This page describes, with examples, the key attributes needed to support and enforce appropriate access to CCC-wide services and cloud services. These are the attributes that college/district Identity Providers need to support and release to various services, including the CCC IdP Proxy.

Info
The eduPerson schema ( http://software.internet2.edu/eduperson/internet2-mace-dir-eduperson-201602.html ) has a more detailed description of many of these attributes and their intended meaning and purpose.

Using Your College Identity to Access CCC-wide and Cloud Services – the Importance of eduPersonPrincipalName

When your users log in to services at your college or within your district, they enter a Username and a password. Most commonly that Username is matched against the sAMAccountName or the uid attribute for the user in your Active Directory or other LDAP directory. Sometimes, particularly for students, you might have the student enter some other student identifier as their Username. Generally, most colleges don't require their users to add a '@college.edu' type suffix when they enter their Username.

However, for CCC-wide and Cloud Services, which can provide services to many different institutions, having a user identifier that is "globally unique" is very advantageous. Such an identifier has been defined: eduPersonPrincipalName, or EPPN for short. It was first defined as part of the eduPerson schema, linked to above. EPPN has the syntax of an email address, and might even "work" as an email address, but its purpose is to be a globally unique federated identifier, rather than an email address. It is generally the most important attribute to be shared with federated services.

The standard practice in the Higher Education community is to construct the EPPN by taking some local campus identifier (often sAMAccountName or uid, but sometimes some other local identifier like an employee or student id number) and adding to it a suffix of the form @college.edu. So the EPPN for Jane Smith, who has a sAMAccountName of jsmith, at Best Community College, which has a campus domain of bestcc.edu, will typically be jsmith@bestcc.edu. But depending on how the college manages the sAMAccountName attribute for its users, if Jane Smith has a student id of 12345678, the college might choose to make her EPPN 12345678@bestcc.edu instead.
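
The construction described above, as an added example (not code from this page or from CCC): it builds an EPPN from a chosen local identifier and flags directory entries that would not receive a unique value. The `studentId` attribute name, the allowed character set, the case-insensitive collision check and the sample entries are assumptions made for illustration.

```python
import re

# Assumption: local identifiers are limited to this conservative character set.
LOCAL_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def build_eppn(entry, scope, source_attr="sAMAccountName"):
    """Return '<local identifier>@<scope>' for one directory entry."""
    local = (entry.get(source_attr) or "").strip()
    if not LOCAL_RE.match(local):
        # Rejects empty values and anything holding '@' or whitespace, which
        # would produce an ambiguous scoped identifier.
        raise ValueError(f"unusable {source_attr} value: {local!r}")
    return f"{local}@{scope}"


def assign_eppns(entries, scope, source_attr="sAMAccountName"):
    """Return ({eppn: cn}, problems); problems lists entries left without an EPPN."""
    seen, eppns, problems = {}, {}, []
    for entry in entries:
        try:
            eppn = build_eppn(entry, scope, source_attr)
        except ValueError as exc:
            problems.append((entry["cn"], str(exc)))
            continue
        # Assumption: compare case-insensitively, so 'JSmith' and 'jsmith'
        # can never end up identifying two different people at a service.
        key = eppn.lower()
        if key in seen:
            problems.append((entry["cn"], f"collides with {seen[key]}"))
            continue
        seen[key] = entry["cn"]
        eppns[eppn] = entry["cn"]
    return eppns, problems


# Constructed sample directory entries (not real data); 'studentId' is a
# hypothetical attribute name standing in for a local student id field.
DIRECTORY = [
    {"cn": "Jane Smith", "sAMAccountName": "jsmith", "studentId": "12345678"},
    {"cn": "John Smith", "sAMAccountName": "JSmith", "studentId": "23456789"},
    {"cn": "Ann Lee", "sAMAccountName": "", "studentId": "34567890"},
]

if __name__ == "__main__":
    for attr in ("sAMAccountName", "studentId"):
        eppns, problems = assign_eppns(DIRECTORY, "bestcc.edu", attr)
        print(attr, sorted(eppns), problems)
```
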

Here are the important considerations to keep in mind when deciding what your college/district should use as the EPPN for each of its users:

Minimally Required Attributes

...