IAM in Service Catalog
This document describes the procedure used to request release of a nameID and attributes to a Service Provider (SP) from the UW Shibboleth Identity Provider (IdP).
In addition to providing user authentication and single sign-on (SSO) for web applications, Shibboleth provides the capability for an IdP to release additional user information to an SP at authentication time. The user information is presented as a nameID and assertion attributes. Attributes are useful for access control decisions and personalization within the SP application. See Guide to NameID Formats and Attributes Available from the UW IdP for more information about what data is available.
A NameID is a subject identifier returned in an authentication response. The SAML specification defines a variety of standard nameID formats and the UW IdP supports several of these. An IdP can only return one nameID for a subject in any given authentication response. By default, the UW IdP will return a Transient NameID, but one of the alternate formats can be requested.
By default, the UW IdP will release a few attributes to any UW SP, where "UW SP" is defined as any SP registered in UW DNS with a domain name ending in uw.edu. These attributes are:
By default, the UW IdP will release the following attributes to any SP that is registered in the InCommon Federation or in eduGain, and that is designated with the Research & Scholarship (R&S) Category:
No attributes will be released by default to other SPs. Additional attributes may be requested by any UW or non-UW SP administrator.
You can return to the SP Registry at any time to request a different nameID format or additional attributes or to remove attributes you no longer require.
Vendors and external partners that provide application services to UW users typically don't have a UW NetID. They currently are unable to use the self-service SP Registry. Instead, they should email their attribute requests to email@example.com.
To make attributes available to the SP application, the attributes must be mapped to web server environment variables; in the Shibboleth SP this mapping lives in attribute-map.xml. Of the four attributes automatically released by the UW IdP to UW SPs, ePPN, affiliation, and scopedAffiliation are mapped to server variables in a default Shibboleth SP install. You should see them if you run a test script on your site that dumps the server environment variables to a web page. The uwNetID attribute is not mapped by default, and you will need to configure a mapping to make it available to your application. You will also need to map any other attributes you request from the UW IdP. Read mapped attributes from the environment rather than from HTTP request headers: header export is off by default in the Shibboleth SP and is discouraged because request headers originate with the client.
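The following attribute-map.xml excerpt is an added example of the mapping step, not a file from this page or from UW IT. It shows the eduPersonPrincipalName entry that a default install already contains, alongside an added entry for uwNetID. The SAML attribute name for uwNetID is a placeholder and must be replaced with the name given in the UW IdP attribute guide referenced above; the id values are the server variable names your application will read.

```xml
<!-- attribute-map.xml excerpt (added example). The Shibboleth SP reads this
     file to turn SAML assertion attributes into server environment variables
     named by the "id" value. -->
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- Present in a default install: eduPersonPrincipalName -> $eppn.
       The scoped decoder rejects a value whose scope (the part after @)
       is not one the IdP is permitted to assert in its metadata. -->
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
  </Attribute>

  <!-- Added mapping: uwNetID -> $uwNetID.
       PLACEHOLDER: replace the name with the SAML attribute name for uwNetID
       from the UW IdP attribute guide. With no AttributeDecoder element the
       SP decodes the value as a plain string. -->
  <Attribute name="REPLACE-WITH-UWNETID-SAML-ATTRIBUTE-NAME" id="uwNetID"/>

</Attributes>
```

After editing the file, restart shibd and the web server, then authenticate and open the SP's Session handler (/Shibboleth.sso/Session by default) or your environment-dumping test script: the new id should appear as a variable once the UW IdP is actually releasing the attribute to your SP. If it does not, check the attribute name against the guide before suspecting the release request itself.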