Skip to content Skip to navigation

SAML Attribute Release Policy

For many SAML-enabled sites to allow a user to access protected materials, certain information about the user must be provided. Some sites need to know name, e-mail address, or a specific entitlement (Stanford handles entitlement through workgroup memberships). Some others merely want to know whether the user is Stanford faculty, staff, or student, and don’t depend upon the particular identity of the user in question — only that Stanford is willing to vouch for them. For sites using SAML on campus, attribute release policies are commensurate with the policies for sites using Stanford Authentication and Authorization (SAML or WebAuth).

Default Attribute Release

To simplify the attribute release, we have implemented the default attribute release for qualified Service Providers (SPs). The blanket attribute release includes the following attributes:

Attribute Description and Example
uid  SUNet ID,  jdoe 
eduPersonPrincipalName SUNet ID + @stanford.edu , jdoe@stanford.edu 
mail* john_doe@cs.stanford.edu
givenName first name, ex: john 
sn surname/last name , ex: doe 
displayName Prof. John Doe
eduPersonAffiliation faculty
eduPersonScopedAffiliation faculty@stanford.edu
suAffiliation stanford:staff
*Important Note: The mail attribute is not a mandatory attribute at Stanford and might have no value for some users.

Notes:

  • InCommon Research and Scholarship SPs are included in the above default attribute release.
  • Stanford faculty and staff member can request to release the above attributes to InCommon SPs via Help ticket.
  • If you need any other attributes, please file a data owner approval request clearly stating your entityID and the desired attributes.
  • To release workgroup information (as eduPersonEntitlement) to specific SPs, please include the stem owner’s/admin’s approval and submit a Help ticket. You do not need to submit data owner approval for workgroup release.
  • Sample attribute-map.xml .
  • The new default attribute release policy automatically applies to “new” SPs that joined the FarmFed Federation on or after Feb. 10, 2017.
Last modified February 15, 2017