Attributes Provided by NC State IdP
List of available attributes
Our attribute release policy only allows eduPersonPrimaryAffiliation, eduPersonScopedAffiliation, and eduPersonTargetedID to be released by default to all Service Providers. We have additional Attribute Release Policies that apply to the members of our federations and to groups within those federations. A service provider may request additional attributes from this list when they enroll with our IdP, if they provide justification for the use.
AttributeID | SAML1 / SAML2 Names | Description | Example Value |
---|---|---|---|
Account Attributes | |||
eduPersonPrincipalName | urn:mace:dir:attribute-def:eduPersonPrincipalName urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | unityid@ncsu.edu | jqpublic@ncsu.edu |
uid | urn:mace:dir:attribute-def:uid urn:oid:0.9.2342.19200300.100.1.1 | unityid | jqpublic |
campusPermanentId | urn:oid:1.3.6.1.4.1.32548.1.1.2 | campus id number @ncsu.edu | 001234567@ncsu.edu |
ncsuCampusId | ncsuCampusId | campus id number | 001234567 |
eduPersonTargetedID | urn:mace:dir:attribute-def:eduPersonTargetedID urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | an opaque string unique to the IdP/SP/user combo | https:/shib.ncsu.edu/idp/shibboleth! https:/mysp.ncsu.edu/sp/shibboleth! EzoRtfstww6btrtCL7MA7PE0IoU |
ncsuPasswordExpired 1 | urn:oid:1.3.6.1.4.1.234.1.37 | Y = the user has an expired password, N = the password is not expired | N |
ncsuPasswordExpDate | urn:oid:1.3.6.1.4.1.234.1.38 | the expiration date for the user's password | Tue Dec 02 2014 09:59:08 GMT-0500 (EST) |
ncsuEnrolledTwoFactor 2 | urn:oid:1.3.6.1.4.1.234.1.43 | Y = the user is enrolled in Duo, N = not enrolled | N |
ncsuAuthedTwoFactor | urn:oid:1.3.6.1.4.1.234.1.44 | Y = the user authed to Duo, N = Duo was bypassed | N |
ncsuRenames 3 | ncsuRenames | if the user's uid was renamed, this attribute will provide a list of previous uids | jqpablic |
logoutURL 4 | federation.northcarolina.edu.logouturl | fixed URL, used to create a logout link | https://shib.ncsu.edu/idp/logout.jsp |
Affiliations | |||
eduPersonPrimaryAffiliation | urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation urn:oid:1.3.6.1.4.1.5923.1.1.1.5 | one of (student, staff, faculty, affiliate, separated 5) | student |
eduPersonAffiliation | urn:mace:dir:attribute-def:eduPersonAffiliation urn:oid:1.3.6.1.4.1.5923.1.1.1.1 | one or more of (member, student, employee, faculty, staff, alum, affiliate, separated) | student; member |
eduPersonScopedAffiliation | urn:mace:dir:attribute-def:eduPersonScopedAffiliation urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | affiliation + @ncsu.edu | student@ncsu.edu; member@ncsu.edu |
isMemberOf 6 | urn:oid:1.3.6.1.4.1.5923.1.5.1.1 | list of fully qualified AD group memberships | CN=NCSU-J-Unity Users,OU=Managed Groups,OU=NCSU,DC=wolftech,DC=ad,DC=ncsu,DC=edu; ... |
ncsuADGroups | ncsuADGroups | list of AD groups by common name (CN) only | NCSU-J-Unity Users; PERSONA-OIT.oit; ... |
Personal Attributes | |||
mail | urn:mace:dir:attribute-def:mail urn:oid:0.9.2342.19200300.100.1.3 | preferred email address | jon_public@ncsu.edu |
sn | urn:mace:dir:attribute-def:sn urn:oid:2.5.4.4 | surname | Public |
givenName | urn:mace:dir:attribute-def:givenName urn:oid:2.5.4.42 | first name | Jonathan |
displayName | urn:mace:dir:attribute-def:displayName urn:oid:2.16.840.1.113730.3.1.241 | preferred full name | Jon Public |
ncsuPrivate | urn:oid:1.3.6.1.4.1.234.1.1 | "P" if the record has a privacy block, not set otherwise | "" |
Student Attributes 7 | |||
ncsuClassCode | ncsu.students.ncsuClassCode | short code representing class of student | 20 |
ncsuClassName | ncsu.students.ncsuClassName | academic class of student | Sophomore |
ncsuCurriculumCode | ncsu.students.ncsuCurriculumCode | short code representing curriculum of student | 11BIOSCBS |
ncsuCurriculumName | ncsu.students.ncsuCurriculumName | academic curriculum of student | Biological Sciences-BS |
Employee Attributes 8 | |||
employeeType | urn:mace:dir:attribute-def:employeeType urn:oid:2.16.840.1.113730.3.1.4 | position type of employee | SPA Employee |
employeeTitle | ncsu.employees.employeeTitle | position description of employee | Web Systems Programmer |
ncsuAffiliation | ncsu.employees.ncsuAffiliation | department the employee is affiliated with | Ofc of Information Technology |
departmentNumber | ncsu.employees.departmentNumber | numerical identification number of employee's department | 517101 |
departmentName | ncsu.employees.departmentName | unit name of employee's department | Shared Services |
Suggested environment variable names for attributes
While there don't appear to be any standards for these mappings, perhaps it's a good thing to start one here on campus so we all know what we're talking about. These variable name mappings are discussed on our Mapping Attributes page.
AttributeID | Environment Variable |
---|---|
Account Attributes | |
eduPersonPrincipalName | SHIB_EPPN |
uid | SHIB_UID |
campusPermanentId | SHIB_CPID |
ncsuCampusId | SHIB_NCSU_CID |
eduPersonTargetedID | SHIB_EPTID |
ncsuPasswordExpired | SHIB_PWEXPIRED |
ncsuPasswordExpDate | SHIB_PWEXPIREDATE |
ncsuEnrolledTwoFactor | SHIB_2FENROLL |
ncsuAuthedTwoFactor | SHIB_2FAUTHED |
ncsuRenames | SHIB_RENAMES |
Affiliations | |
eduPersonPrimaryAffiliation | SHIB_PRIMARY |
eduPersonAffiliation | SHIB_UNAFFILIATION |
eduPersonScopedAffiliation | SHIB_AFFILIATION |
isMemberOf | SHIB_MEMBEROF |
ncsuADGroups | SHIB_GROUPS |
Personal Attributes | |
mail | SHIB_MAIL |
sn | SHIB_SN |
givenName | SHIB_GIVENNAME |
displayName | SHIB_DISPLAYNAME |
ncsuPrivate | SHIB_PRIVATE |
Student Attributes | |
ncsuClassCode | SHIB_STU_CLASSCODE |
ncsuClassName | SHIB_STU_CLASSNAME |
ncsuCurriculumCode | SHIB_STU_CURRICCODE |
ncsuCurriculumName | SHIB_STU_CURRICNAME |
Employee Attributes | |
employeeType | SHIB_EMP_TYPE |
employeeTitle | SHIB_EMP_TITLE |
ncsuAffiliation | SHIB_EMP_AFFIL |
departmentNumber | SHIB_EMP_DEPTNUM |
departmentName | SHIB_EMP_DEPTNAME |
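An added example (not NC State's code) of an application behind a Shibboleth SP making an access decision from these variables. It assumes the SP exports attributes under the suggested names above and joins multiple values with `;` (escaping literal semicolons as `\;`); `split_values`, `scoped_affiliations` and `authorize` are hypothetical helper names. Because most attributes are released only by policy, an attribute that is absent is treated as a denial rather than as a default.

```python
import re

SCOPE = "ncsu.edu"  # scope used in the page's example values

def split_values(raw):
    """Split a multi-valued SP variable on unescaped ';' and unescape '\\;'."""
    if not raw:
        return []
    parts = re.split(r"(?<!\\);", raw)
    return [p.replace("\\;", ";").strip() for p in parts if p.strip()]

def scoped_affiliations(env):
    """Return affiliations from SHIB_AFFILIATION whose scope is exactly SCOPE."""
    found = set()
    for value in split_values(env.get("SHIB_AFFILIATION")):
        affiliation, sep, scope = value.rpartition("@")
        if sep and affiliation and scope.lower() == SCOPE:
            found.add(affiliation.lower())
    return found

def authorize(env, allowed, require_2fa=True):
    """Return (allowed?, reason). A missing attribute always denies."""
    eppn = env.get("SHIB_EPPN", "")
    local, sep, scope = eppn.rpartition("@")
    if not (sep and local and scope.lower() == SCOPE):
        return False, "missing or foreign eduPersonPrincipalName"
    if not scoped_affiliations(env) & set(allowed):
        return False, "no permitted affiliation"
    # Only the literal "Y" counts; "N" (Duo bypassed) and unset both deny.
    if require_2fa and env.get("SHIB_2FAUTHED") != "Y":
        return False, "two-factor not performed"
    return True, "ok"

# Constructed request environment, built from the page's example values.
SAMPLE_ENV = {
    "SHIB_EPPN": "jqpublic@ncsu.edu",
    "SHIB_AFFILIATION": "student@ncsu.edu; member@ncsu.edu",
    "SHIB_2FENROLL": "N",
    "SHIB_2FAUTHED": "N",
}

if __name__ == "__main__":
    print(authorize(SAMPLE_ENV, {"student"}))
    print(authorize(SAMPLE_ENV, {"student"}, require_2fa=False))
```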
Attribute Release Policies
Our official Attribute Release Policy statement can be downloaded here: NC State Attribute Release Policy (pdf). It lists the attributes that we release by default to each of the federation member SPs.
We also have special policies for categories of SPs within these federations.
InCommon Research and Scholarship
We participate in the InCommon Research and Scholarship category with our IdP. We release these attributes to these SPs:
- eduPersonPrincipalName
- givenName
- sn
- displayName
WRAP-like NC State SPs
We have defined our own category of SPs within the NCSU Federation for sites that seek to use Shibboleth to replace the functionality of our older WRAP authentication system. Members of this category will only receive these attributes:
- eduPersonPrincipalName
- uid
- eduPersonAffiliation
- eduPersonPrimaryAffiliation
- ncsuPasswordExpDate
- ncsuPasswordExpired
- ncsuEnrolledTwoFactor
- ncsuAuthedTwoFactor
Members of this category will not receive the campusPermanentId attribute, nor any of the Personal Attributes listed above, even though those are normally released to NCSU Federation members.
1. Since IdP version 3 (upgraded May 2016), our IdP does not allow authentication with an expired password. Service Providers should always get ncsuPasswordExpired=N for all users.
2. See the Two-Factor Attributes page for more information about these attributes.
3. See the Account Renames page for more information about this attribute.
4. logoutURL is defined by the UNC Systems Federation and should only be used by those members. See Shibboleth Logout for information on the correct way to create a logout URL for your users.
5. See the Separated Affiliation documentation to understand how this affiliation is expected to be used.
6. See the Group Membership documentation for more information.
7. See the Student Attributes page for more information.
8. See the Employee Attributes page for more information.