List of Shibboleth attributes available at Penn
Some of the available attributes are extracted from PennCommunity
and PennGroups. The Penn IdP is not an authoritative source of
information but rather releases the information to allow members at Penn to participate in larger academic communities like InCommon while preserving the privacy of users. We currently strike that balance by: limiting and approving the release of information to any outside providers to what is appropriate for the service provided, and imposing the same visibility restrictions on name data as Penn Directory imposes.
Attribute Definitions, Visibility, and Source
| Source || Field || Definition
|Basic Attributes that are available to all SPs|
| eduPersonPrincipalName ||No|| PennCommunity || comadmin.member.kerberos_principal || PennKey/PennName|
| surname (sn)1 2 3 ||Yes|| Penn Directory || diradmin.detailname.last_name || Surname |
| givenName1 2 3||Yes|| Penn Directory || diradmin.detailname.first_name || Given Name |
| displayName2 3||Yes|| Penn Directory || (computed from Penn Directory) || Display Name |
| mail3 ||Yes|| Penn Directory ||diradmin.detail_email.email_address|| e-mail address|
| eduPersonAffiliation ||No|| PennGroups || (see Affiliation Mapping)|| Affiliation |
| eduPersonScopedAffiliation ||No|| PennGroups || (see Affiliation Mapping)|| Affiliation (scoped) |
|Attributes that are available only by request|
| employeeNumber4||No|| PennCommunity || comadmin.member.penn_id || PennID |
| eduPersonEntitlement ||No|| PennGroups || (computed from PennGroups) || (see PennGroups Memberships)|
1 This information is pulled from Penn Directory. Users should update Penn Directory if they wish to correct the presentation of their name.
2 Other institutions may send more than 1 value for these attributes; however, we send only 1 value for each as provided by the user in Penn Directory.
3 Service providers should be aware this is user provided data and is not verified.
4 This attribute is not released to InCommon.
Note: The creation of custom attributes is warranted from time to time, but we will not create new attributes with exactly the same values and semantics
as existing attributes. In addition, we can not accommodate attributes with a poorly chosen NameFormat as this may create conflicts across the federation.
| PennGroup || eduPersonAffiliation ||eduPersonScopedAffiliation
| penn:community:student || student || student (scoped to upenn.edu) |
| penn:community:faculty || faculty || faculty (scoped to upenn.edu) |
| penn:community:activeNonAlumniWithPennname || member || member (scoped to upenn.edu) |
| penn:community:employee || employee || employee (scoped to upenn.edu) |
| penn:community:staff || staff || staff (scoped to upenn.edu) |
| penn:community:alumni:alumni || alum || alum (scoped to upenn.edu) |
If the user is a member of any of the requested PennGroups, a URN for each group membership will be included as a value of the eduPersonEntitlement attribute.
For example, if the SP requests the PennGroup
then Shibboleth will supply, as a value of the eduPersonEntitlement attribute, the URN
if the authenticated user is a member of that PennGroup.