Shibboleth at NC State » Technical Documentation » User Affiliations

User Affiliations on NC State IdP

The eduPersonAffiliation attribute provides values which define the user's affiliation with NC State. We populate these values based upon the user's ncsuPrimaryRole attribute found in our LDAP.

Definitions of Each Role Value

Note that users who are both employeed by the university and enrolled as students are customarily set with ncsuPrimaryRole = staff or faculty, but not student. We check for this dual role when we assign the student affiliation.

Examples by User Types


This affiliation is intended to be used to help our service providers distinguish between active accounts, and those that are still able to authenticate even though they have left the university.

We declare that a user is "separated" if they do not appear in the master list of currently active students, and they do not have group memberships as a currently employed staff member. The specific algorithm is:

  1. Assume the user is separated=1

  2. If the user is a member of one of these hesiod staff groups, set separated=0: ncsu_staff, ncsu_ptstaff, ncsu_access.

  3. If the user is listed as a current student by the SIS system, set separated=0.

  4. If the user is a workshop or test account, they will have one of these hesiod groups, set separated=0: temp, workshop.

  5. If the user is krb_disabled, then set separated=1, regardless of other groups.

Any user with separated=1 will have the separated affiliation added to their affiliation list. Separated will also be set as their primary affiliation, overriding any other result.

SP administrators may be able to use the SysNews User Lookup tool to verify the affiliations assigned to a user. This tool requires privileges to lookup other users, and those are only available to appropriate NCSU staff.


This is a single-valued attribute that represents the primary role of the user at the university. We set the eduPersonPrimaryAffiliation as follows: