SAML Attributes

The SAML AttributeStatement

The attributes within the same assertion can come from different sources in the federative architecture of eIAM. On the one hand, attributes can originate directly from the identity provider who authenticated the user, on the other hand, attributes can originate from the eIAM-AM. The eIAM Trustbroker enriches the SAML assertion of the IdP with attributes from the eIAM-AM.

Overview of the most important attributes
The following table shows an overview of the most important attributes for the application.


Parameter/Attribute Definition
Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
This identifier identifies the user's eIAM account in the eIAM root client for multi-client platforms (e.g. CMS FOITT, SharePoint Neo), as a superordinate ID must be used there for the official clients.
This ID is always identical for the same user, regardless of the IdP via which he or she was authenticated (provided ID linking is in place).
The attribute is only present in the SAML assertion AFTER a user has made an access request to an eIAM application for the first time; until then it may be missing from the assertion.
Attribute Name="http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/role"
Authorisations in the form of roles that the user has, in the form Application.Role.
The application shall use this attribute to consume the authorisations the user holds in the eIAM-AM and use them for access management.
In the case of applications for a single office, the attribute contains all roles for all applications that the user has in the office's access client in the eIAM-AM.
For multi-client platforms for several offices, the attribute contains all roles from all access clients in the eIAM-AM for the corresponding platform.
Attribute Name="http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/displayName"
a:OriginalIssuer="IdP URL"
Display name of the user as listed in the IdP (not supplied by all IdPs).

Attributes and the OriginalIssuer
One and the same attribute can occur several times in the SAML assertion. This seems confusing at first sight, but it is easily explained using the example of the attribute "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname". This attribute provides the first name of the user, but it can come from different sources: on the one hand, the IdP used for authentication provides this attribute; on the other hand, the eIAM-AM provides it as well. The values supplied in this attribute can be identical or different. For example, the first name in the IdP may be "Max", while in the eIAM-AM the administrator may have set the first name of the user to "Maximilian". eIAM returns both values in the SAML assertion. The source of each attribute can be distinguished by its OriginalIssuer.
If the attribute is supplied with the same schema by the IdP and the eIAM-AM, it is up to the Relying Party to decide which value to use. The attribute in the IdP is usually better maintained than its counterpart in the eIAM-AM.

Attribute from IdP
<saml2:Attribute xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" a:OriginalIssuer="urn:eiam.admin.ch:idp:e-id:FED-LOGIN">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Max</saml2:AttributeValue>
</saml2:Attribute>

Attribute from eIAM-AM
<saml2:Attribute xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" a:OriginalIssuer="uri:eiam.admin.ch:feds">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Maximilian</saml2:AttributeValue>
</saml2:Attribute>


OriginalIssuer Definition
uri:eiam.admin.ch:feds => These attributes come from the eIAM-AM.
Other URIs => These attributes originate from the Identity Provider (IdP); the value of OriginalIssuer depends on the IdP used.
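As an added example (not part of the original documentation), the following Python reads an AttributeStatement and keys every attribute by (Name, OriginalIssuer), so a Relying Party can tell the IdP-supplied givenname apart from the eIAM-AM one and choose deliberately. The sample assertion is constructed from the two givenname attributes shown above plus a role attribute; the helper names are this example's own, and it assumes the assertion's XML signature was already validated by the SAML library before the attributes are read.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
CLAIMS_2009 = "http://schemas.xmlsoap.org/ws/2009/09/identity/claims"
EIAM_AM_ISSUER = "uri:eiam.admin.ch:feds"  # OriginalIssuer used by the eIAM-AM
GIVENNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"

# Constructed sample: the two givenname attributes from the page (IdP vs eIAM-AM)
# and a role attribute, which carries no OriginalIssuer.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims"
        Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
        a:OriginalIssuer="urn:eiam.admin.ch:idp:e-id:FED-LOGIN">
      <saml2:AttributeValue>Max</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims"
        Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
        a:OriginalIssuer="uri:eiam.admin.ch:feds">
      <saml2:AttributeValue>Maximilian</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/role">
      <saml2:AttributeValue>ApplicationA.Role1</saml2:AttributeValue>
      <saml2:AttributeValue>ApplicationA.Role2</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def parse_attributes(xml_text):
    """Return {(Name, OriginalIssuer): [values]} for every Attribute element.
    Attributes without an a:OriginalIssuer get issuer None. Assumption: the
    signature over the assertion was verified before this function is called."""
    root = ET.fromstring(xml_text)
    attrs = defaultdict(list)
    for attr in root.iter(f"{{{SAML2}}}Attribute"):
        name = attr.get("Name")
        issuer = attr.get(f"{{{CLAIMS_2009}}}OriginalIssuer")
        for val in attr.findall(f"{{{SAML2}}}AttributeValue"):
            attrs[(name, issuer)].append((val.text or "").strip())
    return dict(attrs)


def values_by_source(attrs, name):
    """Split one attribute's values into those issued by the eIAM-AM and those
    issued by an IdP (any other OriginalIssuer URI, per the table above).
    Values without an OriginalIssuer belong to neither bucket."""
    from_am, from_idp = [], []
    for (attr_name, issuer), vals in attrs.items():
        if attr_name != name:
            continue
        if issuer == EIAM_AM_ISSUER:
            from_am.extend(vals)
        elif issuer is not None:
            from_idp.extend(vals)
    return {"eiam_am": from_am, "idp": from_idp}


def pick_givenname(attrs, prefer="idp"):
    """Choose the first name. The page notes the IdP value is usually better
    maintained, so the default prefers it and falls back to the eIAM-AM value."""
    src = values_by_source(attrs, GIVENNAME)
    order = ("idp", "eiam_am") if prefer == "idp" else ("eiam_am", "idp")
    for key in order:
        if src[key]:
            return src[key][0]
    return None
```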

All parameters/attributes in the SAML assertion
The following table gives a complete overview of all attributes in the SAML 2.0 assertion that the eIAM Web PEP delivers to the service provider (Relying Party).

Parameter/Attribute Definition
AttributeStatement
Contains the claims (entitlements) about the subject in the form of attributes.
Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
Internal eIAM attribute that provides a unique identifier of the user.
Format: email
The application SHOULD NOT use this identifier.
Attribute Name="http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/e-id/profile/sessionProfileExtId"
The profileExtId of the profile in the eIAM-AM that the user is using in the current session.
The application SHOULD use this attribute to consume the profileExtId of the profile the user is currently using.
This attribute is only supplied for applications for Federal Offices; it is not supplied for multi-client platforms.
Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
This identifier identifies the user's eIAM account in the eIAM root client on multi-client platforms (e.g. CMS FOITT, SharePoint Neo), as a root client ID must be used here.
This ID is always identical for the same user, regardless of which IdP he or she was authenticated via (ID linking assumed).
The attribute is only available in the SAML assertion AFTER a user has made an access request to an eIAM application for the first time; until then it may be missing from the assertion.
Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
a:OriginalIssuer="IdP URL"
First name of the user as it appears in the IdP.
Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
a:OriginalIssuer="uri:eiam.admin.ch:feds"
First name of the user as it is kept in the eIAM-AM.
For applications for Federal Offices, the value from the access client of the office is used. For multi-client platforms, the value from the user's eIAM account in the supermandant is used.
Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
a:OriginalIssuer="IdP URL"
Surname of the user as listed in the IdP.
Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
a:OriginalIssuer="uri:eiam.admin.ch:feds"
Last name of the user as it is kept in the eIAM-AM.
For applications of an office, the value from the access client of the office is used. For multi-client platforms, the value from the user's eIAM account in the supermandant is used.
Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth"
a:OriginalIssuer="uri:eiam.admin.ch:feds"
New (07.07.2024): User's date of birth as stored in the eIAM-AM.
This attribute can be supplied in the eIAM token at runtime. The subject's date of birth is only supplied if it has been verified. Verification is carried out by HR processes for internal employees of the Federal Administration, and for identity verifications in AGOV or CH-LOGIN. A self-reported, unver
Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
a:OriginalIssuer="IdP URL"
Email address of the user as maintained in the IdP.
Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
a:OriginalIssuer="uri:eiam.admin.ch:feds"
Email address of the user as maintained in the eIAM-AM.
For applications for Federal Offices, the value from the access client of the office is used. For multi-client platforms, the value from the user's eIAM account in the supermandant is used.
Attribute Name="http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/displayName"
a:OriginalIssuer="IdP URL"
DisplayName as maintained in the IdP (if supplied by the IdP).
If the IdP does not supply this attribute as a stand-alone attribute, the eIAM Trustbroker composes it from the values of the attributes http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname and http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname, so that an appropriate attribute can always be supplied.
Attribute Name="http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/displayName"
a:OriginalIssuer="uri:eiam.admin.ch:feds"
Display name of the user as it is managed in the eIAM-AM.
For applications for Federal Offices, the value from the access client of the office is used. For multi-client platforms, the value from the user's eIAM account in the supermandant is used.
Attribute Name="http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/language"
a:OriginalIssuer="IdP URL"
Preferred language of the user as maintained in the IdP (if supplied by the IdP).
Attribute Name="http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/language"
a:OriginalIssuer="uri:eiam.admin.ch:feds"
Preferred language of the user as maintained in the eIAM-AM.
For applications for Federal Offices, the value from the access client of the office is used. For multi-client platforms, the value from the user's eIAM account in the supermandant is used.
Attribute Name="http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/fp/homeName"
Name of the "home organisation" of the electronic identity with which the user was authenticated, from the point of view of eIAM.
Essentially identifies the identity provider with whose electronic identity the accessing subject has authenticated.
Possible values are:
- e-ID CH-LOGIN => CH-LOGIN Password (SMS)
- Active Directory Bund => Windows user in the Federal Administration network (Kerberos)
- Admin PKI => Location-independent user with Admin PKI (smartcard / certificate)
Attribute Name="http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/fp/homeRealm"
URI of the Home Realm to which the eIAM Trustbroker sent the SAML 2.0 AuthnRequest for the authentication of the user, and where the user was authenticated.
Possible values are:
- urn:eiam.admin.ch:idp:e-id:CH-LOGIN => CH-LOGIN Password (SMS)
- https://idp-kerb-eiam-a.adr.admin.ch/auth/saml2/sso => Windows user in the Federal Administration network (Kerberos)
- https://idp-cert.gate-a.eiam.admin.ch/auth/saml2/sso => Location-independent user with Admin PKI (smartcard / certificate)
Attribute Name="http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/admin-dir/adminEmployeeNumber"
The attribute "adminEmployeeNumber" from the "Admin Directory Bund": the personnel number of the Federal Administration employee.
This attribute can only be supplied by the IdP for Kerberos authentication and by the IdP for Swiss Government PKI authentication. A prerequisite for this attribute to be supplied is a successful mapping to the Admin Directory record using the identifier of the electronic identity.
Attribute Name="http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/admindir/adminDept"
The attribute "adminDept" from the "Admin Directory Bund".
The office or general secretariat for which the Federal Administration employee works.
This attribute can only be supplied by the IdP for Kerberos authentication and by the IdP for Swiss Government PKI authentication. The prerequisites for this attribute to be delivered are a successful mapping to the Admin Directory record using the identifier of the electronic identity and that the attribute is maintained in the Admin Directory for the user.
Attribute Name="http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/admindir/ou"
The attribute "ou" from the "Admin Directory Bund" (AdminDir).
The organisational unit for which the employee of the Federal Administration works.
This attribute can only be supplied by the IdP for Kerberos authentication and by the IdP for Swiss Government PKI authentication. The prerequisites for this attribute to be supplied are a successful mapping to the Admin Directory record using the identifier of the electronic identity and that the attribute is maintained in the Admin Directory for the user.
Attribute Name="http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/admindir/uid"
The attribute "uid" in the Admin Directory Bund.
UniqueId of the employee who works for the Federal Administration (X number or U number).
This attribute can only be supplied by the IdP for Kerberos authentication and by the IdP for Swiss Government PKI authentication. The prerequisites for this attribute to be supplied are a successful mapping to the Admin Directory record using the identifier of the electronic identity and that the attribute is maintained in the Admin Directory for the user.
Attribute Name="http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/fp/federated"
Boolean (true/false)
Indicates whether or not the statement from the eIAM Trustbroker was made via a federation with an IdP.
In eIAM the value is always "true".
Attribute Name="http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/role"
Authorisations in the form of roles that the user has.
In the form:
ApplicationA.Role1
ApplicationA.Role2
ApplicationB.Role1
The application SHOULD use this attribute to consume the authorisations the user holds in the eIAM-AM and use them for access management.
This attribute thus contains the user's "net authorisation roles" from all applications in the specific access client (usually an office or general secretariat) of the eIAM-AM.
For applications for Federal Offices, the attribute contains the authorisation roles of all applications the user has in the Access client in the eIAM-AM.
For multi-client platforms, the attribute contains all roles from all Access clients in the eIAM-AM for the corresponding platform.
Attribute Name="http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/e-id/profile/role"
Authorisations in the form of roles which the user has, together with the profile and Access client from which they originate.
For applications for Federal Offices in the form:
profileExtId\Application.Role
For multi-client platforms in the form:
clientExtId\profileExtId\Application.Role
The multi-client platform SHOULD use this attribute if it needs to distinguish from which eIAM-AM Access client the user received which authorisation roles.
For specialist applications of a single office, the attribute contains all roles the user has in the Access client of the office in the eIAM-AM. The "clientExtId" is not included in this case, as it is unique.
For multi-client platforms, the attribute contains all roles from all access clients in the eIAM-AM for the corresponding platform, but no roles for other applications. For example, the roles from all SharePoint sites of the user are delivered, but not roles for other applications.
Attribute Name="http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/e-id/profile/unitExtId"
Combination of the profileExtId of the profile the user is using in the current session and the unitExtId of the unit to which the profile is assigned.
In the form:
profileExtId\unitExtId
This attribute is not supplied for multi-client platforms.
Attribute Name="http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/e-id/profile/profileName"
The profile name of the user's profile(s) from which roles were fetched for the assertion.
For applications of a client in the form:
profileExtId\profileName
For multi-client platforms in the form:
clientExtId\profileExtId\profileName
For applications of a single office, the attribute contains the name of the profile in the Access client of the office to which the RP is assigned. The "clientExtId" is not included in this case, as it is unique.
For multi-client platforms, the attribute contains the names of the profiles from all access clients in the eIAM-AM for the corresponding platform. The "clientExtId" is given as an additional identifier.
Attribute Name="http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/e-id/userExtId"
userExtId of the user in the Access client.
For applications for Federal Offices, the attribute contains the userExtId of the user's account in the Access client in the eIAM-AM.
For multi-client platforms, the attribute contains the userExtId of the user's eIAM account in the eIAM supermandant.
Attribute Name="http://schemas.eiam.admin.ch/ws/2014/11/identity/claims/e-id/client/userExtId"
One or more combinations of clientExtId and userExtId of the user or users from whose profiles roles were fetched for the assertion.
In the form:
clientExtId\userExtId
The value of the attribute contains all combinations of clientExtId and userExtId of the user from all accounts in the access clients in which the user has roles for the platform.
Attribute Name="http://schemas.eiam.admin.ch/ws/2014/11/identity/claims/e-id/client/clientName"
The name of the client or clients from which roles for the issued assertion were fetched.
In the form:
clientExtId\clientName
The attribute is only supplied for multi-client platforms, where it contains the names of the clients from which roles were fetched for the corresponding platform.
Attribute Name="http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/e-id/clientExtId"
The clientExtId of the client from which the account used in the user's current session originates.
For applications for Federal Offices, the attribute contains the clientExtId of the office to which the application is assigned.
For multi-client platforms, the attribute contains the clientExtId of the eIAM root client (clientExtId=100).
Attribute Name="http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/e-id/loginId"
The loginId of the user.
For specialist applications of a single office, the attribute contains the loginId of the user in the client of the office in the eIAM-AM to which the specialist application is assigned.
For multi-client platforms, the attribute contains the loginId of the user in the eIAM supermandant.
Attribute Name="http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/e-id/profile/unitName"
The name of the unit to which the profile the user is using in the current session is assigned.
For single-office applications, the attribute contains the name of the unit to which the user's profile is assigned.
For multi-client platforms, this attribute is not provided.
Attribute Name="http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/e-id/unitExtId"
The unitExtId of the unit in the eIAM-AM to which the profile the user is currently using is assigned.
For single-office applications, the attribute contains the name of the unit to which the user's profile in use is assigned.
For multi-client platforms, this attribute is not included.
Attribute Name="http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/e-id/unitName"
The unitName of the unit in the eIAM-AM access client to which the profile used by the user in the current session is assigned.
For single-office applications, the attribute contains the name of the unit to which the user's profile in use is assigned.
For multi-client platforms, this attribute is not provided.
Attribute Name="http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/e-id/profile/defaultProfileExtId"
The profileExtId of the user's default profile in the Access client in the eIAM-AM.
For single-office applications, the attribute contains the profileExtId of the user's default profile in the access client to which the application is assigned.
For multi-client platforms, this attribute is not included.
Attribute Name="http://schemas.eiam.admin.ch/ws/2014/11/identity/claims/e-id/mode"
The search mode used in the eIAM-AM to collect the user's role information for the SAML assertion.
This attribute is missing for single-office applications.
For multi-client platforms, this attribute is set to the value "MultiClient".
Attribute Name="http://schemas.eiam.admin.ch/ws/2015/03/identity/claims/e-id/pep/sourceNetwork"
The network from which the client accessed the PEP when the SAML assertion was requested.
Possible values are:
- BV => Access from the blue network zone (networks of the Federal Administration)
- INTERNET => Access from the red network zone (Internet, KTV, others)
- KTV => Access from the cantonal network. The distinction between Internet and cantonal network is only made if a separate load balancer for the cantonal network was explicitly ordered by the project.
Attribute Name="http://schemas.eiam.admin.ch/ws/2021/06/identity/claims/cis/adminGlobalID"
In the enterprise context this attribute contains the adminGlobalId issued by CIS (Central Identity Store). This identifier enables the application to also look up the user's identity data directly at the DRP (Data Retrieval Point).
Attribute Name="http://schemas.eiam.admin.ch/ws/2024/05/identity/claims/cis/adminOrganizationUID"
New (13.11.2024): User's organisational unit in the enterprise context as maintained in CIS.
The "Central Identity Store" (CIS) provides the "adminOrganizationUID" attribute. This identifier remains stable even if an organisational unit is renamed. For certain applications, it is important to know in which organisational unit the accessing subject is managed, in order to make decisions within the application based on this.
AuthnContext
Contains information about how the user was authenticated at the Identity Provider (IdP).
AuthnContextClassRef
Contains information about the authentication method used to authenticate the user at the IdP.
Based on this value, the application MUST decide whether the strength of the user's authentication is sufficient to access the resource.
AuthnContextClassRefs used by eIAM:

urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos
  => Using Active Directory account.
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
  => Using password (over encrypted connection).
urn:oasis:names:tc:SAML:2.0:ac:classes:NomadTelephony
  => Using password and SMS code.
urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI
  => By means of (file-based) certificate.
urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI
  => By means of hard crypto token based certificate.
urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken
  => By means of password and one-time password of hard crypto token.
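As an added example (not part of the original documentation), the following Python shows the two checks an application is told to make above: parsing the role attribute formats (Application.Role, profileExtId\Application.Role and clientExtId\profileExtId\Application.Role) so that roles can be attributed to the right Access client, and deciding from the AuthnContextClassRef whether the authentication is strong enough. The ranking of the class refs is this example's own assumption, not eIAM policy; all sample values are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# AuthnContextClassRef values listed by eIAM. The numeric ranking is an assumption
# made for this example; an application must set its own policy.
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
STRENGTH = {
    AC + "PasswordProtectedTransport": 1,  # password only
    AC + "NomadTelephony": 2,              # password + SMS code
    AC + "TimeSyncToken": 3,               # password + OTP from hard token
    AC + "SoftwarePKI": 3,                 # file-based certificate
    AC + "Kerberos": 3,                    # Active Directory account
    AC + "SmartcardPKI": 4,                # certificate on hard crypto token
}


@dataclass(frozen=True)
class ProfileRole:
    client_ext_id: Optional[str]  # None for single-office applications
    profile_ext_id: str
    application: str
    role: str


def parse_role(value):
    """Parse a '.../claims/role' value of the form Application.Role."""
    app, sep, role = value.partition(".")
    if not sep or not app or not role:
        raise ValueError(f"malformed role value: {value!r}")
    return app, role


def parse_profile_role(value, multi_client):
    """Parse a '.../claims/e-id/profile/role' value.
    single office:  profileExtId\\Application.Role
    multi-client:   clientExtId\\profileExtId\\Application.Role
    The part count is enforced so a value in the wrong shape is rejected."""
    parts = value.split("\\")
    expected = 3 if multi_client else 2
    if len(parts) != expected:
        raise ValueError(f"expected {expected} backslash-separated parts: {value!r}")
    client = parts[0] if multi_client else None
    app, role = parse_role(parts[-1])
    return ProfileRole(client, parts[-2], app, role)


def roles_for_application(values, application, multi_client):
    """Return {clientExtId: {role, ...}} for one application, so a multi-client
    platform can see which Access client granted which roles."""
    result = {}
    for value in values:
        pr = parse_profile_role(value, multi_client)
        if pr.application == application:
            result.setdefault(pr.client_ext_id, set()).add(pr.role)
    return result


def authn_strong_enough(class_ref, required):
    """True if the asserted AuthnContextClassRef meets the required class.
    Unknown class refs rank 0 and therefore fail closed."""
    return STRENGTH.get(class_ref, 0) >= STRENGTH[required]
```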