Penn Computing

Penn Computing

Computing Menu Computing A-Z
Computing Home Information Systems & Computing Penn

Service Alerts

List of Shibboleth attributes available at Penn

Some of the available attributes are extracted from PennCommunity and PennGroups. The Penn IdP is not an authoritative source of information but rather releases the information to allow members at Penn to participate in larger academic communities like InCommon while preserving the privacy of users. We currently strike that balance by: limiting and approving the release of information to any outside providers to what is appropriate for the service provided, and imposing the same visibility restrictions on name data as Penn Directory imposes.

Attribute Definitions, Visibility, and Source

AttributeFormal Name (SAML2)User
Source Field Definition
Basic Attributes that are available to all SPs
eduPersonPrincipalName urn:oid: No PennCommunity comadmin.member.kerberos_principal PennKey/PennName scoped to
surname (sn)1 2 3 urn:oid: Yes Penn Directory diradmin.detailname.last_name Surname. Should not be used as a unique identifier.
givenName1 2 3 urn:oid: Yes Penn Directory diradmin.detailname.first_name Given Name. Should not be used as a unique identifier.
displayName2 3 urn:oid:2.16.840.1.113730.3.1.241 Yes Penn Directory (computed from Penn Directory) Display Name. Should not be used as a unique identifier.
mail3 urn:oid:0.9.2342.19200300.100.1.3 Yes Penn Directory diradmin.detail_email.email_address e-mail address. Should not be used as a unique identifier.
eduPersonAffiliation urn:oid: No PennGroups (see Affiliation Mapping) Affiliation. Should not be used as a unique identifier.
eduPersonScopedAffiliation urn:oid: No PennGroups (see Affiliation Mapping) Affiliation (scoped). Should not be used as a unique identifier.
Attributes that are available only by request
employeeNumber4 urn:oid:2.16.840.1.113730.3.1.3 No PennCommunity comadmin.member.penn_id PennID
eduPersonEntitlement No PennGroups (computed from PennGroups) (see PennGroups Memberships). Should not be used as a unique identifier.

1 This information is pulled from Penn Directory. Users should update Penn Directory if they wish to correct the presentation of their name.
2 Other institutions may send more than 1 value for these attributes; however, we send only 1 value for each as provided by the user in Penn Directory.
3 Service providers should be aware this is user provided data and is not verified. These attributes should never be used to link accounts or identify a user.
4 This attribute is not released to InCommon.

Note: The creation of custom attributes is warranted from time to time, but we will not create new attributes with exactly the same values and semantics
as existing attributes. In addition, we can not accommodate attributes with a poorly chosen NameFormat as this may create conflicts across the federation.

Affiliation Mapping

PennGroup eduPersonAffiliation eduPersonScopedAffiliation
penn:community:student student student (scoped to
penn:community:faculty faculty faculty (scoped to
penn:community:activeNonAlumniWithPennname member member (scoped to
penn:community:employee employee employee (scoped to
penn:community:staff staff staff (scoped to
penn:community:alumni:alumni alum alum (scoped to

PennGroups Memberships

If the user is a member of any of the requested PennGroups, a URN for each group membership will be included as a value of the eduPersonEntitlement attribute.

For example, if the SP requests the PennGroup
then Shibboleth will supply, as a value of the eduPersonEntitlement attribute, the URN
if the authenticated user is a member of that PennGroup.


Other members of InCommon will have slightly different definitions for some attributes. For more information see the InCommon Federation Attribute Summary.


Information Systems and Computing
University of Pennsylvania
Comments & Questions

Penn Computing University of Pennsylvania
Information Systems and Computing, University of Pennsylvania