
Purdue University

Identity and Access Management

Purdue Shibboleth Information

Introduction

The Identity and Access Management Office (IAMO) offers a web single sign on service using Shibboleth open source software. The Purdue Shibboleth implementation uses CAS for user authentication, and provides information about the authenticated user (referred to as attributes) for use by a web application. Purdue is a member of the InCommon Federation.

Attributes Available via Purdue Shibboleth

| Attribute | Description |
|---|---|
| uid | Purdue Career Account login id used for authentication. An example value would be "jott". |
| mail | Purdue email address. An example value would be "jott@purdue.edu". |
| displayName | Full name. Same value as cn attribute. An example value would be "Jeffrey A Ott". |
| cn | Full name. Same value as displayName attribute. An example value would be "Jeffrey A Ott". |
| sn | Last name. An example value would be "Ott". |
| givenName | First name and middle initial if one exists in the Student or Personnel system. An example value would be "Jeffrey A". |
| employeeNumber | Purdue ID (PUID) as a 10 digit number, including leading zeros. An example value would be "0005012345". |
| employeeType | I2A2 characteristics assigned to the user. Definitions of the characteristic numbers can be found here. We will filter the characteristics provided to those appropriate for a given web application server (i.e. Shibboleth Service Provider). An example value would be "0;2029;2041;3592;13101;10086;4286;2000". |
| eduPersonPrincipalName (ePPN) | Please see the InCommon Attribute Summary. An example value would be "jott@purdue.edu". |
| eduPersonScopedAffiliation | Please see the InCommon Attribute Summary. We set the employee, student and member affiliations. The employee affiliation is set if the user has I2A2 characteristic 0, the student affiliation is set if the user has I2A2 characteristic 1 (has accepted admission for the current or next two semesters), and the member affiliation is set if the user has affiliation employee or student. An example value would be "employee@purdue.edu;member@purdue.edu". |
| eduPersonTargetedID | Please see the InCommon Attribute Summary. We can send either urn:mace:dir:attribute-def:eduPersonTargetedID or urn:oid:1.3.6.1.4.1.5923.1.1.1.10 to a version 1.3 Shibboleth Service Provider. Our eduPersonTargetedID is built using the Shibboleth stored id data connector, using Purdue ID (PUID). The value of this identifier does not divulge PUID or user identity, is service provider specific so user information from different service providers cannot be correlated, and is never reassigned to another person. |
| eduCourseOffering | Course enrollment for the user, in the format http://purdue.edu/course/offering/[campus]/[subject].[course].[section]/[semester/term]. The semester/term is in format YYYYxx, where YYYY is the year, and xx is 10 for fall, 20 for spring, and 30 for summer. The campus is a three character campus code, subject is capitalized, the course is five characters, and the section is three characters. Please see the formal eduCourseOffering definition for more information. We will filter the courses provided to those appropriate for a given service provider. An example value would be "http://purdue.edu/course/offering/PWL/TST.10100.001/200930;http://purdue.edu/course/offering/PWL/TST.20300.001/200930". |
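
An added example, not part of Purdue's page or IAMO code: one way a service provider application could strictly validate the employeeType, eduPersonScopedAffiliation and eduCourseOffering formats described above before using them for authorization. It assumes multi-valued attributes arrive as a single ';'-joined string, as in the example values, and that campus, course and section contain only upper-case letters and digits; all function names are hypothetical.

```python
import re

SCOPE = "purdue.edu"  # scope used in this page's example values
TERMS = {"10": "fall", "20": "spring", "30": "summer"}
# Assumption: campus, course and section use upper-case letters and digits only.
COURSE_RE = re.compile(
    r"http://purdue\.edu/course/offering/(?P<campus>[A-Z0-9]{3})/"
    r"(?P<subject>[A-Z]+)\.(?P<course>[A-Z0-9]{5})\.(?P<section>[A-Z0-9]{3})/"
    r"(?P<year>[0-9]{4})(?P<term>10|20|30)"
)

def split_values(raw):
    """Split a ';'-joined attribute string (assumed delivery form), dropping empties."""
    return [v for v in (raw or "").split(";") if v]

def parse_course_offerings(raw):
    """Return one dict per offering; raise ValueError on any malformed value."""
    offerings = []
    for value in split_values(raw):
        m = COURSE_RE.fullmatch(value)  # fullmatch rejects trailing or leading extras
        if m is None:
            raise ValueError(f"malformed eduCourseOffering value: {value!r}")
        fields = m.groupdict()
        fields["year"] = int(fields["year"])
        fields["term"] = TERMS[fields["term"]]
        offerings.append(fields)
    return offerings

def affiliations(raw, scope=SCOPE):
    """Return affiliation names whose scope equals `scope` exactly; ignore the rest."""
    names = set()
    for value in split_values(raw):
        name, sep, value_scope = value.partition("@")
        if sep and name and value_scope == scope:
            names.add(name)
    return names

def characteristics(raw):
    """Parse employeeType into a set of I2A2 characteristic numbers."""
    values = split_values(raw)
    if not all(v.isascii() and v.isdigit() for v in values):
        raise ValueError(f"non-numeric I2A2 characteristic in {raw!r}")
    return {int(v) for v in values}

def is_enrolled(raw, subject, course, year, term):
    """True if any offering matches the given subject, course, year and term."""
    return any((o["subject"], o["course"], o["year"], o["term"]) ==
               (subject, course, year, term) for o in parse_course_offerings(raw))
```

Because employeeType and eduCourseOffering are filtered per service provider, the absence of a value means only that it was not released to this application.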

Attribute Names

| Attribute | SAML 1 Name | SAML 2 Name |
|---|---|---|
| uid | urn:mace:dir:attribute-def:uid | urn:oid:0.9.2342.19200300.100.1.1 |
| mail | urn:mace:dir:attribute-def:mail | urn:oid:0.9.2342.19200300.100.1.3 |
| displayName | urn:mace:dir:attribute-def:displayName | urn:oid:2.16.840.1.113730.3.1.241 |
| cn | urn:mace:dir:attribute-def:cn | urn:oid:2.5.4.3 |
| sn | urn:mace:dir:attribute-def:sn | urn:oid:2.5.4.4 |
| givenName | urn:mace:dir:attribute-def:givenName | urn:oid:2.5.4.42 |
| employeeNumber | urn:mace:dir:attribute-def:employeeNumber | urn:oid:2.16.840.1.113730.3.1.3 |
| employeeType | urn:mace:dir:attribute-def:employeeType | urn:oid:2.16.840.1.113730.3.1.4 |
| eduPersonPrincipalName (ePPN) | urn:mace:dir:attribute-def:eduPersonPrincipalName | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 |
| eduPersonScopedAffiliation | urn:mace:dir:attribute-def:eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 |
| eduPersonTargetedID | urn:mace:dir:attribute-def:eduPersonTargetedID | urn:oid:1.3.6.1.4.1.5923.1.1.1.10 |
| eduCourseOffering | urn:oid:1.3.6.1.4.1.5923.1.6.1.1 | urn:oid:1.3.6.1.4.1.5923.1.6.1.1 |

Requesting Purdue Shibboleth Access

The first step is to fill out a Memorandum of Understanding (MOU) and forward a signed copy to the IAMO as directed on the MOU form. The IAMO will then work with the respective data steward(s) that steward the attribute data to be provided by Shibboleth. Once approved, IAMO will authorize your web application server (Shibboleth service provider) to access the Purdue Shibboleth Identity Provider server and receive the requested attributes.

Research and Scholarship Sites

To support sites that provide research and scholarly activities through the InCommon Federation, Purdue University provides a default set of attributes to service providers (SP) that are part of the InCommon Research and Scholarship (R&S) category.

The default set of attributes includes:

| Attribute | Description |
|---|---|
| mail | Purdue email address. An example value would be "jott@purdue.edu". |
| displayName | Full name. Same value as cn attribute. An example value would be "Jeffrey A Ott". |
| givenName | First name and middle initial if one exists in the Student or Personnel system. An example value would be "Jeffrey A". |
| sn | Last name. An example value would be "Ott". |
| eduPersonPrincipalName (ePPN) | Please see the InCommon Attribute Summary. An example value would be "jott@purdue.edu". |
| eduPersonTargetedID | Please see the InCommon Attribute Summary. We can send either urn:mace:dir:attribute-def:eduPersonTargetedID or urn:oid:1.3.6.1.4.1.5923.1.1.1.10 to a version 1.3 Shibboleth Service Provider. Our eduPersonTargetedID is built using the Shibboleth stored id data connector, using Purdue ID (PUID). The value of this identifier does not divulge PUID or user identity, is service provider specific so user information from different service providers cannot be correlated, and is never reassigned to another person. |


Please see the InCommon web page for more information on the Research and Scholarship category.

Questions

Please contact the IAMO at accounts@purdue.edu.

Maintained by: IAMO Team

© 2010 - 2013 Purdue University | An equal access/equal opportunity university | Copyright Complaints