edugain-discuss AT lists.geant.org
Subject: An open discussion list for topics related to the eduGAIN interfederation service.
List archive
- From: Peter Schober <peter.schober AT univie.ac.at>
- To: edugain-discuss AT lists.geant.org
- Subject: Re: [eduGAIN-discuss] ESI attributes best-practice question
- Date: Fri, 29 Oct 2021 12:19:16 +0200
- Organization: ACOnet
Valeriu,
* Valeriu Vraciu <valeriu AT roedu.net> [2021-10-29 09:44]:
> Particularly, the construction of European Student Identifier (ESI) as it is
> suggested at [1] is in debate, the second form seems to be suitable
> (urn:schac:personalUniqueCode:int:esi:<sHO>:<code>), but we are seeking for
> information about what other federations recommended to their constituency,
> mainly regarding what to use for <code> part in above form, or/and if there
> are any country-level regulations dealing with this so uniqueness is somehow
> guaranteed if the other form
> (urn:schac:personalUniqueCode:int:esi:<country-code>:<code>) is used.
In Austria we have nationally unique matriculation numbers[1] from a
namespace managed by the Federal Ministry of Education, Science and
Research. This was the obvious choice for the construction of ESIs of
the form <country-code>:<code>.
But not all Austrian institutions that need to produce ESIs are
recieving these matriculation numbers from the ministry (so they can't
be re-issuing those to students) and those have to use the <sHO>:<code>
form.
I.e., our institutions can't all use the same value scheme.
We created a local "profile" of the ESI specification (in German only):
https://wiki.univie.ac.at/display/federation/European+Student+Identifier
That just says "If you have matriculation numbers from the federation
ministry use them for construction of the ESI. (Only) If you don't,
use <sHO>:<code> with anything locally available as <code>."
(That profile initially included a third option based on another
nationally unique identifier[3] that institutions are increasingly
also provisioning into their IDM systems. But there was sufficient
resistance from the deployer community to even mention/"allow" this as
a possibility -- even if values were additionally hashed -- that we
removed this option from our local "profile"/guidance document. YMMV.)
Of course institutions are only formally bound by the actual ESI
specification, not by our local profile thereof, but it helps us to
provide support[2] (including instructions for configuring the
Shibboleth IDP software to produce ESIs) and it helps the the local
community to have simple rules that everyone can follow.
HTH,
-peter
[1] These never change for a given person and every person should only
ever get one assigned. Though sometimes errors are being made,
e.g. by a person being assigned (a second) one by mistake when
s*he already has (another, earlier). Then "fixing" the mistake
later leads to an effective change.
[2] E.g. as part of our IDP configuration documentation:
https://wiki.univie.ac.at/display/federation/IDP+4+Attribute+resolution#IDP4Attributeresolution-EuropeanStudentIdentifier
https://wiki.univie.ac.at/display/federation/Erasmus
[3] The so-called "Sector-Specific Personal Identifier", which is
"targeted" and differs per defined "sector" (not per SP, as we
know from e.g. SAML PairwiseID or SAML 2.0 Persistent NameIDs):
https://en.wikipedia.org/wiki/National_identification_number#Austria
- [eduGAIN-discuss] ESI attributes best-practice question, Valeriu Vraciu, 29-Oct-2021
- Re: [eduGAIN-discuss] ESI attributes best-practice question, Christos Kanellopoulos, 29-Oct-2021
- Re: [eduGAIN-discuss] ESI attributes best-practice question, Mijo Djerek, 29-Oct-2021
- Re: [eduGAIN-discuss] ESI attributes best-practice question, Peter Schober, 10/29/2021
Archive powered by MHonArc 2.6.19.