Child pages
  • eduPersonPrincipalName
Skip to end of metadata
Go to start of metadata


This page is being updated and refined - the information on it is not yet considered to be "official". Thanks for your understanding!

eduPersonPrincipalName, also commonly referred to as ePPN, is the identifier of the person for the purposes of inter-institutional authentication. It should be represented in the form "user@scope" where scope defines a local security domain.


Because of its ubiquity (all logged in users have logon IDs), ePPN is often used as the key identifier in local applications. However, application developers should remember that ePPN is not guaranteed to be unique and persistent over time. At UCLA, a person's logon ID may change over time. In addition, while it is not currently done, logon ID may be reassigned in the future. If your application requires a unique, persistent identifier, please use eduPersonTargetedID or uclaPPID instead.

eduPersonPrincipalName is a calculated attribute based on data in the Enterprise Directory. It takes the form of:


for example, a user with the logon ID "joebruin" has an ePPN of:

Note: While it looks similar, an ePPN is not an email address. Having an ePPN does not necessarily mean that person has an email address of the same value.

Release Policy

UCLA does not by default release this attribute to service providers. Each service provider is required to submit a request for data access and is subject to data privacy review from campus data stewards.

For additional information, please contact Albert Wu

See Also

The Official eduPerson Object Class Definition


This is the usage of this attribute in the attribute-map.xml file. For more information about Mapping the attribute please visit Shibboleth wiki.

  <Attribute name="urn:oid:" id="SHIBEDUPERSONPRINCIPALNAME">
	<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
  • No labels