Guide to NameID Formats and Attributes Available from the UW IdP

This document describes the NameID formats and attributes that can be released by the UW Identity Provider (IdP) to SAML relying parties (e.g. Shibboleth SPs).

Background

In addition to providing user authentication and single sign-on (SSO) for web applications, SAML provides the capability for an IdP to release additional user information to an SP at authentication time. The user information is presented as a nameID and assertion attributes. Attributes are useful for access control decisions and personalization within the SP application. When integrating an application with SAML, it is helpful to know which NameID formats and attributes are available, where they come from, and what they look like. This guide provides that information.

NameIDs

NameIDs are returned to an SP in the IdP's authentication response. They are enclosed within the <Subject></Subject> block of XML.

NameID	SAML Format	Description	Example Value¹
default	urn:oasis:names:tc:SAML:2.0: nameid-format:transient	An identifier that is generated with a new value for each authentication.	AAdzZWNyZXQxHXqU1u2h16PsI7AMqO 9JoRQANqwu4Dpe1fvRrjMlYoL3v/kR H9QHUX7SqOomf2MyZhIbSReBUBnIiA JwN3nVfyKPxYs88/GZ74FKvA7xlpOs cvMFmQPz3U9zyvxcotResE+dYICFLX mZImZW1NZSS6LQWQ==
nameIDPersistentID	urn:oasis:names:tc:SAML:2.0: nameid-format:persistent	An identifier that is computed and stored once for each user/SP combination. The same value will be released each time a user authenticates from the same SP but different values will be released if the user also authenticates from other SPs.	`0920ddf277bb2a06162e469631147f69`
eppnNameID	urn:oasis:names:tc:SAML:1.1: nameid-format:unspecified	ePPN² as a NameID	`jsmith@washington.edu`
idNameID	urn:oasis:names:tc:SAML:1.1: nameid-format:unspecified	uwNetID³ as a NameID	`jsmith`
uwEduEmailNameID	urn:oasis:names:tc:SAML:1.1: nameid-format:emailAddress	uwEduEmail⁴ as a NameID	`jsmith@uw.edu`

¹ All NameID formats the UW IdP releases have three parts: IDP entityID|SP entityID|value. For example, an eppnNameID might look like urn:mace:incommon:washington.edu|https://dept.uw.edu/shibboleth|netid@washington.edu. Only the last part is shown in the "Example Value" column. ² See ePPN description in table below. ³ See uwNetID description in table below. ⁴ See uwEduEmail description in table below.

Attributes

Attributes are returned to an SP in the IdP's authentication response. They are enclosed within the <AttributeStatement></AttributeStatement> block of XML. Some attributes provided by the UW IdP are defined by the eduPerson specification.

You request release of attributes via the UW Service Provider Registry. See instructions for requesting attributes for more information.
In the table below, "SP Registry Name" is how the attributes are labeled in the UW's SP registry. "FriendlyName" and "Name" are how the attributes are labeled in the SAML response from the IdP.
The attribute "FriendlyName" from the IdP can be mapped to any Service Provider attribute "ID" by configuration in the attribute-map.xml file. The Service Provider attribute "ID" is what will be populated into web server environment variables. There is rarely a good reason to change the "ID" to anything different from the default "FriendlyName".
Multi-valued string attributes normally show up in the environment as a string of semi-colon separated values.
Several attributes are sourced from the Person Directory Service (PDS). See the PDS Attribute Reference for more information.

Table 1. The information in this table is specific to personal UW NetIDs. For shared UW NetIDs, the IdP can only release UW NetID-based, uwRegID, and displayName attributes. A bolded SP Registry Name value highlights cases where the attribute name used in the SP Registry interface differs from the "FriendlyName" released by the IdP.

SP Registry Name	FriendlyName	Name	Type	Source	Example Value
affiliation	eduPersonAffiliation	urn:oid:1.3.6.1.4.1.5923.1.1.1.1	multi-value string	PDS: eduPersonAffiliation	member;staff;employee
attributePersistentID¹	eduPersonTargetedID	urn:oid:1.3.6.1.4.1.5923.1.1.1.10	string	computed	See nameIDPersistentID in table above.
awsname	RoleSessionName	https://aws.amazon.com/SAML/Attributes/RoleSessionName	string	computed as ePPN	smith@washington.edu
awsrole	Role	https://aws.amazon.com/SAML/Attributes/Role	string	computed from group memberships in the u_weblogin_aws stem	arn:aws:iam::227741503957:role/sandbox-myteam
awssession	SessionDuration	https://aws.amazon.com/SAML/Attributes/SessionDuration	string	IdP	43200
cn	cn	urn:oid:2.5.4.3	string	PDS: "uwPersonPreferredFirst uwPersonPreferredMiddle uwPersonPreferredSurname" will be used if available, otherwise PDS: cn.	John P. Smith
displayName	displayName	urn:oid:2.16.840.1.113730.3.1.241	string	PDS: displayName	John P. Smith
displayNameAndPronouns	displayNameAndPronouns	urn:oid:1.2.840.113994.200.52	string	PDS: displayName (PDS: uwPersonPronoun)	John P. Smith (he/him/his)
email	mail	urn:oid:0.9.2342.19200300.100.1.3	string	Returns first match from: PDS: uwEWPEmail1 (employee) PDS: uwSWPEmail (student) Computed: uwNetID@uw.edu	smith@uw.edu smith@u.washington.edu smith@chem.washington.edu smith@somedomain.com(May contain alternate emails for employees self-managed inside Workday and https://identity.uw.edu)
employeeNumber	employeeNumber	urn:oid:2.16.840.1.113730.3.1.3	string	PDS: uwEmployeeID	880000000
entitlement_lib²	eduPersonEntitlement	urn:oid:1.3.6.1.4.1.5923.1.1.1.7	multi-value string	computed	urn:mace:dir:entitlement:common-lib-terms
entitlement_sln	eduPersonEntitlement	urn:oid:1.3.6.1.4.1.5923.1.1.1.7	multi-value string	computed	urn:mace:washington.edu:courses:win2012:17417
ePPN	eduPersonPrincipalName	urn:oid:1.3.6.1.4.1.5923.1.1.1.6	string	computed	smith@washington.edu
ePTID³	eduPersonTargetedID	urn:oid:1.3.6.1.4.1.5923.1.1.1.10	string	computed	0920ddf277bb2a06162e469631147f69@washington.edu
givenName	givenName	urn:oid:2.5.4.42	string	PDS: "uwPersonPreferredFirst uwPersonPreferredMiddle" will be used if set by user, otherwise PDS: uwPersonRegisteredFirstMiddle	John P.
gws_groups⁴	isMemberOf	urn:oid:1.3.6.1.4.1.5923.1.5.1.1	multi-value string	GWS	urn:mace:washington.edu:groups:uw_employee
homedept⁵	homeDepartment	urn:oid:2.5.4.11	string	PDS: uwEmployeeHomeDepartment	OFFICE OF PROGRESS
mailstop	mailstop	urn:oid:2.5.4.18	string	PDS: uwEmployeeMailstop	359000
phone⁶	phone	urn:oid:2.5.4.20	string	PDS: uwEWPPhone1	+1 206 221-5000
preferredFirst	preferredFirst	urn:oid:1.2.840.113994.200.47	string	PDS: uwPersonPreferredFirst	John
preferredMiddle	preferredMiddle	urn:oid:1.2.840.113994.200.48	string	PDS: uwPersonPreferredMiddle	P.
preferredSurname	preferredSurname	urn:oid:1.2.840.113994.200.49	string	PDS: uwPersonPreferredSurname	Smith
registeredGivenName	registeredGivenName	urn:oid:1.2.840.113994.200.32	string	PDS: uwPersonRegisteredFirstMiddle (does not incorporate preferred name)	John
registeredSurname	registeredSurname	urn:oid:1.2.840.113994.200.31	string	PDS: uwPersonRegisteredSurname (does not incorporate preferred name)	Smith-Jones
scopedAffiliation	eduPersonScopedAffiliation	urn:oid:1.3.6.1.4.1.5923.1.1.1.9	multi-value string	PDS: eduPersonAffiliation	member@washington.edu
surname	surname	urn:oid:2.5.4.4	string	PDS: uwPersonPreferredSurname will be used if set by user, otherwise uwPersonRegisteredSurname	Smith
title	title	urn:oid:2.5.4.12	string	PDS: uwEWPTitle1	Technical Lead
uwEduEmail	uwEduEmail	urn:oid:1.2.840.113994.200.45	string	Computed: uwNetID@uw.edu	smith@uw.edu
uwNetID	uid	urn:oid:0.9.2342.19200300.100.1.1	string	PDS: uwNetID	smith
uwPronouns	uwPronouns	urn:oid:1.2.840.113994.200.51	string	PDS: uwPersonPronoun	he/him/his
uwRegID	uwRegID	urn:oid:1.2.840.113994.200.24	string	PDS: uwRegID	B778D7CE539311D6B3850004AC494FFE
uwStudentID	uwStudentID	urn:oid:1.2.840.113994.200.21	string	PDS: uwStudentID	1234567
uwStudentSystemKey	uwStudentSystemKey	urn:oid:1.2.840.113994.200.20	string	PDS: uwStudentSystemKey	000524591

¹ attributePersistentID is the most common way to use the persistent id attribute. It replaces the SAML1 ePTID. TargetedID and PersistentID vales are equivalent. PersistentID is constructed using the IdP entityID, the SP entityID, and an opaque ID for the user. ² The entitlement_lib always generates a value of "urn:mace:dir:entitlement:common-lib-terms" ³ ePTID is a SAML 1 construct that has been replaced with PersistentID in SAML 2. You probably want nameIDPersistentID or attributePersistentID instead. ⁴ The IdP doesn't normally release all groups to an SP. You will need to specify the particular group(s) or stem(s) that are of interest to your application. ⁵ Departmental affiliation based on an employee's supervisory org in Workday. ⁶ Does not include student whitepages phone number data at this time.

Default Behavior

By default, the UW IdP will release a few attributes to any UW SP, where "UW SP" is defined as any SP registered in UW DNS with a domain name ending in washington.edu or uw.edu. These attributes are:

uwNetID
ePPN
affiliation
scopedAffiliation

By default, the UW IdP will release the following attributes to any SP that is registered in the InCommon Federation or in eduGain, and that is designated with the Research & Scholarship (R&S) Category:

ePPN
ePTID
givenName
surname
mail

No attributes will be released by default to other SPs. Additional attributes may be requested by any UW or non-UW SP administrator. UW IdP signs the overall SAML response, not each SAML assertion. If your SP expects the SAML assertion(s) to be signed and/or encrypted, we can configure this as a special case. By default:

Responses ARE signed
Assertions ARE NOT signed
Assertions ARE NOT encrypted

By request:

Responses can be unsigned
Assertions can be signed
Assertions can be encrypted