...

What is eduPerson and how do campuses use it?

eduPerson is an attribute schema with bindings to the Lightweight Directory Access Protocol (LDAP) and to SAML. It defines the person and organizational attributes most widely used in higher education.

...


Are eduPerson attributes intended or actually used (consumed) as LDAP attributes, or as attributes in SAML assertions? (Am I doing something I will regret if I build SAML attributes in the IdP from existing attributes in my campus LDAP/AD directory, for example building ePPN from sAMAccountName?)

That is a site-specific question. eduPerson may be used in both contexts (and in future ones). If you have no LDAP applications, you may not find it useful or necessary to store the attributes in LDAP at all; it may be simpler to construct them as needed inside the SAML software or in a database. However, if you have the need or the ability to store them in LDAP, it will generally be easier to produce them in SAML as well. The more your identity management (IDM) infrastructure does, the less your SAML software has to do to compensate.
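The following is an added illustration of the "construct ePPN from a directory attribute" case above; it is not code from the eduPerson specification or from any IdP product. It assumes a directory lookup that returns each attribute as a list of byte values (as python-ldap does), a hypothetical scope of example.edu, and a constructed sample entry. The checks it applies (exactly one source value, no "@" in the local part, a lowercased result) are the ones a practitioner would want before trusting a derived eduPersonPrincipalName, whether the derivation happens in the IdP or in the IDM layer that populates LDAP.

```python
import re

# Assumed scope for the constructed example (not from the original page).
SCOPE = "example.edu"

# Constructed sample of an AD/LDAP entry: every attribute arrives as a list of bytes.
SAMPLE_ENTRY = {
    "sAMAccountName": [b"JDoe"],
    "mail": [b"jdoe@example.edu", b"john.doe@example.edu"],
    "givenName": [b"John"],
    "sn": [b"Doe"],
}

# Conservative character set for the local part of a derived ePPN; an
# assumption of this example, not a rule from the eduPerson schema.
_LOCAL_PART = re.compile(r"^[A-Za-z0-9._-]+$")


def _single_value(entry, name):
    """Return the one value of a directory attribute, decoded, or raise."""
    values = entry.get(name, [])
    if len(values) != 1:
        raise ValueError(f"{name} must have exactly one value, found {len(values)}")
    value = values[0]
    return value.decode("utf-8") if isinstance(value, bytes) else str(value)


def build_eppn(entry, scope=SCOPE):
    """Derive eduPersonPrincipalName as <local>@<scope> from sAMAccountName.

    ePPN is a scoped identifier with exactly one '@', so a source value that
    already contains '@' or characters outside the allowed set is rejected
    rather than silently passed through.
    """
    local = _single_value(entry, "sAMAccountName").lower()
    if "@" in local or not _LOCAL_PART.match(local):
        raise ValueError(f"sAMAccountName {local!r} is not usable as an ePPN local part")
    if "@" in scope or not scope:
        raise ValueError(f"invalid scope {scope!r}")
    return f"{local}@{scope}"


def build_saml_attributes(entry, scope=SCOPE):
    """Map a directory entry to eduPerson-named SAML attributes.

    Multi-valued directory attributes are kept as lists; the consumer must
    decide how to handle more than one value (see the next question).
    """
    attrs = {"eduPersonPrincipalName": [build_eppn(entry, scope)]}
    for ldap_name in ("mail", "givenName", "sn"):
        attrs[ldap_name] = [
            v.decode("utf-8") if isinstance(v, bytes) else str(v)
            for v in entry.get(ldap_name, [])
        ]
    return attrs


if __name__ == "__main__":
    for name, values in build_saml_attributes(SAMPLE_ENTRY).items():
        print(name, values)
```

Because the derivation is a pure function of the directory entry, the same code can run in an IDM provisioning job that writes eduPersonPrincipalName into LDAP, or in the IdP at assertion time; the page's advice is that doing it once in the IDM layer is the simpler of the two.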


Are there canonical values of eduPersonAssurance that are or should be recognized by service providers?

The values of this attribute are generally specific to a community, and none are defined by the eduPerson specification (just as no values are defined for eduPersonEntitlement). InCommon, for example, has defined assurance profiles that include values suitable for use with this attribute.


If eduPerson directory attributes are multi-valued, can one assume services will be able to properly consume corresponding multi-valued SAML attributes?

Attributes designed for searching, such as givenName, sn, or mail, are often not handled correctly when more than one value is supplied in a federated context. So in general, no, one cannot assume that; a service that expects a single value may take only the first, reject the assertion, or concatenate the values.
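As an added example of the failure mode just described (not code from the original page or from any SP product), the block below parses a constructed SAML 2.0 AttributeStatement in which mail carries two values, shows what a naive single-value consumer produces from it, and contrasts that with a consumer that checks cardinality before using the value. The attribute OIDs are the standard ones for mail and eduPersonPrincipalName; the assertion fragment itself is constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed AttributeStatement fragment (illustrative; no real IdP produced it).
SAMPLE_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
    <saml:AttributeValue>jdoe@example.edu</saml:AttributeValue>
    <saml:AttributeValue>john.doe@example.edu</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">
    <saml:AttributeValue>jdoe@example.edu</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def parse_attributes(statement_xml):
    """Return {FriendlyName: [value, ...]} for every Attribute in the statement."""
    root = ET.fromstring(statement_xml)
    attrs = {}
    for attr in root.findall("saml:Attribute", NS):
        name = attr.get("FriendlyName") or attr.get("Name")
        attrs[name] = [
            (v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)
        ]
    return attrs


def naive_lookup(attrs, name):
    """Mimic a consumer that flattens values into one string.

    Joining with ';' is how some SP stacks expose multi-valued attributes in
    a single HTTP header; an application expecting one address then sees
    'a@x;b@x' and may fail to match or, worse, search on the whole string.
    """
    return ";".join(attrs.get(name, []))


def require_single(attrs, name):
    """Return the single value of an attribute, or raise if it is absent or multi-valued."""
    values = attrs.get(name, [])
    if len(values) != 1:
        raise ValueError(f"{name}: expected exactly one value, got {values!r}")
    return values[0]


def pick_value(attrs, name, preferred_suffix=None):
    """Choose one value deterministically when the SP must tolerate multiple.

    Policy (an assumption of this example): prefer a value ending in
    preferred_suffix, otherwise the first value in assertion order.
    """
    values = attrs.get(name, [])
    if not values:
        raise ValueError(f"{name}: no value supplied")
    if preferred_suffix:
        for v in values:
            if v.endswith(preferred_suffix):
                return v
    return values[0]


if __name__ == "__main__":
    parsed = parse_attributes(SAMPLE_STATEMENT)
    print("naive mail:", naive_lookup(parsed, "mail"))
    print("ePPN:", require_single(parsed, "eduPersonPrincipalName"))
    print("chosen mail:", pick_value(parsed, "mail", "@example.edu"))
```

require_single is the right check for identifiers such as eduPersonPrincipalName, which are single-valued by design; for search-oriented attributes such as mail the service must either document a selection policy like pick_value or negotiate with the IdP to release only one value.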

Why does eduPerson include the eduPersonOrcid attribute and not eduPersonResearcherId? Won't this lead to new attributes for every kind of identifier?

...

Attributes are not "expensive" to create, and the more precise an attribute definition is, the more intelligently software can handle it. We should expect additional attributes to be created for any kind of identifier that gains adoption in the community.

How are Identity Providers and Service Providers leveraging the eduPersonOrcid attribute?

...