SAML: Standard identifier and attributes
For SAML standard identifiers and attributes, we distinguish between two application types:
- Specialist applications are characterized by the fact that they are tailor-made as individual software according to the requirements of a single customer.
- Platform applications are prefabricated products (standard software), which are developed for a large quantity of potential customers.
For specialist applications (federal office applications)
Providing attributes to specialist applications follows the principle of "as few as possible, as many as necessary". So, for eIAM standard integrations as a specialist application, you will get the identifier and attributes described below. If your specialist application requires a different identifier, or additional attributes not listed here, please address this and list your needs in the eIAM dossier.
Identifier
For eIAM standard integration, the SAML assertion (token) sent to the specialist application contains the following subject (attribute NameID in the Subject tag):

NameID content taken from attribute | Attribute format | Description
---|---|---
http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/e-id/userExtId | urn:oasis:names:tc:SAML:2.0:nameid-format:persistent | The userExtId of the Access Client. This value is unique, unchangeable and is used as part of standard integrations with Access Management.
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | urn:oasis:names:tc:SAML:2.0:nameid-format:persistent | The loginId of the root client. This value is unique, unchangeable and is used in the context of standard integrations without Access Management (Authentication Only).
AuthnContextClassRef
The AuthnContextClassRef tag (ACCR) in the SAML assertion describes how the user was authenticated at the identity provider. To simplify this for the specialist application, instead of sending the authentication method that was used (e.g. Kerberos, password, etc.), the SAML assertion contains the quality of authentication (QoA). For details about the concept and possible levels see:

This is provided in the AuthnStatement like this (example for urn:qoa.eiam.admin.ch:names:tc:ac:classes:40):
Standard attribute set
For the standard attribute set, the following rules apply:
- All attributes will come from the root client unless noted otherwise. This ensures that the provided data is in compliance with the reported QoA level of the authentication.
- All attributes provided are from eIAM and will have originalIssuer="uri:eiam.admin.ch:feds"; no attributes from the IdP will be provided in the standard attribute set.
Content | Example | Attribute name | Comment
---|---|---|---
Value of Subject NameID | 123456789 | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | Same value as the Subject NameID. This is for specialist applications which cannot read the content of the Subject NameID.
Display name | Smith John FOITT | http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/displayName | Must only be used to display the user and must not be interpreted. In the enterprise context this attribute has the format "last name & first name & OE". In the eGov context this attribute has the format "last name & first name".
First name | John | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | Data is taken from the eIAM root client.
Last name | Smith | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | Data is taken from the eIAM root client.
eMail address | john.smith@bit.admin.ch | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | Data is taken from the eIAM root client.
Language | DE | http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/language | Data is taken from the eIAM root client.
Roles in current profile of current specialist application * | FOPH-emweb.ALLOW, FOPH-embeb.Admin | http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/e-id/profile/role | All the roles the user has in the currently selected profile (multi-valued). If the user has multiple profiles, the user has to choose the profile he wants to work with first.
For a full reference of attributes, please see:
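The following is an added example, not eIAM code or part of the original page, showing the application-side checks a specialist application would perform on an assertion shaped as described above: accept only a persistent-format Subject NameID, read the QoA level out of AuthnContextClassRef and compare it against the level the application requires, and keep only attributes whose originalIssuer is eIAM. The assertion is constructed sample data with made-up values; it assumes the SAML library has already validated the signature, audience and validity period, and that originalIssuer is carried as an XML attribute on each saml:Attribute element in the ADFS style, which the page does not state.

```python
"""Application-side checks on an eIAM-style SAML assertion (added example, not eIAM code).

Assumes signature, audience and validity period were already validated by the
SAML library. The originalIssuer placement on saml:Attribute is an assumption.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "a": "http://schemas.xmlsoap.org/ws/2009/09/identity/claims",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EIAM_ISSUER = "uri:eiam.admin.ch:feds"
QOA_PREFIX = "urn:qoa.eiam.admin.ch:names:tc:ac:classes:"
ROLE_CLAIM = "http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/e-id/profile/role"

# Constructed sample assertion: userExtId as NameID, QoA 40, two eIAM roles,
# and one attribute from a foreign issuer that must be ignored.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">123456789</saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement>
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:qoa.eiam.admin.ch:names:tc:ac:classes:40</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
        a:OriginalIssuer="uri:eiam.admin.ch:feds">
      <saml:AttributeValue>John</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/e-id/profile/role"
        a:OriginalIssuer="uri:eiam.admin.ch:feds">
      <saml:AttributeValue>FOPH-emweb.ALLOW</saml:AttributeValue>
      <saml:AttributeValue>FOPH-emweb.Admin</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
        a:OriginalIssuer="uri:other-idp.example">
      <saml:AttributeValue>Mallory</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def subject_id(root):
    """Return the Subject NameID value; only the persistent format is accepted."""
    nid = root.find("saml:Subject/saml:NameID", NS)
    if nid is None or nid.get("Format") != PERSISTENT or not nid.text:
        raise ValueError("missing or non-persistent Subject NameID")
    return nid.text.strip()


def qoa_level(root):
    """Extract the numeric QoA level from AuthnContextClassRef (...:classes:40 -> 40)."""
    ref = root.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    text = (ref.text or "").strip() if ref is not None else ""
    if not text.startswith(QOA_PREFIX) or not text[len(QOA_PREFIX):].isdigit():
        raise ValueError("AuthnContextClassRef is not an eIAM QoA class: %r" % text)
    return int(text[len(QOA_PREFIX):])


def eiam_attributes(root):
    """Collect attributes as {name: [values]}, keeping only those issued by eIAM."""
    key = "{%s}OriginalIssuer" % NS["a"]
    attrs = {}
    for att in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if att.get(key) != EIAM_ISSUER:
            continue  # no IdP-originated attributes belong to the standard set
        attrs[att.get("Name")] = [v.text for v in att.findall("saml:AttributeValue", NS)]
    return attrs


def evaluate(assertion_xml, required_qoa):
    """Return what the application may rely on, plus whether the QoA is sufficient."""
    root = ET.fromstring(assertion_xml)
    level = qoa_level(root)
    attrs = eiam_attributes(root)
    return {
        "subject": subject_id(root),
        "qoa": level,
        "qoa_ok": level >= required_qoa,  # enforce the minimum before granting access
        "roles": attrs.get(ROLE_CLAIM, []),
        "attributes": attrs,
    }


if __name__ == "__main__":
    print(evaluate(SAMPLE_ASSERTION, required_qoa=40))
```

The foreign-issuer surname is dropped silently because the standard set never contains IdP attributes; a QoA below the required level is reported as `qoa_ok: False` so the caller decides how to refuse, while a structurally wrong NameID or ACCR raises, since neither can be safely defaulted.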
For platform applications
Providing attributes to platform applications follows the principle of "as few as possible, as many as necessary". So, for eIAM standard integrations as a platform application, you will get the identifier and attributes described below. If your platform application requires a different identifier, or additional attributes not listed here, please address this and list your needs in the eIAM dossier.
Identifier
For eIAM standard integration, the SAML assertion (token) sent to the platform application contains the following subject (attribute NameID in the Subject tag):

NameID content taken from attribute | Attribute format | Description
---|---|---
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | urn:oasis:names:tc:SAML:2.0:nameid-format:persistent | The loginId of the root client. This value is unique and immutable.
AuthnContextClassRef
The AuthnContextClassRef tag (ACCR) in the SAML assertion describes how the user was authenticated at the identity provider. To simplify this for the platform application, instead of sending the authentication method that was used (e.g. Kerberos, password, etc.), the SAML assertion contains the quality of authentication (QoA). For details about the concept and possible levels see:

This is provided in the AuthnStatement like this (example for urn:qoa.eiam.admin.ch:names:tc:ac:classes:40):
Standard attribute set
For the standard attribute set, the following rules apply:
- All attributes will come from the root client unless noted otherwise. This ensures that the provided data is in compliance with the reported QoA level of the authentication.
- All attributes provided are from eIAM and will have originalIssuer="uri:eiam.admin.ch:feds"; no attributes from the IdP will be provided.
Content | Example | Attribute name | Comment
---|---|---|---
Value of Subject NameID | CH12345678 | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | Same value as the Subject NameID. This is for platform applications which cannot read the content of the Subject NameID.
Display name | Smith John FOITT | http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/displayName | Must only be used to display the user and must not be interpreted. In the enterprise context this attribute has the format "last name & first name & OE". In the eGov context this attribute has the format "last name & first name".
First name | John | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | Data is taken from the eIAM root client.
Last name | Smith | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | Data is taken from the eIAM root client.
eMail address | john.smith@bit.admin.ch | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | Data is taken from the eIAM root client.
Language | DE | http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/language | Data is taken from the eIAM root client.
Roles in all profiles of the current platform application * | 100\3913491\SharePoint-BUND.SharePointUser, 2300\33339631\SharePoint-BK.SharePointUser | http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/e-id/profile/role | This attribute is multi-valued and contains the roles the user currently has, prefixed with the clientExtId and profileExtId of the access client in which the assigned role was found. The format is <clientExtId>\<profileExtId>\<application>.<role>.
For a full reference of attributes, please see:
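Because a platform application receives the roles of all profiles in one multi-valued attribute, it has to split each value into its clientExtId, profileExtId, application and role parts before it can authorise anything. The parser below is an added example, not eIAM code or part of the original page; the sample values are constructed. It rejects any value that does not match the documented format (including a bare application.role value as a specialist application would receive it) instead of partly honouring it, and it assumes application names contain no dot so that the last segment can be split at its first dot, which the page does not state.

```python
"""Parse the multi-valued platform role attribute (added example, not eIAM code).

Each value has the form <clientExtId>\\<profileExtId>\\<application>.<role>.
Splitting at the first '.' assumes application names contain no dot (assumption).
"""
import re
from collections import defaultdict

ROLE_RE = re.compile(
    r"^(?P<client>[^\\]+)\\(?P<profile>[^\\]+)\\(?P<app>[^.\\]+)\.(?P<role>[^\\]+)$"
)

# Constructed sample values in the documented format.
SAMPLE_ROLES = [
    "100\\3913491\\SharePoint-BUND.SharePointUser",
    "2300\\33339631\\SharePoint-BK.SharePointUser",
]


def parse_role(value):
    """Split one value into (clientExtId, profileExtId, application, role)."""
    m = ROLE_RE.match(value)
    if m is None:
        raise ValueError("malformed role value: %r" % value)
    return m.group("client"), m.group("profile"), m.group("app"), m.group("role")


def is_well_formed(value):
    """True if the value follows the platform format; a bare application.role
    value (the specialist-application format) is not accepted here."""
    return ROLE_RE.match(value) is not None


def roles_by_profile(values, application):
    """Return {(clientExtId, profileExtId): {role, ...}} for one application.

    Roles of other applications sharing the platform are dropped; any
    malformed value aborts the whole evaluation rather than being ignored."""
    grouped = defaultdict(set)
    for value in values:
        client, profile, app, role = parse_role(value)
        if app == application:
            grouped[(client, profile)].add(role)
    return dict(grouped)


if __name__ == "__main__":
    print(roles_by_profile(SAMPLE_ROLES, "SharePoint-BUND"))
```

Grouping by (clientExtId, profileExtId) keeps roles from different access clients apart, which matters on a platform serving several organisations: a role granted in one client's profile must not be read as applying to another.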