Shibboleth at NC State » Technical Documentation » User Affiliations

User Affiliations on NC State IdP

The eduPersonAffiliation attribute provides values which define the user's affiliation with NC State. We populate these values based upon the user's ncsuPrimaryRole attribute found in our LDAP.

Definitions of Each Role Value

Note that users who are both employeed by the university and enrolled as students are customarily set with ncsuPrimaryRole = staff or faculty, but not student. We check for this dual role when we assign the student affiliation.

Examples by User Types


This affiliation is intended to be used to help our service providers distinguish between active accounts, and those that are still able to authenticate even though they have left or have not yet joined the university.

We declare that a user is "separated" if they do not appear in the master list of currently active students, and they do not have group memberships as a currently employed staff member. The specific algorithm is:

  1. Assume the user is separated=1

  2. If the user is a member of one of these hesiod staff groups, set separated=0: ncsu_staff, ncsu_ptstaff, ncsu_access.

  3. If the user is listed as primary_role is student, set separated=0. These are users identified by OIM as active students.

  4. If the user is krb_disabled, then set separated=1, regardless of other groups.

Any user with separated=1 will have the separated affiliation added to their affiliation list. Separated will also be set as their primary affiliation, overriding any other result.


This is a single-valued attribute that represents the primary role of the user at the university. We set the eduPersonPrimaryAffiliation as follows: