wiki:IamUaArp

Version 202 (modified by dabantz@…, 5 years ago) (diff)

--

University of Alaska

Identity Provider attribute release information &

Privacy Statement regarding your data

The most current version of this document is actively maintained at https://iam.alaska.edu/trac/wiki/IamUaArp

One of the most powerful aspects of Shibboleth-based Identity Provider (IdP) is the ability to release selected information about the person to a relying application. A relying application will not see your username and password but instead refer you back to the UA IdP to authenticate ("log in"). If you successfully authenticate ("log in") to the IdP, the IdP asserts a set of attributes about you back to the relying application using a standard protocol (SAML). Different applications can receive different information; in fact, some applications will not receive personally identifiable information about the person that has authenticated.

Permission to release information about you:
If upon review of this information you do not want to release the indicated attributes about you to a service, you should not use (log into) that service.

Re-use or distribution of information about you:
Although the attributes released to a service are deemed necessary to appropriately use that service, that is the only purpose for which they are released. Any subsequent re-use for other purposes is not allowed; if you detect such misuse of your information, contact iam@alaska.edu.

Data about you released to services

(List of Services receiving attributes follows the description of attributes)

The following explains some of terminology related to our attribute release policies. The data about you that is sent to an information service when you use SSO to log in to that service are described here informally as "attributes." This document does not provide formal or complete definitions of either SAML attributes (the format in which data is sent to services) or LDAP attributes (the format of data in AD or other directories). Other attributes based on data in Banner and/or UA Directories could be released as and if appropriate for other applications (e.g., major, office location, employee type).

Note that only the selected attributes indicated by the name of each service are sent to that service; if an attribute is not listed, it is not sent to that service. For a full list of your University of Alaska attributes as seen by the Identity Provider, click on this link and log in with your UA credentials:

My UA Login Information

eduPerson attributes - these attributes defined in national standards provide identifiers in specific formats and indications of your relation to the University

eduPersonAffiliation or ePA - One or more of the following describing the role or type of affiliation with UA: Student, Employee, Staff, Faculty, Member, or Affiliate. Member designates a person who is part of the University of Alaska and generally entitled to information services, even if not formally a student or employee; it includes campus-based researchers with external funding, faculty emeriti, and some others. Affiliate designates merely that the person has a record in the UA IdP, but is not automatically eligible for services, and may be used for those with a limited specific affiliation with UA such as short-term guests.

eduPersonEntitlement - permissions or entitlements based on your role(s) at UA; may additionally be scoped to a department or (in the future) course. For example: for a student in Chemistry at UAF-main campus, learner@urn:mace:alaska.edu:itunesu:UAF - Main Campus:Chemistry

eduPersonInstitutionalMail - An email address assigned to the individual in the alaska.edu domain, Distinguished from email by requirement of UA domain ("...@alaska.edu") and from EPPN and eduPersonUnique ID in that it is intended for use by services to send email to users within the domain: delivery (directly, via email routing, or via forward) to a mailbox under control of the user. [in draft awaiting formal approval from standards body]

eduPersonPrincipalName or ePPN - A unique identifier comprised of your UA username followed by "@alaska.edu"; while it has the look of an email address, it does not signify that this is a valid email address or your preferred email address; example: jpjones3@alaska.edu.

eduPersonScopedAffiliation - eduPersonAffiliation with added scope of alaska.edu; for example, Student@alaska.edu, Affiliate@alaska.edu

eduPersonTargetedID or ePTID- An opaque identifier unique to the combination of the authenticated person and the application; because it is different for each application, and does not itself reveal the identity of the user, it enables the application to track preferences or make bookmarks for the user, but does not enable that use information to be correlated with use in other applications or to a real person; example: 84e411ea-7daa-4a57-bbf6-b5cc52981b73

eduPersonUniqueID or ePUID - A non-changing unique identifier - specifically, not changing upon change of name or role at UA - scoped to alaska.edu; syntax is UA ID#@alaska.edu; example: 30123456@alaska.edu.

eduPersonOrcid or ePOID - carries values of the ORCID-assigned researcher identifiers for the associated entry; syntax is URL; example: http://orcid.org/0000-0003-0028-9548.

eduPersonAssurance - Set of URIs that assert compliance with specific standards for identity assurance; may indicate the authentication context; syntax is URI; example: https://iam.alaska.edu/trac/wiki/mfa.

