<!-- $Ansible-Managed safire/safire-web:attribute-map.xml.j2 b3d09d39 guy$ -->
<!--
    Note that the friendly names given in this file derive from the Shibboleth
    defaults; they are not the friendly names of attributes used by SAFIRE on
    its website. Those are instead given as a comment above each attribute.
    This file /should/ list all the attributes supported by SAFIRE, but it is
    possible that we'll forget to update it when/if we add attributes.
    See https://safire.ac.za/technical/attributes/ for more details.
-->
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!--
    Purpose: each <Attribute> below maps the wire name of an incoming SAML
    attribute (or NameID format) given in "name" to the local identifier
    given in "id". An optional <AttributeDecoder> child selects how the
    value is parsed.
    NOTE(review): this map only names and decodes attributes. Nothing in it
    restricts which IdP may assert a value or which scopes are acceptable.
    Presumably that filtering lives in the SP's attribute-policy.xml: confirm
    that the scope checks there cover every ScopedAttributeDecoder entry
    below, and that values used for authorisation (entitlement, assurance,
    affiliation) are only trusted from the IdPs expected to send them.
    -->

    <!-- SAFIRE: Minimum attributes required for participation -->

    <!-- displayName -->
    <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>

    <!-- eduPersonPrincipalName -->
    <!--
    NOTE(review): unlike the other ScopedAttributeDecoder entries in this
    file, no caseSensitive attribute is set here, so the decoder's default
    applies (case-sensitive according to the Shibboleth SP documentation:
    confirm). If eppn is used as an account key, check that this matches how
    the application compares it, so that two spellings of one principal do
    not become two accounts.
    -->
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
    </Attribute>

    <!-- eduPersonScopedAffiliation -->
    <!-- Scoped value; caseSensitive="false" requests case-insensitive comparison. -->
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
    </Attribute>

    <!-- givenName -->
    <Attribute name="urn:oid:2.5.4.42" id="givenName"/>

    <!-- mail -->
    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>

    <!-- sn -->
    <Attribute name="urn:oid:2.5.4.4" id="sn"/>

    <!-- SAFIRE: Optional attributes -->

    <!-- eduPersonAffiliation -->
    <!-- Unscoped string; caseSensitive="false" requests case-insensitive comparison. -->
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
    </Attribute>

    <!-- eduPersonAssurance -->
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" id="assurance"/>

    <!-- eduPersonDisplayPronouns -->
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.18" id="eduPersonDisplayPronouns"/>

    <!-- eduPersonEntitlement -->
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>

    <!-- eduPersonOrcid -->
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.16" id="eduPersonOrcid"/>

    <!-- eduPersonPrimaryAffiliation -->
    <!-- Unscoped string; caseSensitive="false" requests case-insensitive comparison. -->
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" id="primary-affiliation">
        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
    </Attribute>

    <!-- preferredLanguage -->
    <Attribute name="urn:oid:2.16.840.1.113730.3.1.39" id="preferredLanguage"/>

    <!-- schacHomeOrganization -->
    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.9" id="schacHomeOrganization"/>

    <!-- SAFIRE: SAFIRE supplied attributes -->

    <!-- schacHomeOrganizationType -->
    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.10" id="schacHomeOrganizationType"/>

    <!--
    Legacy pairwise identifier attribute / NameID format, intended to be replaced by the
    simpler pairwise-id attribute (see below).
    The two <Attribute> elements that follow share id="persistent-id", so the attribute
    form and the NameID form surface under one local identifier. The formatter joins the
    three parts with "!" in the order NameQualifier, SPNameQualifier, Name.
    NOTE(review): defaultQualifiers="true" presumably fills in absent qualifiers with the
    IdP and SP entityIDs, which keeps equal Name strings from different IdPs distinct;
    verify against the Shibboleth SP documentation before relying on it.
    -->

    <!-- The eduPerson attribute version (eduPersonTargetedID; note the OID-style name): -->
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
    </Attribute>

    <!-- The SAML 2.0 NameID Format: -->
    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
    </Attribute>

    <!-- New standard identifier attributes for SAML. -->
    <!--
    Both are decoded as scoped values with caseSensitive="false".
    NOTE(review): a scoped identifier is only as trustworthy as the check that
    its scope belongs to the asserting IdP. This file does not perform that
    check; confirm it is enforced in policy for both ids.
    -->

    <!-- subject-id -->
    <Attribute name="urn:oasis:names:tc:SAML:attribute:subject-id" id="subject-id">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
    </Attribute>

    <!-- pairwise-id -->
    <Attribute name="urn:oasis:names:tc:SAML:attribute:pairwise-id" id="pairwise-id">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
    </Attribute>

    <!-- SAFIRE: likely future attributes (not in use as of 2024-08-20) -->
    <!-- No entries are mapped in this section yet. -->

</Attributes>
