
European Student Identifier (ESI) specification

1. Scope of application

In the context of activities related to the digitization of student mobility processes, a new identifier called European Student Identifier (ESI) has been implemented.

Such an identifier is needed to identify students as part of their formal learning activities and/or the related administrative activities, which require data exchanges to take place between institutions.

This ESI uses the schacPersonalUniqueCode attribute (urn:oid:1.3.6.1.4.1.25178.1.2.14), as specified in this reference document.

2. Purpose

The ESI specification is about adding a specific tag in the metadata, with a twofold objective:
1. to identify eligible Service Providers (SPs) that require the ESI;
2. to help Identity Providers (IdPs) release this attribute value to those eligible Service Providers.

3. Requirements for Service Providers (SP)

# ESI-SP-01
Declaring compliance with the ESI specification for a Service Provider is only possible:

  • for an organization established in one of the Member States of the European Union or in any other country belonging to the European Economic Area (Iceland, Liechtenstein and Norway);
  • or for any third country or international organization offering an adequate level of data protection within the meaning of Article 45 of the GDPR.

# ESI-SP-02
Eligible Service Providers for the ESI specification are:

  • Services that directly support student mobility, such as the Erasmus+ services;
  • Services that transfer student records or transcripts between higher education institutions and need to identify the students to whom the records belong. For example, university alliance scenarios where student records are shared among (some of) the universities in the alliance.

# ESI-SP-03
An eligible Service Provider which wants to receive the ESI via the schacPersonalUniqueCode attribute must present the following tag (i.e. Entity Category attribute) in its metadata:

<mdattr:EntityAttributes
        xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
  <saml:Attribute
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="http://macedir.org/entity-category">
    <saml:AttributeValue>
        https://myacademicid.org/entity-categories/esi
    </saml:AttributeValue>
  </saml:Attribute>
</mdattr:EntityAttributes>

This specific tag is automatically added to the metadata of the Service Provider once compliance with the ESI specification is declared on the federation registry.

# ESI-SP-04
By displaying the specific tag above in its metadata, a Service Provider commits not to use the ESI attribute for purposes other than those specified in the scope of application in §1, and to add this limited use statement in the published privacy policy of the service.

4. Requirements for Identity Providers (IdP)

# ESI-IDP-01
An Identity Provider capable of supporting the ESI specification must have the following specific tag (i.e. Entity Category Support attribute) in its metadata:

<mdattr:EntityAttributes
        xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
  <saml:Attribute
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="http://macedir.org/entity-category-support">
    <saml:AttributeValue>
        https://myacademicid.org/entity-categories/esi
    </saml:AttributeValue>
  </saml:Attribute>
</mdattr:EntityAttributes>

This specific tag is automatically added to the metadata of the Identity Provider once compliance with the ESI specification is declared on the federation registry.

# ESI-IDP-02
By displaying the above specific tag in its metadata, an Identity Provider signals that it is able to release the ESI via the schacPersonalUniqueCode attribute, in accordance with the current specification, to all ESI-labeled Service Providers, either automatically or subject to user consent or notification, without administrative intervention by any party.
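The tag check behind ESI-SP-03, ESI-IDP-01 and ESI-IDP-02, as an added example that is not part of the specification or of any federation software: it reads the entity attributes from metadata and decides whether schacPersonalUniqueCode is released to a given SP. It assumes the metadata has already been signature-verified and that the tag sits in the md:Extensions of the EntityDescriptor; the function names and the sample entities are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ESI_CATEGORY = "https://myacademicid.org/entity-categories/esi"
EC = "http://macedir.org/entity-category"                  # SP side (ESI-SP-03)
EC_SUPPORT = "http://macedir.org/entity-category-support"  # IdP side (ESI-IDP-01)
ESI_ATTRIBUTE = "urn:oid:1.3.6.1.4.1.25178.1.2.14"         # schacPersonalUniqueCode

def entity_attribute_values(entity, name):
    """Trimmed values of the entity attribute `name` on an md:EntityDescriptor."""
    values = set()
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in entity.iterfind(path, NS):
        if attr.get("Name") == name:
            # Strip layout whitespace so an indented value still matches exactly.
            values.update((v.text or "").strip()
                          for v in attr.iterfind("saml:AttributeValue", NS))
    return values

def is_esi_sp(entity):
    """SP role present and ESI listed under entity-category (not -support)."""
    return (entity.find("md:SPSSODescriptor", NS) is not None
            and ESI_CATEGORY in entity_attribute_values(entity, EC))

def is_esi_idp(entity):
    """IdP role present and ESI listed under entity-category-support."""
    return (entity.find("md:IDPSSODescriptor", NS) is not None
            and ESI_CATEGORY in entity_attribute_values(entity, EC_SUPPORT))

def attributes_to_release(sp_entity):
    """What the ESI rule alone lets an IdP release to this SP."""
    return [ESI_ATTRIBUTE] if is_esi_sp(sp_entity) else []

def sample_entity(entity_id, role, attr_name, value):
    # Constructed, trimmed-down metadata; not taken from any real federation.
    return ET.fromstring(f"""
<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="{entity_id}">
  <md:Extensions>
    <mdattr:EntityAttributes xmlns:mdattr="{NS['mdattr']}">
      <saml:Attribute xmlns:saml="{NS['saml']}" Name="{attr_name}"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>{value}</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
  <md:{role}/>
</md:EntityDescriptor>""")
```

The value is compared after trimming because the tag is often laid out with the URI on its own indented line, as in the fragments above; an SP that carries the URI only under entity-category-support is not treated as ESI-labeled.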

5. Declaring ESI compliance for your Service Provider (SP)

Declaring compliance with the ESI specification for your Service Provider involves the following steps:

  1. Review the ESI requirements that apply specifically to Service Providers;
  2. If the eligibility conditions are met (country of origin of the organization and nature of the service), request the schacPersonalUniqueCode attribute for your Service Provider from the federation registry and declare it compliant with the ESI specification: see this page for more details;
  3. Update the published privacy policy of your service with the limited use statement required for ESI (see requirement “#ESI-SP-04”).

6. Declaring ESI compliance for your Identity Provider (IdP)

Declaring compliance with the ESI specification for your Identity Provider involves the following steps:

  1. Review the ESI requirements that apply specifically to Identity Providers;
  2. Configure your Identity Provider to release the ESI (via the schacPersonalUniqueCode attribute) to the ESI-labeled Service Providers: see this page for more details;
  3. Declare the compliance of your Identity Provider on the federation registry.