Group Memberships & Roles

edirRole - roles defined within the UA Enterprise Directory that convey elevated privileges or permissions; examples: DEPTADMIN, SPONSORACCOUNT, HELPDESK

eduIsMemberOf - group membership recorded in the UA Enterprise Directory; often used to express privileges or permissions in other services; example: cn=appusers:onbaseprep:ad_confidential,ou=group,dc=alaska,dc=edu

adIsMemberOf - group membership recorded in the UA Domain (Active Directory), usually assigned programmatically on the basis of UA campus and/or role; example: CN=UAA_Students,OU=UAA,DC=ua,DC=ad,DC=alaska,DC=edu

Names any of the following can be provided, depending on the requirements of the service

common name - (or cn) usually a combination of given name and surname; may be multi-valued to include preferred first name and middle initial; example: William Smith, William A Smith, Bill Smith

display name - a concatenation of your first and last name; it is based on your legal surname and preferred first name as recorded in UA's Human Resources and/or Student Information Systems (Banner); example: John Doe.

given name - preferred first name indicated in Banner if provided, otherwise legal individual or first name; examples: William, Wilma

surname - (or sn) legal family or last name; examples: Smith, Costa-Gavras. Note: the systems of record at UA sometimes combine family or last name with a generational title or suffix and if present these are carried over in the released value of surname; examples: Carter Jr, Arnaz III

email - an email address indicated as your preferred email address in the UA Enterprise Directory; it may or may not be an @alaska.edu address; examples: gene.kelly@alaska.edu, peterq@arsc.edu; this attribute can be multi-valued; for services that cannot consume multiple values, use the institutionally defined single-valued attribute onemail.

canonicalEmail - the default email address assigned to all UA students, faculty and staff, based on UA Username; examples: jjastor@alaska.edu, jpsmith13@alaska.edu

mailRoutingAddress - the email destination address to which email to other recorded addresses is delivered (routed); for most people, mailRoutingAddress is the email account issued to you by your campus, but users may change this address in the UA Enterprise Directory; unlike the email (mail) attribute, it is always single-valued.

onemail - a single-valued attribute with principal's recorded email address; the value is a single value of user-indicated preferred email address, or if not specified in the institutional directory, the principal's mailRoutingAddress.

telephone number - phone number as recorded in the UA Enterprise Directory; in international format starting with "+" and country code, no punctuation other than spaces; example: +1 907 474 0123

UA identifiers

UAID or bannerID - the unique persistent numeric identifier assigned to all employees and students ("employee ID#", "student ID#") commonly used for UA login and account ids in preference to the less persistent name-based UA Username; example: 30123456

UA Username (released as uaSystemID and as uaUsername) - the unique name-based identifier commonly used for UA login and account ids; example: jpmorgan, pdsmith3

uakPersonID - see eduPersonUniqueID. UA-defined unique identifier using UA ID# parallel to the name-based EPPN, but using the unchanging numeric ID # assigned to all students and employees; implemented prior to and now deprecated in favor of eduPersonUniqueId; example: 30123456@alaska.edu

UA sAMAccountName (released as uaksAMAccountName) - the key identifier in the UA (Microsoft Windows) Domain; in the UA Domain this has value identical to UA Username for all students and employees.

uakSystemLegacyID - usernames based on the prior UA convention that is used in some legacy systems, based on one letter designation of your MAU (a, f, j, s), role (s, f, n, x, h) and initials; examples: asabc2, fxpqr

UDCID (Banner UDC Identifier) - an unchanging, Banner-generated, 32-character, alphanumeric value; it is an opaque (not intended to be human-readable) identifier used in Banner-related applications; example: GXgX9A£4LhGpthOsuyjvu-SKmae2IRzo

UA faculty/staff information

assignmentCount - UA employee's number of current assignments or jobs; value of 1 is typical and indicates an active employee; value of 0 indicates an employee with no current assignment or job, such as an occasional employee, adjunct faculty not currently teaching, faculty on sabbatical or other leave.

dlevel - code from Banner HR indicating an employee's home department; examples: D8ARCH, D1ASHE. More human-friendly attributes are uakEmployeeDepartment, uakEmployeeAffiliation

employee type - indication of employment category from HR record, examples: Exempt Staff - Regular or Faculty - Regular - <12 month

title - working or informal title at UA; examples: Professor of Biology or Instructional Designer

TKL - "Time Keeping Location" from employees' HR record; example: T801; deprecated for non-HR use or authorization because it has no uniform simple connection to the employee's department, work location, or role, but rather indicates one of the distributed locations or control points for managing employee records.

uakEmployeeCampus - campus to which the employee's home department belongs; example: possible values are:

UA Statewide Admin, 
UAA Kenai Peninsula College, UAA Kodiak College, UAA Main, UAA Matanuska-Susitna College, UAA Prince William Sound Community College, 
UAF Bristol Bay Campus, UAF Chukchi Campus, UAF Community and Technical College, UAF Cooperative Extension Service, UAF Interior-Aleutians Campus, UAF Kuskokwim Campus, UAF Fairbanks, UAF Main, UAF Northwest Campus, UAF Rural College, 
UAS Main, UAS Ketchikan Campus, UAS Sitka Campus

uakEmployeeDept - department name of an employee's home department from personnel record in Banner HR; example: CLA Philosophy & Humanities

uakEmployeeAffiliation

uakEmployeeFacultyAffiliation - academic program(s) in which a faculty member is currently an instructor of record; note that academic program names are not identical to employee department names; examples: UAF - eLearning & Distance Ed|Philosophy, UAF - Fairbanks Campus|Biology & Wildlife

UA student information

creditHoursCurrent - current student enrollment in credit hours; some services may require a minimum number of credit hours

uakStudentCampus - campus(es) providing courses in which a student is currently enrolled or has a major declared; note that these campus names from Banner SIS are not identical to the names from Banner HR for employee campus; the possible values are:

UAA - Kenai Peninsula Campus, UAA - Kodiak Campus, UAA - Main Campus, UAA - Mat-Su Campus, PWSCC - Prince William Sound
UAF - eLearning & Distance Ed, UAF - Bristol Bay (RB), UAF - Chukchi Campus, UAF - Correspondence Study(CS), UAF - Fairbanks Campus, UAF - Interior-Aleutians (RI), UAF - Juneau Fisheries (JU), UAF - Kuskokwim Campus, UAF - Northwest Campus, UAF - Rural College (RE)
UAS - Juneau Campus, UAS - Ketchikan Campus, UAS - Sitka Campus) 

uakStudentDept - academic program(s) in which a student is currently enrolled or has declared a major

Services (Applications)

The following applications rely on the UA IdP for authentication and receive the value(s) of the attributes listed in the right column. The Attributes named here are described above.

