
Purpose

This document describes the procedure used to request release of a nameID and attributes to a Service Provider (SP) from the UW Shibboleth Identity Provider (IdP).

Background

In addition to providing user authentication and single sign-on (SSO) for web applications, Shibboleth provides the capability for an IdP to release additional user information to an SP at authentication time. The user information is presented as a nameID and assertion attributes. Attributes are useful for access control decisions and personalization within the SP application. See Guide to NameID Formats and Attributes Available from the UW IdP for more information about what data is available.

UW IdP Default NameID

A NameID is a subject identifier returned in an authentication response. The SAML specification defines a variety of standard nameID formats and the UW IdP supports several of these. An IdP can only return one nameID for a subject in any given authentication response. By default, the UW IdP will return a Transient NameID, but one of the alternate formats can be requested.

UW IdP Default Attributes

By default, the UW IdP will release a few attributes to any UW SP, where "UW SP" is defined as any SP registered in UW DNS with a domain name ending in washington.edu or uw.edu. These attributes are:

  • uwNetID
  • ePPN
  • affiliation
  • scopedAffiliation

By default, the UW IdP will release the following attributes to any SP that is registered in the InCommon Federation or in eduGain, and that is designated with the Research & Scholarship (R&S) Category:

  • ePPN
  • ePTID
  • givenName
  • surname
  • mail

No attributes will be released by default to other SPs. Additional attributes may be requested by any UW or non-UW SP administrator.

Procedure

SP administrators with a UW NetID can request a nameID format and attributes via the self-service Service Provider Registry (SP Registry). Once you've logged into the SP Registry, follow these steps:

  1. Browse the SP list or use the search feature to locate your SP in the left panel
  2. Click on your SP
  3. Click the "NameID & Attributes" tab
  4. Click "Request attributes"
  5. In the "Request attributes for..." box that pops up, select one NameID format. If your SP doesn't require a NameID of any particular format, leave the default option (Transient NameID) selected.
  6. In the same window, under the "Assertion attributes" section, click the check boxes for any attributes your application requires
  7. Provide an explanation of why you need these attributes. If you are requesting gws_groups please indicate the specific group(s) you need.
  8. Click "Submit"
  9. Your request will generate a ticket, which will be reviewed and approved per applicable policy
  10. A staff person will respond to you after approval has been granted or if they have questions

You can return to the SP Registry at any time to request a different nameID format or additional attributes or to remove attributes you no longer require.

Vendors and external partners that provide application services to UW users typically don't have a UW NetID. They currently are unable to use the self-service SP Registry. Instead, they should email their attribute requests to iam-support@uw.edu.

Consuming Attributes

To make attributes available to the SP application, the attributes must be mapped to web server environment variables. Of the four attributes automatically released by the UW IdP to UW SPs, ePPN, affiliation, and scopedAffiliation are mapped to server variables in a default Shibboleth SP install. You should see them if you run a test script on your site that dumps the server environment variables to a web page. The uwNetID attribute is not mapped by default and you will need to configure a mapping to make it available to your application. You will also need to map any other attributes you request from the UW IdP.
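As an added illustration (not code from this page or from the UW IAM team), the following shows how an SP application can consume the mapped attributes from the web server environment. It assumes the Shibboleth SP default attribute-map ids `eppn`, `affiliation` (scopedAffiliation) and `unscoped-affiliation` (affiliation), an assumed local id `uwnetid` for a uwNetID mapping you have added, and that only the washington.edu and uw.edu scopes are accepted.

```python
from dataclasses import dataclass

# Shibboleth SP default attribute-map ids for the attributes the UW IdP
# releases to UW SPs by default; 'uwnetid' is an assumed id for a local mapping.
EPPN = "eppn"
SCOPED_AFFILIATION = "affiliation"        # eduPersonScopedAffiliation
AFFILIATION = "unscoped-affiliation"      # eduPersonAffiliation
UWNETID = "uwnetid"                       # assumed local mapping of uwNetID

UW_SCOPES = {"washington.edu", "uw.edu"}  # accepted scopes (assumption)


def split_values(raw):
    """Split a Shibboleth SP multi-valued variable on unescaped ';'.
    The SP joins values with ';' and escapes a literal ';' as '\\;'."""
    values, cur, i = [], [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw) and raw[i + 1] == ";":
            cur.append(";")
            i += 2
            continue
        if raw[i] == ";":
            values.append("".join(cur))
            cur = []
        else:
            cur.append(raw[i])
        i += 1
    values.append("".join(cur))
    return [v for v in values if v]


@dataclass
class Subject:
    eppn: str
    uwnetid: str
    affiliations: set


def subject_from_environ(environ):
    """Build a Subject from the SP-populated server environment only.
    Request headers are deliberately not consulted: the SP writes trusted
    values into the environment, whereas headers can be supplied by the client."""
    eppn = environ.get(EPPN, "")
    if not eppn:
        return None  # no Shibboleth session on this request
    affs = set()
    for v in split_values(environ.get(SCOPED_AFFILIATION, "")):
        aff, _, scope = v.rpartition("@")
        if scope in UW_SCOPES:  # ignore affiliations asserted for other scopes
            affs.add(aff)
    return Subject(eppn=eppn, uwnetid=environ.get(UWNETID, ""), affiliations=affs)


def is_authorized(environ, required_affiliation):
    """Access decision: the subject must hold the required UW-scoped affiliation."""
    s = subject_from_environ(environ)
    return s is not None and required_affiliation in s.affiliations


# Constructed sample environment, as mod_shib would populate it for one user.
SAMPLE_ENVIRON = {
    "eppn": "jdoe@washington.edu",
    "uwnetid": "jdoe",
    "affiliation": "member@washington.edu;staff@washington.edu;employee@washington.edu",
    "unscoped-affiliation": "member;staff;employee",
}
```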
