Purdue Shibboleth Service Information

Introduction

The Identity and Access Management Office (IAMO) offers a web single sign-on service using Shibboleth open-source software. The Purdue Shibboleth implementation uses CAS for user authentication and provides information about the authenticated user (referred to as attributes) for use by a web application. Purdue is a member of the InCommon Federation.

Attributes Available via Purdue Shibboleth

Attribute: uid
Description: Purdue Career Account login ID used for authentication. An example value would be: jott

Attribute: mail
Description: Purdue email address. An example value would be: jott@purdue.edu

Attribute: displayName
Description: Full name. Same value as cn attribute. An example value would be: Jeffrey A Ott

Attribute: cn
Description: Full name. Same value as displayName attribute. An example value would be: Jeffrey A Ott

Attribute: sn
Description: Last name. An example value would be: Ott

Attribute: givenName
Description: First name and middle initial if one exists in the Student or Personnel system. An example value would be: Jeffrey A.

Attribute: employeeNumber
Description: Purdue ID (PUID) as a 10-digit number, including leading zeros. An example value would be: 0005012345

Attribute: eduPersonPrincipalName (ePPN)
Description: Please see the InCommon Attribute Summary. An example value would be: jott@purdue.edu

Attribute: eduPersonScopedAffiliation
Description: Please see the InCommon Attribute Summary. We set the employee, student, and member affiliations. The employee affiliation is set if the user has I2A2 characteristic 0, the student affiliation is set if the user has I2A2 characteristic 1 (has accepted admission for the current or next two semesters), and the member affiliation is set if the user has affiliation employee or student. An example value would be: employee@purdue.edu;member@purdue.edu

Attribute: eduPersonTargetedID
Description: Please see the InCommon Attribute Summary. We can send either urn:mace:dir:attribute-def:eduPersonTargetedID or urn:oid:1.3.6.1.4.1.5923.1.1.1.10 to a version 1.3 Shibboleth Service Provider. Our eduPersonTargetedID is built using the Shibboleth stored id data connector, using Purdue ID (PUID). The value of this identifier does not divulge PUID or user identity, is service-provider specific so user information from different service providers cannot be correlated, and is never reassigned to another person.

Attribute: eduCourseOffering
Description: Course enrollment for the user, in the format http://purdue.edu/course/offering/[campus]/[subject].[course].[section]/[semester/term]. The semester/term is in format YYYYxx, where YYYY is the year, and xx is 10 for fall, 20 for spring, and 30 for summer. The campus is a three-character campus code, subject is capitalized, the course is five characters, and the section is three characters. Please see the formal eduCourseOffering definition for more information. We will filter the courses provided to those appropriate for a given service provider. An example value would be: http://purdue.edu/course/offering/PWL/TST.10100.001/200930; http://purdue.edu/course/offering/PWL/TST.20300.001/200930
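An application behind the service provider should parse these multi-valued attributes strictly before making access decisions on them. The following is an added example, not Purdue or Shibboleth code: the function names are hypothetical, values are assumed to arrive separated by ";" as in the example values above, and the alphanumeric character classes are assumptions because the page gives only field lengths.

```python
import re

# Layout from the eduCourseOffering description above. Character classes are
# assumptions: the page specifies only the length of campus, course and section.
COURSE_RE = re.compile(
    r"http://purdue\.edu/course/offering/"
    r"(?P<campus>[A-Z0-9]{3})/"
    r"(?P<subject>[A-Z]+)\.(?P<course>[A-Za-z0-9]{5})\.(?P<section>[A-Za-z0-9]{3})/"
    r"(?P<year>\d{4})(?P<term>10|20|30)"
)
TERMS = {"10": "fall", "20": "spring", "30": "summer"}
AFFILIATIONS = {"employee", "student", "member"}  # the three values the page says are set


def split_values(raw):
    """Split a multi-valued attribute on ';' and drop empty entries."""
    return [v.strip() for v in (raw or "").split(";") if v.strip()]


def parse_course_offerings(raw):
    """Return (parsed, rejected); a value must match the whole layout to be parsed."""
    parsed, rejected = [], []
    for value in split_values(raw):
        m = COURSE_RE.fullmatch(value)
        if m is None:
            rejected.append(value)  # log these instead of guessing at their meaning
            continue
        rec = m.groupdict()
        rec["year"] = int(rec["year"])
        rec["term"] = TERMS[rec["term"]]
        parsed.append(rec)
    return parsed, rejected


def parse_affiliations(raw, scope="purdue.edu"):
    """Keep only known affiliations that carry the expected scope."""
    kept = set()
    for value in split_values(raw):
        name, sep, value_scope = value.partition("@")
        if sep and value_scope == scope and name in AFFILIATIONS:
            kept.add(name)
    return kept


if __name__ == "__main__":
    # Constructed input: one example value from this page plus an invalid term code.
    sample = ("http://purdue.edu/course/offering/PWL/TST.10100.001/200930; "
              "http://purdue.edu/course/offering/PWL/TST.20300.001/200940")
    print(parse_course_offerings(sample))
```

Values that land in the rejected list, or affiliations with an unexpected scope, are worth logging rather than silently discarding, since they indicate either a format change or an attribute released by a different identity provider.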

Attribute Names

Attribute: uid
SAML 1 Name: urn:mace:dir:attribute-def:uid
SAML 2 Name: urn:oid:0.9.2342.19200300.100.1.1

Attribute: mail
SAML 1 Name: urn:mace:dir:attribute-def:mail
SAML 2 Name: urn:oid:0.9.2342.19200300.100.1.3

Attribute: displayName
SAML 1 Name: urn:mace:dir:attribute-def:displayName
SAML 2 Name: urn:oid:2.16.840.1.113730.3.1.241

Attribute: cn
SAML 1 Name: urn:mace:dir:attribute-def:cn
SAML 2 Name: urn:oid:2.5.4.3

Attribute: sn
SAML 1 Name: urn:mace:dir:attribute-def:sn
SAML 2 Name: urn:oid:2.5.4.4

Attribute: givenName
SAML 1 Name: urn:mace:dir:attribute-def:givenName
SAML 2 Name: urn:oid:2.5.4.42

Attribute: employeeNumber
SAML 1 Name: urn:mace:dir:attribute-def:employeeNumber
SAML 2 Name: urn:oid:2.16.840.1.113730.3.1.3

Attribute: employeeType
SAML 1 Name: urn:mace:dir:attribute-def:employeeType
SAML 2 Name: urn:oid:2.16.840.1.113730.3.1.4

Attribute: eduPersonPrincipalName (ePPN)
SAML 1 Name: urn:mace:dir:attribute-def:eduPersonPrincipalName
SAML 2 Name: urn:oid:1.3.6.1.4.1.5923.1.1.1.6

Attribute: eduPersonScopedAffiliation
SAML 1 Name: urn:mace:dir:attribute-def:eduPersonScopedAffiliation
SAML 2 Name: urn:oid:1.3.6.1.4.1.5923.1.1.1.9

Attribute: eduPersonTargetedID
SAML 1 Name: urn:mace:dir:attribute-def:eduPersonTargetedID
SAML 2 Name: urn:oid:1.3.6.1.4.1.5923.1.1.1.10

Attribute: eduCourseOffering
SAML 1 Name: urn:oid:1.3.6.1.4.1.5923.1.6.1.1
SAML 2 Name: urn:oid:1.3.6.1.4.1.5923.1.6.1.1

Requesting Purdue Shibboleth Access

The first step is to complete the online Docusign form: Memorandum of Understanding (MOU) (MOU Instructions Guide). The request will be reviewed by the respective data steward(s) who steward the attribute data that is provided through Shibboleth. Once reviewed and approved, IAMO will begin the necessary configuration. Please allow 3-5 business days for processing.

Once approved, IAMO will authorize your web application server (Shibboleth service provider) to access the Purdue Shibboleth Identity Provider server and receive the requested attributes.

Research and Scholarship Sites

To support sites that provide research and scholarly activities through the InCommon Federation, Purdue University provides a default set of attributes to service providers (SP) that are part of the InCommon Research and Scholarship (R&S) category. 

The default set of attributes includes:

Attribute: mail
Description: Purdue email address. An example value would be: jott@purdue.edu

Attribute: displayName
Description: Full name. Same value as cn attribute. An example value would be: Jeffrey A Ott

Attribute: givenName
Description: First name and middle initial if one exists in the Student or Personnel system. An example value would be: Jeffrey A

Attribute: sn
Description: Last name. An example value would be: Ott

Attribute: eduPersonPrincipalName (ePPN)
Description: Please see the InCommon Attribute Summary. An example value would be: jott@purdue.edu

Attribute: eduPersonTargetedID
Description: Please see the InCommon Attribute Summary. We can send either urn:mace:dir:attribute-def:eduPersonTargetedID or urn:oid:1.3.6.1.4.1.5923.1.1.1.10 to a version 1.3 Shibboleth Service Provider. Our eduPersonTargetedID is built using the Shibboleth stored id data connector, using Purdue ID (PUID). The value of this identifier does not divulge PUID or user identity, is service-provider specific so user information from different service providers cannot be correlated, and is never reassigned to another person.

Please see the InCommon web page for more information on the Research and Scholarship category.

Questions?

Please contact the IAMO at accounts@purdue.edu.