Attribute Based Authorisation
Released attributes can be utilised to make authorisation decisions within an application.
Below are the core attributes that can be released by the AAF Identity Provider (IdP) to a Service Provider (SP) using SAML:
For a live example of attribute release for your institution, sign in to AAF Validator.
The core attributes that can be utilised for authorisation by a SP include:
Attribute Name |
Notes on Usage |
displayName |
- Should only be used if a user's preferred name is necessary for a wiki or other collaboration platform.
|
eduPersonAffiliation |
- Enables an organisation to assert its relationship with the user.
- Provides a user (member of an organisation, or a specific school or faculty within it) access to a resource on a site licence basis.
- Should be used when the SP does not need confirmation of the security domain of the user.
|
eduPersonScopedAffiliation |
- Used to authorise users based on their affiliation/s in their home organisation.
- Should be used when the SP does not need confirmation of the security domain of the user.
|
eduPersonEntitlement |
- Indicates a user's set of rights to specific resources.
- The SP can invite some or all IdPs to express that value for those users who satisfy the definition.
- The SP can delegate responsibility for authorisation of access to a particular resource to the IdP.
|
mail |
- Should only be used when a SP needs to communicate with the end user.
- This may apply when an applicant needs to be informed whether their access to a research database has been granted or denied.
|
homeOrganization |
- Can be used when the SP needs to identify the Home Institution of a user.
|