Skip to content Skip to site navigation Skip to service navigation

SAML Attribute Release Policy

For many SAML-enabled sites to allow a user to access protected materials, certain information about the user must be provided. Some sites need to know name, e-mail address, or a specific entitlement (Stanford handles entitlement through workgroup memberships). Some others merely want to know whether the user is Stanford faculty, staff, or student, and don’t depend upon the particular identity of the user in question — only that Stanford is willing to vouch for them. For sites using SAML on campus, attribute release policies are commensurate with the policies for sites using Stanford Authentication and Authorization (SAML or WebAuth).

Default Attribute Release

To simplify the attribute release, we have implemented the default attribute release for qualified Service Providers (SPs). The blanket attribute release includes the following attributes:

uid
  • SAML Name: urn:oid:0.9.2342.19200300.100.1.1
  • LDAP source attribute: uid
  • Example: SUNet ID, jdoe
eduPersonPrincipalName
  • SAML Name: urn:oid:1.3.6.1.4.1.5923.1.1.1.6
  • LDAP source attribute: eduPersonPrincipalName
  • Example: SUNet ID + @stanford.edu , jdoe@stanford.edu
mail*
  • SAML Name: urn:oid:0.9.2342.19200300.100.1.3
  • LDAP source attribute: mail
  • Example: john_doe@cs.stanford.edu
givenName
  • SAML Name: urn:oid:2.5.4.42
  • LDAP source attribute: suDisplaynameFirst
  • Example: first name, ex: John
sn
  • SAML Name: urn:oid:2.5.4.4
  • LDAP source attribute: suDisplaynameLast
  • Example: surname/last name , ex: Doe
displayName
  • SAML Name: urn:oid:2.16.840.1.113730.3.1.241
  • LDAP source attribute: suDisplayname
  • Example: Prof. John Doe
eduPersonAffiliation
  • SAML Name: urn:oid:1.3.6.1.4.1.5923.1.1.1.1
  • LDAP source attribute: eduPersonAffiliation
  • Example: faculty member
eduPersonScopedAffiliation
  • SAML Name: urn:oid:1.3.6.1.4.1.5923.1.1.1.9
  • LDAP source attribute: eduPersonScopedAffiliation
  • Example: faculty@stanford.edu member@stanford.edu
eduPersonOrcid
  • SAML Name: urn:oid:1.3.6.1.4.1.5923.1.1.1.16
  • LDAP source attribute: eduPersonOrcid
  • Example: http://orcid.org/0000-0002-1825-0097
subject-id
  • SAML Name: urn:oasis:names:tc:SAML:attribute:subject-id
  • LDAP source attribute: suRegID
  • Example: 123457788ffe4884b200e487654c6a43@stanford.edu
pairwise-id
  • SAML Name: urn:oasis:names:tc:SAML:attribute:pairwise-id
  • Example: PA0VGFTVJ1M8IYKDGCAOM0KHR0YIIAKH@stanford.edu
eduPersonEntitlement**
  • SAML Name: urn:oid:1.3.6.1.4.1.5923.1.1.1.7
  • LDAP source attribute: suPrivilegeGroup
  • Example: stem_x:workgroup_y (see note #6)
suAffilliation
  • SAML Name: suAffiliation
  • LDAP source attribute: suAffiliation
  • Example: stanford:faculty (but see also the note #7)

*WARNING! The mail attribute is not a mandatory attribute at Stanford and might have no value for some users. In particular, if your SP creates an account using one of the attributes as the identifier for that account, do NOT use the mail attribute for that identifier!

Notes:

  1. All attribute releases are governed by and subjected to data owners' approval.
  2. InCommon Research and Scholarship SPs are included in the R&S default attribute release.
  3. Faculty, students, and staff can request to release the above attributes to InCommon Service Providers (SPs) via Stanford SPDB. Additionally, if the `eduPersonPrincipalName` (urn:oid:1.3.6.1.4.1.5923.1.1.1.6) is listed as a RequestedAttribute in the SP's InCommon metadata, it will be respected.
  4. Other attributes that a person has set to "world" visible in StanfordYou may also be released.
  5. If you need any other attributes, please file a data owner approval request clearly stating your entityID and the desired attributes.
  6. For SPs that are unable to consume the default attribute release and need the IdP to perform additional transformation for attribute names or format; additional charges may apply.
  7. The owners of the SP can request IdP to release any non-private workgroups (as eduPersonEntitlement) via Stanford SPDB interface.
  8. The suAffilliation attribute is specific to Stanford and will not be recognized by most Service Providers; use eduPersonAffiliation or eduPersonScopedAffiliation instead. See the Directory Service: People Tree page for more detail on the suAffilliation attribute.
  9. Sample attribute-map.xml .
  10. The new default attribute release policy automatically applies to “new” SPs that joined the FarmFed Federation on or after Feb. 10, 2017.
Last modified August 2, 2024