Texas A&M University - Infrastructure Services

TAMUFederation Attributes

Federation and Identity Attributes

In a federation scenario, when a person attempts to access a protected Service Provider site, an Identity Provider is asked to provide information about the person, in the form of "identity attributes", to the Service Provider. The Service Provider uses this information to evaluate whether the person is authorized to access the protected resource and for other purposes. These attributes might include information unique to that person, like an identifier or email address, or more general information such as organizational affiliation or group membership.

The Identity Provider sets policies about which attributes and values are sent to which Service Providers. Without the Service Provider specifically requesting additional data, the only information returned is the person's targeted ID. If a Service Provider requires more information about an individual, they must contact the Identity Provider and request the additional attributes.


TAMUFederation Attribute Summary

Many of the attributes recommended for use in the TAMUFederation are used among InCommon participants. To ensure TAMUFederation participants are also able to participate in InCommon, the TAMUFederation will follow the guidelines recommended by InCommon for attributes the two Federations have in common. For the convenience of TAMUFederation participants, the InCommon recommendations are provided below.

The following is a non-exhaustive list of the attributes commonly encountered in the use of TAMUFederation-enabled services.

Attribute Summary Table
| Friendly Name              | Formal Name                        | Datatype                            | Multi? |
|----------------------------|------------------------------------|-------------------------------------|--------|
| eduPersonAffiliation       | urn:oid:1.3.6.1.4.1.5923.1.1.1.1   | String Enumeration                  | Y      |
| eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9   | Domain-Qualified String Enumeration | Y      |
| eduPersonPrincipalName     | urn:oid:1.3.6.1.4.1.5923.1.1.1.6   | Domain-Qualified String             | N      |
| eduPersonEntitlement       | urn:oid:1.3.6.1.4.1.5923.1.1.1.7   | URN                                 | Y      |
| eduPersonTargetedID        | urn:oid:1.3.6.1.4.1.5923.1.1.1.10  | String, max. 256 characters         | N      |
| sn                         | urn:oid:2.5.4.4                    | String                              | Y      |
| givenName                  | urn:oid:2.5.4.42                   | String                              | Y      |
| mail                       | urn:oid:0.9.2342.19200300.100.1.3  | String                              | Y      |
| tamuEduPersonUIN           | urn:oid:1.3.6.1.4.1.4391.0.12      | String                              | N      |



Attribute Descriptions

eduPersonAffiliation

Formal Definition
http://middleware.internet2.edu/eduperson/
Description
Multiple values where value is one of:

  • member
  • student
  • employee
  • faculty
  • staff
  • alum
  • affiliate
  • library-walk-in

Note that these values are NOT case-sensitive, and capital or mixed-case values are permitted (e.g., MEMBER, Member, MeMbEr), though all lower-case is recommended.
Usage Notes
Affiliation is a high-level expression of the relationship of the user to the university or organization. A user can possess many affiliations, though some values are mutually exclusive. This attribute is often made available to any Shibboleth service provider, and is a good way to filter or block users of a given general type. In particular, "member" is an indication that the user is somebody with relatively official standing with a university at the present time, and does not apply to guests, other temporary accounts, terminated employees, unpaid/unregistered students, and other exceptional cases.

eduPersonScopedAffiliation       (per InCommon)

Formal Definition
http://middleware.internet2.edu/eduperson/
Description
Multiple values of the form value@domain, where domain is (typically) a DNS-like subdomain representing the organization or sub-organization of the affiliation (e.g., "tamu.edu") and value is one of:

  • member
  • student
  • employee
  • faculty
  • staff
  • alum
  • affiliate
  • library-walk-in

Note that these values are NOT case-sensitive, and capital or mixed-case values are permitted (e.g., MEMBER, Member, MeMbEr), though all lower-case is recommended.
Usage Notes
Affiliation is a high-level expression of the relationship of the user to the university or organization specified in the domain. A user can possess many affiliations, though some values are mutually exclusive. This attribute is often made available to any Shibboleth service provider, and is a good way to filter or block users of a given general type. In particular, "member" is an indication that the user is somebody with relatively official standing with a university at the present time, and does not apply to guests, other temporary accounts, terminated employees, unpaid/unregistered students, and other exceptional cases.
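
The following is an added example, not code from TAMUFederation or InCommon, showing how a Service Provider might normalize and filter eduPersonScopedAffiliation values before using them in an access decision. The per-IdP scope allow-list (`idp_scopes`), the function names, and the lower-casing of the domain part are assumptions of this sketch; the sample values are constructed.

```python
# Added example: SP-side handling of eduPersonScopedAffiliation values.
# Enumerated affiliation values, as listed in the attribute description.
AFFILIATIONS = frozenset({
    "member", "student", "employee", "faculty",
    "staff", "alum", "affiliate", "library-walk-in",
})


def parse_scoped_affiliations(values, idp_scopes):
    """Return the (affiliation, scope) pairs that are well formed, use an
    enumerated value, and carry a scope the asserting IdP is allowed to use.

    idp_scopes is a hypothetical allow-list the SP keeps for each IdP.
    """
    allowed = {s.lower() for s in idp_scopes}
    accepted = set()
    for raw in values:
        # Values are not case-sensitive, so compare in lower case.
        value, sep, scope = raw.strip().lower().partition("@")
        if not sep or not scope or "@" in scope:
            continue  # not of the form value@domain
        if value not in AFFILIATIONS:
            continue  # not one of the enumerated affiliations
        if scope not in allowed:
            continue  # scope this IdP is not expected to assert
        accepted.add((value, scope))
    return accepted


def is_current_member(values, idp_scopes, scope):
    """True if the user holds 'member' within the given scope."""
    accepted = parse_scoped_affiliations(values, idp_scopes)
    return ("member", scope.lower()) in accepted


# Constructed sample: mixed case, a foreign scope, an unknown value,
# and an unscoped value.
SAMPLE = ["MeMbEr@tamu.edu", "Staff@TAMU.EDU", "member@example.org",
          "guest@tamu.edu", "alum"]
```
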

eduPersonPrincipalName       (per InCommon)

Formal Definition
http://middleware.internet2.edu/eduperson/
Description
A single value of the form user@domain, where domain is (typically) a DNS-like subdomain representing the security domain of the user (e.g., "tamu.edu") and user is generally a username, NetID, UserID, etc. of the sort typically assigned for authentication to network services within the security domain.
Usage Notes
EPPN is the eduPerson equivalent of a username. It typically has most of the properties usually associated with usernames (such as uniqueness and a naming convention of some sort), with the added property of global uniqueness through the use of a scope. An application that tracks information based on it can therefore interact with users via any number of identity providers without fear of duplicates, although the possibility for recycling/reassignment does still exist within the domain of a given identity provider. Note that at some Identity Providers a user can freely change their local account name (in the case of a name change due to marriage, for example), and the corresponding EPPN will typically change as well. This can cause a loss of service until name changes propagate throughout every application storing the value. For a less dynamic identifier, see also the eduPersonTargetedID attribute.

eduPersonEntitlement       (per InCommon)

Formal Definition
http://middleware.internet2.edu/eduperson/
Description
Multiple values, each a URI, representing a license, permission, right, etc. to access a resource or service in a particular fashion. Entitlements represent an assertion of authorization to something, precomputed and asserted by the identity provider. This attribute is typically used to assert privileges maintained centrally rather than within specific application databases.
Usage Notes
Entitlements should not in general be parsed or interpreted based on the structure or content of the values, but simply compared as strings to access-control expressions in the application.

eduPersonTargetedID       (per InCommon)

Formal Definition
http://middleware.internet2.edu/eduperson/
Description
A single string value of no more than 256 characters that uniquely identifies a user in an opaque, privacy-preserving fashion. In most cases, the value will be different for a given user for each service provider to which a value is sent, to prevent correlation of activity between service providers.
Usage Notes
This attribute offers a powerful alternative to the use of eduPersonPrincipalName as a user identifier within applications and databases. Its power lies in the fact that it offers a significant degree of privacy and control for users. It also tends to be more stable than EPPN because it doesn't change merely in response to superficial name changes. It still may change, but generally in a more controlled fashion. It also requires a policy of non-reassignment. That is, while a given user may be associated with more than one value over time, a single value once assigned will never be assigned to any other user. When appropriate, the value can remain consistent across multiple service providers, if those systems have a demonstrated relationship and need to share information about the user's activities. Such sharing must be tightly controlled.
Note that the values are not guaranteed to be unique except within a given identity provider's set of values.
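
The following is an added example, not code from TAMUFederation or InCommon, of keying local accounts on eduPersonTargetedID at a Service Provider. It reflects the notes above: the value is unique only within one identity provider, it is limited to 256 characters, and the EPPN may change while the targeted ID stays the same. The attribute input shape (friendly name mapped to a list of values), the class name, and the IdP entityIDs are assumptions or constructed values.

```python
# Added example: account keying at a Service Provider.
MAX_TARGETED_ID_LEN = 256  # limit stated in the attribute description


class AccountStore:
    def __init__(self):
        self._accounts = {}  # (idp_entity_id, targeted_id) -> account record

    def login(self, idp_entity_id, attributes):
        """Find or create the local account for one asserted identity."""
        tids = attributes.get("eduPersonTargetedID", [])
        if len(tids) != 1:
            raise ValueError("eduPersonTargetedID must carry exactly one value")
        tid = tids[0]
        if not tid or len(tid) > MAX_TARGETED_ID_LEN:
            raise ValueError("eduPersonTargetedID must be 1-256 characters")
        # Values are unique only within one IdP, so the IdP is part of the key.
        key = (idp_entity_id, tid)
        account = self._accounts.setdefault(key, {"id": len(self._accounts) + 1})
        # EPPN can change (e.g. a name change): keep it as mutable profile
        # data, never as the lookup key.
        eppns = attributes.get("eduPersonPrincipalName", [])
        account["eppn"] = eppns[0] if eppns else None
        return account


def demo():
    idp_a = "https://idp-a.example.edu/idp"  # constructed entityIDs
    idp_b = "https://idp-b.example.org/idp"
    store = AccountStore()
    first = store.login(idp_a, {
        "eduPersonTargetedID": ["abc123"],
        "eduPersonPrincipalName": ["jsmith@idp-a.example.edu"]})
    first_id = first["id"]
    # Same user after a local account rename: EPPN differs, targeted ID does not.
    renamed = store.login(idp_a, {
        "eduPersonTargetedID": ["abc123"],
        "eduPersonPrincipalName": ["jdoe@idp-a.example.edu"]})
    # A different IdP that happens to issue the same opaque string.
    other = store.login(idp_b, {"eduPersonTargetedID": ["abc123"]})
    return first_id, renamed["id"], renamed["eppn"], other["id"]
```
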

sn       (per InCommon)

Formal Definition
http://middleware.internet2.edu/eduperson/
Description
Multiple string values containing components of the user's "family" name or surname.

givenName       (per InCommon)

Formal Definition
http://middleware.internet2.edu/eduperson/
Description
Multiple string values containing the part of the user's name that is not their surname or middle name.

mail       (per InCommon)

Formal Definition
http://middleware.internet2.edu/eduperson/
Description
Preferred address for the "to:" field of email to be sent to this person. Usually of the form localid@univ.edu. Likely only one value.
Usage Notes
The address in this attribute cannot be assumed to represent an organizationally-assigned contact address for a user established as part of a strong identity-proofing process. This may be true of some organizations that assert this attribute, but some organizations may permit users to provide their own preferred address, e.g. an email account at an Internet mail service.

tamuEduPersonUIN

Formal Definition
http://infrastructure.tamu.edu/directory/attribute/attribute_tamuEduPersonUIN.html
Description
Universal Identification Number (UIN) assigned to the person by the Texas A&M University System.

