UCTrust Workgroup
Child pages
  • UCTrust Standard Attributes and SAML OIDs

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 11 Next »

(Originally posted at www.ucop.edu/irc/itlc/uctrust/attributes/trustattributes030106.html)

It is essential that UCTrust participants support and use common definitions for certain basic identity attributes. The formal specification of identity management attributes for use within UCTrust, ucEduPerson, is an augmentation of the eduPerson attributes that are used by InCommon.  Additional elements may be added from time to time but the definition and meaning of existing attributes is not expected to change.

Participants need not be able to assert all attributes but when they do assert an attribute from that schema the meaning of that attribute must match the definition provided in the specification.

UCTrust: Commonly Defined Identity Attributes

The attributes that all participants should be able to recognize is identified in the table below. Note that while no attributes are required by UCTrust, they have been selected because they are required by services that are commonly offered to members of UCTrust.

The table below lists UCTrust's locally-defined extensions to the InCommon Federated attribute set.


Attribute (Friendly-ish name)

URN

SourceSupportEncodingFormat

Value

Description

UCnetID

urn:oid:2.16.840.1.113916.1.1.4.1

UCTrustCurrent
Ten Digit numberSingle

UCnetID, as assigned by UC's Universitywide Demographics Database.  The UCnetID is an integer that uniquely identifies a single member of the UC community.  This integer is transmitted between UCOP and the campuses in the form of a ten-character field with the digits representing the UCnetID left justified within the field.  Note that the number of digits in the UCnetID may be increased in the future.

UCTrustAssurance

urn:oid:2.16.840.1.113916.1.1.5

UCTrust???

Multi

UCTrust Assurance.  This multivalued attribute defines the UCTrust assurance associated with a particular SAML-2 assertion.  Values for this attribute are of the form urn:mace:universityofcalifornia.edu:ucidentity:attributes:assurance:*

UC Campus Employee ID (PPS ID)

urn:oid:2.16.840.1.113916.1.1.6

UCTrustLegacySAMLxScopedString9 digit number with campus scopeSingle

UC Campus Employee ID. This single-valued attribute contains the nine-digit employee ID (including leading zeros), as defined by the University's Payroll/Personnel System (PPS) and issued by this IdP's campus, qualified by the campus's top domain name [1] provided to InCommon. For example, 012345678@ucla.edu would be the value for employee ID 012345678 at UCLA.

Note, existence of this value does NOT imply an individual is a current employee of the campus. Use eduPersonAffiliation, eduPersonPrimaryAffiliation or eduPersonScopedAffiliation to identify employees.

UCTrust Short Campus ID

urn:oid:2.16.840.1.113916.1.1.7

UCTrustDeprecated

Single

To facilitate a migration to long identifiers, UCTrustCampusIDShort, will be available for a limited transition period, no more than five years. It will not exceed 12 characters in length, it will contain only alphanumeric characters, and its persistence will not be greater than five years.

  • It will be scoped in a non-standard way. The format will be two characters to designate the UC location, followed by no more than 10 alphanumeric characters assigned by that location. For example, “RI1234567890” could designate Jane Doe at UC Riverside. The following are the two-character location codes:
    • BE - UC Berkeley
    • DA - UC Davis
    • IR - UC Irvine
    • LA - UC Los Angeles
    • ME - UC Merced
    • RI - UC Riverside
    • SD - UC San Diego
    • SF - UC San Francisco
    • SB - UC Santa Barbara
    • SC - UC Santa Cruz
    • OP - UC Office of the President
    • LB - Lawrence Berkeley National Labs
  • It will not be reassigned to more than one person by the same campus within the five-year lifetime of the identifier.
  • Duplicate identifiers for an individual should be rare from a single campus, but are allowed.
  • Duplicates will occur for people who are assigned UCTrustCampusIDShort's by multiple campuses.
  • UCTrustCampusIDShort will be deprecated on or before July 1, 2012. If at any time before that date there are no current applications that need UCTrustCampusIDShort to operate, the UCTrust Work Group may choose to deprecate it sooner.
UCPathEmplid

urn:oid:2.16.840.1.113916.1.1.8

UCTrustRetired


This attribute was removed following UCTrust decision to map UCPathEmplid to the existing "inetOrgPerson:employeeNumber" value.

UCPathEmplid (released as inetOrgPerson:employeeNumber)urn:oid:2.16.840.1.113730.3.1.3

UCTrust

(reuse of inetOrgPerson)

CurrentSAMLxString8 digit numberSingle

UCPath Emplid, a value assigned by the UCPath HR system. This single valued attribute contains the 8 character employee id (including leading zeros) used to uniquely identify individuals stored in the UCPath system. These mostly consist of employees, but also include some contractor, volunteer and similar type affiliates.

