Note: Deprecated

Note that this page has been deprecated; the information it contains is no longer current. The page has been retained for historical purposes only.


...

  1. Support the attributes defined in the Attribute Summary section, below.

  2. Release either an eduPersonPrincipalName that is non-reassigned and permanently unique to an individual (preferred) or an eduPersonTargetedID (if a non-reassigned eduPersonPrincipalName is not available at your institution) to all Service Providers globally, if your institution does participate in eduGAIN.

  3. Release either an eduPersonPrincipalName that is non-reassigned and permanently unique to an individual (preferred) or an eduPersonTargetedID (if a non-reassigned eduPersonPrincipalName is not available at your institution) to all Service Providers registered by InCommon, if your institution does not participate in eduGAIN.

  4. Support the International Research and Scholarship Entity Category.

...

Summary of Attributes Supported by IdPs in the InCommon Federation

| Friendly Name | Protocol-level Names | Datatype | Multi? |
|---|---|---|---|
| eduPersonScopedAffiliation | SAML1: urn:mace:dir:attribute-def:eduPersonScopedAffiliation; SAML2: urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | Domain-Qualified String Enumeration | Y |
| eduPersonPrincipalName | SAML1: urn:mace:dir:attribute-def:eduPersonPrincipalName; SAML2: urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | Domain-Qualified String | N |
| eduPersonEntitlement | SAML1: urn:mace:dir:attribute-def:eduPersonEntitlement; SAML2: urn:oid:1.3.6.1.4.1.5923.1.1.1.7 | URI | Y |
| eduPersonTargetedID | SAML2: urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | String, max. 256 characters | N |
| sn | SAML1: urn:mace:dir:attribute-def:sn; SAML2: urn:oid:2.5.4.4 | String | Y |
| givenName | SAML1: urn:mace:dir:attribute-def:givenName; SAML2: urn:oid:2.5.4.42 | String | Y |
| displayName | SAML1: urn:mace:dir:attribute-def:displayName; SAML2: urn:oid:2.16.840.1.113730.3.1.241 | String | N |
| mail | SAML1: urn:mace:dir:attribute-def:mail; SAML2: urn:oid:0.9.2342.19200300.100.1.3 | String | Y |

Attribute Descriptions

eduPersonScopedAffiliation

Formal Definition

Description
Multiple values of the form value@domain, where domain is (typically) a DNS-like subdomain representing the organization or sub-organization of the affiliation (e.g., "osu.edu") and value is one of:

...

Usage Notes
Affiliation is a high-level expression of the relationship of the user to the university or organization specified in the domain. A user can possess many affiliations, though some values are mutually exclusive. This attribute is often made available to any Shibboleth service provider, and is a good way to filter or block users of a given general type. In particular, "member" is an indication that the user is somebody with relatively official standing with a university at the present time, and does not apply to guests, other temporary accounts, terminated employees, unpaid/unregistered students, and other exceptional cases.

eduPersonPrincipalName

Formal Definition

Description
A single value of the form user@domain, where domain is (typically) a DNS-like subdomain representing the security domain of the user (e.g., "osu.edu") and user is generally a username, NetID, UserID, etc. of the sort typically assigned for authentication to network services within the security domain.

Usage Notes
ePPN is the eduPerson equivalent of a username. It typically has most of the properties usually associated with usernames (such as uniqueness and a naming convention of some sort), with the added property of global uniqueness through the use of a scope. An application that tracks information based on it can therefore interact with users via any number of identity providers without fear of duplicates, although the possibility of recycling/reassignment does still exist within the domain of a given identity provider.

Note that at some Identity Providers a user can freely change their local account name (in the case of a name change due to marriage, for example), and the corresponding ePPN will typically change as well. This can cause a loss of service until name changes propagate throughout every application storing the value. For a less dynamic identifier, see also the eduPersonTargetedID attribute.

eduPersonEntitlement

Formal Definition

Description
Multiple values, each a URI, representing a license, permission, right, etc. to access a resource or service in a particular fashion. Entitlements represent an assertion of authorization to something, precomputed and asserted by the identity provider. This attribute is typically used to assert privileges maintained centrally rather than within specific application databases.

Usage Notes
Entitlements should not in general be parsed or interpreted based on the structure or content of the values, but simply compared as strings to access-control expressions in the application.
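The three usage notes above (scoped affiliation, ePPN scope and single-valuedness, entitlements compared as plain strings) come together on the consuming side. The following is an added example, not InCommon code, of an SP-side attribute consumer keyed by the SAML2 urn:oid names from the summary table; the registered-scope set and the entitlement URI are constructed values.

```python
# Added example (not from the InCommon page): normalise SAML2 attributes by
# their urn:oid names, enforce the datatype rules from the descriptions
# (single-valued ePPN/ePTID, value@domain form, 256-char ePTID limit) and
# reject scoped values whose domain is not registered for the asserting IdP.
ATTRIBUTE_NAMES = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.7": "eduPersonEntitlement",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "eduPersonTargetedID",
    "urn:oid:2.5.4.4": "sn",
    "urn:oid:2.5.4.42": "givenName",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
}
SINGLE_VALUED = {"eduPersonPrincipalName", "eduPersonTargetedID", "displayName"}
SCOPED = {"eduPersonScopedAffiliation", "eduPersonPrincipalName"}


def split_scoped(value):
    """Split value@domain; reject anything but exactly one non-empty '@' pair."""
    parts = value.split("@")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        raise ValueError(f"malformed scoped value: {value!r}")
    return parts[0], parts[1].lower()


def consume(raw_attributes, idp_scopes):
    """raw_attributes: {urn:oid name: [values]} decoded from the assertion.
    idp_scopes: lowercase scopes registered for the asserting IdP (assumed
    to come from federation metadata). Unknown attributes are dropped."""
    out = {}
    for name, values in raw_attributes.items():
        friendly = ATTRIBUTE_NAMES.get(name)
        if friendly is None:
            continue
        if friendly in SINGLE_VALUED and len(values) != 1:
            raise ValueError(f"{friendly} must carry exactly one value")
        if friendly in SCOPED:
            for v in values:
                _, domain = split_scoped(v)
                if domain not in idp_scopes:
                    raise ValueError(f"{friendly} scope {domain!r} not registered")
        if friendly == "eduPersonTargetedID" and len(values[0]) > 256:
            raise ValueError("eduPersonTargetedID exceeds 256 characters")
        out[friendly] = list(values)
    return out


def is_entitled(attrs, required_uri):
    """Entitlements are compared as whole strings, never parsed."""
    return required_uri in attrs.get("eduPersonEntitlement", [])
```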

eduPersonTargetedID

Formal Definition

Description
A single string value of no more than 256 characters that uniquely identifies a user in an opaque, privacy-preserving fashion. In most cases, the value will be different for a given user for each service provider to which a value is sent, to prevent correlation of activity between service providers.

...

Note that the values are not guaranteed to be unique except within a given identity provider's set of values.

sn

Formal Definition

Description
Multiple string values containing components of the user's "family" name or surname.

givenName

Formal Definition

Description
Multiple string values containing the part of the user's name that is not their surname or middle name.

displayName

Formal Definition

Description
A single string value indicating the preferred name of a person to be used for display purposes, for example a greeting or a descriptive listing.

mail

Formal Definition

Description
Preferred address for the "to:" field of email to be sent to this person. Usually of the form localid@univ.edu. Likely only one value.

...