MUNI Unified Login


Supported claims and scopes

The preferred way to integrate with MUNI Unified Login is the OpenID Connect (OIDC) protocol. For services in the eduID.cz or eduGAIN federation, and for applications that do not support OIDC, we offer a SAML2 connection.

Personal attributes

Display name

Definition eduPerson 2020-01 - Standards-and-Specs - REFEDS wiki
Description name which should be displayed to user
Example John Doe
SAML2 name displayName
SAML2 mapping urn:oid:2.16.840.1.113730.3.1.241

Full name

Definition eduPerson 2020-01 - Standards-and-Specs - REFEDS wiki
Description full name (without academic titles)
Example John Richard Doe
SAML2 name cn (commonName)
SAML2 mapping urn:oid:2.5.4.3

Full name incl. academic titles

Definition OpenID Connect Core
Description full name including academic titles
Example John Richard Doe, M.D.
OIDC scope profile
OIDC claim name

First name

Definition eduPerson 2020-01 - Standards-and-Specs - REFEDS wiki
Description first name(-s)
Example John
OIDC scope profile
OIDC claim given_name
SAML2 name givenName
SAML2 mapping urn:oid:2.5.4.42

Last name

Definition eduPerson 2020-01 - Standards-and-Specs - REFEDS wiki
Description last name(-s)
Example Doe
OIDC scope profile
OIDC claim family_name
SAML2 name sn (surname)
SAML2 mapping urn:oid:2.5.4.4

Contact information

E-mail

Definition eduPerson 2020-01 - Standards-and-Specs - REFEDS wiki
Description preferred university or other email address
Example
  • 1973@mail.muni.cz
  • john.doe@example.org
OIDC scope email
OIDC claim email
SAML2 name mail
SAML2 mapping urn:oid:0.9.2342.19200300.100.1.3

Identifiers

Targeted ID

Definition eduPerson 2020-01 - Standards-and-Specs - REFEDS wiki
Description targeted identifier which is unique for every user-service pair, in the NameID format (see SAML 2.0); this is the preferred way of identifying users

Example <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" NameQualifier="https://idp2.ics.muni.cz/idp/shibboleth" SPNameQualifier="https://sp.example.com/" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">OTQ4NDE0MjFmYjVhNGQ4M2UzMDE=</saml:NameID>
SAML2 name eduPersonTargetedID
SAML2 mapping urn:oid:1.3.6.1.4.1.5923.1.1.1.10

Unique ID

Definition eduPerson 2020-01 - Standards-and-Specs - REFEDS wiki
Description unique, long-lived, non-reassignable identifier in the form uniqueID@scope
Example 2fe269ee87e93bf6009c7813b1f6b2bf02fb0b441fa2f5080acc62374361610f@muni.cz
SAML2 name eduPersonUniqueId
SAML2 mapping urn:oid:1.3.6.1.4.1.5923.1.1.1.13

User-friendly ID

Definition eduPerson 2020-01 - Standards-and-Specs - REFEDS wiki
Description human-friendly identifier in the form username@scope; at MU it has the same properties as eduPersonUniqueId (see eduPersonAssurance)
Example 1973@muni.cz
OIDC scope openid
OIDC claim sub
SAML2 name eduPersonPrincipalName
SAML2 mapping urn:oid:1.3.6.1.4.1.5923.1.1.1.6

Personal number (UČO)

Definition unstructuredName [eduID.cz]
Description personal number (UČO)
Example 1973
OIDC scope profile
OIDC claim preferred_username
SAML2 name unstructuredName or uid
SAML2 mapping urn:oid:1.2.840.113549.1.9.2 or urn:oid:0.9.2342.19200300.100.1.1

Affiliation

Scoped affiliation

Definition eduPerson 2020-01 - Standards-and-Specs - REFEDS wiki
Description affiliation with MU, possible values: order is not guaranteed
Example
OIDC scope eduperson_scoped_affiliation
OIDC claim eduperson_scoped_affiliation
SAML2 name eduPersonScopedAffiliation
SAML2 mapping urn:oid:1.3.6.1.4.1.5923.1.1.1.9

Unscoped affiliation

Definition eduPerson 2020-01 - Standards-and-Specs - REFEDS wiki
Description affiliation with university, the value of eduPersonScopedAffiliation without scope, order is not guaranteed
Example
  • alum
  • employee
  • staff
  • member
SAML2 name eduPersonAffiliation
SAML2 mapping urn:oid:1.3.6.1.4.1.5923.1.1.1.1

Entitlements and group memberships

Definition eduPerson 2020-01 - Standards-and-Specs - REFEDS wiki
Description user entitlements based on group membership in Perun, order is not guaranteed
Example
OIDC scope eduperson_entitlement
OIDC claim eduperson_entitlement
SAML2 name eduPersonEntitlement
SAML2 mapping urn:oid:1.3.6.1.4.1.5923.1.1.1.7

Mefaperson (reserved for Mefanet)

Definition Mefaperson - MEFANET
Description affiliation with the Mefanet network
Example lf.muni.cz
SAML2 name mefanet
SAML2 mapping http://www.mefanet.cz/mefaperson/

Organization

Assurance

Definition eduPerson 2020-01 - Standards-and-Specs - REFEDS wiki
Description user assurance level, values from REFEDS AF, order is not guaranteed
Example
  • https://refeds.org/assurance
  • https://refeds.org/assurance/ID/unique
  • https://refeds.org/assurance/ID/eppn-unique-no-reassign
  • https://refeds.org/assurance/IAP/local-enterprise
  • https://refeds.org/assurance/ATP/ePA-1m
  • https://refeds.org/assurance/ATP/ePA-1d
  • https://refeds.org/assurance/IAP/low
SAML2 name eduPersonAssurance
SAML2 mapping urn:oid:1.3.6.1.4.1.5923.1.1.1.11

Organization name

Definition eduPerson 2020-01 - Standards-and-Specs - REFEDS wiki
Description static value
Example Masarykova univerzita
SAML2 name o (organizationName)
SAML2 mapping urn:oid:2.5.4.10

Organization scope

Definition https://wiki.refeds.org/download/attachments/44957731/SCHAC%2B1.5.0.pdf?version=3&modificationDate=1429202342624&api=v2
Description static value
Example muni.cz
SAML2 name schacHomeOrganization
SAML2 mapping urn:oid:1.3.6.1.4.1.25178.1.2.9

Organization type

Definition https://wiki.refeds.org/download/attachments/44957731/SCHAC%2B1.5.0.pdf?version=3&modificationDate=1429202342624&api=v2
Description static value, order is not guaranteed
Example
  • urn:schac:homeOrganizationType:cz:university
  • urn:schac:homeOrganizationType:int:university
SAML2 name schacHomeOrganizationType
SAML2 mapping urn:oid:1.3.6.1.4.1.25178.1.2.10

Other

Preferred language

Definition eduPerson 2020-01 - Standards-and-Specs - REFEDS wiki
Description language chosen on the login screen
Example en
OIDC scope profile
OIDC claim locale
SAML2 name preferredLanguage
SAML2 mapping urn:oid:2.16.840.1.113730.3.1.39

Offline access

Definition OpenID Connect Core
Description Right to obtain refresh tokens
OIDC scope offline_access
