diff --git a/schema/vc/eduPerson_202208_v4_4_0_sdjwt.json b/schema/vc/eduPerson_202208_v4_4_0_sdjwt.json new file mode 100644 index 0000000..e482a7f --- /dev/null +++ b/schema/vc/eduPerson_202208_v4_4_0_sdjwt.json @@ -0,0 +1,273 @@ +{ + "$id":"https://refeds.org/schemas/vc/eduPerson_202208_v4_4_0_sdjwt.json", + "$schema":"https://json-schema.org/draft/2020-12/schema", + "$comment":"This schema implements the eduPerson schema version 4.4.0 (2022-08) - https://wiki.refeds.org/display/STAN/eduPerson+%28202208%29+v4.4.0. This schema is maintained by REFEDs (https://refeds.org). The mission of REFEDS (the Research and Education FEDerations group) is to be the voice that articulates the mutual needs of research and education identity federations worldwide.", + "title":"eduPersonCredential", + "description":"Schema for verifiable credential claims describing a user in the context of eduPerson", + "type":"object", + "properties":{ + "eduperson_affiliation":{ + "type":"string", + "description":"eduPerson per Internet2 and EDUCAUSE", + "enum":[ + "faculty", + "student", + "staff", + "alum", + "member", + "affiliate", + "employee", + "library-walk-in" + ] + }, + "eduperson_entitlement":{ + "type":"string", + "description":"URI (either URN or URL) that indicates a set of rights to specific resources.", + "format":"uri" + }, + "eduperson_nickname":{ + "type":"string", + "description":"Person's nickname, or the informal name by which they are accustomed to be hailed." + }, + "eduperson_org_dn":{ + "type":"string", + "description":"The distinguished name (DN) of the directory entry representing the institution with which the person is associated.The directory entry pointed to by this dn should be represented in the X.521(2001) 'organization' object class The attribute set for organization is defined as follows: o (Organization Name, required}" + }, + "eduperson_org_unit_dn":{ + "type":"string", + "description":"The distinguished name(s) (DN) of the directory entries representing the person's Organizational Unit(s). May be multivalued, as for example, in the case of a faculty member with appointments in multiple departments or a person who is a student in one department and an employee in another." + }, + "eduperson_primary_affiliation":{ + "type":"string", + "description":"Specifies the person's primary relationship to the institution in broad categories such as student, faculty, staff, alum, etc" + }, + "eduperson_primary_org_unit_dn":{ + "type":"string", + "description":"The distinguished name (DN) of the directory entry representing the person's primary Organizational Unit(s)." + }, + "eduperson_principal_name":{ + "type":"string", + "description":"A scoped identifier for a person. It should be represented in the form 'user@scope' where 'user' is a name-based identifier for the person and where the 'scope' portion MUST be the administrative domain of the identity system where the identifier was created and assigned. Each value of 'scope' defines a namespace within which the assigned identifiers MUST be unique. Given this rule, if two eduPersonPrincipalName (ePPN) values are the same at a given point in time, they refer to the same person. There must be one and only one '@' sign in valid values of eduPersonPrincipalName.", + "pattern":"^\\S+@\\S+\\.\\S+$" + }, + "eduperson_principal_name_prior":{ + "type":"string", + "description":"Each value of this multi-valued attribute represents an ePPN (eduPersonPrincipalName) value that was previously associated with the entry. The values MUST NOT include the currently valid ePPN value. There is no implied or assumed order to the values. This attribute MUST NOT be populated if ePPN values are ever reassigned to a different entry (after, for example, a period of dormancy). That is, they MUST be unique in space and over time.", + "pattern":"^\\S+@\\S+\\.\\S+$" + }, + "eduperson_scoped_affiliation":{ + "type":"string", + "description":"Specifies the person's affiliation within a particular security domain in broad categories such as student, faculty, staff, alum, etc. The values consist of a left and right component separated by an '@' sign. The left component is one of the values from the eduPersonAffiliation controlled vocabulary.This right-hand side syntax of eduPersonScopedAffiliation intentionally matches that used for the right-hand side values for eduPersonPrincipalName. The 'scope' portion MUST be the administrative domain to which the affiliation applies. Multiple '@' signs are not recommended, but in any case, the first occurrence of the '@' sign starting from the left is to be taken as the delimiter between components. Thus, user identifier is to the left, security domain to the right of the first '@'. This parsing rule conforms to the POSIX 'greedy' disambiguation method in regular expression processing.", + "pattern":"^\\S+@\\S+\\.\\S+$" + }, + "eduperson_targeted_id":{ + "type":"string", + "description":"A persistent, non-reassigned, opaque identifier for a principal.", + "deprecated":true + }, + "eduperson_assurance":{ + "type":"array", + "description":"Set of URIs that assert compliance with specific standards for identity assurance.", + "anyof":{ + "type":"uri" + } + }, + "eduperson_unique_id":{ + "type":"string", + "description":"A long-lived, non re-assignable, omnidirectional identifier suitable for use as a principal identifier by authentication providers or as a unique external key by applications." + }, + "eduperson_orcid":{ + "type":"string", + "description":"ORCID iDs are persistent digital identifiers for individual researchers. Their primary purpose is to unambiguously and definitively link them with their scholarly work products. ORCID iDs are assigned, managed and maintained by the ORCID organization." + }, + "eduperson_analytics_tag":{ + "type":"string", + "description":"An opaque string that aggregates the use of a service by a set of subjects for the purpose of reporting or analytics by the originating organization." + }, + "eduperson_display_pronouns":{ + "type":"string", + "description":"Text representing the word(s) a person prefers as their personal pronoun(s). Multiple personal pronouns should include separators to support human readability, e.g., ‘Ashe’, ‘she/her/hers’, or ‘ella, ellas’, or ‘היא’, or ‘She/ella*, O /او , 她/她, היא’." + }, + "audio":{ + "type":"string", + "description":"RFC1274 notes that the proprietary format they recommend is 'interim' only." + }, + "cn":{ + "type":"string", + "description":"Common name. According to RFC4519, The 'cn' ('commonName' in X.500) attribute type contains names of an object. Each name is one value of this multi-valued attribute. If the object corresponds to a person, it is typically the person's full name." + }, + "description":{ + "type":"string", + "description":"Open-ended; whatever the person or the directory manager puts here. According to RFC4519, The 'description' attribute type contains human-readable descriptive phrases about the object. Each description is one value of this multi-valued attribute." + }, + "display_name":{ + "type":"string", + "description":"The name(s) that should appear in white-pages-like applications for this person. From RFC2798 description: 'preferred name of a person to be used when displaying entries.'" + }, + "facsimile_telephone_number":{ + "type":"array", + "description":"According to RFC4519: 'The 'facsimileTelephoneNumber' attribute type contains telephone numbers (and, optionally, the parameters) for facsimile terminals. Each telephone number is one value of this multi-valued attribute.'", + "anyof":{ + "type":[ + "string", + "null" + ], + "minLength":10, + "maxLength":20, + "pattern":"^(\\([0-9]{3}\\))?