!ServiceBrief DescriptionAttributes required
AcademicWorksAcademicWorks scholarship managementUAID, displayName, onemail
AcademicWorks QAAcademicWorks QA/test instance (in process)UAID, displayName, onemail
AcademyOne ePUID, ePPN, displayName, givenName, sn eduPersonAffiliation, onemail, UAID
Adirondak (in prep) student housing tbd
AlcoholEdu Alcohol effects / healthy decisions ePPN, UAID, onemail, givenName, sn
ALEKS Assessment and LEarning in Knowledge Spaces (proficiency tests)eduPersonUniqueId, givenName, sn, displayName, email
Amazon Web Services AWS role (specific LDAP group memberships) and AWS session id = uakPersonID
Atomic Learning(instructional videos)surname, given name, UA ID#, ePPN, email, eduPersonAffiliation, and "AtomicLearningCampus" (combined set of values of uakStudentCampus and uakEmployeeCampus
Baseline (Campus Labs) analytics(?) UAID, canonicalEmail, givenName, sn
BLaST mentoring Biomedical Learning and Student Training ePUID, UA Username, onemail, displayName, givenName, sn
Bluecourse evaluation; see explorancebannerID
Campus Labs uid, UAID, canonicalEmail, givenName, sn
Cherwell web clientCherwell ITSM web client ePPN, UA Username, banner ID, displayName, onemail
CI Login secure access to multiple research tools & collaborations:
ATLAS,
Research Grid,
DOE KBase,
Globus,
OSG Connect,
XSEDE
ePPN, eduPersonTargetedID, displayName, givenName, surname, email, eduPersonScopedAffiliation
community.uaf.edu UAF Community (WordPress) UA Username, sn, gevenName, onemail, UA ID#, displayName
CourseLeaf (in prep)online course catalogUAID, ePUID, UA Username, ePPN, displayName
CTSIClinical and Translational Sciences - see IndianaCTSI
Concur'Travel Expense ManagementePPN
Data Cookbook Data analysis, limited to licensed usersbannerID
Digital Measures (UAA)FacultyInsight reporting, UAAePPN, eduPersonAffiliation
Digital Signage (UAA)contact Matthieu Ostrander, UAAePPN, ePUID, uaUsername, onemail, cn, uakEmployeeDept, uakEmployeeCampus, uakEmployeeMAU, uakEmployeeAffiliation
DocuSign DEMO instance electronic signatures automatic account generation and loginePUID, ePPN, givenName, surname, canonicalEmail
EAB Student Success Collaborative (UAF) bannerID
EDUCAUSE(EDUCAUSE Portal)eduPersonTargetedID (PersistentID), ePPN, surname, givenName, email, eduPersonScopedAffiliation (affiliation@alaska.edu)
eduroam set-up eduroam roaming wireless network accessePPN
Enrollment RX Student recruitment / on-boarding (in Salesforce) limited usersePPN, ePUID
explorance blue course evaluation (UAF) bannerID
EZProxy access to UAF Rasmuson Library licensed scholarly databasesePPN, eduPersonAffiliation, uasystemid, uakStudentDept, uakStudentCampus, uakStudentMAU, uakEmployeeDept, uakEmployeeCampus, uakEmployeeMAU, uakStudentAffiliation, uakStudentDegree, uakEmployeeFacultyAffiliation
Faculty180 Faculty Activity Reporting (UAF)UA ID#, common name, givenName, surname, email
Filesender Utility to send / receive / short term store files up to 1TBePPN, eduPersonScopedAffiliation, displayName, sn, givenName, mail
Gartner research & advice re technologygivenName, sn, canonicalEmail, eduPersonAffiliation
Google Apps for Education (proof of concept, poc.alaska.edu)UA email, calendar, Drive, et aluid
Gradescope Grading and feedbackePPN, ePUID, eduPersonAffiliation, displayName, sn, givenName, mail
GENI Experimenter PortalSite for network researchersePPN, eduPersonScopedAffiliation, displayName, sn, givenName, mail
Handshake ePPN
Haven Sexual Assault Awareness / Title 9 training ePPN, UAID, onemail, givenName, sn
Haven Plus content specifically required by amendments to Clery Act ePPN, UAID, onemail, givenName, sn
Haven for Faculty/Staff scenarios & examples re: sexual assault, domestic violence, and sexual harassment ePPN, UAID, onemail, givenName, sn
HealthyRoads UA Wellness program for benefits-eligible employeesUA ID# and custom attribute
IAM @ UA this IAM wiki ePPN
iGradstudent financial literacyePUID, canonicalEMail, givenName, sn, ePPN, uakEmployeeCampus, uakStudentCampus
IndianaCTSI research, research grant, and collaboration toolsePPN (researchers will be promoted to provide name and email to the service)
InfoEd research administrationePPN, UA ID#
