https://safire.ac.za/namespace/claims

The https://safire.ac.za/namespace/claims namespace is used to define some claims provider identifiers for use with Active Directory Federation Services (AD FS) and Microsoft Entra ID (formerly Azure AD). Whilst well defined, these are non-standard claims that are likely not interoperable outside of SAFIRE.

A non-normative schema for the namespace is available at https://safire.ac.za/namespace/claims.xsd.

https://safire.ac.za/namespace/claims namespace registry

Prefix
    Use/Description

https://safire.ac.za/namespace/claims
    Used for claims provider identifiers in AD FS or Azure AD

https://safire.ac.za/namespace/claims/unscopedAffiliationSingleton
    Space delimited singleton representation of eduPersonAffiliation, utilising the same limited vocabulary (defined here as safire:AffiliationVocabularyType).

https://safire.ac.za/namespace/claims/unscopedAffiliationSingleton/… [1]
    Suffixed singleton that will be merged as-is into eduPersonAffiliation, utilising the same limited vocabulary (defined here as safire:AffiliationVocabularyType).

https://safire.ac.za/namespace/claims/scopedAffiliationSingleton
    Space delimited singleton representation of eduPersonScopedAffiliation, utilising the same limited vocabulary.

https://safire.ac.za/namespace/claims/scopedAffiliationSingleton/… [1]
    Suffixed singleton that will be merged as-is into eduPersonScopedAffiliation, utilising the same limited vocabulary.

https://safire.ac.za/namespace/claims/primaryAffiliationSingleton
    Singleton representation of eduPersonPrimaryAffiliation, utilising the same limited vocabulary. Not actually required, but here for completeness.

https://safire.ac.za/namespace/claims/entitlementSingleton
    Space delimited singleton representation of eduPersonEntitlement.

https://safire.ac.za/namespace/claims/entitlementSingleton/… [1]
    Suffixed singleton that will be merged as-is into eduPersonEntitlement.

Examples

Note that mixing the suffixed and unsuffixed singleton forms of the same claim is not recommended and may result in undefined behaviour.

Unsuffixed singletons

A SAML attribute statement containing the following attribute:

<saml:Attribute
    Name="https://safire.ac.za/namespace/claims/unscopedAffiliationSingleton"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>
    <saml:AttributeValue>member staff</saml:AttributeValue>
</saml:Attribute>

will be re-mapped to:

<saml:Attribute
    Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>
    <saml:AttributeValue>member</saml:AttributeValue>
    <saml:AttributeValue>staff</saml:AttributeValue>
</saml:Attribute>

Suffixed singletons

The suffixed singletons can be specified multiple times, so long as each suffix is unique. Thus, a SAML attribute statement containing the following attributes:

<saml:Attribute
    Name="https://safire.ac.za/namespace/claims/unscopedAffiliationSingleton/01"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>
    <saml:AttributeValue>member</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute
    Name="https://safire.ac.za/namespace/claims/unscopedAffiliationSingleton/02"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>
    <saml:AttributeValue>staff</saml:AttributeValue>
</saml:Attribute>

will be re-mapped to:

<saml:Attribute
    Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>
    <saml:AttributeValue>member</saml:AttributeValue>
    <saml:AttributeValue>staff</saml:AttributeValue>
</saml:Attribute>
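The re-mapping shown in both examples above (splitting an unsuffixed singleton on spaces, merging suffixed singletons as-is), as an added illustration that is not SAFIRE's own code. It assumes the attribute statement has already been parsed into a mapping of attribute Name to its list of AttributeValue strings, uses the eduPersonAffiliation vocabulary and eduPerson attribute OIDs from the eduPerson schema, and, since the page leaves mixed forms undefined, rejects them rather than guessing.

```python
import re
from collections import defaultdict

NS = "https://safire.ac.za/namespace/claims/"
SUFFIX_RE = re.compile(r"[a-zA-Z0-9]{1,10}")   # footnote pattern; "/" is excluded
# eduPersonAffiliation controlled vocabulary, from the eduPerson schema
AFFILIATION_VOCAB = {"faculty", "student", "staff", "alum", "member",
                     "affiliate", "employee", "library-walk-in"}
# singleton claim -> (target eduPerson attribute OID, space-delimited?, vocabulary-checked?)
SINGLETONS = {
    "unscopedAffiliationSingleton": ("urn:oid:1.3.6.1.4.1.5923.1.1.1.1", True, True),
    "scopedAffiliationSingleton":   ("urn:oid:1.3.6.1.4.1.5923.1.1.1.9", True, True),
    "primaryAffiliationSingleton":  ("urn:oid:1.3.6.1.4.1.5923.1.1.1.5", False, True),
    "entitlementSingleton":         ("urn:oid:1.3.6.1.4.1.5923.1.1.1.7", True, False),
}

def remap_claims(attrs):
    """attrs maps SAML attribute Name -> list of AttributeValue strings (assumed
    pre-parsed). Returns a new mapping with SAFIRE singleton claims merged into
    the multi-valued eduPerson attributes; raises ValueError on malformed input."""
    out, forms = {}, defaultdict(set)
    for name, values in attrs.items():
        if not name.startswith(NS):
            out[name] = list(values)              # non-SAFIRE attributes pass through
            continue
        claim, sep, suffix = name[len(NS):].partition("/")
        if claim not in SINGLETONS:
            raise ValueError(f"unknown SAFIRE claim: {name}")
        if len(values) != 1:
            raise ValueError(f"{name} is a singleton but carries {len(values)} values")
        if sep and not SUFFIX_RE.fullmatch(suffix):
            raise ValueError(f"suffix {suffix!r} does not match [a-zA-Z0-9]{{1,10}}")
        target, delimited, checked = SINGLETONS[claim]
        # suffixed singletons are merged as-is; unsuffixed ones are space delimited
        new = [values[0]] if sep or not delimited else values[0].split()
        for v in new:
            # for scoped affiliations the vocabulary applies to the part before "@"
            if checked and v.split("@", 1)[0] not in AFFILIATION_VOCAB:
                raise ValueError(f"{v!r} is outside the eduPersonAffiliation vocabulary")
        # mixing suffixed and unsuffixed forms of one claim is undefined: refuse it
        forms[claim].add("suffixed" if sep else "plain")
        if len(forms[claim]) > 1:
            raise ValueError(f"{claim} uses both suffixed and unsuffixed forms")
        out.setdefault(target, []).extend(new)
    return out

if __name__ == "__main__":
    # constructed input matching the suffixed example on this page
    print(remap_claims({NS + "unscopedAffiliationSingleton/01": ["member"],
                        NS + "unscopedAffiliationSingleton/02": ["staff"]}))
```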

  [1] “…” represents any suffix matching the pattern [a-zA-Z0-9]{1,10} (and explicitly excluding another “/”).

South African Identity Federation