[0-9]{3}-[0-9]{4}$" + } + }, + "given_name":{ + "type":"string", + "description":"From RFC4519 description: 'The 'givenName' attribute type contains name strings that are the part of a person's name that is not their surname. Each string is one value of this multi-valued attribute.'" + }, + "home_phone":{ + "type":"array", + "description":"From RFC1274 description: 'The [homePhone] attribute type specifies a home telephone number associated with a person.'", + "anyof":{ + "type":[ + "string", + "null" + ], + "minLength":10, + "maxLength":20, + "pattern":"^(\\([0-9]{3}\\))?[0-9]{3}-[0-9]{4}$" + } + }, + "home_postal_address":{ + "type":"string", + "description":"From RFC1274 description: 'The Home postal address attribute type specifies a home postal address for an object. This should be limited to up to 6 lines of 30 characters each.' Semantics Home address. OrgPerson has a PostalAddress that complements this attribute." + }, + "initials":{ + "type":"string", + "description":"'The 'initials' attribute type contains strings of initials of some or all of an individual's names, except the surname(s). Each string is one value of this multi-valued attribute.'" + }, + "jpeg_photo":{ + "type":"string", + "description":"Follow inetOrgPerson definition of RFC2798: 'Used to store one or more images of a person using the JPEG File Interchange Format [JFIF].'" + }, + "locality_name":{ + "type":"string", + "description":"According to RFC4519, 'The 'l' ('localityName' in X.500) attribute type contains names of a locality or place, such as a city, county, or other geographic region. Each name is one value of this multi-valued attribute.'" + }, + "labeled_uri":{ + "type":"array", + "description":"Follow inetOrgPerson definition of RFC2079: 'Uniform Resource Identifier with optional label.'", + "anyof":{ + "type":"uri" + } + }, + "mail":{ + "type":"string", + "description":"From RFC4524: The 'mail' (rfc822mailbox) attribute type holds Internet mail addresses in Mailbox [RFC2821] form (e.g., user@example.com).", + "format":"email" + }, + "manager":{ + "type":"string", + "description":"From RFC4524: 'The 'manager' attribute specifies managers, by distinguished name, of the person (or entity).'" + }, + "mobile":{ + "type":"array", + "description":"From RFC4524: 'The 'mobile' (mobileTelephoneNumber) attribute specifies mobile telephone numbers (e.g., '+1 775 555 6789' associated with a person (or entity).'", + "anyof":{ + "type":[ + "string", + "null" + ], + "minLength":10, + "maxLength":20, + "pattern":"^(\\([0-9]{3}\\))?[0-9]{3}-[0-9]{4}$" + } + }, + "o":{ + "type":"string", + "description":"Standard name of the top-level organization (institution) with which this person is associated." + }, + "ou":{ + "type":"string", + "description":"Organizational unit(s). According to X.520(2000), 'The Organizational Unit Name attribute type specifies an organizational unit. When used as a component of a directory name it identifies an organizational unit with which the named object is affiliated.'" + }, + "pager":{ + "type":"array", + "description":"From RFC4524: 'The 'pager' (pagerTelephoneNumber) attribute specifies pager telephone numbers (e.g., '+1 775 555 5555') for an object.'", + "anyof":{ + "type":[ + "string", + "null" + ], + "minLength":10, + "maxLength":20, + "pattern":"^(\\([0-9]{3}\\))?[0-9]{3}-[0-9]{4}$" + } + }, + "postal_address":{ + "type":"string", + "description":"Campus or office address. inetOrgPerson has a homePostalAddress that complements this attribute. X.520(2000) reads: 'The Postal Address attribute type specifies the address information required for the physical postal delivery to an object.'" + }, + "postal_code":{ + "type":"string", + "description":"Follow X.500(2001): 'The postal code attribute type specifies the postal code of the named object. If this attribute value is present, it will be part of the object's postal address.' Zipcode in USA, postal code for other countries." + }, + "post_office_box":{ + "type":"string", + "description":"From RFC4519: 'The 'postOfficeBox' attribute type contains postal box identifiers that a Postal Service uses when a customer arranges to receive mail at a box on the premises of the Postal Service. Each postal box identifier is a single value of this multi-valued attribute.'" + }, + "preferred_language":{ + "type":"string", + "description":"Follow inetOrgPerson definition of RFC2798: 'preferred written or spoken language for a person.'" + }, + "see_also":{ + "type":"string", + "description":"From RFC4519: The 'seeAlso' attribute type contains the distinguished names of objects that are related to the subject object. Each related object name is one value of this multi-valued attribute." + }, + "sn":{ + "type":"string", + "description":"Surname or family name. From RFC4519: 'The 'sn' ('surname' in X.500) attribute type contains name strings for the family names of a person. Each string is one value of this multi-valued attribute.'" + }, + "st":{ + "type":"string", + "description":"Abbreviation for state or province name. Format: The values should be coordinated on a national level. If well-known shortcuts exist, like the two-letter state abbreviations in the US, these abbreviations are preferred over longer full names. From RFC4519: 'The 'st' ('stateOrProvinceName' in X.500) attribute type contains the full names of states or provinces. Each name is one value of this multi-valued attribute.'" + }, + "street":{ + "type":"string", + "description":"From RFC4519: 'The 'street' ('streetAddress' in X.500) attribute type contains site information from a postal address (i.e., the street name, place, avenue, and the house number). Each street is one value of this multi-valued attribute.'" + }, + "telephone_number":{ + "type":"array", + "description":"Office/campus phone number. Attribute values should comply with the international format specified in ITU Recommendation E.123: e.g., '+44 71 123 4567.'", + "anyof":{ + "type":[ + "string", + "null" + ], + "minLength":10, + "maxLength":20, + "pattern":"^(\\([0-9]{3}\\))?[0-9]{3}-[0-9]{4}$" + } + }, + "title":{ + "type":"string", + "description":"From RFC4519: 'The 'title' attribute type contains the title of a person in their organizational context. Each title is one value of this multi-valued attribute.' " + }, + "uid":{ + "type":"string", + "description":"From RFC4519: 'The 'uid' ('userid' in RFC1274) attribute type contains computer system login names associated with the object. Each name is one value of this multi-valued attribute.'" + }, + "unique_identifier":{ + "type":"string", + "description":"From RFC4524: 'The 'uniqueIdentifier' attribute specifies a unique identifier for an object represented in the Directory. The domain within which the identifier is unique and the exact semantics of the identifier are for local definition. For a person, this might be an institution- wide payroll number. For an organizational unit, it might be a department code.'" + }, + "user_password":{ + "type":"string", + "description":"This attribute identifies the entry's password and encryption method in the following format: {encryption method}encrypted password." + }, + "user_smime_certificate":{ + "type":"string", + "description":"An X.509 certificate specifically for use in S/MIME applications (see RFCs 2632, 2633 and 2634)." + }, + "x500unique_identifier":{ + "type":"string", + "description":"Defined originally in X.509(96) and included in RFC2256." + } + } +} \ No newline at end of