
ISC Networking & Telecommunications


Penn WebLogin
	Help

	Shibboleth Reference
	Main Page
	Service Provider Information
	InCommon Process
	Shibboleth Setup and Configuration
	SP Validation

	Quick Links
	SP Registration Form (Requires Pennkey Login)
	InCommon Registration Form
	Known Issues
	Intake Process Flowchart
	Road Map
	FAQs

Service Alerts

List of Shibboleth attributes available at Penn

Some of the available attributes are extracted from PennCommunity and PennGroups. The Penn IdP is not an authoritative source of information but rather releases the information to allow members at Penn to participate in larger academic communities like InCommon while preserving the privacy of users. We currently strike that balance by: limiting and approving the release of information to any outside providers to what is appropriate for the service provided, and imposing the same visibility restrictions on name data as Penn Directory imposes.

Attribute Definitions, Visibility, and Source

Attribute	User Suppressable	Source	Field	Definition
Basic Attributes that are available to all SPs
eduPersonPrincipalName	No	PennCommunity	comadmin.member.kerberos_principal	PennKey/PennName
surname (sn)^{1 2 3}	Yes	Penn Directory	diradmin.detailname.last_name	Surname
givenName^{1 2 3}	Yes	Penn Directory	diradmin.detailname.first_name	Given Name
displayName^{2 3}	Yes	Penn Directory	(computed from Penn Directory)	Display Name
mail³	Yes	Penn Directory	diradmin.detail_email.email_address	e-mail address
eduPersonAffiliation	No	PennGroups	(see Affiliation Mapping)	Affiliation
eduPersonScopedAffiliation	No	PennGroups	(see Affiliation Mapping)	Affiliation (scoped)
Attributes that are available only by request
employeeNumber⁴	No	PennCommunity	comadmin.member.penn_id	PennID
eduPersonEntitlement	No	PennGroups	(computed from PennGroups)	(see PennGroups Memberships)

¹ This information is pulled from Penn Directory. Users should update Penn Directory if they wish to correct the presentation of their name.
² Other institutions may send more than 1 value for these attributes; however, we send only 1 value for each as provided by the user in Penn Directory.
³ Service providers should be aware this is user provided data and is not verified.
⁴ This attribute is not released to InCommon.

Affiliation Mapping

PennGroup	eduPersonAffiliation	eduPersonScopedAffiliation
penn:community:student	student	student (scoped to upenn.edu)
penn:community:faculty	faculty	faculty (scoped to upenn.edu)
penn:community:activeNonAlumniWithPennname	member	member (scoped to upenn.edu)
penn:community:employee	employee	employee (scoped to upenn.edu)
penn:community:staff	staff	staff (scoped to upenn.edu)
penn:community:alumni:alumni	alum	alum (scoped to upenn.edu)

PennGroups Memberships

If the user is a member of any of the requested PennGroups, a URN for each group membership will be included as a value of the eduPersonEntitlement attribute.

For example, if the SP requests the PennGroup
penn:isc:staff:netstaff
then Shibboleth will supply, as a value of the eduPersonEntitlement attribute, the URN
urn:mace:upenn.edu:penn:isc:staff:netstaff
if the authenticated user is a member of that PennGroup.

Other members of InCommon will have slightly different definitions for some attributes. For more information see the InCommon Federation Attribute Summary.



Information Systems and Computing University of Pennsylvania Comments & Questions