This document describes the NameID formats and attributes that can be released by the UW Identity Provider (IdP) to SAML relying parties (e.g. Shibboleth SPs).
In addition to providing user authentication and single sign-on (SSO) for web applications, SAML provides the capability for an IdP to release additional user information to an SP at authentication time. The user information is presented as a nameID and assertion attributes. Attributes are useful for access control decisions and personalization within the SP application. When integrating an application with SAML, it is helpful to know which NameID formats and attributes are available, where they come from, and what they look like. This guide provides that information.
NameIDs are returned to an SP in the IdP's authentication response. They are enclosed within the <Subject></Subject> block of XML.
| NameID | SAML Format | Description | Example Value1 |
|---|---|---|---|
| default | An identifier that is generated with a new value for each authentication. | AAdzZWNyZXQxHXqU1u2h16PsI7AMqO | |
| nameIDPersistentID | An identifier that is computed and stored once for each user/SP combination. The same value will be released each time a user authenticates from the same SP but different values will be released if the user also authenticates from other SPs. | 0920ddf277bb2a06162e469631147f69 | |
| eppnNameID | ePPN2 as a NameID | jsmith@washington.edu | |
| idNameID | uwNetID3 as a NameID | jsmith | |
| uwEduEmailNameID | uwEduEmail4 as a NameID | jsmith@uw.edu |
1 All NameID formats the UW IdP releases have three parts: IDP entityID|SP entityID|value. For example, an eppnNameID might look like urn:mace:incommon:washington.edu|https://dept.uw.edu/shibboleth|netid@washington.edu. Only the last part is shown in the "Example Value" column.
2 See ePPN description in table below.
3 See uwNetID description in table below.
4 See uwEduEmail description in table below.
Attributes are returned to an SP in the IdP's authentication response. They are enclosed within the <AttributeStatement></AttributeStatement> block of XML.
Some attributes provided by the UW IdP are defined by the eduPerson specification.
Table 1. The information in this table is specific to personal UW NetIDs. For shared UW NetIDs, the IdP can only release UW NetID-based, uwRegID, and displayName attributes. A bolded SP Registry Name value highlights cases where the attribute name used in the SP Registry interface differs from the "FriendlyName" released by the IdP.
SP Registry Name | FriendlyName | Name | Type | Source | Example Value |
|---|---|---|---|---|---|
affiliation | eduPersonAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.1 | multi-value string | PDS: eduPersonAffiliation | member;staff;employee |
attributePersistentID1 | eduPersonTargetedID | urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | string | computed | See nameIDPersistentID in table above. |
| awsname | RoleSessionName | https://aws.amazon.com/SAML/Attributes/RoleSessionName | string | computed as ePPN | smith@washington.edu |
| awsrole | Role | https://aws.amazon.com/SAML/Attributes/Role | string | computed from group memberships in the u_weblogin_aws stem | arn:aws:iam::227741503957:role/sandbox-myteam |
| awssession | SessionDuration | https://aws.amazon.com/SAML/Attributes/SessionDuration | string | IdP | 43200 |
cn | cn | urn:oid:2.5.4.3 | string | PDS: "uwPersonPreferredFirst uwPersonPreferredMiddle uwPersonPreferredSurname" will be used if available, otherwise PDS: cn. | John P. Smith |
displayName | displayName | urn:oid:2.16.840.1.113730.3.1.241 | string | PDS: displayName | John P. Smith |
displayNameAndPronouns | displayNameAndPronouns | urn:oid:1.2.840.113994.200.52 | string | PDS: displayName (PDS: uwPersonPronoun) | John P. Smith (he/him/his) |