file diff --git a/schema/vc/eduPerson_202208_v4_4_0_vcdm.json b/schema/vc/eduPerson_202208_v4_4_0_vcdm.json new file mode 100644 index 0000000..8f28544 --- /dev/null +++ b/schema/vc/eduPerson_202208_v4_4_0_vcdm.json @@ -0,0 +1,278 @@ +{ + "$id":"https://refeds.org/schemas/vc/eduPerson_202208_v4_4_0_vcdm.json", + "$schema":"https://json-schema.org/draft/2020-12/schema", + "$comment":"This schema implements the eduPerson schema version 4.4.0 (2022-08) - https://wiki.refeds.org/display/STAN/eduPerson+%28202208%29+v4.4.0. This schema is maintained by REFEDs (https://refeds.org). The mission of REFEDS (the Research and Education FEDerations group) is to be the voice that articulates the mutual needs of research and education identity federations worldwide.", + "title":"eduPersonCredential", + "description":"Schema for verifiable credential claims describing a user in the context of eduPerson", + "type":"object", + "properties":{ + "credentialSubject":{ + "type":"object", + "properties":{ + "eduperson_affiliation":{ + "type":"string", + "description":"eduPerson per Internet2 and EDUCAUSE", + "enum":[ + "faculty", + "student", + "staff", + "alum", + "member", + "affiliate", + "employee", + "library-walk-in" + ] + }, + "eduperson_entitlement":{ + "type":"string", + "description":"URI (either URN or URL) that indicates a set of rights to specific resources.", + "format":"uri" + }, + "eduperson_nickname":{ + "type":"string", + "description":"Person's nickname, or the informal name by which they are accustomed to be hailed." + }, + "eduperson_org_dn":{ + "type":"string", + "description":"The distinguished name (DN) of the directory entry representing the institution with which the person is associated.The directory entry pointed to by this dn should be represented in the X.521(2001) 'organization' object class The attribute set for organization is defined as follows: o (Organization Name, required}" + }, + "eduperson_org_unit_dn":{ + "type":"string", + "description":"The distinguished name(s) (DN) of the directory entries representing the person's Organizational Unit(s). May be multivalued, as for example, in the case of a faculty member with appointments in multiple departments or a person who is a student in one department and an employee in another." + }, + "eduperson_primary_affiliation":{ + "type":"string", + "description":"Specifies the person's primary relationship to the institution in broad categories such as student, faculty, staff, alum, etc" + }, + "eduperson_primary_org_unit_dn":{ + "type":"string", + "description":"The distinguished name (DN) of the directory entry representing the person's primary Organizational Unit(s)." + }, + "eduperson_principal_name":{ + "type":"string", + "description":"A scoped identifier for a person. It should be represented in the form 'user@scope' where 'user' is a name-based identifier for the person and where the 'scope' portion MUST be the administrative domain of the identity system where the identifier was created and assigned. Each value of 'scope' defines a namespace within which the assigned identifiers MUST be unique. Given this rule, if two eduPersonPrincipalName (ePPN) values are the same at a given point in time, they refer to the same person. There must be one and only one '@' sign in valid values of eduPersonPrincipalName.", + "pattern":"^\\S+@\\S+\\.\\S+$" + }, + "eduperson_principal_name_prior":{ + "type":"string", + "description":"Each value of this multi-valued attribute represents an ePPN (eduPersonPrincipalName) value that was previously associated with the entry. The values MUST NOT include the currently valid ePPN value. There is no implied or assumed order to the values. This attribute MUST NOT be populated if ePPN values are ever reassigned to a different entry (after, for example, a period of dormancy). That is, they MUST be unique in space and over time.", + "pattern":"^\\S+@\\S+\\.\\S+$" + }, + "eduperson_scoped_affiliation":{ + "type":"string", + "description":"Specifies the person's affiliation within a particular security domain in broad categories such as student, faculty, staff, alum, etc. The values consist of a left and right component separated by an '@' sign. The left component is one of the values from the eduPersonAffiliation controlled vocabulary.This right-hand side syntax of eduPersonScopedAffiliation intentionally matches that used for the right-hand side values for eduPersonPrincipalName. The 'scope' portion MUST be the administrative domain to which the affiliation applies. Multiple '@' signs are not recommended, but in any case, the first occurrence of the '@' sign starting from the left is to be taken as the delimiter between components. Thus, user identifier is to the left, security domain to the right of the first '@'. This parsing rule conforms to the POSIX 'greedy' disambiguation method in regular expression processing.", + "pattern":"^\\S+@\\S+\\.\\S+$" + }, + "eduperson_targeted_id":{ + "type":"string", + "description":"A persistent, non-reassigned, opaque identifier for a principal.", + "deprecated":true + }, + "eduperson_assurance":{ + "type":"array", + "description":"Set of URIs that assert compliance with specific standards for identity assurance.", + "anyof":{ + "type":"uri" + } + }, + "eduperson_unique_id":{ + "type":"string", + "description":"A long-lived, non re-assignable, omnidirectional identifier suitable for use as a principal identifier by authentication providers or as a unique external key by applications." + }, + "eduperson_orcid":{ + "type":"string", + "description":"ORCID iDs are persistent digital identifiers for individual researchers. Their primary purpose is to unambiguously and definitively link them with their scholarly work products. ORCID iDs are assigned, managed and maintained by the ORCID organization." + }, + "eduperson_analytics_tag":{ + "type":"string", + "description":"An opaque string that aggregates the use of a service by a set of subjects for the purpose of reporting or analytics by the originating organization." + }, + "eduperson_display_pronouns":{ + "type":"string", + "description":"Text representing the word(s) a person prefers as their personal pronoun(s). Multiple personal pronouns should include separators to support human readability, e.g., ‘Ashe’, ‘she/her/hers’, or ‘ella, ellas’, or ‘היא’, or ‘She/ella*, O /او , 她/她, היא’." + }, + "audio":{ + "type":"string", + "description":"RFC1274 notes that the proprietary format they recommend is 'interim' only." + }, + "cn":{ + "type":"string", + "description":"Common name. According to RFC4519, The 'cn' ('commonName' in X.500) attribute type contains names of an object. Each name is one value of this multi-valued attribute. If the object corresponds to a person, it is typically the person's full name." + }, + "description":{ + "type":"string", + "description":"Open-ended; whatever the person or the directory manager puts here. According to RFC4519, The 'description' attribute type contains human-readable descriptive phrases about the object. Each description is one value of this multi-valued attribute." + }, + "display_name":{ + "type":"string", + "description":"The name(s) that should appear in white-pages-like applications for this person. From RFC2798 description: 'preferred name of a person to be used when displaying entries.'" + }, + "facsimile_telephone_number":{ + "type":"array", + "description":"According to RFC4519: 'The 'facsimileTelephoneNumber' attribute type contains telephone numbers (and, optionally, the parameters) for facsimile terminals. Each telephone number is one value of this multi-valued attribute.'", + "anyof":{ + "type":[ + "string", + "null" + ], + "minLength":10, + "maxLength":20, + "pattern":"^(\\([0-9]{3}\\))?