
This page provides a description and examples of the key attributes that are needed to support and enforce appropriate access to CCC-wide SSO-federated applications and cloud services. These are the attributes which need to be supported by college/district Identity Providers and released to various services, including the CCC IdP SSO Proxy.


Info
The eduPerson schema ( http://software.internet2.edu/eduperson/internet2-mace-dir-eduperson-201602.html ) has a more detailed description of many of these attributes and their intended meaning and purpose.

...

However, for CCC applications and Cloud Services, which can provide services to many different institutions, having a user identifier that is "globally unique" is very advantageous.

Such an identifier has been defined and is called eduPersonPrincipalName, or EPPN for short. It was first defined as part of the eduPerson schema, linked to above. EPPN has the syntax of an email address, and might even "work" as an email address, but its purpose is to be a globally unique federated identifier, rather than an email address. It is generally the most important attribute to be shared with federated services.

EPPN Construction

The standard practice in the Higher Education community is that EPPN is constructed by taking some local campus identifier (often sAMAccountName or uid, but sometimes some other local identifier like an employee or student id number) and adding to it a suffix of the form @college.edu. That suffix is referred to as the "scope". So the EPPN for Jane Smith, who has a sAMAccountName of jsmith, at Best Community College, which has a campus domain of bestcc.edu, will typically be jsmith@bestcc.edu. But depending on how the college manages the sAMAccountName attribute for its users, if Jane Smith has a student id of 12345678, the college might choose to make her EPPN 12345678@bestcc.edu instead.
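As an added example (not code from this page or from the CCC project), the following Python builds an EPPN the way the paragraph describes, and shows the check a consuming service or SSO proxy should make on the other side: the scope of a received EPPN must be one the asserting IdP is actually registered for, otherwise one IdP could assert an identifier in another college's scope. The regular expressions and the per-IdP set of registered scopes (in practice taken from federation metadata) are assumptions of the example.

```python
"""Build scoped EPPN values and verify their scope (added example)."""
import re

# Shapes assumed for this example: eduPerson leaves the local part to the
# campus, and the scope is a DNS domain such as bestcc.edu.
_LOCAL_RE = re.compile(r"^[A-Za-z0-9._-]+$")
_SCOPE_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def build_eppn(local_id: str, scope: str) -> str:
    """Construct local_id@scope from a local identifier (sAMAccountName,
    uid or a student id) and the campus domain used as the scope."""
    if not _LOCAL_RE.match(local_id):
        raise ValueError(f"unacceptable local identifier: {local_id!r}")
    scope = scope.lower()          # domains are case-insensitive
    if not _SCOPE_RE.match(scope):
        raise ValueError(f"unacceptable scope: {scope!r}")
    return f"{local_id}@{scope}"


def split_eppn(eppn: str) -> tuple[str, str]:
    """Split an EPPN into (local part, scope).  The scope is lower-cased;
    the local part is left untouched because the campus decides its case."""
    local, sep, scope = eppn.rpartition("@")
    if not sep or not local or not scope or "@" in local:
        raise ValueError(f"not a scoped identifier: {eppn!r}")
    return local, scope.lower()


def is_trusted_scope(eppn: str, idp_scopes: set[str]) -> bool:
    """Relying-party check: accept the EPPN only if its scope is one the
    asserting IdP is registered for.  idp_scopes is assumed to come from the
    federation metadata entry of the IdP that signed the assertion."""
    try:
        _, scope = split_eppn(eppn)
    except ValueError:
        return False
    return scope in {s.lower() for s in idp_scopes}


if __name__ == "__main__":
    # Constructed sample values: Jane Smith at Best Community College.
    print(build_eppn("jsmith", "bestcc.edu"))
    print(build_eppn("12345678", "bestcc.edu"))
    registered = {"bestcc.edu"}
    print(is_trusted_scope("jsmith@bestcc.edu", registered))        # True
    print(is_trusted_scope("jsmith@othercollege.edu", registered))  # False
```

The scope check is the part worth keeping: Shibboleth IdPs and SPs apply the same idea through their scoped-attribute filter policy, so an EPPN whose scope does not belong to the sending IdP is dropped before any application sees it.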

...

Here is a diagram that illustrates how this all "fits together":

[Diagram image not reproduced in this export]

A. College sends a provisioning feed to the Cloud Service Provider, making sure the "user_id" is going to match what the Shibboleth IdP will send, either jsmith@college.edu or 12345678@college.edu.

...

Each attribute below is listed with its simple name, the SAMLv2 name used when it is sent in the SAMLv2 response, a short description, sample value(s), and a longer description.

eduPersonPrincipalName (EPPN)
  SAMLv2 name: urn:oid:1.3.6.1.4.1.5923.1.1.1.6
  Short description: Primary federated identifier of a given user from a college/district IdP.
  Sample value(s): jsmith@college.edu, 12345678@college.edu
  Description: EPPN has the syntax of an email address, but it really is a "globally unique federated identifier", not an email address. It is generally the most important attribute to be shared with federated services. See above for a much longer description of this critical attribute.

eduPersonAffiliation
  SAMLv2 name: urn:oid:1.3.6.1.4.1.5923.1.1.1.1
  Short description: Role within the institution
  Sample value(s):
  • staff
  • student
  • member
  • employee
  • faculty
  • affiliate
  Description: All of the roles a given person has within the college. Only the values defined in the eduPerson schema are allowed for this attribute; you cannot make up "new values" for it. The affiliate value identifies a person who has applied to one or more colleges but is not a student yet.
  This is the only attribute listed here that is intended to have multiple values. All the rest are expected to have a single value.

eduPersonPrimaryAffiliation
  SAMLv2 name: urn:oid:1.3.6.1.4.1.5923.1.1.1.5
  Short description: Primary role at the institution
  Sample value(s):
  • staff
  • student
  • faculty
  Description: Must be one of the values specified in eduPersonAffiliation. If the eduPersonAffiliation attribute has many values, the primary affiliation should reflect the role to be associated with services that differentiate based on this value (such as the CCC Portal). For example, if the user is both a staff member and a student, and the primary affiliation is staff, the portal experience will be geared towards a staff member.

uid
  SAMLv2 name: urn:oid:0.9.2342.19200300.100.1.1
  Short description: Username
  Sample value(s): jsmith
  Description: This is usually the value that the user fills in as their username when they log in. If you are using AD, the usual attribute you want to use to populate uid is the sAMAccountName attribute.

givenName
  SAMLv2 name: urn:oid:2.5.4.42
  Short description: First Name
  Sample value(s): Jane

sn (surname)
  SAMLv2 name: urn:oid:2.5.4.4
  Short description: Last Name
  Sample value(s): Smith

displayName
  SAMLv2 name: urn:oid:2.16.840.1.113730.3.1.241
  Short description: Full name to display
  Sample value(s): Jane Smith

mail (email)
  SAMLv2 name: urn:oid:0.9.2342.19200300.100.1.3
  Short description: Email Address
  Sample value(s): jane.smith@college.edu

cccId
  SAMLv2 name: https://www.openccc.net/saml/attributes/cccId
  Short description: The CCCID
  Description: The CCCID is a critical attribute for students. If it is not specified but is required for a portal or service action, the CCCID will be looked up via the EPPN. If no match is found, the action cannot be performed until the user creates a CCCID via the OpenCCC portlet.
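The rules in the table above (eduPersonAffiliation limited to the eduPerson vocabulary, eduPersonPrimaryAffiliation chosen from the affiliation values, and every attribute except eduPersonAffiliation single-valued) can be checked mechanically once the attributes are pulled out of the SAMLv2 response. The following Python is an added example, not code from this page or from the CCC IdP SSO Proxy. The AttributeStatement samples are constructed; treating EPPN as the one mandatory attribute is an assumption; and the code assumes the assertion's signature has already been verified by the SAML library that received it, since this check only looks at attribute content.

```python
"""Extract attributes from a SAMLv2 AttributeStatement and check them against
the attribute rules on this page (added example; the XML is constructed)."""
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

# SAMLv2 attribute Name -> simple name, as listed in the table.
SAML_NAMES = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "eduPersonAffiliation",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.5": "eduPersonPrimaryAffiliation",
    "urn:oid:0.9.2342.19200300.100.1.1": "uid",
    "urn:oid:2.5.4.42": "givenName",
    "urn:oid:2.5.4.4": "sn",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "https://www.openccc.net/saml/attributes/cccId": "cccId",
    "https://www.openccc.net/saml/attributes/cccMisCode": "cccMisCode",
}
AFFILIATIONS = {"staff", "student", "member", "employee", "faculty", "affiliate"}
MULTI_VALUED = {"eduPersonAffiliation"}   # the only multi-valued attribute
REQUIRED = {"eduPersonPrincipalName"}     # assumption: EPPN is mandatory


def parse_attributes(xml_text: str) -> dict[str, list[str]]:
    """Map simple attribute names to their list of values.  Unknown SAML
    names are kept under their raw Name so nothing is silently dropped."""
    root = ET.fromstring(xml_text)
    attrs: dict[str, list[str]] = {}
    for attribute in root.iter(f"{{{SAML2}}}Attribute"):
        name = SAML_NAMES.get(attribute.get("Name"), attribute.get("Name"))
        values = [v.text.strip()
                  for v in attribute.findall(f"{{{SAML2}}}AttributeValue")
                  if v.text and v.text.strip()]
        attrs.setdefault(name, []).extend(values)
    return attrs


def validate_attributes(attrs: dict[str, list[str]]) -> list[str]:
    """Return the list of rule violations; empty means the release matches."""
    problems = []
    for name in sorted(REQUIRED):
        if not attrs.get(name):
            problems.append(f"missing required attribute {name}")
    for name, values in attrs.items():
        if name not in MULTI_VALUED and len(values) > 1:
            problems.append(f"{name} must be single-valued, got {len(values)} values")
    affiliations = attrs.get("eduPersonAffiliation", [])
    undefined = sorted(set(affiliations) - AFFILIATIONS)
    if undefined:
        problems.append(f"eduPersonAffiliation has values outside eduPerson: {undefined}")
    primary = attrs.get("eduPersonPrimaryAffiliation", [])
    if primary and primary[0] not in affiliations:
        problems.append(f"eduPersonPrimaryAffiliation {primary[0]!r} is not one of "
                        f"the eduPersonAffiliation values {affiliations}")
    return problems


def _attr(name: str, *values: str) -> str:
    """Build one constructed <saml2:Attribute> element."""
    vals = "".join(f"<saml2:AttributeValue>{v}</saml2:AttributeValue>" for v in values)
    return f'<saml2:Attribute Name="{name}">{vals}</saml2:Attribute>'


def _statement(*attributes: str) -> str:
    """Wrap constructed Attribute elements in an AttributeStatement."""
    return (f'<saml2:AttributeStatement xmlns:saml2="{SAML2}">'
            + "".join(attributes) + "</saml2:AttributeStatement>")


# Constructed sample: Jane Smith is both staff and student, primary staff.
GOOD_STATEMENT = _statement(
    _attr("urn:oid:1.3.6.1.4.1.5923.1.1.1.6", "jsmith@college.edu"),
    _attr("urn:oid:1.3.6.1.4.1.5923.1.1.1.1", "staff", "student"),
    _attr("urn:oid:1.3.6.1.4.1.5923.1.1.1.5", "staff"),
    _attr("urn:oid:0.9.2342.19200300.100.1.1", "jsmith"),
    _attr("urn:oid:0.9.2342.19200300.100.1.3", "jane.smith@college.edu"),
)

# Constructed sample breaking four rules: no EPPN, two uid values, an
# affiliation value the schema does not define ("applicant" instead of
# "affiliate"), and a primary affiliation not among the affiliations.
BAD_STATEMENT = _statement(
    _attr("urn:oid:1.3.6.1.4.1.5923.1.1.1.1", "staff", "applicant"),
    _attr("urn:oid:1.3.6.1.4.1.5923.1.1.1.5", "faculty"),
    _attr("urn:oid:0.9.2342.19200300.100.1.1", "jsmith", "jane.smith"),
)

if __name__ == "__main__":
    for label, xml in (("good", GOOD_STATEMENT), ("bad", BAD_STATEMENT)):
        print(label, validate_attributes(parse_attributes(xml)) or "ok")
```

A check like this belongs at the point where an IdP's release is first consumed (the SSO proxy, or an application's SAML layer), so that a misconfigured IdP sending a made-up affiliation value or two uids surfaces as a logged validation failure rather than as a portal that behaves oddly for one college's users.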

    ...

    123

A second set of attributes, listed with the simple name, the SAMLv2 name used when sent in the SAMLv2 response, a short description, example values, and the number of values expected.

cccMisCode
  SAMLv2 name: https://www.openccc.net/saml/attributes/cccMisCode
  Description: The MIS code assigned to a college by the CCC. If an IdP is for the district and represents multiple colleges, each with its own MIS code, the IdP could send the district MIS code as a default.

eduPersonPrimaryAffiliation
  SAMLv2 name: urn:oid:1.3.6.1.4.1.5923.1.1.1.5
  Short description: Primary role at the institution
  Example values:
  • staff
  • student
  • faculty
  Number of values: 1

street
  SAMLv2 name: urn:oid:2.5.4.9
  Short description: Street address
  Example value: 303 Mulberry St.
  Number of values: many

locality
  SAMLv2 name: urn:oid:2.5.4.7
  Short description: City
  Example value: Metropolis
  Number of values: 1

st
  SAMLv2 name: urn:oid:2.5.4.8
  Short description: State or Province name
  Example value: CA
  Number of values: 1

postalCode
  SAMLv2 name: urn:oid:2.5.4.17
  Short description: Postal or zip code
  Example value: 12345
  Number of values: 1

homePhone
  SAMLv2 name: urn:oid:0.9.2342.19200300.100.1.20
  Short description: Home Phone Number
  Example value: +1 212 555 1234
  Number of values: 1

mobile
  SAMLv2 name: urn:oid:0.9.2342.19200300.100.1.41
  Short description: Mobile Phone Number
  Example value: +1 775 555 6789
  Number of values: 1

     

    ...