# Home-IdP Requirements

For the NFDI AAI to work properly, the edu-ID and all Community AAIs require adequate support by each Home-IdP.

## Attribute Queries
Attribute Queries are currently only mandatory for the German edu-ID, but they are also very beneficial for all Community AAIs. Attribute Queries enable these entities to run deprovisioning flows. (This is also possible without Attribute Queries, but then users will be contacted at regular intervals, possibly confused and maybe upset.)

Please follow the DFN documentation for safely enabling AQs while complying with the DSGVO and German data-protection (Datenschutz) requirements.

## Attribute Requirements

These attributes are required to be released by the Home-IdPs so that users can reasonably use the services at the Community AAI. Precise requirements may differ between the different instances and software products used to implement a Community AAI.

### Personalized
https://refeds.org/category/personalized
| Identity Attribute Type | SAML Attribute | OpenID Connect Claim |
|---|---|---|
| Organization | schacHomeOrganization [SCHAC] | schac_home_organization |
| user identifier | subject-id [SAMLSubId] | sub (shared) + iss |
| person name | All of: displayName [eduPerson], givenName [eduPerson], sn [eduPerson] | All of: name, given_name, family_name |
| email address | mail [eduPerson] | email [OIDC-Core] |
| Affiliation | eduPersonScopedAffiliation [eduPerson] | eduperson_scoped_affiliation |
| Assurance | eduPersonAssurance [eduPerson] | One of: eduperson_assurance, asr |

### Pseudonymous

https://refeds.org/category/pseudonymous

The REFEDS Pseudonymous profile may be acceptable if the Community AAI provides a means to query the user for a name (displayName, or givenName + sn) and a (verified!) email address.
| Identity Attribute Type | SAML Attribute | OpenID Connect Claim |
|---|---|---|
| Organization | schacHomeOrganization [SCHAC] | schac_home_organization |
| pseudonymous pairwise user identifier | pairwise-id [SAMLSubId] | sub (pairwise) + iss |
| Affiliation | eduPersonScopedAffiliation [eduPerson] | eduperson_scoped_affiliation |
| Assurance | eduPersonAssurance [eduPerson] | One of: eduperson_assurance, asr |

### Anonymous: Not sufficient

The anonymous profile https://refeds.org/category/anonymous does not provide a sufficient set of attributes. For specific combinations of Community-AAI and Community-Service, an exception may technically work. Please consult your Community-AAI contact.

## Attributes in different protocols
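The following checker is an added example, not part of the NFDI AAI documentation or any Community AAI software: it evaluates a set of OpenID Connect claims released by a Home-IdP against the Personalized and Pseudonymous tables above and reports which requirements are missing. The OIDC claim names come from the tables; the sample claims are constructed, and the `aai_can_collect_name_and_email` flag models the condition under which the Pseudonymous profile is acceptable.

```python
# Added example (not part of the NFDI AAI documentation): check released OIDC
# claims against the REFEDS Personalized / Pseudonymous requirement tables.
# Claim names are from the tables; the sample claims below are constructed.

# Each requirement is (description, list of acceptable claim sets). It is met
# when every claim in at least one set is present and non-empty, which encodes
# the "All of" (one set) and "One of" (several sets) cells of the tables.
PERSONALIZED = [
    ("organization", [{"schac_home_organization"}]),
    ("user identifier", [{"sub", "iss"}]),
    ("person name", [{"name", "given_name", "family_name"}]),
    ("email address", [{"email"}]),
    ("affiliation", [{"eduperson_scoped_affiliation"}]),
    ("assurance", [{"eduperson_assurance"}, {"asr"}]),
]
PSEUDONYMOUS = [
    ("organization", [{"schac_home_organization"}]),
    ("pairwise user identifier", [{"sub", "iss"}]),
    ("affiliation", [{"eduperson_scoped_affiliation"}]),
    ("assurance", [{"eduperson_assurance"}, {"asr"}]),
]

def _present(claims, name):
    return claims.get(name) not in (None, "", [], {})

def missing(claims, profile):
    """Descriptions of the requirements in `profile` that `claims` do not meet."""
    return [desc for desc, alternatives in profile
            if not any(all(_present(claims, c) for c in alt) for alt in alternatives)]

def classify(claims, aai_can_collect_name_and_email=False):
    """Return 'personalized', 'pseudonymous' (only acceptable when the
    Community AAI can ask the user for a name and a verified email address,
    as stated above) or 'insufficient' for the released claims."""
    if not missing(claims, PERSONALIZED):
        return "personalized"
    if not missing(claims, PSEUDONYMOUS) and aai_can_collect_name_and_email:
        return "pseudonymous"
    return "insufficient"

if __name__ == "__main__":
    # Constructed sample: an IdP that releases only the pseudonymous set.
    released = {"schac_home_organization": "example.org", "iss": "https://idp.example.org",
                "sub": "pairwise-opaque-id", "eduperson_scoped_affiliation": ["member@example.org"],
                "asr": ["https://refeds.org/assurance"]}
    print(missing(released, PERSONALIZED))          # ['person name', 'email address']
    print(classify(released, aai_can_collect_name_and_email=True))  # pseudonymous
```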
Attributes can be expressed in different protocols. We maintain a mapping for SAML, OIDC, LDAP and SCIM. The list is available upon request.
Last change: Dec 04, 2025 14:26:28