# Home-IdP Requirements
For the NFDI AAI to work properly, the edu-ID Proxy and all Community AAIs require adequate support by each Home-IdP.
## Attribute Queries
Attribute Queries are mandatory for the German edu-ID and also very beneficial for all Community AAIs, because they enable these entities to run deprovisioning flows. (Deprovisioning is also possible without Attribute Queries, but then users will be contacted at regular intervals and may be confused, or even upset.)
Please follow the DFN documentation on attribute queries for enabling AQs safely while complying with the DSGVO (GDPR) and German data protection law.
## Attribute Requirements
The following sets of attributes are required to be released by the Home-IdPs, so that users can reasonably use the services at the Community AAI. For simpler configuration, we have defined Entity Categories for which one of the following attribute sets (Personalized (preferred) or Pseudonymous) MUST be released. Configuration examples for Shibboleth IdPs can be found in the DFN Trust and Identity Wiki. See also the current version of the Infrastructure Attribute Policy, section 3.
It is strongly recommended to configure the attribute release both for the NFDI Community AAIs and the edu-ID Proxy based on Entity Categories:
- Community AAIs: Entity Category http://aai.dfn.de/category/nfdi-member, see config example for Shibboleth IdPs
- DFN edu-ID: Entity Category http://aai.dfn.de/category/dfn-edu-id, see config example for Shibboleth IdPs
Please note: The attribute profiles listed below refer only to the Community AAIs. The edu-ID Proxy requires a slightly different profile.
### Personalized
https://refeds.org/category/personalized
| Identity Attribute Type | SAML Attribute | OpenID Connect Claim |
|---|---|---|
| Organization | schacHomeOrganization [SCHAC] | schac_home_organization |
| User identifier | subject-id [SAMLSubId] | sub (shared) + iss |
| Person name | All of: displayName [eduPerson], givenName [eduPerson], sn [eduPerson] | All of: name, given_name, family_name |
| Email address | mail [eduPerson] | email [OIDC-Core] |
| Affiliation | eduPersonScopedAffiliation [eduPerson] | eduperson_scoped_affiliation |
| Assurance | eduPersonAssurance [eduPerson] | One of: eduperson_assurance, asr |
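As an added example (not the DFN Wiki's configuration example referenced above), the following Shibboleth IdP `conf/attribute-filter.xml` policy ties the Personalized attribute set to the NFDI member Entity Category, so any SP whose metadata carries `http://aai.dfn.de/category/nfdi-member` receives the full set without a per-entityID rule. The attribute IDs (`samlSubjectID`, `mail`, `sn`, etc.) are assumed to match the names defined in the local `attribute-resolver.xml` and must be adjusted to the IdP's own definitions; the policy for the edu-ID Proxy would follow the same pattern with the `dfn-edu-id` category value and the attribute profile from the edu-ID documentation.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the DFN Wiki's config: release the REFEDS Personalized
     attribute set to every SP carrying the NFDI member Entity Category.
     Attribute IDs are assumed to match the local attribute-resolver.xml. -->
<AttributeFilterPolicyGroup id="NFDIPolicies"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <AttributeFilterPolicy id="releasePersonalizedToNFDICommunityAAIs">
        <!-- Match on the Entity Category asserted in the SP's federation
             metadata (EntityAttribute "http://macedir.org/entity-category"),
             not on individual entityIDs, so newly registered Community AAIs
             need no change on the IdP side. -->
        <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
            attributeName="http://macedir.org/entity-category"
            attributeValue="http://aai.dfn.de/category/nfdi-member" />

        <!-- Organization -->
        <AttributeRule attributeID="schacHomeOrganization" permitAny="true" />
        <!-- Shared user identifier (subject-id); "samlSubjectID" is an assumed
             resolver ID, adjust to the local definition -->
        <AttributeRule attributeID="samlSubjectID" permitAny="true" />
        <!-- Person name: all three are required by the Personalized profile -->
        <AttributeRule attributeID="displayName" permitAny="true" />
        <AttributeRule attributeID="givenName" permitAny="true" />
        <AttributeRule attributeID="sn" permitAny="true" />
        <!-- Email address -->
        <AttributeRule attributeID="mail" permitAny="true" />
        <!-- Affiliation and assurance -->
        <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
        <AttributeRule attributeID="eduPersonAssurance" permitAny="true" />
    </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
```

After adding the policy, a release can be verified from the IdP side with the attribute-filter test in the IdP's `status`/`resolvertest` tooling against a Community AAI entityID that carries the category, checking that all eight attributes appear and, in particular, that `displayName`, `givenName` and `sn` are all populated for the tested account, since a missing name attribute silently drops the release below the Personalized profile.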
### Pseudonymous
https://refeds.org/category/pseudonymous
The REFEDS Pseudonymous profile may be acceptable if the Community AAI provides a means to query the user for a name (displayName, or givenName + sn) and a (verified!) email address.
| Identity Attribute Type | SAML Attribute | OpenID Connect Claim |
|---|---|---|
| Organization | schacHomeOrganization [SCHAC] | schac_home_organization |
| Pseudonymous pairwise user identifier | pairwise-id [SAMLSubId] | sub (pairwise) + iss |
| Affiliation | eduPersonScopedAffiliation [eduPerson] | eduperson_scoped_affiliation |
| Assurance | eduPersonAssurance [eduPerson] | One of: eduperson_assurance, asr |
### Anonymous: not sufficient
The anonymous profile https://refeds.org/category/anonymous does not provide a sufficient set of attributes. For specific combinations of Community AAI and Community Service, an exception may technically work; please consult your Community AAI contact.
## Attributes in different protocols
Attributes can be expressed in different protocols. We maintain a mapping for SAML, OIDC, LDAP and SCIM. The list is available upon request.
Last change: Mar 09, 2026 14:53:15