
Attributes Provided by NC State IdP

List of available attributes

Our attribute release policy only allows eduPersonPrimaryAffiliation, eduPersonScopedAffiliation, and eduPersonTargetedID to be released by default to all Service Providers. We have additional Attribute Release Policies that apply to the members of our federations and to groups within those federations. A service provider may request additional attributes from this list when they enroll with our IdP, if they provide justification for the use.

NC State IdP Attribute Table
| AttributeID | SAML1 / SAML2 Names | Description | Example Value |
| --- | --- | --- | --- |
| Account Attributes | | | |
| eduPersonPrincipalName | urn:mace:dir:attribute-def:eduPersonPrincipalName urn:oid: | | |
| uid | urn:mace:dir:attribute-def:uid urn:oid:0.9.2342.19200300.100.1.1 | unityid | jqpublic |
| campusPermanentId | urn:oid: | campus id number | |
| ncsuCampusId | ncsuCampusId | campus id number | 001234567 |
| eduPersonTargetedID | urn:mace:dir:attribute-def:eduPersonTargetedID urn:oid: | an opaque string unique to the IdP/SP/user combo | https:/! https:/! EzoRtfstww6btrtCL7MA7PE0IoU |
| ncsuPasswordExpired [1] | urn:oid: | Y = the user has an expired password, N = the password is not expired | N |
| ncsuPasswordExpDate | urn:oid: | the expiration date for the user's password | Tue Dec 02 2014 09:59:08 GMT-0500 (EST) |
| ncsuEnrolledTwoFactor [2] | urn:oid: | Y = the user is enrolled in Duo, N = not enrolled | N |
| ncsuAuthedTwoFactor | urn:oid: | Y = the user authed to Duo, N = Duo was bypassed | N |
| logoutURL [3] | | fixed URL, used to create a logout link | |
| eduPersonPrimaryAffiliation | urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation urn:oid: | one of (student, staff, faculty, affiliate, separated [4]) | student |
| eduPersonAffiliation | urn:mace:dir:attribute-def:eduPersonAffiliation urn:oid: | one or more of (member, student, employee, faculty, staff, alum, affiliate, separated) | student; member |
| eduPersonScopedAffiliation | urn:mace:dir:attribute-def:eduPersonScopedAffiliation urn:oid: | affiliation +; | |
| isMemberOf [5] | urn:oid: | list of AD group memberships | CN=NCSU-J-Unity Users,OU=Managed Groups,OU=NCSU,DC=wolftech,DC=ad,DC=ncsu,DC=edu; ... |
| Personal Attributes | | | |
| mail | urn:mace:dir:attribute-def:mail urn:oid:0.9.2342.19200300.100.1.3 | preferred email address | |
| sn | urn:mace:dir:attribute-def:sn urn:oid: | surname | Public |
| givenName | urn:mace:dir:attribute-def:givenName urn:oid: | first name | Jonathan |
| displayName | urn:mace:dir:attribute-def:displayName urn:oid:2.16.840.1.113730.3.1.241 | preferred full name | Jon Public |
| ncsuPrivate | urn:oid: | "P" if the record has a privacy block, not set otherwise | "" |
| Student Attributes | | | |
| ncsuClassCode | ncsu.students.ncsuClassCode | short code representing class of student | SO |
| ncsuClassName | ncsu.students.ncsuClassName | academic class of student | Sophomore |
| ncsuCurriculumCode | ncsu.students.ncsuCurriculumCode | short code representing curriculum of student | HB |
| ncsuCurriculumName | ncsu.students.ncsuCurriculumName | academic curriculum of student | Biological Sciences-Human Biology |
| Employee Attributes | | | |
| employeeType | urn:mace:dir:attribute-def:employeeType urn:oid:2.16.840.1.113730.3.1.4 | position type of employee | SPA Employee |
| employeeTitle | ncsu.employees.employeeTitle | position description of employee | Web Systems Programmer |
| ncsuAffiliation | ncsu.employees.ncsuAffiliation | department the employee is affiliated with | Ofc of Information Technology |
| departmentNumber | ncsu.employees.departmentNumber | numerical identification number of employee's department | 517101 |
| departmentName | ncsu.employees.departmentName | unit name of employee's department | Shared Services |

Suggested environment variable names for attributes

While there don't appear to be any standards for these mappings, perhaps it's a good thing to start one here on campus so we all know what we're talking about. These variable name mappings are discussed on our Mapping Attributes page.

Attribute Environment Variable Names
| AttributeID | Environment Variable |
| --- | --- |
| Account Attributes | |
| eduPersonPrincipalName | SHIB_EPPN |
| campusPermanentId | SHIB_CPID |
| ncsuCampusId | SHIB_NCSU_CID |
| eduPersonTargetedID | SHIB_EPTID |
| ncsuPasswordExpired | SHIB_PWEXPIRED |
| ncsuEnrolledTwoFactor | SHIB_2FENROLL |
| ncsuAuthedTwoFactor | SHIB_2FAUTHED |
| eduPersonPrimaryAffiliation | SHIB_PRIMARY |
| eduPersonAffiliation | SHIB_UNAFFILIATION |
| eduPersonScopedAffiliation | SHIB_AFFILIATION |
| Personal Attributes | |
| ncsuPrivate | SHIB_PRIVATE |
| Student Attributes | |
| ncsuCurriculumCode | SHIB_STU_CURRICCODE |
| ncsuCurriculumName | SHIB_STU_CURRICNAME |
| Employee Attributes | |
| employeeType | SHIB_EMP_TYPE |
| employeeTitle | SHIB_EMP_TITLE |
| ncsuAffiliation | SHIB_EMP_AFFIL |
| departmentNumber | SHIB_EMP_DEPTNUM |
| departmentName | SHIB_EMP_DEPTNAME |
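
As an added example (not part of the NC State documentation), here is how a Service Provider application might make a fail-closed access decision from the suggested variable names above. The Shibboleth SP joins multi-valued attributes with `;` and escapes literal semicolons as `\;`; the allowed-affiliation set, the refusal of "separated", and the function names are assumptions for illustration.

```python
import re

# Assumed local policy for this illustration, not an NC State rule.
ALLOWED_AFFILIATIONS = {"student", "faculty", "staff"}


def split_values(raw):
    """Split a multi-valued SP attribute on ';', honouring '\\;' escapes."""
    if not raw:
        return []
    parts = re.split(r"(?<!\\);", raw)
    return [p.replace("\\;", ";").strip() for p in parts if p.strip()]


def authorize(env, require_two_factor=True):
    """Return (allowed, reason) for one request.

    env is the server-side environment populated by the Shibboleth SP
    (for example a WSGI environ), never client-supplied request headers.
    """
    affiliations = set(split_values(env.get("SHIB_UNAFFILIATION")))
    primary = (env.get("SHIB_PRIMARY") or "").strip()
    if primary:
        affiliations.add(primary)

    # Assumption: this application refuses anyone carrying "separated".
    if "separated" in affiliations:
        return False, "separated affiliation"
    if not affiliations & ALLOWED_AFFILIATIONS:
        return False, "no permitted affiliation released"

    # An absent attribute means it was not released to this SP; treat it
    # as "N" instead of assuming the second factor was used.
    if require_two_factor and env.get("SHIB_2FAUTHED", "N") != "Y":
        return False, "second factor not completed"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample environments, not real user data.
    samples = [
        {"SHIB_PRIMARY": "student", "SHIB_UNAFFILIATION": "student; member",
         "SHIB_2FAUTHED": "Y"},
        {"SHIB_PRIMARY": "staff", "SHIB_2FAUTHED": "N"},
        {"SHIB_PRIMARY": "separated", "SHIB_2FAUTHED": "Y"},
        {},  # no affiliation attributes present at all
    ]
    for env in samples:
        print(env, "->", authorize(env))
```

Because only three attributes are released by default, an SP that has not requested the two-factor attributes will see them as absent, and this check then denies access until the release is arranged.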

Attribute Release Policies

Our official Attribute Release Policy statement can be downloaded here: NC State Attribute Release Policy (pdf). It lists the attributes that we release by default to each of the federation member SPs.

We also have special policies for categories of SPs within these federations.

  1. Since IdP version 3 (upgraded May 2016), our IdP does not allow authentication with an expired password. Service Providers should always get ncsuPasswordExpired=N for all users.

  2. See the Two-Factor Attributes page for more information about these attributes.

  3. logoutURL is defined by the UNC Systems Federation and should only be used by those members. See Shibboleth Logout for information on the correct way to create a logout URL for your users.

  4. See the Separated Affiliation documentation to understand how this affiliation is expected to be used.

  5. See the Group Membership documentation for more information.