Penn Computing


List of Shibboleth attributes available at Penn

Some of the available attributes are extracted from PennCommunity and PennGroups. The Penn IdP is not an authoritative source of information; it releases information so that members of the Penn community can participate in larger academic communities like InCommon while preserving the privacy of users. We currently strike that balance by limiting the release of information to outside providers to what is approved and appropriate for the service provided, and by imposing the same visibility restrictions on name data as Penn Directory imposes.

Attribute Definitions, Visibility, and Source

Basic Attributes that are available to all SPs

| Attribute | User Suppressable | Source | Field | Definition |
|---|---|---|---|---|
| eduPersonPrincipalName | No | PennCommunity | comadmin.member.kerberos_principal | PennKey/PennName |
| surname (sn) ¹ ² ³ | Yes | Penn Directory | diradmin.detailname.last_name | Surname |
| givenName ¹ ² ³ | Yes | Penn Directory | diradmin.detailname.first_name | Given Name |
| displayName ² ³ | Yes | Penn Directory | (computed from Penn Directory) | Display Name |
| mail ³ | Yes | Penn Directory | diradmin.detail_email.email_address | e-mail address |
| eduPersonAffiliation | No | PennGroups | (see Affiliation Mapping) | Affiliation |
| eduPersonScopedAffiliation | No | PennGroups | (see Affiliation Mapping) | Affiliation (scoped) |

Attributes that are available only by request

| Attribute | User Suppressable | Source | Field | Definition |
|---|---|---|---|---|
| employeeNumber ⁴ | No | PennCommunity | comadmin.member.penn_id | PennID |
| eduPersonEntitlement | No | PennGroups | (computed from PennGroups) | (see PennGroups Memberships) |

1 This information is pulled from Penn Directory. Users should update Penn Directory if they wish to correct the presentation of their name.
2 Other institutions may send more than 1 value for these attributes; however, we send only 1 value for each as provided by the user in Penn Directory.
3 Service providers should be aware this is user provided data and is not verified.
4 This attribute is not released to InCommon.

Note: The creation of custom attributes is warranted from time to time, but we will not create new attributes with exactly the same values and semantics as existing attributes. In addition, we cannot accommodate attributes with a poorly chosen NameFormat, as this may create conflicts across the federation.

Affiliation Mapping

| PennGroup | eduPersonAffiliation | eduPersonScopedAffiliation |
|---|---|---|
| penn:community:student | student | student (scoped to upenn.edu) |
| penn:community:faculty | faculty | faculty (scoped to upenn.edu) |
| penn:community:activeNonAlumniWithPennname | member | member (scoped to upenn.edu) |
| penn:community:employee | employee | employee (scoped to upenn.edu) |
| penn:community:staff | staff | staff (scoped to upenn.edu) |
| penn:community:alumni:alumni | alum | alum (scoped to upenn.edu) |

PennGroups Memberships

If the user is a member of any of the requested PennGroups, a URN for each group membership will be included as a value of the eduPersonEntitlement attribute.

For example, if the SP requests the PennGroup
penn:isc:staff:netstaff
then Shibboleth will supply, as a value of the eduPersonEntitlement attribute, the URN
urn:mace:upenn.edu:penn:isc:staff:netstaff
if the authenticated user is a member of that PennGroup.
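
An SP-side authorization check built on the entitlement URN and affiliation mapping above. This is an added example, not Penn's or Shibboleth's own code. It assumes the Shibboleth SP's default export of multi-valued attributes as a single `;`-separated string (with `\;` escaping) and the eduPerson `value@scope` form for scoped affiliation; the function names, the sample user, and the second group in the sample are constructed for illustration.

```python
import re

PENN_SCOPE = "upenn.edu"
URN_PREFIX = "urn:mace:upenn.edu:"  # prefix taken from the page's example URN

def split_values(raw):
    """Split a multi-valued attribute string as exported by the SP.

    Assumption: values are joined with ';' and a literal ';' inside a
    value is escaped as '\\;'.
    """
    if not raw:
        return []
    parts = re.split(r"(?<!\\);", raw)
    return [p.replace("\\;", ";") for p in parts if p]

def group_urn(penn_group):
    """Map a PennGroup name to the entitlement URN form shown on the page."""
    return URN_PREFIX + penn_group

def is_authorized(attrs, required_group, allowed_affiliations):
    """Decide access from eduPersonEntitlement and eduPersonScopedAffiliation.

    attrs maps attribute names to the raw strings delivered by the SP.
    sn, givenName, displayName and mail are deliberately not consulted:
    the page notes they are user-provided and unverified.
    """
    entitlements = set(split_values(attrs.get("eduPersonEntitlement")))
    # Exact match on the full URN; a prefix or substring test would also
    # accept look-alike group names.
    if group_urn(required_group) not in entitlements:
        return False
    for value in split_values(attrs.get("eduPersonScopedAffiliation")):
        affiliation, sep, scope = value.rpartition("@")
        # Accept the affiliation only when it is scoped to upenn.edu.
        if sep and scope == PENN_SCOPE and affiliation in allowed_affiliations:
            return True
    return False

# Constructed sample of what an SP might hand to the application.
SAMPLE = {
    "eduPersonPrincipalName": "jdoe@upenn.edu",
    "eduPersonEntitlement": "urn:mace:upenn.edu:penn:isc:staff:netstaff;"
                            "urn:mace:upenn.edu:penn:example:group",
    "eduPersonScopedAffiliation": "staff@upenn.edu;employee@upenn.edu",
    "mail": "anything@example.org",  # user-provided, ignored by the check
}
```
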


 

Other members of InCommon will have slightly different definitions for some attributes. For more information see the InCommon Federation Attribute Summary.


Information Systems and Computing
University of Pennsylvania