Account Services on the Web
Page Help
Attributes
In addition to the obvious advantage of being able to federate with virtually every university of any importance, one of the advantages of Shibboleth is that the authentication process can deliver a set of "Attributes" which you can use to help make authorization decisions.
At Iowa State we have decided to make all the attributes available in the public LDAP directories available to on-campus Service Providers. These attributes are available to your web server and CGI programs as environment variables whose names match the LDAP attributes names. One quirk is that if the LDAP attribute has an empty value, that attribute is not included in the environment.
As of 05-May-2016 the attributes are:
| Friendly Name (OID) | Count | Who | Description | Example |
|---|---|---|---|---|
| uid (0.9.2342.19200300.100.1.1) | 1 | All | Net-ID | jqpublic |
| mail (0.9.2342.19200300.100.1.3) | 1 | All | Email Address | jqpublic@iastate.edu |
| userClass (0.9.2342.19200300.100.1.8) | 1 | All | faculty│staff│student│affiliate | staff |
| description (2.5.4.13) | 1 | All | Name and Affiliation | John Q Public - staff |
| ou (2.5.4.11) | 1 | E | Organizational Unit | IT Services Systems & Operations |
| title (2.5.4.12) | 1 | E | Job Title (possibly generic) | Senior Systems Analyst [ITSYS] |
| cn (2.5.4.3) | 1..N | All | Common Name(s) | John Q Public;John Public;John Quincy Public |
| displayName (2.16.840.1.113730.3.1.241) | 1 | All | Display Name | Public, John Q [ITSYS] |
| givenName (2.5.4.42) | 1 | All | Given Name | John |
| sn (2.5.4.4) | 1 | All | Surname (family name) | Public |
| telephoneNumber (2.5.4.20) | 1 | All | Office or In-Session Phone | +1 515 294 4000 |
| facsimileTelephoneNumber (2.5.4.23) | 0..1 | All | Fax Number | +1 515 294 4000 |
| street (2.5.4.9) | 1 | All | Street Address | 291 Durham |
| l (2.5.4.7) | 1 | All | Locality (city) | Ames |
| st (2.5.4.8) | 1 | All | State | IA |
| postalCode (2.5.4.17 | 1 | All | Zipcode | 500112251 |
| postalAddress (2.5.4.16) | 1 | All | Office or In-Session Address | 291 Durham $ Ames IA $ 500112251 |
| postOfficeBox (2.5.4.18) | 0..1 | All | Post Office Box | po box 123 |
| homePhone (0.9.2342.19200300.100.1.20) | 0..1 | All | Home Phone | +1 515 555 1212 |
| homePostalAddress (0.9.2342.19200300.100.1.39) | 0..1 | All | Home Address | 123 Main St $ Anytown IA $ 501234567 |
| eduPersonPrincipalName (1.3.6.1.4.1.5923.1.1.1.6) | 1 | All | Net-ID @ Identity-Provider | jqpublic@iastate.edu |
| eduPersonAffiliation (1.3.6.1.4.1.5923.1.1.1.1) | 1..N | All | faculty│staff│student│affiliate | staff |
| eduPersonPrimaryAffiliation (1.3.6.1.4.1.5923.1.1.1.5) | 1 | All | faculty│staff│student│affiliate | staff |
| eduPersonOrgDN (1.3.6.1.4.1.5923.1.1.1.3) | 1 | All | Organization | o=Iowa State University, dc=iastate, dc=edu |
| eduPersonOrgUnitDN (1.3.6.1.4.1.5923.1.1.1.4) | 1 | All | OU, Organization | ou=IT Services Systems & Operations, o=Iowa State University, dc=iastate, dc=edu |
| eduPersonNickname (1.3.6.1.4.1.5923.1.1.1.2) | 0..1 | All | Nickname | Anything |
| isuPersonMiddleInitial (1.3.6.1.4.1.5923.1.3.106) | 0..1 | All | First Letter of Middle Name | Q |
| isuPersonMiddleName (1.3.6.1.4.1.5923.1.3.108) | 0..1 | All | Middle Name | Quincy |
| isuPersonPersistentID (1.3.6.1.4.1.5923.1.3.123) | 1 | All | Unique & Unchanging | 123456 |
| isuPersonStatus (1.3.6.1.4.1.5923.1.3.101) | 1 | All | Net-ID is [in]active | active |
| isuPersonEmploymentStatus (1.3.6.1.4.1.5923.1.3.127) | 1 | All | Employed | Y |
| isuPersonRegistrationStatus (1.3.6.1.4.1.5923.1.3.128) | 1 | All | Registered (student) | Y |
| isuPersonSponsorsNetID (1.3.6.1.4.1.5923.1.3.126) | 0..1 | A | Sponsor's Net-ID | jsponsor |
| isuPersonDeptNum (1.3.6.1.4.1.5923.1.3.91) | 0..1 | E | 5 Digit Number | 26797 |
| isuPersonDeptAbrvn (1.3.6.1.4.1.5923.1.3.92) | 0..1 | E | 5 Character Abbreviation | ITSYS |
| isuPersonDeptShortname (1.3.6.1.4.1.5923.1.3.93) | 0..1 | E | 15 Characters Max | IT Services SYS |
| isuPersonDeptName (1.3.6.1.4.1.5923.1.3.94) | 0..1 | E | 40 Characters Max | IT Services Systems & Operations |
| isuPersonAdministrativeUnit (1.3.6.1.4.1.5923.1.3.99) | 0..1 | E | College or Unit | Information Technology Services |
| isuPersonCollege (1.3.6.1.4.1.5923.1.3.110) | 0..1 | S | College | College of Engineering |
| isuPersonCollege2 (1.3.6.1.4.1.5923.1.3.113) | 0..1 | S | College (of 2nd Major) | College of Liberal Arts and Sciences |
| isuPersonCollegeAbbrev (1.3.6.1.4.1.5923.1.3.109) | 0..1 | S | College | ENGR |
| isuPersonCollegeAbbrev2 (1.3.6.1.4.1.5923.1.3.112) | 0..1 | S | College (of 2nd Major) | LAS |
| isuPersonMajor (1.3.6.1.4.1.5923.1.3.111) | 0..1 | S | Major | CPR E |
| isuPersonMajor2 (1.3.6.1.4.1.5923.1.3.114) | 0..1 | S | Major (2nd) | CHEM |
| isuPersonStudentMajor (1.3.6.1.4.1.5923.1.3.115) | 0..1 | S | Major | CPR E |
| isuPersonUidNumber (1.3.6.1.4.1.5923.1.3.102) | 1 | All | "Unix" Users ID Number | 12345 |
| isuPersonGidNumber (1.3.6.1.4.1.5923.1.3.103) | 1 | All | "Unix" Group ID Number | 101 |
| isuPersonLoginShell (1.3.6.1.4.1.5923.1.3.117) | 1 | All | "Unix" Login Shell | /bin/bash |
| isuPersonHomeDirectory (1.3.6.1.4.1.5923.1.3.118) | 1 | All | "Unix" Home Directory | /home/jqpublic |
| isuPersonMacosxPath (1.3.6.1.4.1.5923.1.3.104) | 1 | All | Macintosh Home Directory | /Users/jqpublic |
| isuPersonMacosxLabPath (1.3.6.1.4.1.5923.1.3.105) | 1 | All | Still Used? | /Users/LabUser |
| isuPersonVpnIp (1.3.6.1.4.1.5923.1.3.119) | 1 | All | ISU VPN Address | 10.65.66.67 |
| isuPersonVpnNetmask (1.3.6.1.4.1.5923.1.3.122) | 1 | All | ISU VPN Network Mask | 255.254.0.0 |
Who: All = Everyone, S = Students, E = Employees, A = Affiliates
Note: the attributes which start with isuPerson are "unlikely" to be available for federated users. Additionally other Identity Providers likely release far fewer attributes and they may use standard fields in non-standard ways.
The name, address & phone attributes are subject to redaction based on the person's privacy settings.
If you need additional flexibility making authorization decisions you may find the mod_isuacl Apache module useful.
