InfoSec

Shibboleth Attributes

One of the most valuable aspects of Shibboleth is the transmission of user attributes. The attributes are a named set of values which describe an authenticated user. When a user logs into your Service Provider (SP), the Shibboleth Identity Provider returns a set of attributes to the SP which can be used by the application for authorization decisions. 

Following is a list of attributes and definitions currently available through the University of Missouri Identity Provider (IdP). During the SP request process, permission will be considered for the appropriate release of additional attributes. 

Attribute NameDefinitionSource
*samAccountName
Example: sts123
SSO IDActive Directory – LDAP
*emailAddress
Example: sts123@umsystem.edu
University assigned email address.Active Directory – LDAP
*displayName
Example: Student, Sally
Global Address List display name.
Note: This value will be obfuscated for students asserting FERPA.
Active Directory – LDAP
*sn
Example: Student
Last name
Note: This value will be obfuscated for students asserting FERPA.
Active Directory – LDAP via PeopleSoft HR/Stu.
*givenName
Example: Sally
First name
Note: This value will be obfuscated for students asserting FERPA.
Active Directory – LDAP via PeopleSoft HR/Stu.
cnCommon Name (First Name, Last Name)
Note: This value will be obfuscated for students asserting FERPA.
Active Directory – LDAP
*departmentUniversity assigned employment department for staff or program department for students.Active Directory – LDAP
*eduPersonPrincipalName
Example: @missouri.edu, @umkc.edu, @umsl.edu, @umsystem.edu, @mst.edu, @umh.edu, @umac.umsystem.edu.
The Principal Name contains the user’s SSOID@domain.edu.
Note: This is not an email address.
Active Directory – LDAP
eduPersonAffiliation
Example: faculty, employee, member, student
Specifies the person’s relationship(s) to the university in broad categories with controlled vocabulary. Individuals may hold more than one eduPersonAffiliation. The only permissible values for this attribute are: faculty, student, staff, alum, member, affiliate, employee, library-walk-in.PeopleSoft HR or Student via UMDW
eduPersonPrimaryAffiliation
Example: faculty
Specifies the person’s PRIMARY relationship to the institution in broad categories with controlled vocabulary.PeopleSoft HR or Student via UMDW
eduPersonScopedAffiliation
Example: faculty@missouri.edu, employee@missouri.edu, member@missouri.edu, student@umkc.edu
The Scoped Affiliation is created by joining the affiliation and the campus of that affiliation (e.g., faculty@missouri.edu).PeopleSoft HR or Student via UMDW
**eduPersonTargetedIDA persistent, opaque identifier used to identify a user to a service provider. This identifier is cryptographically strong and unique to each service provider to ensure that the identity of the end user cannot be determined from the value.The attribute value is made up of an identifier, the identity provider, and the service provider.
employeeIDStudent number or employee ID assigned in PeopleSoft.SSO data on UMDW
*Attributes released by default to internal Shibboleth Service Providers
**Attributes released by default to all Shibboleth Service Providers

UM Common Definition 

Faculty 

Any University of Missouri Faculty member as defined by HR Job data that is in Active, On Leave or Paid Leave status, not a retiree. 

Staff 

Any University of Missouri Non-Faculty (staff) member as defined in HR job data that is in Active, On Leave or Paid Leave status, not a retiree. (Not to include student titles). 

Employee 

Any individual employed by the University of Missouri regardless of employee type that is in Active, On Leave or Paid Leave status and not a retiree. Includes student employees. 

Student 

Any University of Missouri student enrolled for at least one course in the current or a future semester. 

Member 

Emeriti (currently for COLUM only) Anyone with the following affiliation types: Faculty, Staff, Employee, and Student. 

Alum 

Not used at this time. 

Affiliate 

Not used at this time. 

Library-walk-in 

Not used at this time. 

UM Common Definition 

When only one affiliation type is listed in the eduPersonAffiliation attribute that affiliation type should be listed as the eduPersonPrimaryAffiliation. If more than one affiliation exists in eduPersonAffiliation the below set of rules establish primary. 

Faculty 

If eduPersonAffiliation includes faculty it should be listed as the Primary Affiliation superseding all other values. 

Staff 

If eduPersonAffiliation includes non-faculty it should be listed as the Primary Affiliation superseding all other values except Faculty. (This conflict should not occur when using ps_convert.ps_um_employees, if another table is used rules will need to be adjusted, likely based on FTE of each position.) 

Employee 

Employee should only be used if eduPersonAffiliation does not contain Faculty, Staff or Student but they are employed by the university and hold this affiliation in eduPersonAffiliation. Employee supersedes Alum, Member, Affiliate and Library-walk-in. (i.e. a Student Employee who is not enrolled). 

Student 

If eduPersonAffiliation includes student it takes precedence over all values except Faculty and Staff. Student employees who are enrolled should be listed with a primary value of student. 

Member 

Member should be used as Primary only if Faculty, Staff, Student, and Employee do not exist in eduPersonAffiliation. Member should supersede Alum, Affiliate, Library-walk-in. 

Alum 

(Not used at this time.) Use if no other eduPersonAffiliation value except library-walk-in. Alum will only supersede library-walk-in. 

Affiliate 

(Not used at this time.) Affiliate should be used only if Faculty, Staff, Student Employee, and Member does not exist in eduPersonAffiliation. Affiliate should supersede Alum and Library-walk-in. 

Library-walk-in 

(Not used at this time.) Use library-walk-in if it is the only value listed in eduPersonAffiliation. Every other affiliation will supersede library-walk-in