[0-9]{3}-[0-9]{4}$" + } + }, + "given_name":{ + "type":"string", + "description":"From RFC4519 description: 'The 'givenName' attribute type contains name strings that are the part of a person's name that is not their surname. Each string is one value of this multi-valued attribute.'" + }, + "home_phone":{ + "type":"array", + "description":"From RFC1274 description: 'The [homePhone] attribute type specifies a home telephone number associated with a person.'", + "anyof":{ + "type":[ + "string", + "null" + ], + "minLength":10, + "maxLength":20, + "pattern":"^(\\([0-9]{3}\\))?[0-9]{3}-[0-9]{4}$" + } + }, + "home_postal_address":{ + "type":"string", + "description":"From RFC1274 description: 'The Home postal address attribute type specifies a home postal address for an object. This should be limited to up to 6 lines of 30 characters each.' Semantics Home address. OrgPerson has a PostalAddress that complements this attribute." + }, + "initials":{ + "type":"string", + "description":"'The 'initials' attribute type contains strings of initials of some or all of an individual's names, except the surname(s). Each string is one value of this multi-valued attribute.'" + }, + "jpeg_photo":{ + "type":"string", + "description":"Follow inetOrgPerson definition of RFC2798: 'Used to store one or more images of a person using the JPEG File Interchange Format [JFIF].'" + }, + "locality_name":{ + "type":"string", + "description":"According to RFC4519, 'The 'l' ('localityName' in X.500) attribute type contains names of a locality or place, such as a city, county, or other geographic region. Each name is one value of this multi-valued attribute.'" + }, + "labeled_uri":{ + "type":"array", + "description":"Follow inetOrgPerson definition of RFC2079: 'Uniform Resource Identifier with optional label.'", + "anyof":{ + "type":"uri" + } + }, + "mail":{ + "type":"string", + "description":"From RFC4524: The 'mail' (rfc822mailbox) attribute type holds Internet mail addresses in Mailbox [RFC2821] form (e.g., user@example.com).", + "format":"email" + }, + "manager":{ + "type":"string", + "description":"From RFC4524: 'The 'manager' attribute specifies managers, by distinguished name, of the person (or entity).'" + }, + "mobile":{ + "type":"array", + "description":"From RFC4524: 'The 'mobile' (mobileTelephoneNumber) attribute specifies mobile telephone numbers (e.g., '+1 775 555 6789' associated with a person (or entity).'", + "anyof":{ + "type":[ + "string", + "null" + ], + "minLength":10, + "maxLength":20, + "pattern":"^(\\([0-9]{3}\\))?[0-9]{3}-[0-9]{4}$" + } + }, + "o":{ + "type":"string", + "description":"Standard name of the top-level organization (institution) with which this person is associated." + }, + "ou":{ + "type":"string", + "description":"Organizational unit(s). According to X.520(2000), 'The Organizational Unit Name attribute type specifies an organizational unit. When used as a component of a directory name it identifies an organizational unit with which the named object is affiliated.'" + }, + "pager":{ + "type":"array", + "description":"From RFC4524: 'The 'pager' (pagerTelephoneNumber) attribute specifies pager telephone numbers (e.g., '+1 775 555 5555') for an object.'", + "anyof":{ + "type":[ + "string", + "null" + ], + "minLength":10, + "maxLength":20, + "pattern":"^(\\([0-9]{3}\\))?[0-9]{3}-[0-9]{4}$" + } + }, + "postal_address":{ + "type":"string", + "description":"Campus or office address. inetOrgPerson has a homePostalAddress that complements this attribute. X.520(2000) reads: 'The Postal Address attribute type specifies the address information required for the physical postal delivery to an object.'" + }, + "postal_code":{ + "type":"string", + "description":"Follow X.500(2001): 'The postal code attribute type specifies the postal code of the named object. If this attribute value is present, it will be part of the object's postal address.' Zipcode in USA, postal code for other countries." + }, + "post_office_box":{ + "type":"string", + "description":"From RFC4519: 'The 'postOfficeBox' attribute type contains postal box identifiers that a Postal Service uses when a customer arranges to receive mail at a box on the premises of the Postal Service. Each postal box identifier is a single value of this multi-valued attribute.'" + }, + "preferred_language":{ + "type":"string", + "description":"Follow inetOrgPerson definition of RFC2798: 'preferred written or spoken language for a person.'" + }, + "see_also":{ + "type":"string", + "description":"From RFC4519: The 'seeAlso' attribute type contains the distinguished names of objects that are related to the subject object. Each related object name is one value of this multi-valued attribute." + }, + "sn":{ + "type":"string", + "description":"Surname or family name. From RFC4519: 'The 'sn' ('surname' in X.500) attribute type contains name strings for the family names of a person. Each string is one value of this multi-valued attribute.'" + }, + "st":{ + "type":"string", + "description":"Abbreviation for state or province name. Format: The values should be coordinated on a national level. If well-known shortcuts exist, like the two-letter state abbreviations in the US, these abbreviations are preferred over longer full names. From RFC4519: 'The 'st' ('stateOrProvinceName' in X.500) attribute type contains the full names of states or provinces. Each name is one value of this multi-valued attribute.'" + }, + "street":{ + "type":"string", + "description":"From RFC4519: 'The 'street' ('streetAddress' in X.500) attribute type contains site information from a postal address (i.e., the street name, place, avenue, and the house number). Each street is one value of this multi-valued attribute.'" + }, + "telephone_number":{ + "type":"array", + "description":"Office/campus phone number. Attribute values should comply with the international format specified in ITU Recommendation E.123: e.g., '+44 71 123 4567.'", + "anyof":{ + "type":[ + "string", + "null" + ], + "minLength":10, + "maxLength":20, + "pattern":"^(\\([0-9]{3}\\))?[0-9]{3}-[0-9]{4}$" + } + }, + "title":{ + "type":"string", + "description":"From RFC4519: 'The 'title' attribute type contains the title of a person in their organizational context. Each title is one value of this multi-valued attribute.' " + }, + "uid":{ + "type":"string", + "description":"From RFC4519: 'The 'uid' ('userid' in RFC1274) attribute type contains computer system login names associated with the object. Each name is one value of this multi-valued attribute.'" + }, + "unique_identifier":{ + "type":"string", + "description":"From RFC4524: 'The 'uniqueIdentifier' attribute specifies a unique identifier for an object represented in the Directory. The domain within which the identifier is unique and the exact semantics of the identifier are for local definition. For a person, this might be an institution- wide payroll number. For an organizational unit, it might be a department code.'" + }, + "user_password":{ + "type":"string", + "description":"This attribute identifies the entry's password and encryption method in the following format: {encryption method}encrypted password." + }, + "user_smime_certificate":{ + "type":"string", + "description":"An X.509 certificate specifically for use in S/MIME applications (see RFCs 2632, 2633 and 2634)." + }, + "x500unique_identifier":{ + "type":"string", + "description":"Defined originally in