SAML Identity Provider as a Service

Easy. Secured. Trusted. Inexpensive.

Get started

Docs

SAML stuff

Supported attributes

The following SAML attributes are supported for all hosted Identity Providers:

  • sn (urn:oid:2.5.4.4)

    Contains the user's surname.

  • givenName (urn:oid:2.5.4.42)

    Contains the user's given name.

  • displayName (urn:oid:2.16.840.1.113730.3.1.241)

    Name of the person in a form the user (or his or her organization) probably wants to be shown.

  • mail (urn:oid:0.9.2342.19200300.100.1.3)

    Preferred address for the "to:" field of email to be sent to this person. The address in this attribute cannot be assumed to represent an organizationally-assigned contact address for a user established as part of a strong identity-proofing process.

  • eduPersonPrincipalName (urn:oid:1.3.6.1.4.1.5923.1.1.1.6)

    A single value of the form user@scope, where scope is a DNS-like subdomain representing the security domain of the user ("foobar.example.org" or own domain of the organization added to the Identity Provider on admin page) and user is an arbitrary persistent key which unambiguously maps to a person within an organization.

  • eduPersonTargetedID (urn:oid:1.3.6.1.4.1.5923.1.1.1.10)

    A single string value of no more than 256 characters that uniquely identifiers a user in an opaque, privacy-preserving fashion. The value will be different for a given user for each service provider to which a value is sent, to prevent correlation of activity between service providers.

  • eduPersonScopedAffiliation (urn:oid:1.3.6.1.4.1.5923.1.1.1.9)

    Multiple values of the form value@scope, where scope is a DNS-like subdomain representing the organization or sub-organization of the affiliation ("foobar.example.org" or own domain of the organization added to the Identity Provider on admin page) and value is one of:

    • member
    • student
    • employee
    • faculty
    • staff
    • alum
    • affiliate
    • library-walk-in

    Affiliation is a high-level expression of the relationship of the user to the university or organization specified in the scope. A user can possess many affiliations, though some values are mutually exclusive. This attribute is often made available to any service provider, and is a good way to filter or block users of a given general type. In particular, "member" is an indication that the user is somebody with relatively official standing with a university at the present time, and does not apply to guests, other temporary accounts, terminated employees, unpaid/unregistered students, and other exceptional cases.

  • schacHomeorganizationType (urn:oid:1.3.6.1.4.1.5923.1.1.1.9)

    The type of the organization, one of the following values:

    • school
    • university
    • other
    • business

Test attribute release

Use attributes.eduid.ubuntunet.net for testing which attributes are released about a user. This is a real Service Provider, it knows all eduid.ubuntunet.net Identity Providers.

Entity Categories

Your Identity Provider supports the Research and Scholarship Entity Category
When your users access a Service Provider which has the Research and Scholarship Entity Category the following attributes are released if consent is also given:

  • eduPersonPrincipalName
  • displayName
  • mail
  • eduPersonScopedAffiliation

Scopes

Your Identity Provider has a default scope under the main domain. It is perfectly fine but for production usage we recommend to use a domain name that belongs to your organization. Before we start using your domain name as a scope, we verify that it exists and it is under your control. Please create a TXT record in your domain name's DNS zone with the content of the hash you can find in the IdP's edit page.

Custom Service Providers

You can add any Service Provider exclusively for your Identity Provider, without participating any federation. It is a good option for testing purposes, or if a Service Provider is not part of the federation as your Identity Provider is.


User management

Registering users

You, as an administrator, can add users one by one, or upload the information about them in a CSV file. All fields are required, and after the user is created, the username cannot be modified.

Passwords

You cannot set a password for a user. When you register or activate a user, a token will be sent to the user directly by email, using whic he or she can set their password. All passwords are strongly hashed and kept securely.

Setting user status

If a user is enabled, he or she can login via the Identity Provider, if disabled, it is not allowed. A user with disabled status can be enabled again anytime, but after one year, the user is removed from the user list.

Deleting users

If you delete a user, all data except from their username gets deleted immediately and irrevocably. The username is added to an internal list of deleted user identifiers in order to prevent future reassignment.


Identity Federations

We know the following federations (approx. 8500 Service Providers). If you can't find the one you want to collaborate with, please do not hesitate to contact us.

Federation Contact URL Contact email
eduGAIN https://mds.edugain.org/edugain-v2.xml edugain-ops@geant.org
eduID.africa https://www.eduid.africa/ eduid-operations@ren.africa