
Version 31 (modified by dabantz@…, 12 years ago)


University of Alaska Identity Provider attribute release information

One of the most powerful aspects of a Shibboleth-based Identity Provider (IdP) is the ability to release selected information about the person to a relying application. A relying application never sees your username and password; instead it refers you back to the UA IdP to authenticate ("log in"). If you successfully authenticate to the IdP, the IdP asserts a set of attributes about you back to the relying application using a standard protocol (SAML). Different applications can receive different information; in fact, some applications receive no personally identifiable information about the person who has authenticated. The most current version of this document is actively maintained at https://iam.alaska.edu/trac/wiki/IamUaArp

Attributes

The following explains some of the terminology related to our attribute release policies. Other attributes based on data in the UA Directory (EDIR) (e.g., major, email addresses, office location, employee type) could be released as and if appropriate for other applications.

Names - any of the following may be provided, depending on the requirements of the service

common name - usually a combination of given name and surname; may be multi-valued to include preferred first name and middle initial; examples: William Smith, William A Smith, Bill Smith

display name - a concatenation of your first and last name; it is based on your legal surname and preferred first name as recorded in UA's Human Resources and/or Student Information Systems (Banner); example: John Doe.

given name - legal individual or first name; example: William

surname - legal family or last name; example: Smith

eduPerson attributes - these attributes, defined in national standards, provide an indication of your relationship to the University

eduPersonAffiliation - one or more of the following: Student, Employee, Staff, Faculty, Member, or Affiliate. Member designates a person who is part of the University of Alaska and generally entitled to information services, even if not formally a student or employee; it includes campus-based researchers with external funding, faculty emeriti, and some others. Affiliate designates merely that the person has a record in the UA IdP, but is not automatically eligible for services, and may be used for those with a limited specific affiliation with UA such as short-term guests.

eduPersonEntitlement - this designates permissions or entitlements based on your role(s) at UA, and may additionally be scoped to a department or (in the future) course. For example: for a student in Chemistry at UAF-main campus, learner@urn:mace:alaska.edu:itunesu:UAF - Main Campus:Chemistry

EPPN (eduPersonPrincipalName) - A unique identifier consisting of your UA username followed by "@alaska.edu"; while it has the look of an email address, it does not signify that this is a valid email address or your preferred email address; example: jpjones3@alaska.edu.

eduPersonTargetedID - An opaque identifier unique to the combination of the authenticated person and the application; because it is different for each application, and does not itself reveal the identity of the user, it enables the application to track preferences or make bookmarks for the user, but does not enable that usage information to be correlated with use in other applications or with a real person; example: 84e411ea-7daa-4a57-bbf6-b5cc52981b73

email - an email address indicated as your preferred email address in the UA Enterprise Directory; it may or may not be an @alaska.edu address; examples: gene.kelly@alaska.edu, peterq@arsc.edu

group membership - list of the groups in which you are a member; can be used to designate access permissions or roles within applications; examples: cn=appusers:rightanswersprod:helpdesk,ou=group,dc=alaska,dc=edu, cn=appusers:onbaseprod:transfer_specialist,ou=group,dc=alaska,dc=edu

telephone number - phone number as recorded in the UA Enterprise Directory, like +1 907 474 0123

TKL - A legacy attribute for employees ("Time Keeping Location"); deprecated because it has no firm connection to the employee's department or actual location, but rather indicates one of the locations at which time cards were collected and paychecks distributed.

UA identifiers

UA Campus - UA campus with which you are affiliated; based on home department of employees, and location of student courses and programs; examples: UAF Main, UAS Sitka

UA ID# (bannerid or uaIdentifier) - the unique numeric identifier assigned to all employees and students ("employee ID#", "student ID#") commonly used for UA login and account ids; example: 30123456

UA ID# scoped (uakPersonID) - unique identifier using UA ID# parallel to the name-based EPPN, but using the unchanging numeric ID # assigned to all students and employees; intended to substitute for EPPN when the Service Provider needs an unchanging identifier for each user; example: 30123456@alaska.edu

UA Username (uaSystemID) - the unique name-based identifier commonly used for UA login and account ids; example: jpmorgan

UDCID (UDCIdentifier) - an unchanging, Banner-generated, 32-character, alphanumeric value; it is an opaque (not intended to be human-readable) identifier used in Banner-related applications; example: GXgX9A£4LhGpthOsuyjvu-SKmae2IRzo

Applications

The following applications rely on the UA IdP for authentication and receive the information (attributes) indicated upon successful authentication (login).

AskUA, aka Right Answers (Help Desk Knowledgebase Portal): UA Username, group membership, eduPersonAffiliation

Atomic Learning (instructional videos): surname, given name, UA ID#, EPPN, email, UA Campus, eduPersonAffiliation

Blackboard Connect (Emergency Communications): EPPN, UA ID#, givenName, surname [released under specific attribute names required by this vendor: BBConnectFedID, ContactRefCode, FirstName, LastName]

CTSI (Clinical and Translational Sciences) - see IndianaCTSI

Dreamspark (Microsoft's full suite of software development tools): (none!)

EDUCAUSE (EDUCAUSE Portal): eduPersonTargetedID (PersistentID), EPPN, surname, givenName, email, eduPersonScopedAffiliation (affiliation@alaska.edu)

eduroam (roaming wireless network access): EPPN

EZProxy (access to UAF Rasmuson Library licensed scholarly databases): EPPN, eduPersonEntitlement and standard values of eduPersonAffiliation

Faculty180 (Faculty Activity Reporting): UA ID#, common name, givenName, surname, email

Google (Google Apps for Higher Ed, including email, calendar, docs; currently only in proof-of-concept): UA Username

IndianaCTSI (research, research grant, and collaboration tools): EPPN (researchers will be prompted to provide name and email to the service)

iTunesU (University of Alaska section for podcasts in Apple's iTunes): EPPN, Transient ID, eduPersonTargetedID (old format), eduPersonEntitlement

InfoEd (research administration): EPPN, UA ID#

Intellex (Environmental Health & Safety training): UA Username, UA ID#, email

Kuali Ready (Disaster Recovery Planning): UA ID# scoped, displayName, given name, surname, email, telephone number

NSF (National Science Foundation, including FastLane for PIs): EPPN, given name, surname, common name, email

NIH (National Institutes of Health resources; services tbd): given name, surname, email

Parking @ UAF: EPPN, UA ID#

Spaces (Internet2 wiki at spaces.internet2.edu): EPPN, eduPersonEntitlement and standard values of eduPersonAffiliation

Trac (wiki, technical documentation and internal tracking for IAM-related projects): EPPN

UAlaska network (authenticated access to UA wired network): EPPN

Win for Alaska (Wellness programs for UA Employees): EPPN
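Per-application release lists like the ones above are enforced in a Shibboleth IdP by its attribute filter policy: each relying party is matched by its SAML entityID, and only the attribute values a matching policy explicitly permits are included in the assertion; anything not permitted is withheld. The following is an added illustration, not the UA IdP's actual configuration, written in the Shibboleth IdP 2.x attribute-filter.xml syntax. The two entityIDs are placeholders, and it assumes the IdP's attribute resolver exposes the attributes under the standard IDs eduPersonPrincipalName, eduPersonEntitlement and eduPersonAffiliation. It shows an EPPN-only release (as for Trac) and a release of EPPN, UA-scoped entitlements, and only the standard affiliation values (as for EZProxy or Spaces).

```xml
<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
        xmlns:afp="urn:mace:shibboleth:2.0:afp"
        xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- Policy 1: a service that needs only EPPN.
       The entityID below is a placeholder, not a real UA service. -->
  <afp:AttributeFilterPolicy id="releaseEppnOnly">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://trac.example.invalid/shibboleth"/>
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

  <!-- Policy 2: EPPN, entitlements, and the standard affiliation values.
       Again a placeholder entityID. -->
  <afp:AttributeFilterPolicy id="releaseToLicensedResources">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://ezproxy.example.invalid/shibboleth"/>

    <afp:AttributeRule attributeID="eduPersonPrincipalName">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>

    <!-- Release only entitlement values scoped to UA; any other value
         (e.g. one copied from a partner institution) is filtered out. -->
    <afp:AttributeRule attributeID="eduPersonEntitlement">
      <afp:PermitValueRule xsi:type="basic:AttributeValueRegex"
          regex="^urn:mace:alaska\.edu:.*"/>
    </afp:AttributeRule>

    <!-- Release only the standard affiliation values; any non-standard
         local value present in the directory is withheld. -->
    <afp:AttributeRule attributeID="eduPersonAffiliation">
      <afp:PermitValueRule xsi:type="basic:OR">
        <basic:Rule xsi:type="basic:AttributeValueString" value="student"/>
        <basic:Rule xsi:type="basic:AttributeValueString" value="employee"/>
        <basic:Rule xsi:type="basic:AttributeValueString" value="staff"/>
        <basic:Rule xsi:type="basic:AttributeValueString" value="faculty"/>
        <basic:Rule xsi:type="basic:AttributeValueString" value="member"/>
        <basic:Rule xsi:type="basic:AttributeValueString" value="affiliate"/>
      </afp:PermitValueRule>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

</afp:AttributeFilterPolicyGroup>
```

Two points worth noting for anyone reviewing such a policy. First, the filter is deny-by-default: a relying party with no matching AttributeFilterPolicy receives no attributes at all, which is how an entry such as "Dreamspark: (none!)" is realised without any explicit deny rule. Second, value-level rules (the regex and the OR of fixed strings) are what keep an attribute like eduPersonAffiliation to its documented values, so the check when adding a new application is not only "which attributes" but "which values of each attribute" the service is permitted to see.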