urn:oid:0.9.2342.19200300.100.1.3 | string | Returns first match from: | smith@uw.edu (May contain alternate emails for employees self-managed inside Workday and https://identity.uw.edu) | ||
employeeNumber | employeeNumber | urn:oid:2.16.840.1.113730.3.1.3 | string | PDS: uwEmployeeID | 880000000 |
entitlement_lib2 | eduPersonEntitlement | urn:oid:1.3.6.1.4.1.5923.1.1.1.7 | multi-value string | computed | urn:mace:dir:entitlement:common-lib-terms |
entitlement_sln | eduPersonEntitlement | urn:oid:1.3.6.1.4.1.5923.1.1.1.7 | multi-value string | computed | urn:mace:washington.edu:courses:win2012:17417 |
ePPN | eduPersonPrincipalName | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | string | computed | smith@washington.edu |
ePTID3 | eduPersonTargetedID | urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | string | computed | 0920ddf277bb2a06162e469631147f69@washington.edu |
givenName | givenName | urn:oid:2.5.4.42 | string | PDS: "uwPersonPreferredFirst uwPersonPreferredMiddle" will be used if set by user, otherwise PDS: uwPersonRegisteredFirstMiddle | John P. |
gws_groups4 | isMemberOf | urn:oid:1.3.6.1.4.1.5923.1.5.1.1 | multi-value string | GWS | urn:mace:washington.edu:groups:uw_employee |
| homedept5 | homeDepartment | urn:oid:2.5.4.11 | string | PDS: uwEmployeeHomeDepartment | OFFICE OF PROGRESS |
| mailstop | mailstop | urn:oid:2.5.4.18 | string | PDS: uwEmployeeMailstop | 359000 |
phone6 | phone | urn:oid:2.5.4.20 | string | PDS: uwEWPPhone1 | +1 206 221-5000 |
| preferredFirst | preferredFirst | urn:oid:1.2.840.113994.200.47 | string | PDS: uwPersonPreferredFirst | John |
| preferredMiddle | preferredMiddle | urn:oid:1.2.840.113994.200.48 | string | PDS: uwPersonPreferredMiddle | P. |
| preferredSurname | preferredSurname | urn:oid:1.2.840.113994.200.49 | string | PDS: uwPersonPreferredSurname | Smith |
| registeredGivenName | registeredGivenName | urn:oid:1.2.840.113994.200.32 | string | PDS: uwPersonRegisteredFirstMiddle (does not incorporate preferred name) | John |
| registeredSurname | registeredSurname | urn:oid:1.2.840.113994.200.31 | string | PDS: uwPersonRegisteredSurname | Smith-Jones |
scopedAffiliation | eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | multi-value string | PDS: eduPersonAffiliation | member@washington.edu |
surname | surname | urn:oid:2.5.4.4 | string | PDS: uwPersonPreferredSurname will be used if set by user, otherwise uwPersonRegisteredSurname | Smith |
| title | title | urn:oid:2.5.4.12 | string | PDS: uwEWPTitle1 | Technical Lead |
| uwEduEmail | uwEduEmail | urn:oid:1.2.840.113994.200.45 | string | Computed: uwNetID@uw.edu | smith@uw.edu |
uwPronouns | uwPronouns | urn:oid:1.2.840.113994.200.51 | string | PDS: uwPersonPronoun | he/him/his |
uwNetID | uid | urn:oid:0.9.2342.19200300.100.1.1 | string | PDS: uwNetID | smith |
uwRegID | uwRegID | urn:oid:1.2.840.113994.200.24 | string | PDS: uwRegID | B778D7CE539311D6B3850004AC494FFE |
uwStudentID | uwStudentID | urn:oid:1.2.840.113994.200.21 | string | PDS: uwStudentID | 1234567 |
| uwStudentSystemKey | uwStudentSystemKey | urn:oid:1.2.840.113994.200.20 | string | PDS: uwStudentSystemKey | 000524591 |
1 attributePersistentID is the most common way to use the persistent id attribute. It replaces the SAML1 ePTID. TargetedID and PersistentID vales are equivalent. PersistentID is constructed using the IdP entityID, the SP entityID, and an opaque ID for the user.
2 The entitlement_lib always generates a value of "urn:mace:dir:entitlement:common-lib-terms"
3 ePTID is a SAML 1 construct that has been replaced with PersistentID in SAML 2. You probably want nameIDPersistentID or attributePersistentID instead.
4 The IdP doesn't normally release all groups to an SP. You will need to specify the particular group(s) or stem(s) that are of interest to your application.
5 Departmental affiliation based on an employee's supervisory org in Workday.
6 Does not include student whitepages phone number data at this time.