Shibboleth at NC State » Technical Documentation » User Affiliations

User Affiliations on NC State IdP

The eduPersonAffiliation attribute provides values which define the user's affiliation with NC State. We populate these values based upon the user's ncsuPrimaryRole attribute found in our LDAP.

Definitions of Each Role Value

Note that users who are both employeed by the university and enrolled as students are customarily set with ncsuPrimaryRole = staff or faculty, but not student. We check for this dual role when we assign the student affiliation.

• member = User has an ncsuPrimaryRole of student, staff, or faculty.

• affiliate = Opposite of member. These users are usually incoming or former students, or former employees.

• student = User has an ncsuPrimaryRole of student. Or, the user has an ncsuPrimaryRole of staff or faculty, and they are currently enrolled in a degree curriculum.

• staff = User has an ncsuPrimaryRole of staff or faculty.

• faculty = User has an ncsuPrimaryRole of faculty. (All faculty are also staff, but not all staff are faculty.)

• separated = A special value defined by NC State. See the section below.

• employee = Not used by NC State. Look for staff instead.

• alum = Not used by NC State.

Examples by User Types

• A current student would have eduPersonAffiliation = member, student.

• A current employee would have eduPersonAffiliation = member, staff.

• A current faculty member would have eduPersonAffiliation = member, staff, faculty.

• A current employee who is also a student would have: eduPersonAffiliation = member, staff, student.

• A former student who still has an account would have: eduPersonAffiliation = affiliate.

• A former student with a partially disabled account would have: eduPersonAffiliation = affiliate, separated.

Separated

This affiliation is intended to be used to help our service providers distinguish between active accounts, and those that are still able to authenticate even though they have left the university.

We declare that a user is "separated" if they do not appear in the master list of currently active students, and they do not have group memberships as a currently employed staff member. The specific algorithm is:

1. Assume the user is separated=1

2. If the user is a member of one of these hesiod staff groups, set separated=0: ncsu_staff, ncsu_ptstaff, ncsu_access.

3. If the user is listed as a current student by the SIS system, set separated=0.

4. If the user is a workshop or test account, they will have one of these hesiod groups, set separated=0: temp, workshop.

5. If the user is krb_disabled, then set separated=1, regardless of other groups.

Any user with separated=1 will have the separated affiliation added to their affiliation list. Separated will also be set as their primary affiliation, overriding any other result.

SP administrators may be able to use the SysNews User Lookup tool to verify the affiliations assigned to a user. This tool requires privileges to lookup other users, and those are only available to appropriate NCSU staff.

eduPersonPrimaryAffiliation

This is a single-valued attribute that represents the primary role of the user at the university. We set the eduPersonPrimaryAffiliation as follows:

• If the user is separated, that is their primary affiliation.

• If the ncsuPrimaryRole is one of faculty, staff, or student, then that is used as their primary affiliation.

• Otherwise, their primary affiliation is set to affiliate.

---

Contact: shibboleth-help@ncsu.edu | Page last modified: February 10, 2015