Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


Table of Contents
excludeList of Attributes - Claims


Community User Identifier

NameeduTEAMS Community User Identifier

User’s Community Identifier is an opaque and non-revocable identifier (i.e. it cannot change over time) that follows the syntax of eduPersonUniqueId  attribute of eduPerson.

It consists of “uniqueID” part and fixed scope “”, separated by at sign. The uniqueID part contains up to 64 hexadecimal digits (a-f, 0-9)

SAML Attribute(s)

- (eduPersonUniqueId)

- urn:oasis:names:tc:SAML:attribute:subject-id

OIDC claim(s)sub (public)
OIDC claim locationThe claim is available in:

ID token
Userinfo endpoint
Introspection endpoint
OIDC scopeopenid
OrigineduTEAMS assigns this attribute to a user when they register on the Service

eduPerson defines the comparison rule caseIgnoreMatch for eduPersonUniqueID. 

Relying services are encouraged to validate the scope of this attribute against the values permitted for eduTEAMS. eduTEAMS makes exclusive use of scope“. 

The eduTEAMS identifier and username “” are test accounts reserved for testing and monitoring the proper functioning of the eduTEAMS Login. The Relying parties should not authorise it to access any valuable resources.


NameAffiliation within Home Organization

One or more home organisations (such as, universities, research institutions or private companies) this user is affiliated with. The syntax and semantics follows eduPersonScopedAffiliation attribute.

Following values are recommended for use to the left of the “@” sign:

  • Faculty

    The person is a researcher or teacher in their home organisation. 

    The exact interpretation is left to the home organization, but the intention is that the primary focus of the person in their home organisation is in research and/or education. 

    Note. This attribute value is for users in the academic sector

  • Industry-researcher

    The person is a researcher or teacher in their home organisation. 

    The exact interpretation is left to the home organisation, but the intention is that the primary focus of the person in their home organisation is in research and/or education. 

    Note. This attribute value is for users in the private sector.

  • Member

    Member is intended to include faculty, industry-researcher, staff, student and other persons with a full set of basic privileges that go with membership in the home organisation, as defined in eduPerson. 

    In contrast to faculty, among other things, this covers positions with managerial and service focus, such as service management or IT support.

  • Affiliate

    The affiliate value indicates that the holder has some definable affiliation to the home organisation NOT captured by any of faculty, industry-researcher, staff, student and/or member.

If a person has faculty or industry-researcher affiliation with a certain organisation, they have also the member affiliation. However, that does not apply in a reverse order. Furthermore, those persons who do not qualify to member have an affiliation of affiliate.

SAML Attribute(s)

urn:oid: (voPesonExternalAffiliation) - Experimental

OIDC claim(s)voperson_external_affiliation
OIDC claim locationThe claim is available in:

 ID token
Userinfo endpoint
☐ Introspection endpoint
OIDC scopevoperson_external_affiliation

To become a holder of the faculty, industry-researcher or member attribute values in eduTEAMS the user must have either 

  • Performed federated login to eduTEAMS using their home organisation’s credentials, during which the home organisation releases the related eduPersonAffiliation or eduPersonScopedAffiliation attribute, or 
  • Be assigned that value manually in eduTEAMS by a dedicated person in their home organisation 

To become a holder of the affiliate value, the user must either 

  • Use either of the two alternatives above, or
  • Demonstrate they control an e-mail address that belongs to the home organisation



The freshness of the attribute values is managed by asking users to refresh the value every 12 months using the procedure described above.

eduTEAMS asserts attribute values with different scopes. The Relying services are not supposed to do SAML scope check to this attribute.



eduTEAMS Username


The eduTEAMS username is a user selected, human-readable, revocable identifier (i.e. the user can change it). It is intended to be used when a unique identifier needs to be displayed in the user interface (e.g. wikis or Unix accounts).

It has the syntax of eduPersonPrincipalName, which consists of “user” part and a fixed scope “”, separated by the @ sign. The user part (syntax derived from Linux accounts) begins with a lowercase letter or an underscore, followed by lower case letters, digits, underscores, or dashes and should between 4 and 16 characters long. The following regular expression applies: (^[a-z0-9_-]{4,16}$)

The usernames beginning with an underscore are dedicated to eduTEAMS service IDs. (Experimental)

SAML Attribute(s)

urn:oid: (eduPersonPrincipalName)

OIDC claim(s)eduperson_principal_name
OIDC claim locationThe claim is available in:

 ID token
Userinfo endpoint
☐ Introspection endpoint
OIDC scopeeduperson_principal_name
OriginSet when a user registers on eduTEAMS




Revoked identifiers will not be reassigned.

Relying services are encouraged to validate the scope of this attribute against the values permitted for eduTEAMS. eduTEAMS will make exclusive use of scope “”. 

The eduTEAMS identifier and eduTEAMS username “ are test accounts reserved for testing and monitoring the proper functioning of the eduTEAMS Login. The Relying parties should not authorise it to access any valuable resources.

SSH Public Key


SSH Public Key  - Experimental

DescriptionSSH public key of the user
SAML Attribute(s)

urn:oid: (sshPublicKey)

OIDC claim(s)ssh_public_key
OIDC claim locationThe claim is available in:

 ID token
Userinfo endpoint
☐ Introspection endpoint
OIDC scopessh_public_key
OriginCreated and uploaded to eduTEAMS by the user.



ssh-ed25519 AAAAC3NqaC1lZDI1TTE5AAAAIJ4pfKk7hRdUVeMfrKdLYhxdKy92nVPuHDlVVvZMyqeP


This attribute is not deployed yet