UCTrust: Common Identity Attributes
(Originally posted at www.ucop.edu/irc/itlc/uctrust/attributes/trustattributes030106.html)
It is essential that UCTrust participants support and use common definitions for certain basic identity attributes. The formal specification of identity management attributes for use within UCTrust, ucEduPerson, is an augmentation of the eduPerson attributes that are used by InCommon. Additional elements may be added from time to time but the definition and meaning of existing attributes is not expected to change.
Participants need not be able to assert all attributes, but when they do assert an attribute from that schema, the meaning of that attribute must match the definition provided in the specification.
The attributes that all participants should be able to recognize are identified in the table below. Note that, while UCTrust itself requires no attributes, these have been selected because they are required by services offered to members of UCTrust.
The table below shows UCTrust's extensions to the InCommon attribute set.
Attribute | URN | Description |
---|---|---|
UCnetID | urn:oid:2.16.840.1.113916.1.1.4.1 | UCnetID, as assigned by UC's Universitywide Demographics Database. The UCnetID is an integer that uniquely identifies a single member of the UC community. This integer is transmitted between UCOP and the campuses in the form of a ten-character field, with the digits representing the UCnetID left-justified within the field. Note that the number of digits in the UCnetID may be increased in the future. |
UCTrustAssurance | urn:oid:2.16.840.1.113916.1.1.5 | UCTrust Assurance. This multivalued attribute defines the UCTrust assurance associated with a particular SAML 2 assertion. Values for this attribute are of the form urn:mace:universityofcalifornia.edu:ucidentity:attributes:assurance:* |
UC Campus Employee ID | urn:oid:2.16.840.1.113916.1.1.6 | UC Campus Employee ID. This single-valued attribute contains the nine-digit employee ID (including leading zeros), as defined by the University's Payroll/Personnel System (PPS) and issued by this IdP's campus, qualified by the campus's top domain name provided to InCommon. For example, 012345678@ucla.edu would be the value for employee ID 012345678 at UCLA. |
UCTrust Short Campus ID | urn:oid:2.16.840.1.113916.1.1.7 | To facilitate a migration to long identifiers, UCTrustCampusIDShort will be available for a limited transition period of no more than five years. It will not exceed 12 characters in length, it will contain only alphanumeric characters, and its persistence will not be greater than five years. |
UCPathEmplid | urn:oid:2.16.840.1.113916.1.1.8 | UCPath Emplid, assigned by the UCPath HR system. This single-valued attribute contains the eight-character employee ID (including leading zeros) used to uniquely identify individuals stored in the UCPath system, mostly employees, but also including some contractor, volunteer and similar affiliates. |
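As an added example (not code from the original page or from UCTrust), the following Python validator shows what a service provider would run over an incoming SAML attribute statement to check each value against the definitions in the table: the ten-character left-justified UCnetID field, the URN prefix of UCTrustAssurance, the nine-digit scoped employee ID, the length and character-set limits on the short campus ID, and the eight-character UCPathEmplid. The attribute statement is modelled as a dict from OID URN to a list of string values. Assumptions not stated on the page: `idp_scope` (the campus domain the SP has on record for the asserting IdP, presumed to come from federation metadata) and the check that the employee ID's scope matches it; that UCnetID and the short campus ID are single-valued; that UCPathEmplid is all digits; and every sample value other than the page's own `012345678@ucla.edu`.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# OIDs exactly as listed in the UCTrust attribute table above.
OID_UCNETID = "urn:oid:2.16.840.1.113916.1.1.4.1"
OID_UCTRUST_ASSURANCE = "urn:oid:2.16.840.1.113916.1.1.5"
OID_UC_CAMPUS_EMPLOYEE_ID = "urn:oid:2.16.840.1.113916.1.1.6"
OID_UCTRUST_CAMPUS_ID_SHORT = "urn:oid:2.16.840.1.113916.1.1.7"
OID_UCPATH_EMPLID = "urn:oid:2.16.840.1.113916.1.1.8"

# Every UCTrustAssurance value must be under this URN prefix.
ASSURANCE_PREFIX = "urn:mace:universityofcalifornia.edu:ucidentity:attributes:assurance:"

UCNETID_FIELD_WIDTH = 10
DIGITS_RE = re.compile(r"^[0-9]+$")
EMPLOYEE_ID_RE = re.compile(r"^([0-9]{9})@([A-Za-z0-9.-]+)$")  # nine digits, '@', campus domain
SHORT_CAMPUS_ID_RE = re.compile(r"^[A-Za-z0-9]{1,12}$")         # alphanumeric, at most 12 chars
UCPATH_EMPLID_RE = re.compile(r"^[0-9]{8}$")                    # assumption: all 8 characters are digits


def parse_ucnetid(field_value: str) -> int:
    """Decode the ten-character, left-justified UCnetID field into an integer.

    Digits occupy the start of the field and the rest is padding. Assumption: the
    padding is spaces and may already have been trimmed in transit, so a bare digit
    string shorter than the field width is accepted as well.
    """
    if len(field_value) > UCNETID_FIELD_WIDTH:
        raise ValueError(f"field wider than {UCNETID_FIELD_WIDTH} characters")
    digits = field_value.rstrip(" ")
    if not DIGITS_RE.match(digits):
        raise ValueError("field must hold digits left-justified in space padding")
    return int(digits)


@dataclass
class UCTrustIdentity:
    ucnetid: int | None = None
    assurance: set[str] = field(default_factory=set)
    employee_id: str | None = None
    short_campus_id: str | None = None
    ucpath_emplid: str | None = None
    problems: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def _single(attrs: dict[str, list[str]], oid: str, name: str, problems: list[str]) -> str | None:
    """Return the one value of a single-valued attribute, or None (recording a problem if several)."""
    values = attrs.get(oid, [])
    if len(values) > 1:
        problems.append(f"{name} is single-valued but {len(values)} values were asserted")
        return None
    return values[0] if values else None


def validate_uctrust_attributes(attrs: dict[str, list[str]], idp_scope: str) -> UCTrustIdentity:
    """Check a SAML attribute statement (OID URN -> list of values) against the UCTrust definitions.

    idp_scope is the campus top domain the SP has on record for the asserting IdP
    (assumed to come from federation metadata). A scoped employee ID is accepted only
    when its scope matches, so one campus's IdP cannot assert another campus's IDs.
    """
    ident = UCTrustIdentity()
    p = ident.problems

    raw = _single(attrs, OID_UCNETID, "UCnetID", p)  # assumed single-valued
    if raw is not None:
        try:
            ident.ucnetid = parse_ucnetid(raw)
        except ValueError as exc:
            p.append(f"UCnetID: {exc}")

    for value in attrs.get(OID_UCTRUST_ASSURANCE, []):  # multivalued
        if value.startswith(ASSURANCE_PREFIX) and len(value) > len(ASSURANCE_PREFIX):
            ident.assurance.add(value)
        else:
            p.append(f"UCTrustAssurance value {value!r} is not under {ASSURANCE_PREFIX}")

    raw = _single(attrs, OID_UC_CAMPUS_EMPLOYEE_ID, "UC Campus Employee ID", p)
    if raw is not None:
        m = EMPLOYEE_ID_RE.match(raw)
        if m is None:
            p.append(f"UC Campus Employee ID {raw!r} is not nine digits qualified by a campus domain")
        elif m.group(2).lower() != idp_scope.lower():
            p.append(f"UC Campus Employee ID scope {m.group(2)!r} does not match IdP scope {idp_scope!r}")
        else:
            ident.employee_id = raw

    raw = _single(attrs, OID_UCTRUST_CAMPUS_ID_SHORT, "UCTrust Short Campus ID", p)  # assumed single-valued
    if raw is not None:
        if SHORT_CAMPUS_ID_RE.match(raw):
            ident.short_campus_id = raw
        else:
            p.append(f"UCTrust Short Campus ID {raw!r} is longer than 12 characters or not alphanumeric")

    raw = _single(attrs, OID_UCPATH_EMPLID, "UCPathEmplid", p)
    if raw is not None:
        if UCPATH_EMPLID_RE.match(raw):
            ident.ucpath_emplid = raw
        else:
            p.append(f"UCPathEmplid {raw!r} is not eight digits")

    return ident


# Constructed sample attribute statement; only 012345678@ucla.edu is taken from the page.
SAMPLE_ASSERTION = {
    OID_UCNETID: ["1234567   "],                                  # digits left-justified in 10 chars
    OID_UCTRUST_ASSURANCE: [ASSURANCE_PREFIX + "example-level"],  # placeholder assurance value
    OID_UC_CAMPUS_EMPLOYEE_ID: ["012345678@ucla.edu"],
    OID_UCTRUST_CAMPUS_ID_SHORT: ["ABC123"],
    OID_UCPATH_EMPLID: ["00012345"],
}

if __name__ == "__main__":
    for scope in ("ucla.edu", "othercampus.example"):  # second scope is a made-up mismatch
        result = validate_uctrust_attributes(SAMPLE_ASSERTION, scope)
        print(scope, "OK" if result.ok else result.problems)
```

The validator collects every problem rather than stopping at the first, so an SP can log the full list and then refuse the session if `ok` is false; the scope comparison is the check that matters most, since without it a format-valid employee ID from the wrong campus would be accepted at face value.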
These attributes are formally described for LDAP servers as the ucEduPerson object class.
The entire registry of UC Object Identifiers (OIDs) and Uniform Resource Names (URNs) is provided in URNs and OIDs for the University of California.