User Affiliations on NC State IdP
The eduPersonAffiliation attribute provides values which define the user's affiliation with NC State. We populate these values based upon the user's ncsuPrimaryRole attribute found in our LDAP.
Definitions of Each Role Value
Note that users who are both employed by the university and enrolled as students are customarily set with ncsuPrimaryRole = staff or faculty, but not student. We check for this dual role when we assign the student affiliation.
member = User has an ncsuPrimaryRole of student, staff, or faculty.
affiliate = Opposite of member. These users are usually incoming or former students, or former employees.
student = User has an ncsuPrimaryRole of student. Or, the user has an ncsuPrimaryRole of staff or faculty, and they are currently enrolled in a degree curriculum.
staff = User has an ncsuPrimaryRole of staff or faculty.
faculty = User has an ncsuPrimaryRole of faculty. (All faculty are also staff, but not all staff are faculty.)
separated = A special value defined by NC State. See the section below.
employee = Not used by NC State. Look for staff instead.
alum = Not used by NC State.
Examples by User Types
A current student would have eduPersonAffiliation = member, student.
A current employee would have eduPersonAffiliation = member, staff.
A current faculty member would have eduPersonAffiliation = member, staff, faculty.
A current employee who is also a student would have: eduPersonAffiliation = member, staff, student.
A future student who has not yet enrolled would have: eduPersonAffiliation = affiliate, separated.
A former student with a partially disabled account would have: eduPersonAffiliation = affiliate, separated.
A former employee who still has an account flag for access would have: eduPersonAffiliation = affiliate.
A former employee otherwise would have: eduPersonAffiliation = affiliate, separated.
Separated
This affiliation is intended to help our service providers distinguish between active accounts and accounts that are still able to authenticate even though the user has left or has not yet joined the university.
We declare that a user is "separated" if they do not appear in the master list of currently active students, and they do not have group memberships as a currently employed staff member. The specific algorithm is:
Assume the user is separated=1
If the user is a member of one of these hesiod staff groups, set separated=0: ncsu_staff, ncsu_ptstaff, ncsu_access.
If the user's primary_role is student, set separated=0. These are users identified by OIM as active students.
If the user is krb_disabled, then set separated=1, regardless of other groups.
Any user with separated=1 will have the separated affiliation added to their affiliation list. Separated will also be set as their primary affiliation, overriding any other result.
eduPersonPrimaryAffiliation
This is a single-valued attribute that represents the primary role of the user at the university. We set the eduPersonPrimaryAffiliation as follows:
If the user is separated, that is their primary affiliation.
If the ncsuPrimaryRole is one of faculty, staff, or student, then that is used as their primary affiliation.
Otherwise, their primary affiliation is set to affiliate.
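The role definitions, the "separated" steps and the primary-affiliation rules above, combined in one added example (not NC State's own code). The function and parameter names are assumptions, `primary_role` in the algorithm is assumed to be the same value as ncsuPrimaryRole, and `sp_allows` is a hypothetical service-provider check.

```python
# Added example. Parameter names are assumptions, and "primary_role" in the
# algorithm is assumed to be the same value as ncsuPrimaryRole.
STAFF_GROUPS = {"ncsu_staff", "ncsu_ptstaff", "ncsu_access"}
MEMBER_ROLES = {"student", "staff", "faculty"}


def is_separated(primary_role, hesiod_groups, krb_disabled):
    """Apply the four steps of the 'separated' algorithm in order."""
    separated = True                        # step 1: assume separated
    if STAFF_GROUPS & set(hesiod_groups):   # step 2: hesiod staff group
        separated = False
    if primary_role == "student":           # step 3: active student
        separated = False
    if krb_disabled:                        # step 4: overrides steps 2 and 3
        separated = True
    return separated


def affiliations(primary_role, hesiod_groups=(), enrolled=False,
                 krb_disabled=False):
    """Return (eduPersonAffiliation values, eduPersonPrimaryAffiliation)."""
    employed = primary_role in ("staff", "faculty")
    values = ["member" if primary_role in MEMBER_ROLES else "affiliate"]
    if employed:
        values.append("staff")
    if primary_role == "faculty":
        values.append("faculty")
    if primary_role == "student" or (employed and enrolled):
        values.append("student")
    if is_separated(primary_role, hesiod_groups, krb_disabled):
        values.append("separated")
        return values, "separated"          # separated overrides the role
    if primary_role in MEMBER_ROLES:
        return values, primary_role
    return values, "affiliate"


def sp_allows(values, required):
    """Service-provider check: required affiliation present, not separated."""
    return required in values and "separated" not in values


if __name__ == "__main__":
    # Constructed inputs; None stands for a role outside student/staff/faculty.
    print(affiliations("staff", ["ncsu_staff"], enrolled=True))
    print(affiliations(None, ["ncsu_access"]))
    print(affiliations("student", krb_disabled=True))
```

Following the steps as written, a krb_disabled student keeps member and student alongside separated, which is why `sp_allows` tests for separated explicitly instead of relying on member alone.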