List of Shibboleth attributes available at Penn
Some of the available attributes are extracted from PennCommunity and PennGroups. The Penn IdP is not an authoritative source of information but rather releases the information to allow members at Penn to participate in larger academic communities like InCommon while preserving the privacy of users. We currently strike that balance by: limiting and approving the release of information to any outside providers to what is appropriate for the service provided, and imposing the same visibility restrictions on name data as Penn Directory imposes.
Attribute Definitions, Visibility, and Source
| Attribute | Formal Name (SAML2) | User Suppressable | Source | Field | Definition |
|---|---|---|---|---|---|
| Basic Attributes that are available to all SPs | |||||
| eduPersonPrincipalName | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | No | PennCommunity | comadmin.member.kerberos_principal | PennKey/PennName scoped to @upenn.edu |
| surname (sn)1 2 3 | urn:oid:2.5.4.4 | Yes | Penn Directory | diradmin.detailname.last_name | Surname. Should not be used as a unique identifier. |
| givenName1 2 3 | urn:oid:2.5.4.42 | Yes | Penn Directory | diradmin.detailname.first_name | Given Name. Should not be used as a unique identifier. |
| displayName2 3 | urn:oid:2.16.840.1.113730.3.1.241 | Yes | Penn Directory | (computed from Penn Directory) | Display Name. Should not be used as a unique identifier. |
| mail3 5 | urn:oid:0.9.2342.19200300.100.1.3 | Yes | Penn Directory or pennname@upenn.edu | diradmin.detail_email.email_address | e-mail address. Should not be used as a unique identifier. |
| eduPersonAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.1 | No | PennGroups | (see Affiliation Mapping below) | Affiliation. Should not be used as a unique identifier. |
| eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | No | PennGroups | (see Affiliation Mapping below) | Affiliation (scoped). Should not be used as a unique identifier. |
| employeeNumber4 | urn:oid:2.16.840.1.113730.3.1.3 | No | PennCommunity | comadmin.member.penn_id | PennID |
| Attributes that are available only by request | |||||
| eduPersonEntitlement | No | PennGroups | (computed from PennGroups) | (see PennGroups Memberships below) Should not be used as a unique identifier. | |
1This information is pulled from Penn Directory. Users should update Penn Directory if they wish to correct the presentation of their name.
2 Other institutions may send more than 1 value for these attributes; however, we send only 1 value for each as provided by the user in Penn Directory.
3 Service providers should be aware this is user-provided data and is not verified. These attributes should never be used to link accounts or identify a user.
4 This attribute is not released to InCommon.
5 This attribute will be populated with the directory public e-mail address, if no public e-mail is released it will be populated with pennname@upenn.edu.
Note: The creation of custom attributes is warranted from time to time, but we will not create new attributes with exactly the same values and semantics
as existing attributes. In addition, we can not accommodate attributes with a poorly chosen NameFormat as this may create conflicts across the federation.
Affiliation Mapping
| PennGroup | eduPersonAffiliation | eduPersonScopedAffiliation |
|---|---|---|
| penn:community:student | student | student (scoped to upenn.edu) |
| penn:community:faculty | faculty | faculty (scoped to upenn.edu) |
| penn:community:activeNonAlumniWithPennname | member | member (scoped to upenn.edu) |
| penn:community:employee | employee | employee (scoped to upenn.edu) |
| penn:community:staff | staff | staff (scoped to upenn.edu) |
| penn:community:alumni:alumni | alum | alum (scoped to upenn.edu) |
PennGroups Memberships
If the user is a member of any of the requested PennGroups, a URN for each group membership will be included as a value of the eduPersonEntitlement attribute. When a user no longer has an active affiliation or they are removed from the respective group, the affiliation will no longer be asserted during log in.
For example, if the SP requests the PennGroup
penn:isc:staff:netstaff
then Shibboleth will supply, as a value of the eduPersonEntitlement attribute, the URN
urn:mace:upenn.edu:penn:isc:staff:netstaff
if the authenticated user is a member of that PennGroup.
Other members of InCommon will have slightly different definitions for some attributes. For more information see the InCommon Federation Attribute Summary.