Note that this OID is part of the inetOrgPerson defintion (specifically, it represents inetOrgperson::employeeNumber). The UCTrust-specific use of this OID is to define that it will contain the UCPath Emplid.

Note, existence of this value does NOT imply an individual is a current or past employee of the University. Use eduPersonAffiliation, eduPersonPrimaryAffiliation or eduPersonScopedAffiliation to identify employees.

UC Campus Student System ID (proposed)urn:oid:2.16.840.1.113916.1.1.9UCTrust???SAMLxScopedString(max) 36 alpha-numeric characters plus campus scopeSingle

UC Campus Student System ID. This single-valued attribute contains the individual's local student system ID as defined by the appropriate campus' Student Information System and issued by this IdP's campus, qualified by the campus's top domain name provided to InCommon. For example, 0111111@ucsc.edu would be the value for the person with the student system ID of 0111111 at UCSC. (While this example is only numeric, the identifier is allowed to be alpha-numeric).

Identifier lengths are not consistent across campuses, but a maximum identifier length of 36, not counting the campus scope[1], has been agreed to.

Note, existence of this value does NOT imply an individual is a current or past student of the campus. Use eduPersonAffiliation, eduPersonPrimaryAffiliation or eduPersonScopedAffiliation to identify student affiliations.

eduPersonPrincipleName

(aka ePPN)

1.3.6.1.4.1.5923.1.1.1.6eduPersonCurrentSAMLxScopedString
Single

Definition

A scoped identifier for a person. Basically, a common globally-unique SSO ID for the person associated with their campus.

It will take the form "user@scope" where 'user' is a location-assigned username and the "scope" is the campus' internet domain (e.g., campus.edu). 


eduPersonAffiliation1.3.6.1.4.1.5923.1.1.1.1eduPersonCurrentSAMLxStringConstrained ValuesMulti

Definition

Specifies the person's relationship(s) to the institution in broad categories such as student, faculty, staff, alum, etc. (See controlled vocabulary).

Permissible values

faculty, student, staff, alum, member, affiliate, employee, library-walk-in


eduPersonScopedAffiliation1.3.6.1.4.1.5923.1.1.1.9eduPersonCurrentSAMLxScopedStringConstrained ValuesMultiThis value is the same as eduPersonAffiliation, but with a scope ("@campus.edu") appended to each value. E.g., "faculty@berkeley.edu" instead of "faculty".  
eduPersonTargetedID1.3.6.1.4.1.5923.1.1.1.10eduPerson

Inconsistent

Deprecated

NameID FormatTriplet of data, some opaqueSingle

Definition

A persistent, non-reassigned, opaque identifier for a principal (user).

As an opaque identifier, the value is not easily human readable, or a value that users will know. Because of the technical construction of   

In abstract terms, an eduPersonTargetedID value is a tuple consisting of an opaque identifier for the principal, a name for the source of the identifier, and a name for the intended audience of the identifier. The source of the identifier is termed an identity provider and the name of the source takes the form of a SAML V2.0 entityID, which is an absolute URI. The name of the intended audience also takes the form of an absolute URI, and may refer to a single service provider or a collection of service providers (for which SAML V2.0 uses the term "Affiliation", not to be confused with the ordinary eduPerson use of the term).

Per the SAML format definition, the identifier portion MUST NOT exceed 256 characters, and the source and audience URI values MUST NOT exceed 1024 characters.

In SAML, a service provider is an abstract designation and may or may not refer to a single application or physical system. As a result, and because service providers may be grouped arbitrarily into "Affiliations" for policy purposes, the intended audience of an eduPersonTargetedID may be (and often is) limited to a single "target" application, or may consist of a large number of related applications. This is at the discretion of the identity provider. The value of the principal identifier SHOULD be different for different "audience" values, but this is also at the discretion of the identity provider.

This attribute may or may not be stored in a typical Directory Service because of its potential variance by relying party, but it is defined here for use in other service contexts such as Security Assertion Markup Language (SAML) assertions. It is typically used in federated scenarios in which more typical opaque identifiers lack appropriate uniqueness guarantees across multiple identity providers.

eduPersonUniqueID

Emerging



eduPersonEntitlement

Not supported



subject-id

Emerging



pairwise-id

Emerging



givenName (FirstName)

Current



sn (LastName)

Current



cn (FullName)

Current



displayName

Current



mail

Current












These attributes are formally described for LDAP servers as the ucEduPerson object class.

[1] For data element sizing purposes, the longest UC top level domain likely to be used as a "scope" value is "universityofcalifornia.edu" (26 characters, 27 counting the "@" sign).


  • No labels