X.509(96) and included in RFC2256." + } + } + } + } +} \ No newline at end of file diff --git a/schema/vc/eduperson_ldif.json b/schema/vc/eduperson_ldif.json new file mode 100644 index 0000000..6601d35 --- /dev/null +++ b/schema/vc/eduperson_ldif.json @@ -0,0 +1,153 @@ +{ + "dn": "cn=eduPerson,cn=schema,cn=config", + "objectClass": "olcSchemaConfig", + "cn": "eduPerson", + "olcAttributeTypes": [ + { + "oid": "1.3.6.1.4.1.5923.1.1.1.1", + "NAME": "eduPersonAffiliation", + "DESC": "eduPerson per Internet2 and EDUCAUSE", + "EQUALITY": "caseIgnoreMatch", + "SUBSTR": "caseIgnoreSubstringsMatch", + "SYNTAX": "1.3.6.1.4.1.1466.115.121.1.15" + }, + { + "oid": "1.3.6.1.4.1.5923.1.1.1.2", + "NAME": "eduPersonNickname", + "DESC": "eduPerson per Internet2 and EDUCAUSE", + "EQUALITY": "caseIgnoreMatch", + "SUBSTR": "caseIgnoreSubstringsMatch", + "SYNTAX": "1.3.6.1.4.1.1466.115.121.1.15" + }, + { + "oid": "1.3.6.1.4.1.5923.1.1.1.3", + "NAME": "eduPersonOrgDN", + "DESC": "eduPerson per Internet2 and EDUCAUSE", + "EQUALITY": "distinguishedNameMatch", + "SYNTAX": "1.3.6.1.4.1.1466.115.121.1.12", + "SINGLE-VALUE": true + }, + { + "oid": "1.3.6.1.4.1.5923.1.1.1.4", + "NAME": "eduPersonOrgUnitDN", + "DESC": "eduPerson per Internet2 and EDUCAUSE", + "EQUALITY": "distinguishedNameMatch", + "SYNTAX": "1.3.6.1.4.1.1466.115.121.1.12" + }, + { + "oid": "1.3.6.1.4.1.5923.1.1.1.5", + "NAME": "eduPersonPrimaryAffiliation", + "DESC": "eduPerson per Internet2 and EDUCAUSE", + "EQUALITY": "caseIgnoreMatch", + "SUBSTR": "caseIgnoreSubstringsMatch", + "SYNTAX": "1.3.6.1.4.1.1466.115.121.1.15", + "SINGLE-VALUE": true + }, + { + "oid": "1.3.6.1.4.1.5923.1.1.1.6", + "NAME": "eduPersonPrincipalName", + "DESC": "eduPerson per Internet2 and EDUCAUSE", + "EQUALITY": "caseIgnoreMatch", + "SUBSTR": "caseIgnoreSubstringsMatch", + "SYNTAX": "1.3.6.1.4.1.1466.115.121.1.15", + "SINGLE-VALUE": true + }, + { + "oid": "1.3.6.1.4.1.5923.1.1.1.12", + "NAME": "eduPersonPrincipalNamePrior", + "DESC": "eduPerson per Internet2 and EDUCAUSE", + "EQUALITY": "caseIgnoreMatch", + "SUBSTR": "caseIgnoreSubstringsMatch", + "SYNTAX": "1.3.6.1.4.1.1466.115.121.1.15" + }, + { + "oid": "1.3.6.1.4.1.5923.1.1.1.7", + "NAME": "eduPersonEntitlement", + "DESC": "eduPerson per Internet2 and EDUCAUSE", + "EQUALITY": "caseExactMatch", + "SYNTAX": "1.3.6.1.4.1.1466.115.121.1.15" + }, + { + "oid": "1.3.6.1.4.1.5923.1.1.1.8", + "NAME": "eduPersonPrimaryOrgUnitDN", + "DESC": "eduPerson per Internet2 and EDUCAUSE", + "EQUALITY": "distinguishedNameMatch", + "SYNTAX": "1.3.6.1.4.1.1466.115.121.1.12", + "SINGLE-VALUE": true + }, + { + "oid": "1.3.6.1.4.1.5923.1.1.1.9", + "NAME": "eduPersonScopedAffiliation", + "DESC": "eduPerson per Internet2 and EDUCAUSE", + "EQUALITY": "caseIgnoreMatch", + "SYNTAX": "1.3.6.1.4.1.1466.115.121.1.15" + }, + { + "oid": "1.3.6.1.4.1.5923.1.1.1.10", + "NAME": "eduPersonTargetedID", + "DESC": "eduPerson per Internet2 and EDUCAUSE", + "EQUALITY": "caseIgnoreMatch", + "SYNTAX": "1.3.6.1.4.1.1466.115.121.1.15" + }, + { + "oid": "1.3.6.1.4.1.5923.1.1.1.11", + "NAME": "eduPersonAssurance", + "DESC": "eduPerson per Internet2 and EDUCAUSE", + "EQUALITY": "caseIgnoreMatch", + "SYNTAX": "1.3.6.1.4.1.1466.115.121.1.15" + }, + { + "oid": "1.3.6.1.4.1.5923.1.1.1.13", + "NAME": "eduPersonUniqueId", + "DESC": "eduPersonUniqueId per Internet2", + "EQUALITY": "caseIgnoreMatch", + "SYNTAX": "1.3.6.1.4.1.1466.115.121.1.15" + }, + { + "oid": "1.3.6.1.4.1.5923.1.1.1.16", + "NAME": "eduPersonOrcid", + "DESC": "ORCID researcher identifiers belonging to the principal", + "EQUALITY": "caseIgnoreMatch", + "SYNTAX": "1.3.6.1.4.1.1466.115.121.1.15" + }, + { + "oid": "1.3.6.1.4.1.5923.1.1.1.17", + "NAME": "eduPersonAnalyticsTag", + "DESC": "Arbitrary reporting value associated with a subject or transaction", + "EQUALITY": "caseExactMatch", + "SYNTAX": "1.3.6.1.4.1.1466.115.121.1.15" + }, + { + "oid": "1.3.6.1.4.1.5923.1.1.1.18", + "NAME": "eduPersonDisplayPronouns", + "DESC": "Human-readable set of pronouns", + "SYNTAX": "1.3.6.1.4.1.1466.115.121.1.15", + "SINGLE-VALUE": true + } + ], + "olcObjectClasses": [ + { + "oid": "1.3.6.1.4.1.5923.1.1.2", + "NAME": "eduPerson", + "DESC": "eduPerson (202208) - v4.4.0 - REFEDS Schema Board", + "AUXILIARY": true, + "MAY": [ + "eduPersonAffiliation", + "eduPersonNickname", + "eduPersonOrgDN", + "eduPersonOrgUnitDN", + "eduPersonPrimaryAffiliation", + "eduPersonPrincipalName", + "eduPersonPrincipalNamePrior", + "eduPersonEntitlement", + "eduPersonPrimaryOrgUnitDN", + "eduPersonScopedAffiliation", + "eduPersonTargetedID", + "eduPersonAssurance", + "eduPersonUniqueId", + "eduPersonOrcid", + "eduPersonDisplayPronouns" + ] + } + ] +} diff --git a/schema/vc/eduperson_schema.json b/schema/vc/eduperson_schema.json new file mode 100644 index 0000000..d9fccf2 --- /dev/null +++ b/schema/vc/eduperson_schema.json @@ -0,0 +1,476 @@ +{ + "id": "urn:geant:scim:schemas:eduperson:User", + "name": "SCIM schema for eduPerson", + "description": "Attributes to describe a user in the context of eduPerson", + "attributes": [ + { + "name": "eduPersonAffiliation", + "description": "eduPerson per Internet2 and EDUCAUSE", + "type": "string", + "multiValued": true, + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "canonicalValues": [ + "faculty", + "student", + "staff", + "alum", + "member", + "affiliate", + "employee", + "library-walk-in" + ], + "uniqueness": "none" + },{ + "name": "eduPersonEntitlement", + "description": "URI (either URN or URL) that indicates a set of rights to specific resources.", + "type": "string", + "multiValued": true, + "required": false, + "caseExact": true, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "eduPersonNickname", + "description": "Person's nickname, or the informal name by which they are accustomed to be hailed.", + "type": "string", + "multiValued": true, + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "eduPersonOrgDN", + "description": "The distinguished name (DN) of the directory entry representing the institution with which the person is associated.The directory entry pointed to by this dn should be represented in the X.521(2001) 'organization' object class The attribute set for organization is defined as follows: o (Organization Name, required}", + "type": "string", + "multiValued": false, + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "eduPersonOrgUnitDN", + "description": "The distinguished name(s) (DN) of the directory entries representing the person's Organizational Unit(s). May be multivalued, as for example, in the case of a faculty member with appointments in multiple departments or a person who is a student in one department and an employee in another.", + "type": "string", + "multiValued": true, + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "eduPersonPrimaryAffiliation", + "description": "Specifies the person's primary relationship to the institution in broad categories such as student, faculty, staff, alum, etc", + "type": "string", + "multiValued": false, + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "eduPersonPrimaryOrgUnitDN", + "description": "The distinguished name (DN) of the directory entry representing the person's primary Organizational Unit(s).", + "type": "string", + "multiValued": false, + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "eduPersonPrincipalName", + "description": "A scoped identifier for a person. It should be represented in the form 'user@scope' where 'user' is a name-based identifier for the person and where the 'scope' portion MUST be the administrative domain of the identity system where the