User attributes
This list includes the attributes available for users when logging in using login.helsinki.fi single sign-on service or from LDAP. All attributes are not available for all users.
Columns
- LDAP: Marked if attribute is not available in LDAP.
- SAML name: Attribute is available from IdP using SAML2 protocol.
- OIDC claim name: Attribute is available from IdP using OIDC protocol.
FriendlyName / LDAP | Multivalued | Value / Example | LDAP | SAML name1 | OIDC claim name | OIDC type | OIDC scopes | |
cn | Yes2 | "FirstName Surname" | urn:oid:2.5.4.3 | cn | Array | |||
displayName | No | "FirstName Surname" | urn:oid:2.16.840.1.113730.3.1.241 | name | String | profile | ||
eduPersonAffiliation | Yes | Role in the organization student/faculty/staff/employee/member/affiliate3 | urn:oid:1.3.6.1.4.1.5923.1.1.1.1 | eduPersonAffiliation | Array | |||
eduPersonAssurance | Yes | Identity assurance according to REFEDS Assurance Framework | urn:oid:1.3.6.1.4.1.5923.1.1.1.11 | eduPersonAssurance | Array | |||
eduPersonEntitlement | Yes | Rights to specific resources | No | urn:oid:1.3.6.1.4.1.5923.1.1.1.7 | eduPersonEntitlement | Array | ||
eduPersonPrimaryAffiliation | No | Primary role in the organization3 | urn:oid:1.3.6.1.4.1.5923.1.1.1.5 | eduPersonPrimaryAffiliation | String | |||
eduPersonPrincipalName | No | "uid@helsinki.fi" | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | eduPersonPrincipalName | String | |||
eduPersonScopedAffiliation | Yes | "<eduPersonAffiliaction>@helsinki.fi" | No | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | eduPersonScopedAffiliation | Array | ||
employeeNumber | No | SAP-HR employee number | urn:oid:2.16.840.1.113730.3.1.3 | employeeNumber | String | |||
funetEduPersonEPPNTimeStamp | No | Date when user account was created | urn:oid:1.3.6.1.4.1.16161.1.1.24 | funetEduPersonEPPNTimeStamp | String | |||
funetEduPersonLearnerId | No | National learner ID | urn:oid:1.3.6.1.4.1.16161.1.1.27 | funetEduPersonLearnerId | String | |||
funetEduPersonStudentCategory | Yes | Student categories: bachelor/master/licentiate/doctor/visiting-student/exchange-student etc. | urn:oid:1.3.6.1.4.1.16161.1.1.20 | funetEduPersonStudentCategory | Array | |||
| gecos | No | UNIX: firstname lastname | ||||||
| gidNumber | No | UNIX: primary group id | ||||||
givenName | Yes2 | First name | urn:oid:2.5.4.42 | given_name | String | profile | ||
| homeDirectory | No | UNIX: home directory path | ||||||
| hy247EmployeeNumber | No | Employee number for HY247 users | urn:mace:funet.fi:helsinki.fi:hy247EmployeeNumber | hy247EmployeeNumber | String | |||
| hyAccountType | No | urn:oid:1.3.6.1.4.1.18869.1.1.1.33 | hyAccountType | String | ||||
| hyAccountingCode | No | Accounting code (will be removed in the future) | ||||||
hyGroupCn4 | Yes | User groups (LDAP:ssa memberOf) | No | urn:mace:funet.fi:helsinki.fi:hyGroupCn | hyGroupCn | Array | ||
hyLicenseLevelMicrosoft | No | Microsoft license for the user | urn:mace:funet.fi:helsinki.fi:hyLicenseLevelMicrosoft | hyLicenseLevelMicrosoft | String | |||
| hyOrganizationPrimaryUnit | No | Organisation registry code for primary organisation unit (ensisijainen organisaatioyksikkö). Value is 1 if not known. | urn:oid:1.3.6.1.4.1.18869.1.1.1.56 | hyOrganizationPrimaryUnit | String | |||
| hyPersonADExpiryDate | No | AD account expiry date | ||||||
| hyPersonEducationCode | Yes | Student's degree programme codes from Sisu. | urn:oid:1.3.6.1.4.1.18869.1.1.1.58 | hyPersonEducationCode | Array | |||
| hyPersonEmployerCode | Yes | Employee's payroll unit code from SAP HR (palkanmaksuyksikkö). | urn:oid:1.3.6.1.4.1.18869.1.1.1.29 | hyPersonEmployerCode | Array | |||
| hyPersonKamuIdentifier | No | Kamu service identifier | urn:oid:1.3.6.1.4.1.18869.1.1.1.61 | hyPersonKamuIdentifier | String | |||
| hyPersonLicenses | Yes | Liceses (currently only Microsoft) | urn:oid:1.3.6.1.4.1.18869.1.1.1.49 | hyPersonLicenses | Array | |||
| hyPersonPersonnelUnit | Yes | Employee's and others personnel unit code from SAP HR (henkilöstöyksikkö) | urn:oid:1.3.6.1.4.1.18869.1.1.1.59 | hyPersonPersonnelUnit | Array | |||
| hyPersonSecurityTestExpiryDate | No | Person's security test expiry date. | urn:oid:1.3.6.1.4.1.18869.1.1.1.60 | hyPersonSecurityTestExpiryDate | String | |||
hyPersonSisuId | No | Sisu service identifier | urn:oid:1.3.6.1.4.1.18869.1.1.1.48 | hyPersonSisuId | String | |||
| hyPersonStudentFacultyCode | Yes | Student's organisation codes from Sisu. | urn:oid:1.3.6.1.4.1.18869.1.1.1.57 | hyPersonStudentFacultyCode | Array | |||
hyPersonStudentId | No | Student number | urn:mace:funet.fi:helsinki.fi:hyPersonStudentId | hyPersonStudentId | String | |||
| hyProfitUnit | No | Profit unit / financial code for most users (tulosyksikkö) | ||||||
| loginShell | No | UNIX: login shell | ||||||
Yes2 | Email address | urn:oid:0.9.2342.19200300.100.1.3 | String | |||||
| memberOf4 | Yes | User groups (nimellä hyGroupCn SAML/OIDC) | ||||||
