Shibboleth@OSU

User Attributes

Basics

The "currency" of the Shibboleth software is attributes. An attribute is a named set of values about an authenticated user. The values are typically strings, but can be more complex XML-based data. When a user logs into your service provider software, Shibboleth obtains a set of attributes for that user and maps them (based on rules you create) into environment variables and/or HTTP headers for your application to consume. In most cases, the OSU Shibboleth administrators, or even users themselves, create rules that specify which attributes are passed to which service provider. Even public attributes that uniquely identify users, such as the OSU Internet Username, are suppressed unless the service requires this information.

Well-behaved applications using Shibboleth recognize first and foremost that the attributes they receive about users belong to the user, and the user may choose to suppress them. Applications are free to deny access when they do not receive what they need, but they should be designed to look for attributes as needed and never require them in order to return a meaningful response, even if that response is just "sorry, I need your username to continue". Very little can be assumed, but the result is a more robust application.

As described in the Shibboleth documentation, when multiple values are supplied for an attribute, they are generally separated by a semicolon in the variable or header.
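As an added example (not code from this page or from the Shibboleth project), here is how an application might consume the mapped variables the way the section above recommends: splitting multi-valued headers on ';', treating affiliation values case-insensitively and only for the expected scope, and returning a clear denial instead of failing when an attribute is withheld. The header names are this page's defaults; the sample user and environ are constructed.

```python
# Added example (not from the OSU page or Shibboleth): reading attributes the
# SP has mapped into CGI-style environment variables / HTTP headers. Header
# names are the page's defaults; the scope "osu.edu" is the page's domain.
# The sample user and environ below are constructed.

def multi_values(environ, name):
    """Split a multi-valued attribute on ';', as the SP delivers it.
    Returns [] when the attribute was suppressed or never released."""
    raw = environ.get(name, "")
    return [v.strip() for v in raw.split(";") if v.strip()]

def scoped_affiliations(environ, scope="osu.edu"):
    """Lower-cased affiliation values asserted for `scope` only.
    eduPerson values are case-insensitive (MEMBER == member); a value scoped
    to some other domain is ignored rather than trusted."""
    result = set()
    for v in multi_values(environ, "HTTP_AFFILIATION"):
        value, sep, domain = v.rpartition("@")
        if sep and domain.lower() == scope.lower():
            result.add(value.lower())
    return result

def access_decision(environ, required="member"):
    """Decide access without *requiring* attributes: a missing value yields a
    readable denial instead of an error. Returns (allowed, message)."""
    eppn = environ.get("REMOTE_USER") or environ.get("HTTP_EPPN")
    if not eppn:
        return False, "sorry, I need your username to continue"
    affils = scoped_affiliations(environ)
    if required.lower() not in affils:
        return False, f"{eppn}: affiliation '{required}' was not asserted"
    return True, f"welcome, {eppn}"

if __name__ == "__main__":
    # Constructed environ, shaped like what the SP hands a CGI/WSGI app.
    env = {
        "REMOTE_USER": "buckeye.1@osu.edu",
        "HTTP_AFFILIATION": "Member@osu.edu;student@osu.edu;staff@example.edu",
        "HTTP_GIVENNAME": "Brutus",
    }
    print(scoped_affiliations(env))   # {'member', 'student'}
    print(access_decision(env))       # (True, 'welcome, buckeye.1@osu.edu')
    print(access_decision({}))        # (False, 'sorry, I need your username to continue')
```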

Attribute List

The following is a fairly complete list of the information currently available through Shibboleth from the Ohio State identity provider service. Some attributes may also be available from other InCommon identity providers, subject to appropriate privacy policies and application need. This is by no means exhaustive of the information that may eventually be available through Shibboleth, nor does it imply that something you need can't be made available if it's present in a reasonable form in the university's directory service or administrative systems. The answer may be no, but you can ask.

The columns for "Default Header" should not be read as constraining you. Any header name can be assigned as needed. Check and modify your configuration as needed if you need to make adjustments.

Standard Directory Attributes

The first table consists of attributes that are available by default to all on-campus services without requiring special arrangements. These are standard directory-oriented attributes, available for most/all users.

eduPersonScopedAffiliation
  Full Name (SAML1): urn:mace:dir:attribute-def:eduPersonScopedAffiliation
  Full Name (SAML2): urn:oid:1.3.6.1.4.1.5923.1.1.1.9
  Default Header (2.x): HTTP_AFFILIATION
  Datatype: Domain-Qualified String Enumeration
  Multi-valued: Y

eduPersonPrincipalName
  Full Name (SAML1): urn:mace:dir:attribute-def:eduPersonPrincipalName
  Full Name (SAML2): urn:oid:1.3.6.1.4.1.5923.1.1.1.6
  Default Header (2.x): REMOTE_USER / HTTP_EPPN
  Datatype: Domain-Qualified String
  Multi-valued: N

displayName
  Full Name (SAML1): urn:mace:dir:attribute-def:displayName
  Full Name (SAML2): urn:oid:2.16.840.1.113730.3.1.241
  Default Header (2.x): HTTP_DISPLAYNAME
  Datatype: String
  Multi-valued: N

sn
  Full Name (SAML1): urn:mace:dir:attribute-def:sn
  Full Name (SAML2): urn:oid:2.5.4.4
  Default Header (2.x): HTTP_SN
  Datatype: String
  Multi-valued: Y

givenName
  Full Name (SAML1): urn:mace:dir:attribute-def:givenName
  Full Name (SAML2): urn:oid:2.5.4.42
  Default Header (2.x): HTTP_GIVENNAME
  Datatype: String
  Multi-valued: Y

employeeNumber
  Full Name (SAML1): urn:mace:dir:attribute-def:employeeNumber
  Full Name (SAML2): urn:oid:2.16.840.1.113730.3.1.3
  Default Header (2.x): HTTP_OSUID / HTTP_EMPLOYEENUMBER
  Datatype: String
  Multi-valued: N

departmentNumber
  Full Name (SAML1): urn:mace:dir:attribute-def:departmentNumber
  Full Name (SAML2): urn:oid:2.16.840.1.113730.3.1.2
  Default Header (2.x): HTTP_DEPARTMENTNUMBER
  Datatype: String
  Multi-valued: Y

mail
  Full Name (SAML1): urn:mace:dir:attribute-def:mail
  Full Name (SAML2): urn:oid:0.9.2342.19200300.100.1.3
  Default Header (2.x): HTTP_EMAIL
  Datatype: String
  Multi-valued: Y

Additional Attributes

The second table consists of attributes that are available upon request and by permission of the data owner. Some of this data is classified as protected or restricted by the university.

eduCourseOffering
  Full Name: urn:oid:1.3.6.1.4.1.5923.1.6.1.1 (eduCourseOffering)
  Default Header (2.x): HTTP_EDUCOURSEOFFERING
  Datatype: URI
  Multi-valued: Y

eduCourseMember
  Full Name: urn:oid:1.3.6.1.4.1.5923.1.6.1.2 (eduCourseMember)
  Default Header (2.x): HTTP_EDUCOURSEMEMBER
  Datatype: Role@URI
  Multi-valued: Y

eduPersonEntitlement
  Full Name (SAML1): urn:mace:dir:attribute-def:eduPersonEntitlement
  Full Name (SAML2): urn:oid:1.3.6.1.4.1.5923.1.1.1.7
  Default Header (2.x): HTTP_ENTITLEMENT
  Datatype: URI
  Multi-valued: Y

FERPA
  Full Name: urn:mace:osu.edu:shibboleth:attribute-def:FERPA
  Default Header (2.x): HTTP_FERPA
  Datatype: Y/N
  Multi-valued: N

major
  Full Name: urn:mace:osu.edu:shibboleth:attribute-def:major
  Default Header (2.x): HTTP_MAJOR
  Datatype: String
  Multi-valued: Y

advisor (all types)
  Full Name: urn:mace:osu.edu:shibboleth:attribute-def:advisor
  Default Header (2.x): HTTP_ADVISOR
  Datatype: String
  Multi-valued: Y

advisor, by type (each has Datatype String and is multi-valued)
  Full Name                                                     Default Header (2.x)
  urn:mace:osu.edu:shibboleth:attribute-def:advisor:academic    HTTP_ADVR
  urn:mace:osu.edu:shibboleth:attribute-def:advisor:athletic    HTTP_ATAD
  urn:mace:osu.edu:shibboleth:attribute-def:advisor:college-office    HTTP_CLAD
  urn:mace:osu.edu:shibboleth:attribute-def:advisor:career-services   HTTP_CRAD
  urn:mace:osu.edu:shibboleth:attribute-def:advisor:dissertation      HTTP_DISS
  urn:mace:osu.edu:shibboleth:attribute-def:advisor:dept        HTTP_DPAD
  urn:mace:osu.edu:shibboleth:attribute-def:advisor:faculty     HTTP_FCAD
  urn:mace:osu.edu:shibboleth:attribute-def:advisor:honors      HTTP_HOAD
  urn:mace:osu.edu:shibboleth:attribute-def:advisor:major       HTTP_MJAD
  urn:mace:osu.edu:shibboleth:attribute-def:advisor:minor       HTTP_MNAD
  urn:mace:osu.edu:shibboleth:attribute-def:advisor:map         HTTP_OMAD
  urn:mace:osu.edu:shibboleth:attribute-def:advisor:qec         HTTP_QEC
  urn:mace:osu.edu:shibboleth:attribute-def:advisor:research    HTTP_READ
  urn:mace:osu.edu:shibboleth:attribute-def:advisor:scholars    HTTP_SCAD
  urn:mace:osu.edu:shibboleth:attribute-def:advisor:thesis      HTTP_THES

eduPersonScopedAffiliation
Formal Definition
http://middleware.internet2.edu/eduperson/
Description

Multiple values of the form value@domain, where domain is a DNS subdomain representing the organization or sub-organization of the affiliation (e.g., "osu.edu") and value is one of:

  • member
  • student
  • employee
  • faculty
  • staff
  • alum
  • affiliate

Note that these values are NOT case-sensitive, and capital or mixed-case values are permitted (e.g., MEMBER, Member, MeMbEr).

OSU-Specific Information

Only the values member, student, employee, faculty, and staff are currently supported. The only domain value currently applied is "osu.edu", which represents the university as a whole.

member is assigned to any user possessing either employee or student.

student is assigned to any user with an "active" program of study. This is a change from the previous definition which was based on expected or past enrollment in classes.

employee is assigned to any user having an appointment (active or inactive) in the university's HR system.

faculty is assigned to any user possessing employee and whose appointment(s) include one with a faculty title.

staff is assigned to any user possessing employee but not faculty.

Usage Notes

Affiliation is a good rough approximation of the relationship of the user to the university or organization specified in the domain. A user can possess many affiliations, though some values are mutually exclusive. This attribute is typically available to any Shibboleth service provider, and is a good way to filter or block users of a given general type. In particular, member is an indication that the user is somebody with relatively official standing with the university at the present time, and does not apply to guests, other temporary accounts, terminated employees, unpaid/unregistered students, and other exceptional cases. At this time, affiliation values are the best way to provision/deprovision access when employees or students leave the university, until such time as the accounts themselves are more promptly disabled.

eduPersonPrincipalName
Formal Definition
http://middleware.internet2.edu/eduperson/
Description

A single value of the form user@domain, where domain is a DNS subdomain representing the security domain of the user (e.g., "osu.edu") and user is generally a username, NetID, UserID, etc. of the sort typically assigned for authentication to network services within the security domain.

OSU-Specific Information

OCIO assigns so-called Internet Usernames as the primary means of campus-wide authentication. The official campus e-mail address is then constructed by appending "@osu.edu" to the username. The eduPersonPrincipalName of an account that corresponds to an Internet Username is the same as that e-mail address, and currently takes the form "lastname.#@osu.edu". Other kinds of accounts might be issued in the future and could look different, but the value of this attribute will always be unique at any given time for each active account.

At the present time, Internet Usernames (and by extension, EPPNs) are not generally reassigned, but OCIO reserves the right to recycle older usernames in the future. Even today, the value often changes for a given physical user, however, because account renaming is generally permitted.

Note that a fairly small number of "legacy" accounts persist whose actual Internet Username does not correspond to the lastname.# format (so-called Magnus names, usually a first initial plus up to seven characters of the last name, e.g., jsmith). Even in these cases, the EPPN value for the account will still match the lastname.#@osu.edu syntax.

Usage Notes

EPPN is typically considered the Shibboleth-equivalent of a username. It typically has most of the properties usually associated with usernames (such as uniqueness and a naming convention of some sort), with the added property of global uniqueness through the use of a suffix/qualifier. An application that tracks information based on it can therefore interact with users via any number of identity providers without fear of duplicates, although the possibility for recycling/reassignment does still exist within the domain of a given identity provider.

Note that in most cases, a user can freely change their local account name (in the case of a name change due to marriage, for example), and the corresponding EPPN will typically change as well. This can cause a loss of service until name changes propagate throughout every application storing the value. For a less dynamic identifier, see also the eduPersonTargetedID attribute.

eduCourseOffering
Formal Definition

http://middleware.internet2.edu/courseid/docs/internet2-mace-dir-courseid-educourse-ldap-200507.html

Description

Multiple values, each a URI, representing active enrollment in a university course and/or class section offered in a specific academic term.

OSU-Specific Information

This attribute carries distinct values that map to the course and section level, so either level of granularity can be used. The format of Ohio State's eduCourseOffering values is as follows:

Course Enrollment: urn:mace:osu.edu:course:TERM:SUBJECT:COURSE

Section (i.e., class) Enrollment: urn:mace:osu.edu:section:TERM:SUBJECT:COURSE:CLASS

TERM

Code indicating academic term of the class. Beginning with Summer 2012, this is now a code of the form YYYYTT. The first four characters are the year, and the last two characters are AU, SP, and SU, standing for Autumn, Spring, and Summer terms, respectively.

NOTE: First- or second-half-only courses are denoted by a period and an additional digit (1 or 2) appended to the code (e.g., Summer 2012 2nd Term = 2012SU.2)

On the semester calendar, each term includes classes that may be offered full term, or in the first or second half of the term.

SUBJECT
The official "subject" abbreviation of the course (a list of current subjects can be found here)
COURSE
Fully punctuated course number as designated in master schedule (e.g. 131H or 611.04)
CLASS
The "class number" (typically a 4-5 digit number as listed in the master schedule)

Currently, student enrollment for a window of roughly three terms (previous, current, next) is reflected in the values asserted for this attribute. Previous or future enrollment outside of this window will generally not be available.

Usage Notes

These values are encoded as shown above so that you can determine what value to associate with course-specific application rules. They should not in general be parsed or interpreted based on the structure or content of the values, but simply compared as strings. For example, do NOT use pattern matching to identify "all the Physics courses", because the encoding rules may change in the future.

eduCourseMember
Formal Definition

http://middleware.internet2.edu/courseid/docs/internet2-mace-dir-courseid-educourse-ldap-200507.html

Description

Multiple values, each containing a role, '@', and a URI, representing a role-based relationship with a university course and/or section offered in a specific academic term.

OSU-Specific Information

The URI portion of the attribute's values is defined as for the eduCourseOffering attribute above. The role portion currently consists of only two possible values: "Learner" for students and "Instructor" for all instructional roles related to a course or section. Currently all instructor types captured by the SIS system of record are treated as the "Instructor" role.

Usage Notes

The difference between this attribute and eduCourseOffering is that the values of that attribute are implicitly treated as being associated with the logged-in user as a student. This attribute adds a "Role@" prefix to each URI so that each relationship can be identified as student or instructor. An instructor who is also taking classes (as many graduate students do) will often have both kinds of roles in their set of values.
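Added example, not code from this page or the Shibboleth project, covering both the eduCourseOffering URI forms described above and the Role@URI form of eduCourseMember: values are matched as exact strings, never pattern-matched on subject or term. The roles Learner and Instructor are the page's; the sample term, subject, course and class numbers are constructed, and the rule that only instructors may view grades is an assumed application policy.

```python
# Added example (not the OSU page's or Shibboleth's code): role-aware course
# authorization from eduCourseMember values of the form Role@URI. Values are
# compared as exact strings, never pattern-matched on subject or term, as the
# page instructs. Sample term/subject/course/class values are constructed.

ROLES = {"Learner", "Instructor"}   # the only roles OSU currently asserts

def parse_course_members(header_value):
    """Turn 'Learner@urn:...;Instructor@urn:...' into a list of (role, uri).
    Malformed entries (no '@', or a role we do not know) are dropped,
    not guessed at."""
    members = []
    for item in header_value.split(";"):
        role, sep, uri = item.strip().partition("@")
        if sep and role in ROLES and uri:
            members.append((role, uri))
    return members

def role_for(members, uri):
    """Role the user holds for exactly this course or section URI, or None.
    If both roles are asserted for one URI, Instructor takes precedence
    (assumed application policy)."""
    roles = {role for role, u in members if u == uri}
    if "Instructor" in roles:
        return "Instructor"
    if "Learner" in roles:
        return "Learner"
    return None

def can_view_grades(members, section_uri, course_uri=None):
    """Assumed policy: instructors of the section, or of its parent course
    when the caller supplies that URI, may view grades; learners and
    everyone else may not."""
    for uri in (section_uri, course_uri):
        if uri and role_for(members, uri) == "Instructor":
            return True
    return False

if __name__ == "__main__":
    # Constructed header: a graduate student who teaches one section and is
    # enrolled in a different course; the last entry is garbage to be ignored.
    hdr = ("Instructor@urn:mace:osu.edu:section:2012AU:PHYSICS:1250:12345;"
           "Learner@urn:mace:osu.edu:course:2012AU:MATH:2153;"
           "bogus-entry")
    members = parse_course_members(hdr)
    print(role_for(members, "urn:mace:osu.edu:section:2012AU:PHYSICS:1250:12345"))  # Instructor
    print(can_view_grades(members,
                          "urn:mace:osu.edu:section:2012AU:MATH:2153:54321",
                          "urn:mace:osu.edu:course:2012AU:MATH:2153"))  # False
```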

eduPersonEntitlement
Formal Definition
http://middleware.internet2.edu/eduperson/
Description

Multiple values, each a URI, representing a license, permission, right, etc. to access a resource or service in a particular fashion. Entitlements represent an assertion of authorization to something, precomputed and asserted by the identity provider. This attribute is typically used to assert privileges maintained centrally rather than within specific application databases.

OSU-Specific Information

Currently, the only entitlements supported are a copy of the values supplied in the eduCourseOffering attribute described immediately above. The reason for supporting them in both places is that entitlements are a superset of course-related data and might include additional, unrelated privileges in the future.

Usage Notes

Entitlements should not in general be parsed or interpreted based on the structure or content of the values, but simply compared as strings. They represent a delegation of control by an application over who possesses the right to use a resource to the identity provider, potentially simplifying application logic in the process and centralizing control over the policy, blacklisting or whitelisting, etc.

displayName
Formal Definition
http://middleware.internet2.edu/eduperson/
Description

A string value containing a user's legal name, suitable for display. Preferred over handling first and last name independently to better address international students.

OSU-Specific Information

Ohio State's identity provider uses a format of "First Last" based on the data maintained for the university's public directory service, which is in turn derived from systems of official record.

sn
Formal Definition
http://middleware.internet2.edu/eduperson/
Description

Multiple string values containing components of the user's "family" name or surname.

OSU-Specific Information

Ohio State's identity provider does not separate hyphenated or multi-part surnames into multiple values. The attribute is currently single-valued. The value is derived from the data maintained for the university's public directory service, which is in turn derived from systems of official record.

givenName
Formal Definition
http://middleware.internet2.edu/eduperson/
Description

Multiple string values containing the part of the user's name that is not their surname or middle name.

OSU-Specific Information

Ohio State's identity provider does not separate hyphenated or multi-part given names into multiple values. The attribute is currently single-valued. The value is derived from the data maintained for the university's public directory service, which is in turn derived from systems of official record.

employeeNumber
Formal Definition

http://www.faqs.org/rfcs/rfc2798.html

Description

A string value containing an employee identifier, typically assigned by an employer.

OSU-Specific Information

Ohio State's identity provider asserts the university employee or student "OSUID" as the value for this attribute. Guest accounts issued to unaffiliated people are assigned an identifier by our Novell Identity Management system, and the value generated by that system is used as the value of this attribute. Guest values will be of different lengths than standard enterprise-assigned values and usually contain letters, so do not assume that all values will be of a fixed length or numeric. Values should be compared case-insensitively.

An additional point about guests: our enterprise Human Resources and Student Information Systems will not accept OSUID values assigned externally by the IDM system. As a result, if a guest user later becomes an affiliate (is hired, applies for admission, becomes a student, etc.), the value of this attribute WILL change to a more typical employee or student identifier. This is more rare than changes to usernames, but is still a fact of life applications will have to deal with.

departmentNumber
Formal Definition

http://www.faqs.org/rfcs/rfc2798.html

Description

Multiple string values containing a department identifier, typically assigned based on the circumstances of employment.

OSU-Specific Information

Ohio State's identity provider asserts a 5-digit university department ID for each active appointment held by the user.

mail
Formal Definition

http://www.faqs.org/rfcs/rfc2798.html

Description

Multiple string values containing SMTP-compatible email addresses believed to belong to the user.

OSU-Specific Information

Most campus users have a university-assigned email address at which official university e-mail is sent. This address has the form lastname.#@osu.edu and is the same as their eduPersonPrincipalName. Some users, especially new applicants, may have non-OSU addresses that they register with the university. OSU makes no guarantees as to the accuracy of those addresses or whether they are actually controlled by the user in question.

FERPA
Formal Definition

None

Description

An OSU-specific attribute containing a value of 'Y' for any student that has elected to suppress their directory information under FERPA.

Usage Notes

Any value other than 'Y' is an indication that suppression was not elected.

Major
Formal Definition

None

Description

An OSU-specific attribute containing the set of academic majors in which a student is enrolled for the previous, current, and subsequent terms. Each major is represented by its "plan" abbreviation, a truncated string used in identifying the lowest level of a student's academic career(s).

A list of current plans can be found here.

Usage Notes

Because this attribute is multi-valued, applications must be prepared for more than one value and should not assume a single major.

Advisor
Formal Definition

None

Description

An OSU-specific attribute containing the set of advisors of all types assigned to a student, each identified by their OSUID. A top-level attribute carries all advisors, regardless of type. A set of finer-grained attributes also exists, one for each type of advisor tracked by the SIS:

  • Academic
  • Athletic
  • College-Office
  • Career-Services
  • Dissertation
  • Departmental
  • Faculty
  • Honors
  • Major
  • Minor
  • MAP
  • Qualifying Exam Committee
  • Research
  • Thesis Committee

Usage Notes

Because this attribute is multi-valued, applications must be prepared for more than one value and should not assume a single advisor.