identifier was created and assigned. Each value of 'scope' defines a namespace within which the assigned identifiers MUST be unique. Given this rule, if two eduPersonPrincipalName (ePPN) values are the same at a given point in time, they refer to the same person. There must be one and only one '@' sign in valid values of eduPersonPrincipalName.", + "type": "string", + "multiValued": false, + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "eduPersonPrincipalNamePrior", + "description": "Each value of this multi-valued attribute represents an ePPN (eduPersonPrincipalName) value that was previously associated with the entry. The values MUST NOT include the currently valid ePPN value. There is no implied or assumed order to the values. This attribute MUST NOT be populated if ePPN values are ever reassigned to a different entry (after, for example, a period of dormancy). That is, they MUST be unique in space and over time.", + "type": "string", + "multiValued": true, + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "eduPersonScopedAffiliation", + "description": "Specifies the person's affiliation within a particular security domain in broad categories such as student, faculty, staff, alum, etc. The values consist of a left and right component separated by an '@' sign. The left component is one of the values from the eduPersonAffiliation controlled vocabulary.This right-hand side syntax of eduPersonScopedAffiliation intentionally matches that used for the right-hand side values for eduPersonPrincipalName. The 'scope' portion MUST be the administrative domain to which the affiliation applies. Multiple '@' signs are not recommended, but in any case, the first occurrence of the '@' sign starting from the left is to be taken as the delimiter between components. Thus, user identifier is to the left, security domain to the right of the first '@'. This parsing rule conforms to the POSIX 'greedy' disambiguation method in regular expression processing.", + "type": "string", + "multiValued": true, + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "eduPersonTargetedID", + "description": "DEPRECATED", + "type": "string", + "multiValued": true, + "required": false, + "caseExact": true, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "server" + },{ + "name": "eduPersonAssurance", + "description": "Set of URIs that assert compliance with specific standards for identity assurance.", + "type": "string", + "multiValued": true, + "required": false, + "caseExact": true, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "eduPersonUniqueId", + "description": "A long-lived, non re-assignable, omnidirectional identifier suitable for use as a principal identifier by authentication providers or as a unique external key by applications.", + "type": "string", + "multiValued": false, + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "global" + },{ + "name": "eduPersonOrcid", + "description": "ORCID iDs are persistent digital identifiers for individual researchers. Their primary purpose is to unambiguously and definitively link them with their scholarly work products. ORCID iDs are assigned, managed and maintained by the ORCID organization.", + "type": "string", + "multiValued": true, + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "global" + },{ + "name": "eduPersonAnalyticsTag", + "description": "An opaque string that aggregates the use of a service by a set of subjects for the purpose of reporting or analytics by the originating organization.", + "type": "string", + "multiValued": true, + "required": false, + "caseExact": true, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "eduPersonDisplayPronouns", + "description": "Text representing the word(s) a person prefers as their personal pronoun(s). Multiple personal pronouns should include separators to support human readability, e.g., ‘Ashe’, ‘she/her/hers’, or ‘ella, ellas’, or ‘היא’, or ‘She/ella*, O /او , 她/她, היא’.", + "type": "string", + "multiValued": false, + "required": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + } + , + { + "name": "audio", + "description": "RFC1274 notes that the proprietary format they recommend is 'interim' only.", + "type": "string", + "multiValued": true, + "required": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "cn", + "description": "Common name. According to RFC4519, The 'cn' ('commonName' in X.500) attribute type contains names of an object. Each name is one value of this multi-valued attribute. If the object corresponds to a person, it is typically the person's full name.", + "type": "string", + "multiValued": true, + "required": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "description", + "description": "Open-ended; whatever the person or the directory manager puts here. According to RFC4519, The 'description' attribute type contains human-readable descriptive phrases about the object. Each description is one value of this multi-valued attribute.", + "type": "string", + "multiValued": true, + "required": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "displayName", + "description": "The name(s) that should appear in white-pages-like applications for this person. From RFC2798 description: 'preferred name of a person to be used when displaying entries.'", + "type": "string", + "multiValued": false, + "required": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "facsimileTelephoneNumber", + "description": "According to RFC4519: 'The 'facsimileTelephoneNumber' attribute type contains telephone numbers (and, optionally, the parameters) for facsimile terminals. Each telephone number is one value of this multi-valued attribute.'", + "type": "string", + "multiValued": true, + "required": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "givenName", + "description": "From RFC4519 description: 'The 'givenName' attribute type contains name strings that are the part of a person's name that is not their surname. Each string is one value of this multi-valued attribute.'", + "type": "string", + "multiValued": true, + "required": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "homePhone", + "description": "From RFC1274 description: 'The [homePhone] attribute type specifies a home telephone number associated with a person.'", + "type": "string", + "multiValued": true, + "required": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "homePostalAddress", + "description": "From RFC1274 description: 'The Home postal address attribute type specifies a home postal address for an object. This should be limited to up to 6 lines of 30 characters each.' Semantics Home address. OrgPerson has a PostalAddress that complements this attribute.", + "type": "string", + "multiValued": true, + "required": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "initials", + "description": "'The 'initials' attribute type contains strings of initials of some or all of an individual's names, except the surname(s). Each string is one value of this multi-valued attribute.'", + "type": "string", + "multiValued": true, + "required": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "jpegPhoto", + "description": "Follow inetOrgPerson definition of RFC2798: 'Used to store one or more images of a person using the JPEG File Interchange Format [JFIF].'", + "type": "string", + "multiValued": true, + "required": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "localityName", + "description": "According to RFC4519, 'The 'l' ('localityName' in X.500) attribute type contains names of a locality or place, such as a city, county, or other geographic region. Each name is one