
eduPersonPrincipalName, also commonly referred to as ePPN, is the identifier of the person for the purposes of inter-institutional authentication. It should be represented in the form "user@scope" where scope defines a local security domain.


Because of its ubiquity (all logged-in users have logon IDs), ePPN is often used as the key identifier in local applications. However, application developers should remember that ePPN is not guaranteed to be unique and persistent over time. At UCLA, a person's logon ID may change over time. In addition, while it is not currently done, logon IDs may be reassigned in the future. If your application requires a unique, persistent identifier, please use eduPersonTargetedID or uclaPPID instead.

eduPersonPrincipalName is a calculated attribute based on data in the Enterprise Directory. It takes the form of:


for example, a user with the logon ID "joebruin" has an ePPN of:

Note: While it looks similar, an ePPN is not an email address. Having an ePPN does not necessarily mean that person has an email address of the same value.
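The persistence caveat above, shown as an added example that is not UCLA or Shibboleth code: a service provider keys its local accounts on the persistent identifier and treats ePPN as a mutable label, so a changed or reassigned logon ID never hands one person's account to another. The class name, the attribute dictionary keys and the scope "example.edu" are assumptions made for illustration.

```python
# Added example: key local accounts on a persistent identifier, not on ePPN.
# AccountStore, the attrs keys and all sample values are assumptions for
# illustration; they are not part of any UCLA or Shibboleth interface.

EXPECTED_SCOPE = "example.edu"  # constructed scope; use your IdP's real scope


def parse_eppn(value, expected_scope=EXPECTED_SCOPE):
    """Split 'user@scope' and reject values from an unexpected security domain."""
    user, sep, scope = value.rpartition("@")
    if not sep or not user or "@" in user:
        raise ValueError("ePPN must have the form user@scope")
    if scope.lower() != expected_scope:
        raise ValueError("unexpected scope: " + scope)
    return user, scope.lower()


class AccountStore:
    """Accounts are keyed by persistent ID; ePPN is only a mutable label."""

    def __init__(self):
        self.by_pid = {}      # persistent_id -> current ePPN (None if lost)
        self.eppn_owner = {}  # ePPN -> persistent_id that last presented it

    def login(self, attrs):
        pid = attrs["persistent_id"]  # e.g. eduPersonTargetedID or uclaPPID
        user, scope = parse_eppn(attrs["eppn"])
        eppn = user + "@" + scope
        events = []
        previous_owner = self.eppn_owner.get(eppn)
        if previous_owner is not None and previous_owner != pid:
            # Logon ID was reassigned: the old account must not be handed over.
            events.append("eppn_reassigned")
            self.by_pid[previous_owner] = None
        old_eppn = self.by_pid.get(pid)
        if pid not in self.by_pid:
            events.append("account_created")
        elif old_eppn != eppn:
            # Same person, new logon ID: keep the account, update the label.
            events.append("eppn_changed")
            if old_eppn is not None:
                self.eppn_owner.pop(old_eppn, None)
        self.by_pid[pid] = eppn
        self.eppn_owner[eppn] = pid
        return pid, events
```

An application that looked accounts up by ePPN alone would treat the "eppn_reassigned" case as a returning user; logging that event gives operators a record of every reassignment the application has seen.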

Release Policy

UCLA does not by default release this attribute to service providers. Each service provider is required to submit a request for data access and is subject to data privacy review from campus data stewards.

For additional information, please contact Albert Wu

See Also

The Official eduPerson Object Class Definition


This attribute is mapped in the attribute-map.xml file as shown below. For more information about mapping the attribute, please visit the Shibboleth wiki.

  <Attribute name="urn:oid:" id="SHIBEDUPERSONPRINCIPALNAME">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
  </Attribute>