SRAM provides information to integrated applications in the form of attributes which describe properties of users or collaborations. Some of the data used to populate these attributes are provided by a user's home institution, while others are provided by the SRAM platform.

In keeping with the privacy policy, SRAM releases the minimum set of attributes necessary for authentication and authorization. Applications only receive attributes which concern the collaboration(s) to which the application is connected.

Below is a comprehensive table of the user attributes provided to applications by SRAM for use in authentication and authorization logic. The protocol used by the application to integrate with SRAM may have an effect on the received attributes and their schema.

Where multiple attributes are listed for a given protocol, SRAM provides the same value in more than one attribute. This is useful for applications which prefer to use a given attribute over another.

User attributes

Each entry below gives the attribute, its description and example value(s), followed by the attribute name(s) under which it is released per protocol: SAML (with the attribute's OID or URN), OIDC (with the scope that releases it), and LDAP / SCIM.

Platform identifier

Unique, non-reassignable identifier suitable for use as a globally unique external key. Best non-human-readable identifier for a user.

Consists of a hash value (random hex string) scoped to SRAM.

Use this as your main identifier for users.

Example: 9f3a7c1e6b2d4a8f5c0e9b71d3a6f4c2e8b1d5a7@sram.surf.nl

SAML:
  • eduPersonUniqueId (urn:oid:1.3.6.1.4.1.5923.1.1.1.13)
  • subject-id (urn:oasis:names:tc:SAML:attribute:subject-id)
  • voPersonID (urn:oid:1.3.6.1.4.1.25178.4.1.6)
OIDC:
  • sub (scope: openid)
  • voperson_id (scope: voperson_id)
LDAP / SCIM:
  • eduPersonUniqueId
  • cn


Short platform identifier (DEPRECATED)

Human-readable platform identifier. This is a scoped version of the short username.

Available for SAML and OIDC only.

This attribute is deprecated and may be removed in the future.

Example: jvermeer@sram.surf.nl

SAML:
  • eduPersonPrincipalName (urn:oid:1.3.6.1.4.1.5923.1.1.1.6)
OIDC:
  • eduperson_principal_name (scope: eduperson_principal_name)
LDAP / SCIM:
  • not available (may be created by concatenation of userName + @sram.surf.nl)

Short username

Short, human-readable username, provided by SRAM.

Example: jvermeer

SAML:
  • uid (urn:oid:0.9.2342.19200300.100.1.1)
OIDC:
  • uid (scope: uid)
LDAP / SCIM:
  • uid

Name

Full name for display purposes, possibly including titles.

Example: Johannes Vermeer

SAML:
  • cn (urn:oid:2.5.4.3)
  • displayName (urn:oid:2.16.840.1.113730.3.1.241)
OIDC:
  • name (scope: profile)
LDAP / SCIM:
  • displayName

First name

First name

Example: Johannes

SAML:
  • givenName (urn:oid:2.5.4.42)
OIDC:
  • given_name (scope: profile)
LDAP / SCIM:
  • givenName

Surname

Last name

Example: Vermeer

SAML:
  • sn (urn:oid:2.5.4.4)
OIDC:
  • family_name (scope: profile)
LDAP / SCIM:
  • sn

Email address

Primary email address

Avoid using the email address as your primary user identifier; use the platform identifier instead.

Example: johannes.vermeer@example.org

SAML:
  • mail (urn:oid:0.9.2342.19200300.100.1.3)
OIDC:
  • email (scope: email)
LDAP / SCIM:
  • mail

Platform affiliation

SRAM platform affiliation. This attribute is currently filled with a static value: member@sram.surf

Example: member@sram.surf

SAML:
  • eduPersonScopedAffiliation (urn:oid:1.3.6.1.4.1.5923.1.1.1.9)
OIDC:
  • eduperson_scoped_affiliation (scope: eduperson_scoped_affiliation)
LDAP / SCIM:
  • eduPersonScopedAffiliation

Memberships: collaborations, collaboration groups, application groups

Membership of collaborations, collaboration groups, and application groups, expressed following AARC-G069 guidelines.

Syntax: urn:mace:surf.nl:sram:group:<orgname>:<coname>:<groupname>

In the case of application groups, the <groupname> is prefixed with the <application_shortname> and a hyphen.

Examples:
  • membership in a collaboration: urn:mace:surf.nl:sram:group:example_org:delftlandscapes
  • membership in a group inside a collaboration: urn:mace:surf.nl:sram:group:example_org:delftlandscapes:admins
  • membership in an application group inside a collaboration: urn:mace:surf.nl:sram:group:example_org:delftlandscapes:painterchat-admins

SAML:
  • eduPersonEntitlement (urn:oid:1.3.6.1.4.1.5923.1.1.1.7)
OIDC:
  • eduperson_entitlement (scope: eduperson_entitlement)
SCIM:
  • provided in the Group schema; each group references the SCIM User identifier User.eduPersonUniqueID

Collaboration label(s)

Label(s) which are assigned to the user's collaboration(s) by the collaboration's providing organisation. The syntax is similar to that of collaboration and group memberships.

Syntax: urn:mace:surf.nl:sram:label:<orgname>:<coname>:<label>

Example: urn:mace:surf.nl:sram:label:example_org:delftlandscapes:contract-12345

SAML:
  • eduPersonEntitlement (urn:oid:1.3.6.1.4.1.5923.1.1.1.7)
OIDC:
  • eduperson_entitlement (scope: eduperson_entitlement)
LDAP / SCIM:
  • businessCategory

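The group-membership and label syntaxes above are what an application has to parse before it can take an authorization decision on the eduPersonEntitlement / eduperson_entitlement values it receives. The following is an added example, not SRAM's own code: it splits each URN into its parts, distinguishes collaboration, group, and application-group memberships for a given application short name, and answers membership and label queries. The application short name `painterchat`, the function names and the sample entitlement list are constructed from the examples in the table.

```python
from dataclasses import dataclass
from typing import Iterable, Optional
GROUP_PREFIX = "urn:mace:surf.nl:sram:group:"
LABEL_PREFIX = "urn:mace:surf.nl:sram:label:"

@dataclass(frozen=True)
class Entitlement:
    kind: str  # "collaboration", "group", "application_group" or "label"
    org: str  # <orgname>
    co: str  # <coname>
    name: Optional[str] = None  # full <groupname> (application prefix included) or <label>

def parse_entitlement(value: str, app_shortname: str) -> Optional[Entitlement]:
    """Parse one eduPersonEntitlement value; None for anything that is not an SRAM URN."""
    if value.startswith(GROUP_PREFIX):
        parts = value[len(GROUP_PREFIX):].split(":")
        if len(parts) == 2:
            return Entitlement("collaboration", parts[0], parts[1])
        if len(parts) == 3:
            org, co, group = parts
            # Application groups are "<application_shortname>-<groupname>"; an ordinary group whose name starts with that prefix cannot be told apart here.
            kind = "application_group" if group.startswith(app_shortname + "-") else "group"
            return Entitlement(kind, org, co, group)
    elif value.startswith(LABEL_PREFIX):
        parts = value[len(LABEL_PREFIX):].split(":")
        if len(parts) == 3:
            return Entitlement("label", parts[0], parts[1], parts[2])
    return None  # unknown or malformed: never grant access on it

def is_member(entitlements: Iterable[str], app_shortname: str, org: str, co: str,
              group: Optional[str] = None) -> bool:
    """True if the user is in collaboration org:co and, if given, in group `group` inside it."""
    parsed = [e for e in (parse_entitlement(v, app_shortname) for v in entitlements) if e]
    in_co = any(e.kind == "collaboration" and (e.org, e.co) == (org, co) for e in parsed)
    if group is None:
        return in_co
    return in_co and any(e.kind in ("group", "application_group")
                         and (e.org, e.co, e.name) == (org, co, group) for e in parsed)

def labels(entitlements: Iterable[str], app_shortname: str, org: str, co: str) -> set:
    """Labels the providing organisation attached to collaboration org:co."""
    return {e.name for e in (parse_entitlement(v, app_shortname) for v in entitlements)
            if e and e.kind == "label" and (e.org, e.co) == (org, co)}

# Constructed sample claim value, built from the examples in the table above.
SAMPLE_ENTITLEMENTS = [
    "urn:mace:surf.nl:sram:group:example_org:delftlandscapes",
    "urn:mace:surf.nl:sram:group:example_org:delftlandscapes:admins",
    "urn:mace:surf.nl:sram:group:example_org:delftlandscapes:painterchat-admins",
    "urn:mace:surf.nl:sram:label:example_org:delftlandscapes:contract-12345"]
```

Values that do not match either SRAM syntax are ignored rather than treated as a match, so an unrelated entitlement from another source can never satisfy a check.
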
SSH public key

Public SSH key which the user has configured to log into back-end systems.

Only present if supplied by the user.

Example: see SSH ciphers

SAML:
  • sshPublicKey (urn:oid:1.3.6.1.4.1.24552.500.1.1.1.13)
OIDC:
  • ssh_public_key (scope: ssh_public_key)
LDAP / SCIM:
  • sshPublicKey

Institutional identifier

User's identifier in their home institution.

Only present if supplied by the user's home institution.

Example: j.vermeer@example.org

SAML:
  • voPersonExternalID (urn:oid:1.3.6.1.4.1.25178.4.1.5)
OIDC:
  • voperson_external_id (scope: voperson_external_id)
LDAP / SCIM:
  • voPersonExternalId

Institutional affiliation

User's role(s) in their home institution.

Only present if supplied by the user's home institution.

Example: employee@example.org

SAML:
  • voPersonExternalAffiliation (urn:oid:1.3.6.1.4.1.25178.4.1.11)
OIDC:
  • voperson_external_affiliation (scope: voperson_external_affiliation)
LDAP / SCIM:
  • voPersonExternalAffiliation

Status

Status of the user; possible values are active and expired (for users whose membership has expired or who are inactive).

Available for LDAP and SCIM only.

Example: active

SAML:
  • not available (users able to authenticate via SAML are always active)
OIDC:
  • not available (users able to authenticate via OIDC are always active)
LDAP / SCIM:
  • voPersonStatus

Inactive days

Approximate number of days since the user last authenticated to either SRAM or an SRAM-connected application via SAML or OIDC, rounded down.

Value can be one of:

  • 1, 2, 3, 4, 5, 6
  • 7, 14, 21, 28
  • 30, 60, 90, 120, 150, 180, 210, 240, 270, 300, 330, 360
  • 365, 730, 1095, ...

Available for LDAP and SCIM only.

Example: 14

SAML:
  • not available (users able to authenticate via SAML always have zero inactive days)
OIDC:
  • not available (users able to authenticate via OIDC always have zero inactive days)
LDAP / SCIM:
  • sramInactiveDays

Other attributes

In addition to the user attributes mentioned above, SRAM provides additional attributes about collaborations, groups, and/or applications via LDAP and/or SCIM: