
Shibboleth Service Provider Attribute Configuration

This page describes the attributes that are available to a Shibboleth SP for use in authorization checking. To configure the SP to handle these attributes, you must edit the file attribute-map.xml in the SP configuration directory. A template file listing all currently available attributes can be downloaded from:

http://sites.utoronto.ca/security/projects/attribute-map-UofT-template.xml.

There are four categories of attributes: UTORauth, Core/Common LDAP, eduPerson LDAP, and Shibboleth-specific.

Definitions

Intramural SP: A Shibboleth Service Provider run within the University.

Federated SP: A Service Provider running outside the University: e.g. at another educational institution, a private company, or a government service.

The following table lists the available attributes; descriptions are below.

Attribute Category      Attribute Name
UTORauth                UTORid
                        UTid
                        personid
Core/Common LDAP        cn
                        sn
                        mail
eduPerson LDAP          eduPersonPrincipalName
                        eduPersonAffiliation
                        eduPersonScopedAffiliation
Shibboleth-specific     persistentID
                        transientID

UTORauth

Most of our information comes via the UTORauth databases. Many of the attributes are compatible with, or mapped to, common LDAP attributes. Most importantly, UTORauth provides the persistent identifying attributes: UTid, UTORid, and personid. It also provides other attributes such as staffdept and mail.

UTORid

Format: eight character (lowercase) alphanumeric string, starting with a letter.

Availability: given by default to intramural SPs; not provided to Federated SPs.

Privacy: May not be Intramural SPs if a privacy policy

UTORid is UofT's userid for most I+TS provided services as well as an increasing number of departmental services. UTORids are eight character labels, in most cases derived from the person's name, so they are mnemonic, ... within the limitations of the eight characters.

UTid

Format: The UTid is a number.

Availability: The UTid is not provided to federated SPs; intramural SPs require permission of data owner.

The UTid is the persistent identifier for each user in the UTORauth system. Though it is rare, a UTORid may change, but the UTid will not. We encourage SPs to use the UTid as the primary key for any user database or storage. It is common for a web application to key its data on the username, which would mean keying on the UTORid. But if you key on the UTid, your databases and access rules will transparently survive a UTORid name change.

personid

Format: a number

Availability: The personid is not provided to federated SPs; intramural SPs require permission of data owner.

This is the person's student number.

Core/Common LDAP

Most of the LDAP community uses a common set of "schemas" specifying the labels, formats, and semantics of LDAP attributes. Shibboleth can provide this information and, by convention, we maintain the same labels, formats, and semantics.

cn

Format: the common name of the person, usually "$givenName $sn"

givenName

Format: the given name of the person (which rather presumes the user *is* a person)

sn

Format: the surname of the person

Availability: available to intramural and federated SPs.

mail

Format: email address of the user

Availability: Not provided to federated SPs. Available to intramural SPs.

eduPerson LDAP

Internet2, with support from EDUCAUSE, developed the eduPerson LDAP schema to standardize widely-used person and organizational attributes in higher education. Two key features are (1) scoped identifiers to assist federated services and (2) a reference set of affiliations identifying how persons are affiliated with the institution.

eduPersonPrincipalName (EPPN)

Format: $utorid@utoronto.ca

eduPersonAffiliation (affiliation)

Format: one of "student", "faculty", "staff", "alum", or "applicant"

Availability: available to intramural SPs.

eduPersonScopedAffiliation

Format: $affiliation@utoronto.ca

Availability: available to intramural and federated SPs.

Shibboleth-specific Attributes

Shibboleth creates some attributes of its own. In order to provide privacy to users, Shibboleth provides opaque IDs that allow an SP to serve a user without knowing the user's identity.

persistentID

Format: opaque string

The same persistentID will be provided to the SP at each application session. The SP will know it is the same user, but the SP will not know the EPPN, UTORid, mail or other identifying information about the user. The SP can maintain a history and a set of preferences for the user without knowing the user's identity.
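The following is an added example, not code from this page or from I+TS, showing how an application behind the SP can act on the attributes described above: it keys user records on UTid as recommended in the UTid section (falling back to persistentID for a pseudonymous SP, and never on UTORid), validates the UTORid format given above, and accepts eduPersonScopedAffiliation values only when their scope is utoronto.ca and the affiliation is one of the reference values listed. The variable names it reads (utid, utorid, eppn, cn, scoped-affiliation, persistent-id) are assumed attribute-map.xml ids, not taken from the UofT template; the sample environments are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Mapping, Optional, Set

# Scope of the home IdP: eduPersonScopedAffiliation values are "$affiliation@utoronto.ca".
HOME_SCOPE = "utoronto.ca"
# Reference affiliations listed on this page for eduPersonAffiliation.
REFERENCE_AFFILIATIONS = {"student", "faculty", "staff", "alum", "applicant"}
# UTORid format from this page: eight lowercase alphanumerics, the first one a letter.
UTORID_RE = re.compile(r"^[a-z][a-z0-9]{7}$")
# Separator the Shibboleth SP uses by default when it exports a multi-valued attribute.
VALUE_SEP = ";"


def is_valid_utorid(value: str) -> bool:
    """True when the value matches the UTORid format described on this page."""
    return bool(UTORID_RE.match(value))


def parse_scoped_affiliations(raw: str, home_scope: str = HOME_SCOPE) -> Set[str]:
    """Return only the affiliations asserted for our own scope.

    Values with a foreign scope (e.g. staff@example.edu), unscoped values, and
    affiliations outside the reference set are dropped rather than trusted."""
    kept: Set[str] = set()
    for item in raw.split(VALUE_SEP):
        item = item.strip()
        if "@" not in item:
            continue  # unscoped: cannot tell which institution asserted it
        affiliation, scope = item.rsplit("@", 1)
        if scope.lower() == home_scope and affiliation in REFERENCE_AFFILIATIONS:
            kept.add(affiliation)
    return kept


@dataclass
class Principal:
    storage_key: str            # key for the application's own user records
    key_source: str             # "utid" (identified) or "persistent-id" (pseudonymous)
    affiliations: Set[str] = field(default_factory=set)
    display_name: Optional[str] = None


def principal_from_environ(environ: Mapping[str, str]) -> Optional[Principal]:
    """Build the application's view of the user from SP-exported variables.

    These must come from the server environment the SP populates, not from
    client-supplied request headers. The storage key prefers UTid, which survives
    a UTORid rename, and falls back to persistentID when no identifying attributes
    were released. UTORid is deliberately never used as a key."""
    utid = environ.get("utid", "").strip()
    pid = environ.get("persistent-id", "").strip()
    if utid.isdigit():                  # page: "The UTid is a number"
        key, source = f"utid:{utid}", "utid"
    elif pid:
        key, source = f"pid:{pid}", "persistent-id"
    else:
        return None  # no stable identifier: refuse rather than key on utorid

    utorid = environ.get("utorid", "").strip()
    if utorid and not is_valid_utorid(utorid):
        return None  # malformed value: treat as misconfiguration, not as a user

    return Principal(
        storage_key=key,
        key_source=source,
        affiliations=parse_scoped_affiliations(environ.get("scoped-affiliation", "")),
        display_name=environ.get("cn") or None,
    )


def authorize(principal: Optional[Principal], required: Set[str]) -> bool:
    """Allow access when the user holds at least one required home-scope affiliation."""
    return principal is not None and bool(principal.affiliations & required)


# Constructed sample environments, as the SP would export them (not real data).
IDENTIFIED_USER = {
    "utid": "1000000001",
    "utorid": "smithjoh",
    "eppn": "smithjoh@utoronto.ca",
    "cn": "John Smith",
    "scoped-affiliation": "staff@utoronto.ca;alum@utoronto.ca;student@example.edu",
}
PSEUDONYMOUS_USER = {
    "persistent-id": "AbCd123EfGh456=",   # constructed opaque value
    "scoped-affiliation": "student@utoronto.ca",
}
NO_STABLE_ID = {"utorid": "smithjoh", "eppn": "smithjoh@utoronto.ca"}

if __name__ == "__main__":
    for name, env in [("identified", IDENTIFIED_USER),
                      ("pseudonymous", PSEUDONYMOUS_USER),
                      ("no-stable-id", NO_STABLE_ID)]:
        p = principal_from_environ(env)
        print(name, p, "staff-only:", authorize(p, {"staff"}))
```

The foreign-scope value student@example.edu in the first sample is discarded, so a check that requires "student" fails for that user even though the string is present; that is the point of validating the scope rather than matching on the affiliation name alone.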

transientID

Format: opaque string


©2012 - University of Toronto Information + Technology Services, All Rights Reserved.