Intellex Environmental Health & Safety trainingUA Username, UA ID#, email
Inteum Web Intellectual PropertyePPN, ePUID, onemail, displayName
Internet2 research & education apps of Internet eduPersonAffiliation, email
Internet2 email lists (Sympa) subscription options, unsubscription, archives, list management eduPersonAffiliation, email
Inventor Portaldisclosures - UAF-based inventionsePPN, ePUID, onemail, displayName
Kognito - UAS only conversation & simulations re behavioreduPersonUniqueID, displayName, canonicalEmail, group memberships indicating UAS student/employee
leanhighered.orgUAA Lean Center of ExcellenceePPN, ePUID, uaUsername,onemail, displayName,cn,uakEmployeeDept,uakEmployeeCampus,uakEmployeMAU,uakEmployeeAffiliation
LeanKit kanban board to visualize projects & work-flowePPN
Maxient manage behavior recordsePPN, ePUID, givenName, sn, onemail
MediaSpace view, upload, edit videosUAID, givenName, sn, onemail, adIsMemberOf
MyDraw UAF Recreation, Adventure, and Wellness online courses bannerID
NSF National Science Foundation, including FastLane for PIs (via Research.gov)ePPN, given name, surname, common name, email
NIH National Institutes of Health resources; services tbdgiven name, surname, email
NCBI National Center for Biotechnology Information (search for Alaska in sign-in page)given name, surname, email
OohLaLa UAS only dashboard for student lifeeduPersonUniqueID, givenName (preferred), surname, canonicalEmail
ORCIDregistry of researcher identifiers linking research activitieseduPersonScopedAffiliation, sn, transientId, ePPN, givenName, onemail, uakeduPersonAffiliation, eduPersonTargetedID
OrigamiRisk demo site Risk Management tracking applicationeduPersonUniqueId (Banner ID#), displayName, eduPersonAffiliation, assignmentCount, creditHoursCurrent, mail
OrigamiRisk production site Risk Management tracking applicationeduPersonUniqueId (Banner ID#), displayName, eduPersonAffiliation, assignmentCount, creditHoursCurrent, mail
OrgSync"connect with UAF organizations, events, involvement opportunities"ePUID, ePPN, ePA, sn, givenName, onemail
Parking @ UAFParking permits ePPN, UA ID#
PageUp People UA jobs bannerID
People.alaska.eduweb gateway for UA Enterprise DirectoryuaUsername
RADIUSUA RADIUS admin interfaceePA
Raveemergency communicationsePUID, ePPN, ePA
REFEDS mailing listsfrom GÉANT, European research & education ePPN, sn, givenName, eduPersonScopedAffiliation, eduPersonAffiliation, onemail|
Research.govNSF, NASA, & Grants.gov (pick UA from organization listePPN, given name, surname, common name, email
SANS Securing the HumanSecurity training & certificationePPN, ePUID, givenName, surname, canonicalEmail
Shibboleth.netwiki and issues tracking for Shibboleth projectePPN, givenName, sn, cn
Spaces Internet2 wiki at spaces.internet2.eduePPN, eduPersonEntitlement and standard values of eduPersonAffiliation
Staff Council @ UAFNominate candidates for UAF Staff Council UA ID#, given name, surname, email, telephone number, employee type, TKL, title, employee affiliation
Study Abroad @ UAF (click "Student Login") UA ID#, given name, surname, email
TurningTechnologies (test)interactive learning tools and measurementsePPN, eduPUI, displayName, givenName, sn
Trac wiki, technical documentation and internal tracking for IAM-related projectsePPN
Tuition ManagementTuition Management / payment plans for studentseduPersonUniqueID, eduPersonTargetedID, displayName, sn, givenName, UAID, onemail
UAA.LeanHigherEd.orgcontact Matthieu Ostrander, UAePPN, ePUID, uaUsername, onemail, cn, uakEmployeeDept, uakEmployeeCampus, uakEmployeeMAU, uakEmployeeAffiliation
TMS Tuition Management System UAID, ePUID, displayName, givenName, sn, eduPersonTargetedID, username
UAA Commons online UAA faculty/staff for teachingePPN, uaUsername, uakEmployeeCampus & MAU, displayName, sn, givenName
UAA Ticketspurchase student-discount event tickets cn (common name), displayName, eduPersonAffiliation, mail, uakStudentCampus, creditHoursCurrent
UAS Connect UID, ePUID, UAUsername, canonical email, givenName, sn, displayName, AD group memberships indicating UAS student or employee
Zoomaudio/video/web conferencingdisplayName, ePPN, givenName, sn, canonicalEmail, Zoom roles (AD group memberships in OU=zoom,OU=Services)