Rapid Connect Integration

Last updated: 21 March 2025

Provided Claims and Attributes

The following claims are provided by AAF Rapid Connect:

| Claim | Definition |
| --- | --- |
| iss | Identifies the principal that issued the JWT. For AAF Rapid Connect this is always https://rapid.aaf.edu.au in the production environment, and https://rapid.test.aaf.edu.au in the test environment. |
| iat | Identifies the time at which the JWT was issued. |
| jti | Provides a unique identifier for the JWT that can be used to prevent the JWT from being replayed. |
| nbf | Identifies the time before which the JWT MUST NOT be accepted for processing. |
| exp | Identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. |
| typ | Declares a type for the contents of this JWT Claims Set in an application-specific manner, in contexts where this is useful to the application. |
| aud | Identifies the audiences that the JWT is intended for. Each principal intended to process the JWT MUST identify itself with a value in the audience claim. For Rapid Connect this is the value of your application's primary URL (provided as part of service registration). |
| sub | Identifies the principal that is the subject of the JWT. For Rapid Connect this is the same value supplied as edupersontargetedid within https://aaf.edu.au/attributes, as documented below. |
| https://aaf.edu.au/attributes | Contains a set of personally identifiable information associated with sub, as provided by the remote AAF connected identity provider. |


Timestamps (iat, nbf and exp) are defined by the specification as IntDate values: a JSON numeric value representing the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time.
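The claim rules above, applied to a decoded claims set, as an added example (not code from AAF or the Rapid Connect service). It assumes the JWT signature has already been verified before this step, that the caller persists the set of seen jti values, and uses a constructed sample claims set with placeholder identifiers:

```python
import time

# Expected issuer for each environment, exactly as the page lists them.
ISSUERS = {"production": "https://rapid.aaf.edu.au",
           "test": "https://rapid.test.aaf.edu.au"}
ATTR_CLAIM = "https://aaf.edu.au/attributes"


def validate_claims(claims, expected_aud, environment, seen_jti, now=None):
    """Apply the page's claim rules to an already signature-verified claims set.
    `seen_jti` is a persistent set owned by the caller; it is updated on success.
    Returns the attribute dict, or raises ValueError naming the failed check."""
    now = int(time.time()) if now is None else now
    for name in ("iss", "iat", "nbf", "exp", "jti", "aud", "sub", ATTR_CLAIM):
        if name not in claims:
            raise ValueError(f"missing claim: {name}")
    if claims["iss"] != ISSUERS[environment]:
        raise ValueError("unexpected issuer")
    # aud may be a single string or a list; our primary URL must be in it.
    aud = claims["aud"]
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this application")
    # IntDate values are seconds since the epoch; reject early or expired tokens.
    if now < claims["nbf"]:
        raise ValueError("token not yet valid (nbf)")
    if now >= claims["exp"]:
        raise ValueError("token expired (exp)")
    # jti must be unseen so a captured token cannot be accepted twice.
    if claims["jti"] in seen_jti:
        raise ValueError("replayed jti")
    attrs = claims[ATTR_CLAIM]
    # sub must equal edupersontargetedid, the recommended primary identifier.
    if not attrs.get("edupersontargetedid") or claims["sub"] != attrs["edupersontargetedid"]:
        raise ValueError("sub does not match edupersontargetedid")
    seen_jti.add(claims["jti"])
    return attrs


# Constructed sample claims set (not a real Rapid Connect token).
NOW = 1_700_000_000
SAMPLE = {
    "iss": "https://rapid.test.aaf.edu.au", "iat": NOW - 5, "nbf": NOW - 5,
    "exp": NOW + 55, "jti": "constructed-jti-0001",
    "aud": "https://app.example.edu.au", "sub": "constructed-targeted-id-0001",
    ATTR_CLAIM: {"edupersontargetedid": "constructed-targeted-id-0001",
                 "displayname": "Jane Citizen", "mail": "jane@example.edu.au"},
}

if __name__ == "__main__":
    print(validate_claims(SAMPLE, "https://app.example.edu.au", "test", set(), now=NOW))
```

In a real deployment the seen-jti store must outlive a single process and only needs to retain entries until their exp has passed.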

The following attributes are available through Rapid Connect; the AAF recommends they be used as follows:

  • eduPersonTargetedID — This should be used as the primary identifier, to match an incoming user against an existing record in an application’s data store. This attribute is guaranteed to never change for a user.

  • displayName — This is the most appropriate name to show in the web interface, to identify the user and show that they are logged in. Do not rely on any specific format for displayName. Attempts to validate names will create problems for those users who do not fit the chosen patterns and this will invariably occur.

  • mail — Only collect if there is a need to message the user, or use as a secondary identifier.

  • eduPersonScopedAffiliation — Only collect if there is a need to identify the user’s organisation and their affiliation or position within their organisation.

  • eduPersonEntitlement — Only collect if there is a need to identify specific entitlements assigned to the user.

The AAF strongly recommends that eduPersonTargetedID is chosen as the primary identifier rather than email. Email addresses change on an irregular basis for numerous reasons. When they inevitably do change, users experience service disruption while manual remediation work is undertaken to update primary identifiers. Home institutions will invariably not communicate email address updates to external parties.

Though auEduPersonSharedToken is a core attribute, it is not recommended for general use or as a primary identifier. auEduPersonSharedToken is only useful in grid-computing environments, or to share user data or access rules across security domains or separate Service Providers.

| Attribute | Definition |
| --- | --- |
| authenticationMethod | Defines the method(s) used to verify the person's identity. |
| cn (commonName) | An individual's common name. |
| displayName | This is the most appropriate name to show in the web interface, to identify the user and show that they are logged in. Do not rely on any specific format for displayName. Attempts to validate names will create problems for those users who do not fit the chosen patterns and this will invariably occur. |
| eduPersonOrcid | ORCID iDs are persistent digital identifiers for individual researchers. Their primary purpose is to unambiguously and definitively link them with their scholarly work products. ORCID iDs are assigned, managed and maintained by the ORCID organization. Values MUST be valid ORCID identifiers in the ORCID-preferred URL representation. Each value represents an ORCID identifier registered with ORCID.org as belonging to the principal. |
| eduPersonEntitlement | URI (either URN or URL) that indicates a set of rights to specific resources. |
| eduPersonPrincipalName | eduPerson per Internet2 and EDUCAUSE. |
| eduPersonScopedAffiliation | Specifies the person's relationship(s) to the institution in broad categories. Only collect if there is a need to identify the user's organisation and their affiliation or position within their organisation. |
| auEduPersonSharedToken | A unique identifier enabling federation spanning services such as Grid and Repositories. Values of the identifier are generated using a set formula.[^1] Only collect if there is a need to share user data or access rules across security domains or separate Service Providers. This attribute is only useful in grid-computing environments. |
| eduPersonTargetedID | A persistent, non-reassigned, privacy-preserving identifier for a user shared between an identity provider and service provider. An identity provider uses the appropriate value of this attribute when communicating with a particular service provider or group of service providers, and does not reveal that value to any other service provider except in limited circumstances. This should be used as the primary identifier, to match an incoming user against an existing record in an application's data store. This attribute is guaranteed to never change for a user. |
| givenName | Person's given or first name. |
| mail | The person's public email address used to contact the person regarding matters related to their organisation. Only collect if there is a need to message the user, or use as a secondary identifier. |
| organizationName | The standard name of the top-level organization (institution) with which this person is associated. |
| surname | The person's surname. |


[^1] The value has the following qualities:

  • unique
  • opaque
  • non-targeted
  • persistent
  • resolvable (only by an IdP that has supplied it)
  • not re-assignable
  • not mutable (refreshing the value is equivalent to creating a new identity)
  • permitted to be displayed
    • (Note: the value is somewhat display friendly, and may be appended to the displayName with a separating space, and used as a unique display name to be included in PKI Certificate DNs and as a resource ownership label, e.g. John Citizen ZsiAvfxa0BXULgcz7QXknbGtfxk)
  • portable


See the following links for complete information and definitions of the core, optional and conditional AAF attributes available: