Purdue Shibboleth Information
Introduction
The Identity and Access Management Office (IAMO) offers a web single sign-on service using Shibboleth open source software.
The Purdue Shibboleth implementation uses CAS for user authentication, and provides information about the authenticated user (referred to as attributes) for use by a web application.
Purdue is a member of the InCommon Federation.
Attributes Available via Purdue Shibboleth
uid | Purdue Career Account login id used for authentication. An example value would be "jott".
mail | Purdue email address. An example value would be "jott@purdue.edu".
displayName | Full name. Same value as cn attribute. An example value would be "Jeffrey A Ott".
cn | Full name. Same value as displayName attribute. An example value would be "Jeffrey A Ott".
sn | Last name. An example value would be "Ott".
givenName | First name and middle initial if one exists in the Student or Personnel system. An example value would be "Jeffrey A".
employeeNumber | Purdue ID (PUID) as a 10 digit number, including leading zeros. An example value would be "0005012345".
employeeType | I2A2 characteristics assigned to the user. Definitions of the characteristic numbers can be found here. We will filter the characteristics provided to those appropriate for a given web application server (i.e. Shibboleth Service Provider). An example value would be "0;2029;2041;3592;13101;10086;4286;2000".
eduPersonPrincipalName (ePPN) | Please see the InCommon Attribute Summary. An example value would be "jott@purdue.edu".
eduPersonScopedAffiliation | Please see the InCommon Attribute Summary. We set the employee, student and member affiliations. The employee affiliation is set if the user has I2A2 characteristic 0, the student affiliation is set if the user has I2A2 characteristic 1 (has accepted admission for the current or next two semesters), and the member affiliation is set if the user has affiliation employee or student. An example value would be "employee@purdue.edu;member@purdue.edu".
eduPersonTargetedID | Please see the InCommon Attribute Summary. We can send either urn:mace:dir:attribute-def:eduPersonTargetedID or urn:oid:1.3.6.1.4.1.5923.1.1.1.10 to a version 1.3 Shibboleth Service Provider. Our eduPersonTargetedID is built using the Shibboleth stored id data connector, using Purdue ID (PUID). The value of this identifier does not divulge PUID or user identity, is service provider specific so user information from different service providers can not be correlated, and is never reassigned to another person.
eduCourseOffering | Course enrollment for the user, in the format http://purdue.edu/course/offering/[campus]/[subject].[course].[section]/[semester/term]. The semester/term is in format YYYYxx, where YYYY is the year, and xx is 10 for fall, 20 for spring, and 30 for summer. The campus is a three character campus code, subject is capitalized, the course is five characters, and the section is three characters. Please see the formal eduCourseOffering definition for more information. We will filter the courses provided to those appropriate for a given service provider. An example value would be "http://purdue.edu/course/offering/PWL/TST.10100.001/200930;http://purdue.edu/course/offering/PWL/TST.20300.001/200930".
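A service-provider-side check for two of the multi-valued attributes above, as an added example (not Purdue's or Shibboleth's code): it strictly parses eduCourseOffering and eduPersonScopedAffiliation values before an application relies on them for authorization. The function names are hypothetical; it assumes multiple values arrive joined with ";" as in the example values, and that campus, course and section are upper-case alphanumerics.

```python
import re
from collections import namedtuple

# Term codes documented on this page: 10 = fall, 20 = spring, 30 = summer.
TERMS = {"10": "fall", "20": "spring", "30": "summer"}

# Assumption: campus, course and section are upper-case alphanumerics; the page
# states only their lengths (3, 5 and 3) and that the subject is capitalized.
OFFERING_RE = re.compile(
    r"http://purdue\.edu/course/offering/(?P<campus>[A-Z0-9]{3})/"
    r"(?P<subject>[A-Z]+)\.(?P<course>[A-Z0-9]{5})\.(?P<section>[A-Z0-9]{3})/"
    r"(?P<year>\d{4})(?P<term>10|20|30)"
)

Offering = namedtuple("Offering", "campus subject course section year term")

def parse_course_offerings(raw):
    """Parse a ';'-joined eduCourseOffering value; reject any malformed entry."""
    offerings = []
    for value in filter(None, raw.split(";")):
        m = OFFERING_RE.fullmatch(value)
        if m is None:
            # Fail closed: never authorize on a value that does not match the format.
            raise ValueError(f"malformed eduCourseOffering value: {value!r}")
        offerings.append(Offering(m["campus"], m["subject"], m["course"],
                                  m["section"], int(m["year"]), TERMS[m["term"]]))
    return offerings

def affiliations(raw, scope="purdue.edu"):
    """Return affiliation names from eduPersonScopedAffiliation for one scope."""
    found = set()
    for value in filter(None, raw.split(";")):
        name, sep, value_scope = value.partition("@")
        # Only the three affiliations this page says are set, and only our scope.
        if sep and value_scope == scope and name in {"employee", "student", "member"}:
            found.add(name)
    return found

# Constructed sample input, copied from the example values on this page.
SAMPLE_COURSES = ("http://purdue.edu/course/offering/PWL/TST.10100.001/200930;"
                  "http://purdue.edu/course/offering/PWL/TST.20300.001/200930")
SAMPLE_AFFILIATION = "employee@purdue.edu;member@purdue.edu"

if __name__ == "__main__":
    for offering in parse_course_offerings(SAMPLE_COURSES):
        print(offering)
    print(sorted(affiliations(SAMPLE_AFFILIATION)))
```

Rejecting the whole attribute on one malformed entry keeps an application from granting course access on a partially trusted value.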
Attribute Names
Attribute | SAML 1 Name | SAML 2 Name
uid | urn:mace:dir:attribute-def:uid | urn:oid:0.9.2342.19200300.100.1.1
mail | urn:mace:dir:attribute-def:mail | urn:oid:0.9.2342.19200300.100.1.3
displayName | urn:mace:dir:attribute-def:displayName | urn:oid:2.16.840.1.113730.3.1.241
cn | urn:mace:dir:attribute-def:cn | urn:oid:2.5.4.3
sn | urn:mace:dir:attribute-def:sn | urn:oid:2.5.4.4
givenName | urn:mace:dir:attribute-def:givenName | urn:oid:2.5.4.42
employeeNumber | urn:mace:dir:attribute-def:employeeNumber | urn:oid:2.16.840.1.113730.3.1.3
employeeType | urn:mace:dir:attribute-def:employeeType | urn:oid:2.16.840.1.113730.3.1.4
eduPersonPrincipalName (ePPN) | urn:mace:dir:attribute-def:eduPersonPrincipalName | urn:oid:1.3.6.1.4.1.5923.1.1.1.6
eduPersonScopedAffiliation | urn:mace:dir:attribute-def:eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9
eduPersonTargetedID | urn:mace:dir:attribute-def:eduPersonTargetedID | urn:oid:1.3.6.1.4.1.5923.1.1.1.10
eduCourseOffering | urn:oid:1.3.6.1.4.1.5923.1.6.1.1 | urn:oid:1.3.6.1.4.1.5923.1.6.1.1
Requesting Purdue Shibboleth Access
The first step is to fill out a Memorandum of Understanding (MOU) and forward a signed copy to the IAMO as directed on the MOU form. The IAMO will then work with the data steward(s) responsible for the attribute data to be provided by Shibboleth. Once approved, IAMO will authorize your web application server (Shibboleth service provider) to access the Purdue Shibboleth Identity Provider server and receive the requested attributes.
Research and Scholarship Sites
To support sites that provide research and scholarly activities through the InCommon Federation, Purdue University provides a default set of attributes to service providers (SP) that are part of the InCommon Research and Scholarship (R&S) category.
The default set of attributes includes:
mail | Purdue email address. An example value would be "jott@purdue.edu".
displayName | Full name. Same value as cn attribute. An example value would be "Jeffrey A Ott".
givenName | First name and middle initial if one exists in the Student or Personnel system. An example value would be "Jeffrey A".
sn | Last name. An example value would be "Ott".
eduPersonPrincipalName (ePPN) | Please see the InCommon Attribute Summary. An example value would be "jott@purdue.edu".
eduPersonTargetedID | Please see the InCommon Attribute Summary. We can send either urn:mace:dir:attribute-def:eduPersonTargetedID or urn:oid:1.3.6.1.4.1.5923.1.1.1.10 to a version 1.3 Shibboleth Service Provider. Our eduPersonTargetedID is built using the Shibboleth stored id data connector, using Purdue ID (PUID). The value of this identifier does not divulge PUID or user identity, is service provider specific so user information from different service providers can not be correlated, and is never reassigned to another person.
Please see the InCommon web page for more information on the Research and Scholarship category.
Questions
Please contact the IAMO at accounts@purdue.edu.