Purpose

This document describes the NameID formats and attributes that can be released by the UW Shibboleth Identity Provider (IdP) to Shibboleth Service Providers (SPs) and other SAML 2.0 relying parties.

Background

In addition to providing user authentication and single sign-on (SSO) for web applications, Shibboleth allows an IdP to release additional user information to an SP at authentication time. That information is presented as a NameID and as assertion attributes. Attributes are useful for access control decisions and personalization within the SP application. When integrating an application with Shibboleth, it helps to know which NameID formats and attributes are available, where they come from, and what they look like. This guide provides that information.

NameIDs

NameIDs are returned to an SP in the IdP's authentication response. They are enclosed within the <Subject></Subject> element of the assertion.

NameID | SAML Format | Description | Example Value [1]
------ | ----------- | ----------- | -----------------
default | urn:oasis:names:tc:SAML:2.0:nameid-format:transient | An identifier that is generated with a new value for each authentication. | AAdzZWNyZXQxHXqU1u2h16PsI7AMqO9JoRQANqwu4Dpe1fvRrjMlYoL3v/kRH9QHUX7SqOomf2MyZhIbSReBUBnIiAJwN3nVfyKPxYs88/GZ74FKvA7xlpOscvMFmQPz3U9zyvxcotResE+dYICFLXmZImZW1NZSS6LQWQ==
nameIDPersistentID | urn:oasis:names:tc:SAML:2.0:nameid-format:persistent | An identifier that is computed and stored once for each user/SP combination. The same value is released each time the user authenticates from the same SP, but different values are released if the user also authenticates from other SPs. | 0920ddf277bb2a06162e469631147f69
eppnNameID | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified | ePPN [2] as a NameID | jsmith@washington.edu
idNameID | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified | uwNetID [3] as a NameID | jsmith
uwEduEmailNameID | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress | uwEduEmail [4] as a NameID | jsmith@uw.edu

[1] All NameID formats the UW IdP releases have three parts: IdP entityID|SP entityID|value. For example, an eppnNameID might look like urn:mace:incommon:washington.edu|https://dept.uw.edu/shibboleth|netid@washington.edu. Only the last part is shown in the "Example Value" column.
[2] See the ePPN description in the table below.
[3] See the uwNetID description in the table below.
[4] See the uwEduEmail description in the table below.

Attributes

Attributes are returned to an SP in the IdP's authentication response. They are enclosed within the <AttributeStatement></AttributeStatement> element of the assertion.

For the most part, the IdP provides attributes defined by the Internet2 eduPerson specification. InCommon's Attribute Overview may be easier to read.

  • You request release of attributes via the UW Service Provider Registry, which uses the local name. See the instructions for requesting attributes for more information.
  • In the table below, "Local name" is how the attributes are labeled in the UW SP Registry. "SAML2 name (OID)" and "eduPerson name" are how the attributes are labeled in the SAML response from the IdP.
  • Refer to the SAML2 name (OID) when mapping attributes to environment variables in your SP.
  • Multi-valued string attributes normally show up in the environment as a single string of semicolon-separated values.
  • Several attributes are sourced from the Person Directory Service (PDS). See the PDS Attribute Reference for more information.
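The following Python is an added illustration, not code from the UW IdP or the Shibboleth project. It reads a constructed SAML 2.0 assertion fragment the way an SP-side consumer would: it splits the three-part NameID described in the NameID table, translates OID attribute names to the local names used in the table below, joins multi-valued attributes with semicolons as the SP environment does, and checks that a scoped identifier such as ePPN carries the washington.edu scope. The assertion text, the SP entityID comparison and the OID subset are constructed for the example; signature and Conditions validation, which must happen before any of this is trusted, are not shown.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Subset of the attribute table: SAML2 name (OID) -> local name used in the UW SP Registry.
OID_TO_LOCAL = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "affiliation",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "ePPN",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "scopedAffiliation",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "attributePersistentID",
    "urn:oid:1.3.6.1.4.1.5923.1.5.1.1": "gws_groups",
    "urn:oid:0.9.2342.19200300.100.1.1": "uwNetID",
    "urn:oid:0.9.2342.19200300.100.1.3": "email",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
}

# Constructed sample, not a captured IdP response. Issuer, Conditions and the XML
# signature are omitted; a real SP verifies the signature before reading any of this.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">urn:mace:incommon:washington.edu|https://dept.uw.edu/shibboleth|0920ddf277bb2a06162e469631147f69</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
      <saml:AttributeValue>smith@washington.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1">
      <saml:AttributeValue>member</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
      <saml:AttributeValue>employee</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1">
      <saml:AttributeValue>urn:mace:washington.edu:groups:uw_employee</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_name_id(assertion_xml: str, expected_sp_entity_id: str = None) -> dict:
    """Return the NameID format and its three '|'-separated parts.

    If expected_sp_entity_id is given, reject a NameID issued for a different SP.
    """
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not name_id.text:
        raise ValueError("assertion carries no NameID")
    parts = name_id.text.strip().split("|")
    if len(parts) != 3:
        raise ValueError("expected IdP entityID|SP entityID|value, got %r" % name_id.text)
    idp_entity_id, sp_entity_id, value = parts
    if expected_sp_entity_id is not None and sp_entity_id != expected_sp_entity_id:
        raise ValueError("NameID was issued for another SP: %s" % sp_entity_id)
    return {
        "format": name_id.get("Format"),
        "idp_entity_id": idp_entity_id,
        "sp_entity_id": sp_entity_id,
        "value": value,
    }


def parse_attributes(assertion_xml: str) -> dict:
    """Return {local name: [values]}; OIDs not in the map are kept under their OID name."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        oid = attr.get("Name")
        local = OID_TO_LOCAL.get(oid, oid)
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(local, []).extend(values)
    return attrs


def to_environment(attrs: dict) -> dict:
    """Mirror the SP's environment-variable view: multi-valued attributes joined with ';'."""
    return {name: ";".join(values) for name, values in attrs.items()}


def is_scoped_to(identifier: str, expected_scope: str = "washington.edu") -> bool:
    """True only if the identifier has exactly one '@' followed by the expected scope."""
    local_part, sep, scope = identifier.rpartition("@")
    return bool(sep) and bool(local_part) and "@" not in local_part and scope == expected_scope


if __name__ == "__main__":
    print(parse_name_id(SAMPLE_ASSERTION, "https://dept.uw.edu/shibboleth"))
    env = to_environment(parse_attributes(SAMPLE_ASSERTION))
    print(env)
    print("ePPN scope ok:", is_scoped_to(env["ePPN"]))
```

The SP entityID comparison in parse_name_id is the check worth keeping: because every UW NameID carries the SP's entityID as its middle part, an SP can confirm the identifier was minted for it and not replayed from another relying party. The scope check reflects note 8 at the bottom of this page: in federated deployments, only identifiers scoped to washington.edu should be treated as UW identifiers.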

The following table is specific to personal UW NetIDs. For shared UW NetIDs, the IdP can only release UW NetID-based, uwRegID, and displayName attributes.

Local name | eduPerson name | SAML2 name (OID) | Type | Source | Example Value
---------- | -------------- | ---------------- | ---- | ------ | -------------
affiliation | eduPersonAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.1 | multi-value string | PDS: eduPersonAffiliation | member;staff;employee
attributePersistentID [2] | eduPersonTargetedID | urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | string | computed | See nameIDPersistentID in the table above.
cn | cn | urn:oid:2.5.4.3 | string | PDS: "uwPersonPreferredFirst uwPersonPreferredMiddle uwPersonPreferredSurname" will be used if available, otherwise PDS: cn. | John P. Smith
displayName | displayName | urn:oid:2.16.840.1.113730.3.1.241 | string | PDS: displayName | John P. Smith
email | mail | urn:oid:0.9.2342.19200300.100.1.3 | string | Returns first match from: PDS: uwEWPEmail1 (employee); PDS: uwSWPEmail (student); computed: uwNetID@uw.edu | smith@uw.edu, smith@u.washington.edu, smith@chem.washington.edu, smith@somedomain.com (may contain alternate emails that employees self-manage in Workday and at https://identity.uw.edu)
employeeNumber | employeeNumber | urn:oid:2.16.840.1.113730.3.1.3 | string | PDS: uwEmployeeID | 880000000
entitlement_lib | eduPersonEntitlement | urn:oid:1.3.6.1.4.1.5923.1.1.1.7 | multi-value string | computed | urn:mace:dir:entitlement:common-lib-terms [3]
entitlement_sln | eduPersonEntitlement | urn:oid:1.3.6.1.4.1.5923.1.1.1.7 | multi-value string | computed | urn:mace:washington.edu:courses:win2012:17417
ePPN | eduPersonPrincipalName | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | string | computed | smith@washington.edu
ePTID | eduPersonTargetedID | urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | string | computed | 0920ddf277bb2a06162e469631147f69@washington.edu [4]
givenName | givenName | urn:oid:2.5.4.42 | string | PDS: "uwPersonPreferredFirst uwPersonPreferredMiddle" will be used if set by user, otherwise PDS: uwPersonRegisteredFirstMiddle | John P.
gws_groups [5] | isMemberOf | urn:oid:1.3.6.1.4.1.5923.1.5.1.1 | multi-value string | GWS | urn:mace:washington.edu:groups:uw_employee
homeDepartment | ou | urn:oid:2.5.4.11 | string | PDS: uwEmployeeHomeDepartment | OFFICE OF PROGRESS [6]
mailstop | postOfficeBox | urn:oid:2.5.4.18 | string | PDS: uwEmployeeMailstop | 359000
phone | telephoneNumber | urn:oid:2.5.4.20 | string | PDS: uwEWPPhone1 | +1 206 221-5000 [7]
preferredFirst | n/a | urn:oid:1.2.840.113994.200.47 | string | PDS: uwPersonPreferredFirst | John
preferredMiddle | n/a | urn:oid:1.2.840.113994.200.48 | string | PDS: uwPersonPreferredMiddle | P.
preferredSurname | n/a | urn:oid:1.2.840.113994.200.49 | string | PDS: uwPersonPreferredSurname | Smith
scopedAffiliation | eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | multi-value string | PDS: eduPersonAffiliation | member@washington.edu
surname | surname | urn:oid:2.5.4.4 | string | PDS: uwPersonPreferredSurname will be used if set by user, otherwise uwPersonRegisteredSurname | Smith
title | title | urn:oid:2.5.4.12 | string | PDS: uwEWPTitle1 | Technical Lead
uwEduEmail | none | urn:oid:1.2.840.113994.200.45 | string | computed: uwNetID@uw.edu | smith@uw.edu [8]
uwNetID | uid | urn:oid:0.9.2342.19200300.100.1.1 | string | PDS: uwNetID | smith
uwRegID | n/a | urn:oid:1.2.840.113994.200.24 | string | PDS: uwRegID | B778D7CE539311D6B3850004AC494FFE
uwStudentID | n/a | urn:oid:1.2.840.113994.200.21 | string | PDS: uwStudentID | 1234567
uwStudentSystemKey | n/a | urn:oid:1.2.840.113994.200.20 | string | PDS: uwStudentSystemKey | 000524591

Notes

[2] attributePersistentID is the most common way to use the persistent ID attribute. It replaces the SAML 1 ePTID. TargetedID and PersistentID values are equivalent. PersistentID is constructed from a combination of the user's ID and the SP's entityID.
[3] entitlement_lib always generates the value "urn:mace:dir:entitlement:common-lib-terms".
[4] ePTID is a SAML 1 construct that has been replaced by PersistentID in SAML 2. You probably want nameIDPersistentID or attributePersistentID instead.
[5] The IdP does not normally release all groups to an SP. You will need to specify the particular group(s) or stem(s) that are of interest to your application.
[6] This is the best available indicator of departmental affiliation, using the employee's home department budget name. If OU information becomes available in the future, the contents of this attribute may be updated.
[7] Does not include student whitepages phone number data at this time.
[8] uwEduEmail is constructed to look like the new UW email address format. It should not be used as an identifier in environments where the service provider will interact with other federated (InCommon, etc.) IdPs/SSO providers. In federated environments the UW identifiers must be scoped to 'washington.edu'.
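Note 2 says the PersistentID is built from the user's ID and the SP's entityID, and the NameID table says the same user gets a stable value at one SP but a different value at another. The short Python below is an added illustration of that property, not UW's actual derivation, which this page does not describe: it uses a keyed hash over "user!SP entityID" (Shibboleth's own ComputedId data connector applies the same idea with a salted SHA-1 hash). The secret key, user IDs and the second SP entityID are constructed for the example; the IdP entityID and the first SP entityID are the ones from note 1.

```python
import hashlib
import hmac

IDP_ENTITY_ID = "urn:mace:incommon:washington.edu"


def persistent_id(user_id: str, sp_entity_id: str, secret: bytes) -> str:
    """Illustrative per-SP identifier: keyed hash over the user ID and the SP's entityID.

    The same user at the same SP always yields the same value; any other SP yields an
    unrelated value, so two SPs cannot join their user records on this identifier.
    This is not UW's production algorithm.
    """
    message = ("%s!%s" % (user_id, sp_entity_id)).encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def persistent_name_id(user_id: str, sp_entity_id: str, secret: bytes) -> str:
    """Assemble the three-part NameID string from note 1: IdP entityID|SP entityID|value."""
    return "|".join([IDP_ENTITY_ID, sp_entity_id, persistent_id(user_id, sp_entity_id, secret)])


if __name__ == "__main__":
    secret = b"constructed-demo-key-not-a-real-idp-salt"  # constructed for the example
    dept_sp = "https://dept.uw.edu/shibboleth"
    other_sp = "https://other.example.edu/shibboleth"  # constructed second SP
    print(persistent_name_id("jsmith", dept_sp, secret))
    print(persistent_name_id("jsmith", other_sp, secret))
    # Same user, two SPs: two unrelated identifiers.
```

Because the IdP stores the value once per user/SP pair, an SP can use it as a stable account key without ever learning the UW NetID, and a second SP receiving its own value cannot correlate the two.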