(Originally posted at www.ucop.edu/irc/itlc/uctrust/attributes/trustattributes030106.html)
It is essential that UCTrust participants support and use common definitions for certain basic identity attributes. The formal specification of identity management attributes for use within UCTrust, ucEduPerson, is an augmentation of the eduPerson attributes that are used by InCommon. Additional elements may be added from time to time, but the definition and meaning of existing attributes is not expected to change.
Participants need not be able to assert all attributes, but when they do assert an attribute from that schema, the meaning of that attribute must match the definition provided in the specification.
UCTrust: Commonly Defined Identity Attributes
The attributes that all participants should be able to recognize are identified in the table below. Note that while no attributes are required by UCTrust, they have been selected because they are required by services that are commonly offered to members of UCTrust.
The table below lists UCTrust's locally-defined extensions to the InCommon Federated attribute set.
Attribute (Friendly-ish name) | URN | Source | Support | Encoding | Format | Value | Description |
---|---|---|---|---|---|---|---|
UCnetID | urn:oid:2.16.840.1.113916.1.1.4.1 | UCTrust | Current | | Ten digit number | Single | UCnetID, as assigned by UC's Universitywide Demographics Database. The UCnetID is an integer that uniquely identifies a single member of the UC community. It is transmitted between UCOP and the campuses as a ten-character field, with the digits of the UCnetID left-justified within the field. Note that the number of digits in the UCnetID may be increased in the future. |
UCTrustAssurance | urn:oid:2.16.840.1.113916.1.1.5 | UCTrust | ??? | | | Multi | UCTrust Assurance. This multi-valued attribute defines the UCTrust assurance associated with a particular SAML 2.0 assertion. Values for this attribute are of the form urn:mace:universityofcalifornia.edu:ucidentity:attributes:assurance:* |
UC Campus Employee ID (PPS ID) | urn:oid:2.16.840.1.113916.1.1.6 | UCTrust | Legacy | SAMLxScopedString | 9 digit number with campus scope | Single | UC Campus Employee ID. This single-valued attribute contains the nine-digit employee ID (including leading zeros), as defined by the University's Payroll/Personnel System (PPS) and issued by this IdP's campus, qualified by the campus's top domain name [1] provided to InCommon. For example, 012345678@ucla.edu would be the value for employee ID 012345678 at UCLA. Note that the existence of this value does NOT imply an individual is a current employee of the campus. Use eduPersonAffiliation, eduPersonPrimaryAffiliation or eduPersonScopedAffiliation to identify employees. |
UCTrust Short Campus ID (UCTrustCampusIDShort) | urn:oid:2.16.840.1.113916.1.1.7 | UCTrust | Deprecated | | | Single | To facilitate a migration to long identifiers, UCTrustCampusIDShort will be available for a limited transition period of no more than five years. It will not exceed 12 characters in length, will contain only alphanumeric characters, and will not persist for more than five years. |
| | UCTrust | Retired | | | | This attribute was removed following the UCTrust decision to map UCPathEmplid to the existing "inetOrgPerson:employeeNumber" value. |
UCPathEmplid (released as inetOrgPerson:employeeNumber) | urn:oid:2.16.840.1.113730.3.1.3 | UCTrust (reuse of inetOrgPerson) | Current | SAMLxString | 8 digit number | Single | UCPath Emplid, a value assigned by the UCPath HR system. This single-valued attribute contains the 8-character employee ID (including leading zeros) used to uniquely identify individuals stored in the UCPath system. These mostly consist of employees, but also include some contractor, volunteer and similar affiliates. Note that this OID is part of the inetOrgPerson definition (specifically, it represents inetOrgPerson::employeeNumber). The UCTrust-specific use of this OID is to define that it will contain the UCPath Emplid. Note that the existence of this value does NOT imply an individual is a current or past employee of the University. Use eduPersonAffiliation, eduPersonPrimaryAffiliation or eduPersonScopedAffiliation to identify employees. |
UC Campus Student System ID (proposed) | urn:oid:2.16.840.1.113916.1.1.9 | UCTrust | ??? | SAMLxScopedString | (max) 36 alphanumeric characters plus campus scope | Single | UC Campus Student System ID. This single-valued attribute contains the individual's local student system ID as defined by the appropriate campus's Student Information System and issued by this IdP's campus, qualified by the campus's top domain name provided to InCommon. For example, 0111111@ucsc.edu would be the value for the person with the student system ID 0111111 at UCSC. (While this example is only numeric, the identifier is allowed to be alphanumeric.) Identifier lengths are not consistent across campuses, but a maximum identifier length of 36, not counting the campus scope [1], has been agreed to. Note that the existence of this value does NOT imply an individual is a current or past student of the campus. Use eduPersonAffiliation, eduPersonPrimaryAffiliation or eduPersonScopedAffiliation to identify student affiliations. |
eduPersonPrincipalName (aka ePPN) | 1.3.6.1.4.1.5923.1.1.1.6 | eduPerson | Current | SAMLxScopedString | | Single | A scoped identifier for a person. Basically, a common globally-unique SSO ID for the person associated with their campus. It takes the form "user@scope", where "user" is a location-assigned username and "scope" is the campus's internet domain (e.g., campus.edu). |
eduPersonAffiliation | 1.3.6.1.4.1.5923.1.1.1.1 | eduPerson | Current | SAMLxString | Constrained Values | Multi | Specifies the person's relationship(s) to the institution in broad categories such as student, faculty, staff, alum, etc. (see controlled vocabulary). Permissible values: faculty, student, staff, alum, member, affiliate, employee, library-walk-in. |
eduPersonScopedAffiliation | 1.3.6.1.4.1.5923.1.1.1.9 | eduPerson | Current | SAMLxScopedString | Constrained Values | Multi | This value is the same as eduPersonAffiliation, but with a scope ("@campus.edu") appended to each value, e.g., "faculty@berkeley.edu" instead of "faculty". |
eduPersonTargetedID | 1.3.6.1.4.1.5923.1.1.1.10 | eduPerson | Inconsistent; Deprecated | NameID Format | Triplet of data, some opaque | Single | A persistent, non-reassigned, opaque identifier for a principal (user). As an opaque identifier, the value is not easily human readable, nor a value that users will know. In abstract terms, an eduPersonTargetedID value is a tuple consisting of an opaque identifier for the principal, a name for the source of the identifier, and a name for the intended audience of the identifier. The source of the identifier is termed an identity provider and the name of the source takes the form of a SAML V2.0 entityID, which is an absolute URI. The name of the intended audience also takes the form of an absolute URI, and may refer to a single service provider or a collection of service providers (for which SAML V2.0 uses the term "Affiliation", not to be confused with the ordinary eduPerson use of the term). Per the SAML format definition, the identifier portion MUST NOT exceed 256 characters, and the source and audience URI values MUST NOT exceed 1024 characters. In SAML, a service provider is an abstract designation and may or may not refer to a single application or physical system. As a result, and because service providers may be grouped arbitrarily into "Affiliations" for policy purposes, the intended audience of an eduPersonTargetedID may be (and often is) limited to a single "target" application, or may consist of a large number of related applications. This is at the discretion of the identity provider. The value of the principal identifier SHOULD be different for different "audience" values, but this is also at the discretion of the identity provider. This attribute may or may not be stored in a typical Directory Service because of its potential variance by relying party, but it is defined here for use in other service contexts such as Security Assertion Markup Language (SAML) assertions. It is typically used in federated scenarios in which more typical opaque identifiers lack appropriate uniqueness guarantees across multiple identity providers. |
eduPersonUniqueID | | | Emerging | | | | |
eduPersonEntitlement | | | Not supported | | | | |
subject-id | | | Emerging | | | | |
pairwise-id | | | Emerging | | | | |
givenName (FirstName) | | | Current | | | | |
sn (LastName) | | | Current | | | | |
cn (FullName) | | | Current | | | | |
displayName | | | Current | | | | |
These attributes are formally described for LDAP servers as the ucEduPerson object class.
[1] For data element sizing purposes, the longest UC top level domain likely to be used as a "scope" value is "universityofcalifornia.edu" (26 characters, 27 counting the "@" sign).
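As an added example, not part of the original page or of any UCTrust tooling, the following Python checker is what a service provider could run over a released attribute set to enforce the formats, controlled vocabulary, cardinality and campus-scoping rules given in the table above. It assumes the dictionary keys used below as attribute names and that the set of scopes an IdP is registered to assert (its campus top domain, footnote [1]) is already known from federation metadata.

```python
import re

# Controlled vocabulary for eduPersonAffiliation / eduPersonScopedAffiliation (from the table).
AFFILIATIONS = {"faculty", "student", "staff", "alum", "member",
                "affiliate", "employee", "library-walk-in"}

# Per-attribute rules from the table: (scoped?, single-valued?, regex for the local part).
# A None regex means the value must come from AFFILIATIONS. Attribute names are assumed.
RULES = {
    "UCCampusEmployeeID":         (True,  True,  re.compile(r"^[0-9]{9}$")),           # 9 digits
    "UCCampusStudentSystemID":    (True,  True,  re.compile(r"^[A-Za-z0-9]{1,36}$")),  # <= 36 alnum
    "eduPersonPrincipalName":     (True,  True,  re.compile(r"^[^@\s]+$")),            # user@scope
    "eduPersonScopedAffiliation": (True,  False, None),
    "UCPathEmplid":               (False, True,  re.compile(r"^[0-9]{8}$")),           # 8 digits
    "eduPersonAffiliation":       (False, False, None),
}
MAX_SCOPE_LEN = 26  # footnote [1]: longest UC scope, "universityofcalifornia.edu"

def check_value(attr, value, idp_scopes):
    """Validate one asserted value; idp_scopes holds the scopes this IdP may assert.
    Returns (ok, reason)."""
    if attr not in RULES:
        return False, f"unknown attribute {attr!r}"
    scoped, _, pattern = RULES[attr]
    local = value
    if scoped:
        parts = value.split("@")
        if len(parts) != 2 or not parts[0] or not parts[1]:
            return False, "not of the form local@scope"
        local, scope = parts[0], parts[1].lower()
        # Reject a scope the IdP is not registered for: an IdP must not assert another campus's IDs.
        if len(scope) > MAX_SCOPE_LEN or scope not in idp_scopes:
            return False, f"scope {scope!r} is not one this IdP may assert"
    if pattern is None:
        ok = local in AFFILIATIONS
        return ok, "ok" if ok else f"{local!r} not in the affiliation vocabulary"
    if not pattern.match(local):
        return False, f"{local!r} violates the {attr} format"
    return True, "ok"

def check_release(attributes, idp_scopes):
    """Check a released set {attr: [values]}; return a list of (attr, value, reason) failures."""
    failures = []
    for attr, values in attributes.items():
        if attr in RULES and RULES[attr][1] and len(values) > 1:
            failures.append((attr, values, "single-valued attribute released with multiple values"))
        for v in values:
            ok, reason = check_value(attr, v, idp_scopes)
            if not ok:
                failures.append((attr, v, reason))
    return failures
```

A release that passes these checks is well-formed, not necessarily truthful; the affiliation attributes, not the presence of an ID, still decide whether the person is an employee or student.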