IT Services will migrate spaces.ais.ucla.edu content to the Atlassian Confluence Cloud. Spaces will be in read-only mode after June 22nd.
(Originally posted at www.ucop.edu/irc/itlc/uctrust/attributes/trustattributes030106.html)
It is essential that UCTrust participants support and use common definitions for certain basic identity attributes. The formal specification of identity management attributes for use within UCTrust, ucEduPerson, is an augmentation of the eduPerson attributes that are used by InCommon. Additional elements may be added from time to time but the definition and meaning of existing attributes is not expected to change.
Participants need not be able to assert all attributes but when they do assert an attribute from that schema the meaning of that attribute must match the definition provided in the specification.
UCTrust: Commonly Defined Identity Attributes
The attributes that all participants should be able to recognize is identified in the table below. Note that while no attributes are required by UCTrust, they have been selected because they are required by services that are commonly offered to members of UCTrust.
The table below lists UCTrust's locally-defined extensions to the InCommon Federated attribute set.
Attribute | URN | Encoding | Format | Multi/Single Valued | Description |
|---|---|---|---|---|---|
UCnetID | urn:oid:2.16.840.1.113916.1.1.4.1 | Ten Digit number | Single | UCnetID, as assigned by UC's Universitywide Demographics Database. The UCnetID is an integer that uniquely identifies a single member of the UC community. This integer is transmitted between UCOP and the campuses in the form of a ten-character field with the digits representing the UCnetID left justified within the field. Note that the number of digits in the UCnetID may be increased in the future. | |
UCTrustAssurance | urn:oid:2.16.840.1.113916.1.1.5 | Multi | UCTrust Assurance. This multivalued attribute defines the UCTrust assurance associated with a particular SAML-2 assertion. Values for this attribute are of the form urn:mace:universityofcalifornia.edu:ucidentity:attributes:assurance:* | ||
UC Campus Employee ID | urn:oid:2.16.840.1.113916.1.1.6 | SAMLxScopedString | 9 digit number with campus scope | Single | UC Campus Employee ID. This single-valued attribute contains the nine-digit employee ID (including leading zeros), as defined by the University's Payroll/Personnel System (PPS) and issued by this IdP's campus, qualified by the campus's top domain name [1] provided to InCommon. For example, 012345678@ucla.edu would be the value for employee ID 012345678 at UCLA. Note, existence of this value does NOT imply an individual is a current employee of the campus. Use eduPersonAffiliation, eduPersonPrimaryAffiliation or eduPersonScopedAffiliation to identify employees. |
UCTrust Short Campus ID | urn:oid:2.16.840.1.113916.1.1.7 | Single | To facilitate a migration to long identifiers, UCTrustCampusIDShort, will be available for a limited transition period, no more than five years. It will not exceed 12 characters in length, it will contain only alphanumeric characters, and its persistence will not be greater than five years.
| ||
| This attribute was removed following UCTrust decision to map UCPathEmplid to the existing "inetOrgPerson:employeeNumber" value. | ||||
| UCPathEmplid (released as inetOrgPerson:employeeNumber) | urn:oid:2.16.840.1.113730.3.1.3 | SAMLxString | 8 digit number | Single | UCPath Emplid, a value assigned by the UCPath HR system. This single valued attribute contains the 8 character employee id (including leading zeros) used to uniquely identify individuals stored in the UCPath system. These mostly consist of employees, but also include some contractor, volunteer and similar type affiliates. Note that this OID is part of the inetOrgPerson defintion (specifically, it represents inetOrgperson::employeeNumber). The UCTrust-specific use of this OID is to define that it will contain the UCPath Emplid. Note, existence of this value does NOT imply an individual is a current or past employee of the University. Use eduPersonAffiliation, eduPersonPrimaryAffiliation or eduPersonScopedAffiliation to identify employees. |
| UC Campus Student System ID (proposed) | urn:oid:2.16.840.1.113916.1.1.9 | SAMLxScopedString | (max) 36 alpha-numeric characters plus campus scope | Single | UC Campus Student System ID. This single-valued attribute contains the individual's local student system ID as defined by the appropriate campus' Student Information System and issued by this IdP's campus, qualified by the campus's top domain name provided to InCommon. For example, 0111111@ucsc.edu would be the value for the person with the student system ID of 0111111 at UCSC. (While this example is only numeric, the identifier is allowed to be alpha-numeric). Identifier lengths are not consistent across campuses, but a maximum identifier length of 36, not counting the campus scope[1], has been agreed to. Note, existence of this value does NOT imply an individual is a current or past student of the campus. Use eduPersonAffiliation, eduPersonPrimaryAffiliation or eduPersonScopedAffiliation to identify student affiliations. |
These attributes are formally described for LDAP servers as the ucEduPerson object class.
[1] For data element sizing purposes, the longest UC top level domain likely to be used as a "scope" value is "universityofcalifornia.edu" (26 characters, 27 counting the "@" sign).