nationalIdentificationNumber | No | Finnish Personal Identity Code | urn:oid:1.2.246.21 |
|
| |||
ou | Yes | Changing in the near future: Should be organization unit name. Currently includes H- and A-codes. | urn:oid:2.5.4.11 | ou | Array | |||
preferredLanguage | No | Possible values: fi/en/sv | urn:oid:2.16.840.1.113730.3.1.39 | preferredLanguage | String | |||
schacDateOfBirth | No | Date of birth in YYYYMMDD-format, e.g. 19901231 | urn:oid:1.3.6.1.4.1.25178.1.2.3 | schacDateOfBirth | String | |||
schacExpiryDate | No | Account expiration date. | urn:oid:1.3.6.1.4.1.1466.115.121.1.24 | schacExpiryDate | String | |||
schacGender | No | Possible values: 0 (Not known), 1 (Male), 2 (Female), 3 (Not specified). | urn:oid:1.3.6.1.4.1.25178.1.2.2 | schacGender | String | |||
schacHomeOrganization | No | “helsinki.fi” | urn:oid:1.3.6.1.4.1.25178.1.2.9 | schacHomeOrganization | String | |||
schacHomeOrganizationType | Yes2 | “urn:schac:homeOrganizationType:fi:university” | urn:oid:1.3.6.1.4.1.25178.1.2.10 | schacHomeOrganizationType | Array | |||
schacPersonalUniqueCode | Yes | University of Helsinki student number in Haka specified format. ESI (European Student Identifier) in national format. | urn:oid:1.3.6.1.4.1.25178.1.2.14 | schacPersonalUniqueCode | Array | |||
schacPersonalUniqueID | Yes | Finnsh Personal Identity Code or similar unique identifier in Haka-specified format. | urn:oid:1.3.6.1.4.1.25178.1.2.15 | schacPersonalUniqueID1 | Array | |||
sn | Yes2 | Surname | urn:oid:2.5.4.4 | family_name | String | profile | ||
uid | Yes2 | User account name / identifier | urn:oid:0.9.2342.19200300.100.1.1 | uid | String | |||
| uidNumber | No | UNIX: uid id |
We use Haka's funetEduPerson schema for attributes included in it. Check the schema specification for more information https://wiki.eduuni.fi/display/CSCHAKA/funetEduPersonSchema2dot5.
- Technical name for the attribute used in SAML messages.
- Multivalued in the attribute schema, but single valued in the University of Helsinki, at least for now.
- Check Haka federation convertion for more information about the values: https://wiki.eduuni.fi/display/CSCHAKA/funetEduPersonSchema2dot5#funetEduPersonSchema2dot5-eduPersonAffiliation
- hyGroupCn (memberOf) includes all user's IAM groups: https://helpdesk.it.helsinki.fi/ohjeet/muut-ohjeet/ryhmienhallintatyokalu-iam
Recommendations
User identifiers
See https://wiki.helsinki.fi/xwiki/bin/view/SO/User%20management/login.helsinki.fi/#HUseridentifiers
Organisation attributes
hyOrganizationPrimaryUnit - Ensisijainen organisaatioyksikkö in finnish
Person’s primary organisational unit at the University, using the code of the organisational register. This attribute is never empty, but the value can be 1, if not known. If you do not know which organisation attribute should be used in your system, use this one.
hyProfitUnit - Tulosyksikkö in finnish
Person's profit unit using financial structure. The aim is to calculate the information for all users, but for a small number of users, this may be empty. For example, if the student’s agreement or right to study has already expired.
hyPersonEmployerCode - Työntekijän palkanmaksuyksiköt in finnish
Employees payroll unit, or more specifically, the profit units of the employee’s payroll WBS from SAP HR. Note: If a person has several employment contracts, there will be several values, as opposed to the above profit unit.
hyPersonPersonnelUnit - Työntekijän ja muun sopimussuhteisen henkilön henkilöstöyksiköt in finnish
Employees and others personnel unit according to the staff structure. This information can be obtained for all individuals found in SAP HR, including those not employed. NB! In practice, the personnel unit goes deeper in the tree hierarchy than the financial structure, which is why the use of the personnel structure will be preferred instead of the financial structure. For example, the primary organisational unit is calculated according to the personnel structure.
hyPersonStudentFacultyCode - Opiskelijan organisaatiot in finnish
Student’s organisation codes for all student rights in Sisu. In practice, always on the faculty level, with the exception of Open University studies, where the student receives the organisational code H930.
hyPersonEducationCode - Opiskelijan koulutusohjelmat in finnish
Student’s degree programme codes from Sisu. In practice, this field is empty with the study rights that do not lead to the degree, for example, open university studies. Note: Degree programme codes can be found only in Sisu, not in the organisation register, as opposed to the others above.
Coming soon: attribute, which includes all of the employee’s affiliations in relation to the organisation. Organisational information is used in the organisation register’s code.
For more information about the organisational structures see Data management workgroup https://workgroups.helsinki.fi/pages/viewpage.action?pageId=239239725 (for UH employees and in finnish only).