAYF and are delivered by WAYF on behalf of the identity providers. For attributes marked with an obelisk (†), WAYF calculates any value the identity provider does not supply itself, provided the identity provider supplies a basis for the calculation in the form of the value of a different attribute.
On the wire, WAYF names the attributes either as in the list below or in the so-called URN:OID format (urn:oid: followed by the attribute's object identifier). Each service provider can choose which of the two name formats WAYF uses in communicating with its service. The attribute names themselves can also be customised for a particular service.
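To show what the two name formats look like from the service provider's side, here is an added example (not WAYF's code, and not code from this page) of an SP-side routine that reads the AttributeStatement of an already-verified SAML assertion and maps either kind of Name back to the friendly names used in the list below. The OIDs in the table are the registered ones from the X.520, eduPerson and SCHAC schemas, which the page itself does not list; the sample assertion is constructed, and it mixes both name formats only so that both branches run, whereas a real WAYF assertion uses the one format the SP chose.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEFORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"      # urn:oid:... names
NAMEFORMAT_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"  # friendly names

# Friendly name -> OID for a subset of the attributes on this page. The OIDs come from
# the X.520, eduPerson and SCHAC schemas, not from the page (gn is registered as givenName).
OID_BY_NAME = {
    "cn": "2.5.4.3",
    "sn": "2.5.4.4",
    "gn": "2.5.4.42",
    "mail": "0.9.2342.19200300.100.1.3",
    "eduPersonPrincipalName": "1.3.6.1.4.1.5923.1.1.1.6",
    "eduPersonScopedAffiliation": "1.3.6.1.4.1.5923.1.1.1.9",
    "schacHomeOrganization": "1.3.6.1.4.1.25178.1.2.9",
}
NAME_BY_OID = {oid: name for name, oid in OID_BY_NAME.items()}

def wire_name(friendly: str, use_oid: bool) -> str:
    """The Name WAYF would put on the wire for the format the SP has chosen."""
    return f"urn:oid:{OID_BY_NAME[friendly]}" if use_oid else friendly

def canonical_name(name: str, name_format: Optional[str]) -> Optional[str]:
    """Map a wire Name back to its friendly name; None if the attribute is not one we know."""
    if name.startswith("urn:oid:"):
        return NAME_BY_OID.get(name[len("urn:oid:"):])
    if name_format in (None, NAMEFORMAT_BASIC):
        return name if name in OID_BY_NAME else None
    return None

def parse_attributes(assertion_xml: str) -> Dict[str, List[str]]:
    """Collect the AttributeStatement into {friendly name: [values]}, whichever
    name format was used; unknown attributes are dropped rather than trusted."""
    root = ET.fromstring(assertion_xml)
    attrs: Dict[str, List[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        friendly = canonical_name(attr.get("Name", ""), attr.get("NameFormat"))
        if friendly is None:
            continue
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(friendly, []).extend(values)
    return attrs

# Constructed sample statement. A real WAYF assertion uses one format throughout;
# this one mixes both so each branch of canonical_name is exercised.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS['saml']}">
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="{NAMEFORMAT_URI}">
      <saml:AttributeValue>jdoe@example.dk</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="{NAMEFORMAT_URI}">
      <saml:AttributeValue>staff@example.dk</saml:AttributeValue>
      <saml:AttributeValue>member@example.dk</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="cn" NameFormat="{NAMEFORMAT_BASIC}">
      <saml:AttributeValue>Jane Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:9.9.9.9" NameFormat="{NAMEFORMAT_URI}">
      <saml:AttributeValue>ignored</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(parse_attributes(SAMPLE_ASSERTION))
```

The parser assumes the assertion's signature has already been checked by the SAML library in front of it; it only normalises names, and it deliberately drops attributes it does not recognise instead of passing them through to application code.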
- cn*: full name.
- cvrNumberIdentifier**: Danish Business Registry ("CVR") number. WAYF forwards it to the governmental "Statens SSO" SP.
- displayName†: display name. WAYF sets it to the value of cn if the identity provider does not supply it.
- eduPersonAffiliation†: roles with the identity provider. WAYF supplements the values based on the value of eduPersonPrimaryAffiliation.
- eduPersonAssurance*: reliability of identity. The value is 3 for a verified user authenticated using multiple factors, 2 for a verified user authenticated with a single factor, and 1 if the identity provider has not verified the user at all; these definitions are inspired by, but not identical to, those of NIST 800-63-2. In addition, the user's organisation may send further values (possibly several at once) defined in specific identity-assurance frameworks, notably the REFEDS Assurance Framework, which is becoming the international standard for identity assurance within research and higher education.
- eduPersonEntitlement: special rights at the service.
- eduPersonPrimaryAffiliation*: primary role with the identity provider. In WAYF this is generally staff for users on the identity provider's payroll; faculty and employee are not in systematic use. If the user has multiple roles, the organisation should send here the value that will grant the user access to most resources, and send this value together with the user's other values in eduPersonAffiliation.
- eduPersonPrincipalName*: user ID within the organisation. Once issued, a value must never be re-assigned by the organisation to a different person; otherwise someone could gain access to someone else's online data, in violation of GDPR:5(1)f.
- eduPersonScopedAffiliation†: roles at the identity provider's domain(s). In WAYF a value is also interpreted as the user's role within a group named @(group ID).org.dk, where org.dk is a domain of the identity provider's. WAYF supplements the set of values based on the values of eduPersonAffiliation and that of schacHomeOrganization.
- eduPersonTargetedID**: persistent user ID at the service. In WAYF it has the format WAYF-DK-(hash value) and is generated by WAYF from the value of eduPersonPrincipalName.
- entryUUID: unique serial number of the user's record in the identity provider's user registry. Needed by the governmental "Statens SSO" SP; corresponds to the ObjectGUID of a Microsoft AD.
- gn*: given names. When NemID is the identity provider, set to the value of cn minus the last name in that value.
- isMemberOf: group memberships within the identity provider.
- mail: e-mail addresses. These cannot be used for identifying users, as WAYF guarantees neither that the values are persistent nor that they are unique to the user; a service provider doing so risks violating GDPR:5(1)f. Also read here why e-mail addresses are better avoided as user identifiers.
- mobile: cell phone number. WAYF can forward it to the governmental "Statens SSO" SP for use there as a second factor.
- norEduPersonLIN: local identification number with the identity provider.
- organizationName*: display name of the identity provider.
- preferredLanguage: preferred languages.
- sn*: surnames. When NemID is the identity provider, set to the last name in the value of cn.
- schacCountryOfCitizenship: countries of citizenship.
- schacHomeOrganization**: the identity provider's unique ID. Must be a DNS domain controlled by the identity provider.
- schacHomeOrganizationType**: type of the identity provider's organisation. The value is higherEducationalInstitution if the organisation chiefly offers further-education programmes, educationalInstitution for other educational institutions, universityHospital for university hospitals, NRENAffiliate for the WAYF Orphanage, and other for all other identity providers.
- schacPersonalUniqueCode: unique code. Used for transporting the European Student Identifier.
- schacPersonalUniqueID: national unique ID. Contains the user's Danish CPR number, formatted as urn:mace:terena.org:schac:personalUniqueID:dk:CPR:(CPR-no.-without-hyphen). The CPR number is released only to public-sector data controllers, and only to those approved by the user organisation requesting the receiving service connected to WAYF.
- schacDateOfBirth†: date of birth. If not supplied by the identity provider, WAYF calculates it from the value of schacPersonalUniqueID.
- schacYearOfBirth†: year of birth. If not supplied by the identity provider, WAYF calculates it from the value of schacPersonalUniqueID.
- uid†: raw user ID with the identity provider. WAYF sets it to the local part of eduPersonPrincipalName if the identity provider does not supply the value itself.
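The list above describes several derivations (the obelisk-marked attributes) and several rules a service provider should respect (never key records on mail, rely on eduPersonTargetedID or eduPersonPrincipalName, read eduPersonAssurance as 3/2/1, and expect eduPersonScopedAffiliation scopes to be the identity provider's domain or a group subdomain of it). The following is an added example, not WAYF's own code and not from this page, that applies those rules on the SP side to a constructed attribute set. Assumptions not stated on the page: the century rule for a CPR number (taken from the 7th digit, the Danish CPR convention), schacDateOfBirth in the SCHAC YYYYMMDD form, a WAYF-DK- prefix as the only thing checked about eduPersonTargetedID, and the REFEDS IAP value used purely as an example of a non-numeric assurance value.

```python
import re
from datetime import date
from typing import Dict, List, Optional

Attrs = Dict[str, List[str]]  # multi-valued attributes as the SP sees them, names as on this page

CPR_URN_PREFIX = "urn:mace:terena.org:schac:personalUniqueID:dk:CPR:"
TARGETED_ID_RE = re.compile(r"^WAYF-DK-\S+$")  # page only gives the WAYF-DK-(hash value) shape

def first(attrs: Attrs, name: str) -> Optional[str]:
    """First value of a multi-valued attribute, or None if absent or empty."""
    values = attrs.get(name) or []
    return values[0] if values else None

def cpr_to_date(cpr: str) -> date:
    """Date of birth from a 10-digit CPR (DDMMYY + serial). The century comes from the
    7th digit per the Danish CPR convention; that rule is an assumption, not on the page."""
    if not re.fullmatch(r"\d{10}", cpr):
        raise ValueError("CPR must be 10 digits without hyphen")
    day, month, yy, seventh = int(cpr[:2]), int(cpr[2:4]), int(cpr[4:6]), int(cpr[6])
    if seventh <= 3:
        century = 1900
    elif seventh in (4, 9):
        century = 2000 if yy <= 36 else 1900
    else:  # 5, 6, 7, 8
        century = 2000 if yy <= 57 else 1800
    return date(century + yy, month, day)

def supplement(attrs: Attrs) -> Attrs:
    """Fill in the obelisk-marked (†) attributes as the page says WAYF does,
    never overwriting a value the identity provider supplied itself."""
    out = {k: list(v) for k, v in attrs.items()}
    cn, eppn = first(out, "cn"), first(out, "eduPersonPrincipalName")
    if not out.get("displayName") and cn:
        out["displayName"] = [cn]                      # displayName <- cn
    if not out.get("uid") and eppn and "@" in eppn:
        out["uid"] = [eppn.split("@", 1)[0]]           # uid <- local part of ePPN
    affiliations = list(out.get("eduPersonAffiliation", []))
    primary = first(out, "eduPersonPrimaryAffiliation")
    if primary and primary not in affiliations:
        affiliations.append(primary)                   # ePA <- ePA + ePPA
    if affiliations:
        out["eduPersonAffiliation"] = affiliations
    home = first(out, "schacHomeOrganization")
    if home and affiliations:                          # ePSA <- ePA @ schacHomeOrganization
        scoped = list(out.get("eduPersonScopedAffiliation", []))
        for role in affiliations:
            if f"{role}@{home}" not in scoped:
                scoped.append(f"{role}@{home}")
        out["eduPersonScopedAffiliation"] = scoped
    puid = first(out, "schacPersonalUniqueID")
    if puid and puid.startswith(CPR_URN_PREFIX):
        born = cpr_to_date(puid[len(CPR_URN_PREFIX):])
        out.setdefault("schacDateOfBirth", [born.strftime("%Y%m%d")])  # SCHAC YYYYMMDD (assumed)
        out.setdefault("schacYearOfBirth", [str(born.year)])
    return out

def user_key(attrs: Attrs) -> str:
    """Stable per-user key for the SP's own records. mail is never considered:
    the page says its values are neither persistent nor unique to the user."""
    tid = first(attrs, "eduPersonTargetedID")
    if tid and TARGETED_ID_RE.match(tid):
        return tid
    eppn = first(attrs, "eduPersonPrincipalName")
    if eppn:
        return eppn
    raise ValueError("no usable user identifier in assertion")

def assurance_level(attrs: Attrs) -> int:
    """Highest numeric eduPersonAssurance value (3 = MFA, 2 = single factor, 1 = unverified);
    framework URIs such as REFEDS values are left aside here."""
    levels = [int(v) for v in attrs.get("eduPersonAssurance", []) if v.isdigit()]
    return max(levels, default=0)

def scopes_belong_to_home(attrs: Attrs) -> bool:
    """Every eduPersonScopedAffiliation scope must be schacHomeOrganization itself
    or a subdomain of it (the page's @(group ID).org.dk form)."""
    home = first(attrs, "schacHomeOrganization")
    if not home:
        return False
    for value in attrs.get("eduPersonScopedAffiliation", []):
        scope = value.rsplit("@", 1)[-1] if "@" in value else ""
        if scope != home and not scope.endswith("." + home):
            return False
    return True

# Constructed sample of what an identity provider might send; not real data.
SAMPLE_FROM_IDP: Attrs = {
    "cn": ["Jane Doe"],
    "eduPersonPrincipalName": ["jdoe@example.dk"],
    "eduPersonPrimaryAffiliation": ["staff"],
    "eduPersonAffiliation": ["member"],
    "eduPersonAssurance": ["2", "https://refeds.org/assurance/IAP/medium"],
    "eduPersonScopedAffiliation": ["member@project-x.example.dk"],
    "schacHomeOrganization": ["example.dk"],
    "schacPersonalUniqueID": [CPR_URN_PREFIX + "0101901234"],
}

if __name__ == "__main__":
    enriched = supplement(SAMPLE_FROM_IDP)
    print(enriched, user_key(enriched), assurance_level(enriched), scopes_belong_to_home(enriched))
```

A service that gates a sensitive resource on multi-factor login would require `assurance_level(attrs) == 3`; one that only needs to know the user is a verified member of the organisation can accept 2. The scope check is the cheap defence against an assertion that claims a role at a domain the asserting identity provider does not own.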