Attributes released by the Raven IdP

From RavenWiki
Revision as of 18:10, 3 March 2009 by jw35 (talk | contribs) (Created)

Following authentication, the IdP on Raven releases various attributes about the authenticated user. Most of these come from, or are derived from, lookup. Each attribute has a formal 'name' (which appears in the protocol messages on the wire); the attribute-map.xml file maps this to a more useful 'id', which in turn is used to name environment variables (on Apache) or server variables (on IIS). An example attribute map is available for use by SPs within the University. This document assumes that this file is in use and that users are authenticating to the Raven IdP; other maps and other IdPs will behave differently.

Exactly what is released will differ depending on how (if at all) the SP is registered with Raven. Registration takes place by providing 'Metadata', which may appear either in the UK federation metadata file or in the local 'Ucam federation' one.

Registered, but with technical errors

No attributes are released. This is a common failure mode and suggests that Raven is finding metadata about the SP but that this metadata does not match reality.

Completely unregistered ('Anonymous')

Raven will release the following attributes with the described values to SPs it knows nothing about:

| Name | Id | Description |
|---|---|---|
| urn:mace:dir:attribute-def:eduPersonPrincipalName | eppn | A single persistent, unique user identifier which is consistent across all services. For a Raven user this has the form <crsid>@cam.ac.uk. It is NOT an email address. |
| urn:mace:dir:attribute-def:eduPersonScopedAffiliation | affiliation | One or more values indicating the authenticated user's relationship with the organisation operating the IdP. For a Raven user this has the value member@cam.ac.uk for anyone who appears in lookup, and the value member@eresources.lib.ac.uk for anyone entitled to access the bulk of University Library-licensed electronic resources. New values may be added over time; applications relying on this attribute should ignore unrecognised values. |
| urn:mace:dir:attribute-def:eduPersonEntitlement | entitlement | One or more values indicating particular entitlements. Currently includes urn:mace:dir:entitlement:common-lib-terms on behalf of anyone entitled to access the general University Library electronic resource collection. New values may be added over time; applications relying on this attribute should ignore unrecognised values. |

Registered SPs

Raven will additionally release the following to any SP for which it has registration data:

| Name | Id | Description |
|---|---|---|
| urn:mace:dir:attribute-def:eduPersonTargetedID | targeted-id | A single persistent, unique user identifier which is consistent for all accesses to a particular SP by a particular user but which will be different for different users and for different services. The recommended attribute map chooses to return this in the form <IdP entityID>!<SP entityID>!<opaque string>, e.g. https://shib.raven.cam.ac.uk/shibboleth!https://mnementh.csi.cam.ac.uk/shibboleth!MlWd0XIR7juZvwvarOVdYiUWPW0= (a default configuration would return the same value as MlWd0XIR7juZvwvarOVdYiUWPW0=@cam.ac.uk; see https://spaces.internet2.edu/display/SHIB2/NativeSPTargetedID for background). |

University SPs

Raven will additionally release the following to any SP for which it has registration data and which it recognises as being operated by the University. Note that many of these values are subject to suppression in lookup and that Raven will only release values that are not suppressed.

| Name | Id | Description |
|---|---|---|
| urn:mace:dir:attribute-def:sn | sn | User's Surname. Single-valued. |
| urn:mace:dir:attribute-def:cn | cn | User's Registered Name. Single-valued. |
| urn:mace:dir:attribute-def:displayName | displayName | User's Display Name. Single-valued. |
| urn:mace:dir:attribute-def:title | title | User's Roles. Multi-valued. |
| urn:mace:dir:attribute-def:ou | ou | The institutions to which the user belongs. Multi-valued. |
| urn:oid:1.3.6.1.4.1.6822.1.1.5 | instID | The 'Inst IDs' of the institutions to which the user belongs. Multi-valued. |
| urn:mace:dir:attribute-def:telephoneNumber | telephoneNumber | User's Telephone Numbers. Multi-valued. |
| urn:mace:dir:attribute-def:mail | mail | User's preferred email address. Single-valued. |
| urn:oid:1.3.6.1.4.1.6822.1.1.11 | mailAlternative | User's other mail addresses. Multi-valued. |
| urn:oid:1.3.6.1.4.1.6822.1.1.38 | misAffiliation | User's 'status' within the University. Possible values are staff and/or student. New values may be added over time; applications relying on this attribute should ignore unrecognised values. Note: the coverage of this attribute is known to be incomplete. Anyone with the value student probably is a student (for some definition thereof); anyone without it may or may not be a student. Ditto for 'staff'. Multi-valued. |
| urn:oid:1.3.6.1.4.1.6822.1.1.22 | groupID | The groupID of the lookup groups to which the user belongs. Multi-valued. Note that the availability of this attribute is subject to both the user's choice of suppression and the group administrator's. |
| urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | persistent-id | An alternate form of a persistent, unique user identifier which is consistent for all accesses to a particular SP by a particular user but which will be different for different users and for different services (cf. targeted-id above). Returned in the same format as targeted-id above. See https://spaces.internet2.edu/display/SHIB2/NativeSPTargetedID for background to this duplication. |
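The three tables above describe attributes an application sees only as variables named by the attribute map's 'id'. The following is an added example of consuming them on the SP side; it is not code from this page or from the Raven or Shibboleth projects. It assumes the SP hands the application a plain mapping of id to value (os.environ under Apache, or a WSGI environ), that multi-valued attributes are joined with ';' (the Shibboleth SP default), that the recommended map's <IdP entityID>!<SP entityID>!<opaque string> form of targeted-id is in use, and it uses a hypothetical SP entityID and constructed sample values. It checks the eppn scope, ignores unrecognised affiliation and entitlement values as the tables ask, validates both qualifiers of targeted-id, and treats a missing eppn as the "registered, but with technical errors" case.

```python
"""Consume the attributes Raven releases, as exported by a Shibboleth SP.

Added example; not code from the RavenWiki page or from Raven/Shibboleth.
Assumptions: each attribute-map 'id' arrives as a variable of the same name
in a plain mapping; multi-valued attributes are joined with ';' (the
Shibboleth SP default); targeted-id uses the recommended map's
'<IdP entityID>!<SP entityID>!<opaque string>' form.
"""
from dataclasses import dataclass, field
from typing import List, Mapping, Optional

MULTI_VALUE_SEP = ";"                  # Shibboleth SP default (assumption)
RAVEN_IDP = "https://shib.raven.cam.ac.uk/shibboleth"
USER_SCOPE = "cam.ac.uk"               # eppn is <crsid>@cam.ac.uk, not an email address
MEMBER_AFFILIATION = "member@cam.ac.uk"
LIB_AFFILIATION = "member@eresources.lib.ac.uk"
LIB_ENTITLEMENT = "urn:mace:dir:entitlement:common-lib-terms"
SP_ENTITY_ID = "https://sp.example.ac.uk/shibboleth"   # hypothetical SP entityID


class RavenAttributeError(ValueError):
    """A released attribute is missing or is not what this SP expects."""


def split_multi(raw: Optional[str]) -> List[str]:
    """Split a multi-valued attribute into its values; absent or empty -> []."""
    return [v for v in (raw or "").split(MULTI_VALUE_SEP) if v]


def parse_crsid(eppn: Optional[str]) -> str:
    """Check that eppn has the form <crsid>@cam.ac.uk and return the crsid."""
    if not eppn:
        # Raven releases eppn even to unregistered SPs, so its absence usually
        # means metadata was found but does not match the SP (see the page's
        # 'Registered, but with technical errors' case).
        raise RavenAttributeError("no eppn released: check the SP's metadata registration")
    local, sep, scope = eppn.rpartition("@")
    if not sep or not local or scope != USER_SCOPE:
        raise RavenAttributeError(f"eppn {eppn!r} is not a Raven identifier")
    return local


def parse_targeted_id(raw: str, sp_entity_id: str) -> str:
    """Split '<IdP entityID>!<SP entityID>!<opaque string>', check both
    qualifiers and return the opaque per-user, per-SP string."""
    parts = raw.split("!")
    if len(parts) != 3:
        raise RavenAttributeError("targeted-id is not in the IdP!SP!opaque form")
    idp, sp, opaque = parts
    if idp != RAVEN_IDP:
        raise RavenAttributeError(f"targeted-id issued by unexpected IdP {idp!r}")
    if sp != sp_entity_id:
        raise RavenAttributeError("targeted-id was issued for a different SP")
    if not opaque:
        raise RavenAttributeError("targeted-id has an empty opaque component")
    return opaque


@dataclass
class RavenUser:
    crsid: str
    is_member: bool              # member@cam.ac.uk affiliation present
    has_library_access: bool     # library affiliation or entitlement present
    targeted_id: Optional[str]   # None when the SP is unregistered ('anonymous')
    registration: str            # 'anonymous', 'registered' or 'university'
    roles: List[str] = field(default_factory=list)
    institutions: List[str] = field(default_factory=list)
    mail: Optional[str] = None


def load_user(env: Mapping[str, str], sp_entity_id: str = SP_ENTITY_ID) -> RavenUser:
    """Build a RavenUser from the exported attribute ids, ignoring unknown values."""
    crsid = parse_crsid(env.get("eppn"))
    affiliations = set(split_multi(env.get("affiliation")))
    entitlements = set(split_multi(env.get("entitlement")))
    # Both attributes may gain new values over time: test only for known ones.
    is_member = MEMBER_AFFILIATION in affiliations
    has_lib = LIB_AFFILIATION in affiliations or LIB_ENTITLEMENT in entitlements

    raw_tid = env.get("targeted-id")
    opaque = parse_targeted_id(raw_tid, sp_entity_id) if raw_tid else None
    registration = "anonymous" if opaque is None else "registered"
    # The personal attributes are released only to University-operated SPs.
    if any(k in env for k in ("sn", "cn", "displayName", "ou", "mail")):
        registration = "university"
    return RavenUser(crsid, is_member, has_lib, opaque, registration,
                     roles=split_multi(env.get("title")),
                     institutions=split_multi(env.get("ou")),
                     mail=env.get("mail") or None)


# Constructed sample environments (not real Raven output); the opaque string
# is the page's own example value, and 'future-value@cam.ac.uk' stands in for
# an affiliation value the application does not recognise.
ANON_SP_ENV = {
    "eppn": "abc123@cam.ac.uk",
    "affiliation": "member@cam.ac.uk;member@eresources.lib.ac.uk;future-value@cam.ac.uk",
    "entitlement": LIB_ENTITLEMENT,
}
UNIVERSITY_SP_ENV = {
    **ANON_SP_ENV,
    "targeted-id": f"{RAVEN_IDP}!{SP_ENTITY_ID}!MlWd0XIR7juZvwvarOVdYiUWPW0=",
    "sn": "Example", "cn": "A. Example", "displayName": "Alex Example",
    "title": "Staff;Lecturer", "ou": "Computing Service;Example College",
    "mail": "abc123@cam.ac.uk",
}

if __name__ == "__main__":
    for label, env in (("anonymous SP", ANON_SP_ENV), ("University SP", UNIVERSITY_SP_ENV)):
        print(label, load_user(env))
```

Because the qualifiers are checked, a targeted-id minted for another SP, or by an IdP other than Raven, is rejected rather than silently used as a user key; an application that wants the shorter default form can still derive it from the opaque component, but it should not compare values across SPs, since the tables say they differ per service.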