value of this multi-valued attribute.'", + "type": "string", + "multiValued": true, + "required": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "labeledURI", + "description": "Follow inetOrgPerson definition of RFC2079: 'Uniform Resource Identifier with optional label.'", + "type": "string", + "multiValued": true, + "required": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "mail", + "description": "From RFC4524: The 'mail' (rfc822mailbox) attribute type holds Internet mail addresses in Mailbox [RFC2821] form (e.g., user@example.com).", + "type": "string", + "multiValued": true, + "required": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "manager", + "description": "From RFC4524: 'The 'manager' attribute specifies managers, by distinguished name, of the person (or entity).'", + "type": "string", + "multiValued": true, + "required": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "mobile", + "description": "From RFC4524: 'The 'mobile' (mobileTelephoneNumber) attribute specifies mobile telephone numbers (e.g., '+1 775 555 6789' associated with a person (or entity).'", + "type": "string", + "multiValued": true, + "required": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "o", + "description": "Standard name of the top-level organization (institution) with which this person is associated.", + "type": "string", + "multiValued": true, + "required": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "ou", + "description": "Organizational unit(s). According to X.520(2000), 'The Organizational Unit Name attribute type specifies an organizational unit. When used as a component of a directory name it identifies an organizational unit with which the named object is affiliated.'", + "type": "string", + "multiValued": true, + "required": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "pager", + "description": "From RFC4524: 'The 'pager' (pagerTelephoneNumber) attribute specifies pager telephone numbers (e.g., '+1 775 555 5555') for an object.'", + "type": "string", + "multiValued": true, + "required": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "postalAddress", + "description": "Campus or office address. inetOrgPerson has a homePostalAddress that complements this attribute. X.520(2000) reads: 'The Postal Address attribute type specifies the address information required for the physical postal delivery to an object.'", + "type": "string", + "multiValued": true, + "required": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "postalCode", + "description": "Follow X.500(2001): 'The postal code attribute type specifies the postal code of the named object. If this attribute value is present, it will be part of the object's postal address.' Zipcode in USA, postal code for other countries.", + "type": "string", + "multiValued": true, + "required": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "postOfficeBox", + "description": "From RFC4519: 'The 'postOfficeBox' attribute type contains postal box identifiers that a Postal Service uses when a customer arranges to receive mail at a box on the premises of the Postal Service. Each postal box identifier is a single value of this multi-valued attribute.'", + "type": "string", + "multiValued": true, + "required": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "preferredLanguage", + "description": "Follow inetOrgPerson definition of RFC2798: 'preferred written or spoken language for a person.'", + "type": "string", + "multiValued": false, + "required": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "seeAlso", + "description": "From RFC4519: The 'seeAlso' attribute type contains the distinguished names of objects that are related to the subject object. Each related object name is one value of this multi-valued attribute.", + "type": "string", + "multiValued": true, + "required": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "sn", + "description": "Surname or family name. From RFC4519: 'The 'sn' ('surname' in X.500) attribute type contains name strings for the family names of a person. Each string is one value of this multi-valued attribute.'", + "type": "string", + "multiValued": true, + "required": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "st", + "description": "Abbreviation for state or province name. Format: The values should be coordinated on a national level. If well-known shortcuts exist, like the two-letter state abbreviations in the US, these abbreviations are preferred over longer full names. From RFC4519: 'The 'st' ('stateOrProvinceName' in X.500) attribute type contains the full names of states or provinces. Each name is one value of this multi-valued attribute.'", + "type": "string", + "multiValued": true, + "required": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "street", + "description": "From RFC4519: 'The 'street' ('streetAddress' in X.500) attribute type contains site information from a postal address (i.e., the street name, place, avenue, and the house number). Each street is one value of this multi-valued attribute.'", + "type": "string", + "multiValued": true, + "required": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "telephoneNumber", + "description": "Office/campus phone number. Attribute values should comply with the international format specified in ITU Recommendation E.123: e.g., '+44 71 123 4567.'", + "type": "string", + "multiValued": true, + "required": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "title", + "description": "From RFC4519: 'The 'title' attribute type contains the title of a person in their organizational context. Each title is one value of this multi-valued attribute.' ", + "type": "string", + "multiValued": true, + "required": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "uid", + "description": "From RFC4519: 'The 'uid' ('userid' in RFC1274) attribute type contains computer system login names associated with the object. Each name is one value of this multi-valued attribute.'", + "type": "string", + "multiValued": true, + "required": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "uniqueIdentifier", + "description": "From RFC4524: 'The 'uniqueIdentifier' attribute specifies a unique identifier for an object represented in the Directory. The domain within which the identifier is unique and the exact semantics of the identifier are for local definition. For a person, this might be an institution- wide payroll number. For an organizational unit, it might be a department code.'", + "type": "string", + "multiValued": true, + "required": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "userPassword", + "description": "This attribute identifies the entry's password and encryption method in the following format: {encryption method}encrypted password.", + "type": "string", + "multiValued": true, + "required": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "userSMIMECertificate", + "description": "An X.509 certificate specifically for use in S/MIME applications (see RFCs 2632, 2633 and 2634).", + "type": "string", + "multiValued": true, + "required": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + },{ + "name": "x500uniqueIdentifier", + "description": "Defined originally in X.509(96) and included in RFC2256.", + "type": "string", + "multiValued": false, + "required": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + } + ] +} diff --git a/schema/vc/example_eduidCredential.json b/schema/vc/example_eduidCredential.json new file mode 100644 index 0000000..671a604 --- /dev/null +++ b/schema/vc/example_eduidCredential.json @@ -0,0 +1,53 @@ +{ + "exp": 1775735208, + "vc": { + "@context": [ + "https://www.w3.org/2018/credentials/v1" + ], + "type": [ + "VerifiableCredential", + "eduidCredential" + ], + "credentialSubject": { + "sub": "8485502fb53e25d94f1f87892f68f45ab0489571e924fc3898b344067deab153@uvh.nl", + "given_name": "Fetze", + "family_name": "Alsvanouds", + "name": "Fetze Alsvanouds", + "schac_home_organisation": "uvh.nl", + "email": "falsvanouds@uvh@dev.eduwallet.nl", + "eduperson_scoped_affiliation": [ + "employee@uvh.nl", + "faculty@uvh.nl", + "member@uvh.nl" + ], + "eduperson_assurance": [ + "https://refeds.org/assurance", + "https://refeds.org/assurance/profile/cappuccino", + "https://refeds.org/assurance/ATP/ePA-1m" + ] + }, + "credentialStatus": { + "id": "https://status.dev.eduwallet.nl/eduid_revoke/1#8115", + "type": "StatusList2021Entry", + "statusPurpose": "revocation", + "statusListIndex": 8115, + "statusListCredential": "https://status.dev.eduwallet.nl/eduid_revoke/1" + }, + "credentialSchema": [ + { + "id": "https://refeds.org/eduperson20020201/eduperson_schema.json", + "type": "JsonSchema" + } + ] + }, + "issuer": { + "id": "did:web:uvh.dev.eduwallet.nl", + "name": "Universiteit of Harderwijk", + "description": "Universiteit of Harderwijk" + }, + "iss": "did:web:uvh.dev.eduwallet.nl", + "name": "eduID", + "description": "eduID Credential used by Universiteit of Harderwijk", + "sub": "did:key:z2dmzD81cgPx8Vki7JbuuMmFYrWPgYoytykUZ3eyqht1j9Kboo8S7gFXczPUESyh5HzNt6hm46rMhGTbv9dq7EYtHoUGoLiV4LawSGTkBGLFsfFuGEww5NCaS8wizjGtzbdgZTLhp2BmPsrcDzWTrqY8bcJ1qHV6eys5Ciz2kzWKyrpLwn", + "nbf": 1744631208 +} diff --git a/schema/vc/mkSchema.py b/schema/vc/mkSchema.py new file mode 100755 index 0000000..4a8842e --- /dev/null +++ b/schema/vc/mkSchema.py @@ -0,0 +1,153 @@ +#! /bin/python3 + +import sys +import json +from pathlib import Path + + +def loadJSON(json_file): + with open(json_file) as json_file: + return json.load(json_file) + +def p(message, writetolog=False): + if writetolog: + write_log(message) + else: + print(message) + +def pj(the_json, writetolog=False): + p(json.dumps(the_json, indent=4, sort_keys=False), writetolog) + + +def write_file(contents, filepath, mkpath=True, overwrite=False, type='txt'): + if mkpath: + Path(filepath).mkdir(parents=True, exist_ok=overwrite) + + if overwrite: + f = open(filepath, "w") + else: + f = open(filepath, "a") + + match type: + case 'yaml': + yaml.preserve_quotes = True + yaml.dump(contents, f) + case 'json': + f.write(json.dumps(contents,sort_keys=False, indent=4, ensure_ascii=False,separators=(',', ':'))) + case _: + # assume text + f.write(contents+"\n") + + f.close() + +def replace_capitals(s): + return ''.join(['' + ("_" + char.lower()) if char.isupper() else char for char in s]).strip() + +def covert_schemaname(attributeName): + # Attributes need to be rename to claims + # as a general rule of thumb: + # + # eduPerson, voPerson and Schac schema names are just lowercased ad get added an underscore + # + # for the attrbute name: if a captical is found, it is replaced with a lower and prefixed with an underscore. + # + # sp eduPersonScopedAffiliation becomes: eduperson_scoped_affiliation + # + s= attributeName + + if s.startswith('eduPerson'): + return ("eduperson" + fixName(replace_capitals(s[9:]))) + elif s.startswith('voPerson'): + return ("voperson" + fixName(replace_capitals(s[7:]))) + elif s.startswith('Schac'): + return ("schac" + fixName(replace_capitals(s[5:]))) + else: + return (fixName(replace_capitals(s))) + +def fixName(name): + return name.replace("_i_d", "_id").replace("_d_n", "_dn").replace("_u_r_i", "_uri").replace("_s_m_i_m_e", "_smime") + +def main(argv): + schemaFile = { + "vcdm2.0": "eduPerson_202208_v4_4_0_vcdm.json", + "sdjwt": "eduPerson_202208_v4_4_0_sdjwt.json" + } + + # Generate object properties based on SCIM schema proposal from marcvs (https://github.com/marcvs) + # https://github.com/REFEDS/eduperson/pull/25 + # + # the file from the scim schema was added temporarily as the pull request is not yet accepted in the main branch + # + # TODO: base this on eduperson-202208.md file + # + scimSchema = loadJSON('eduperson_schema.json') + object_props = {} + att = scimSchema['attributes'] + + for i in range(len(att)): + name = covert_schemaname(att[i]['name']) + + object_props[name] = { + "type": att[i]['type'], + "description": att[i]['description'], + } + # handle enums + if 'canonicalValues' in att[i].keys(): + object_props[name]['enum'] = att[i]['canonicalValues'] + + # TODO: validate these + # TODO: we still have several format and pattern definitions missing + match att[i]['name']: + case "mail": + object_props[name]['format'] = "email" + + case "eduPersonEntitlement": + object_props[name]['format'] = "uri" + + case "eduPersonPrincipalName" | "eduPersonPrincipalNamePrior" | "eduPersonScopedAffiliation": + object_props[name]['pattern'] = "^\\S+@\\S+\\.\\S+$" + + case "eduPersonTargetedID": + object_props[name]['description'] = 'A persistent, non-reassigned, opaque identifier for a principal.' + object_props[name]['deprecated'] = True + + case "eduPersonAssurance" | "labeledURI": + object_props[name]['type'] = "array" + object_props[name]['anyof'] = { "type": "uri" } + + case "homePhone" | "facsimileTelephoneNumber" | "mobile" | "pager" | "telephoneNumber": + object_props[name]['type'] = "array" + object_props[name]['anyof'] = { + "type": ["string", "null"], + "minLength": 10, + "maxLength": 20, + "pattern": "^(\\([0-9]{3}\\))?[0-9]{3}-[0-9]{4}$" + } + + for type,filename in schemaFile.items(): + + schema = { + "$id": "https://refeds.org/schemas/vc/" + filename, + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$comment": "This schema implements the eduPerson schema version 4.4.0 (2022-08) - https://wiki.refeds.org/display/STAN/eduPerson+%28202208%29+v4.4.0. This schema is maintained by REFEDs (https://refeds.org). The mission of REFEDS (the Research and Education FEDerations group) is to be the voice that articulates the mutual needs of research and education identity federations worldwide.", + "title": "eduPersonCredential", + "description": "Schema for verifiable credential claims describing a user in the context of eduPerson", + "type": "object", + "properties": { + "credentialSubject": { + "type": "object", + "properties": {} + } + } + } + + match type: + case "vcdm2.0": + schema["properties"]["credentialSubject"]["properties"] = object_props + case "sdjwt": + schema["properties"] = object_props + + write_file(schema, filename, mkpath=False, overwrite=True, type='json') + +if __name__ == "__main__": + main(sys.argv[1:]) \ No newline at end of file diff --git a/schema/vc/validateCredential.py b/schema/vc/validateCredential.py new file mode 100755 index 0000000..3836d4b --- /dev/null +++ b/schema/vc/validateCredential.py @@ -0,0 +1,31 @@ +#!/usr/bin/env python3 +#-*- coding: utf-8 -*- + +from jsonschema import validate +import argparse +import json + +def main(): + parser = argparse.ArgumentParser() + parser.add_argument('credential', help='The credential to process in json format') + parser.add_argument('schema', help='The schema file to use') + args = parser.parse_args() + + # Load the credential from a JSON file + with open(args.credential, 'r') as f: + credential = json.load(f) + + # Load the schema from a JSON file + with open(args.schema, 'r') as f: + schema = json.load(f) + + try: + validate(credential, schema) + except Exception as error: + print("Could not validate the credential against the schema:", error) + else: + print("The credential was valid as defined in the the schema") + +if __name__ == '__main__': + main() +