One of the attributes the Stanford Identity Provider releases to many Service Providers is eduPersonAffiliation. This attribute is defined by the Internet2 eduPerson Object Class Specification and is one of the standard attributes released by Identity Providers and consumed by Service Providers. The Specification states that the eduPersonAffiliation attribute
"Specifies the person's relationship(s) to the institution in broad categories such as student, faculty, staff, alum, etc."
Several Stanford University web sites allow access based on the eduPersonAffiliation values. In particular, many of the Stanford University Library's resources are accessible only to those authenticated users who have an eduPersonAffiliation value of "member". Thus, it is important that everyone understands how this attribute is constructed and who it affects. This document describes how the eduPersonAffiliation values are determined by Stanford University's Identity Provider.
Stanford releases five values for eduPersonAffiliation: faculty, staff, student, affiliate, and member. Note that eduPersonAffiliation is a multi-valued attribute; that is, the IdP can release multiple values of eduPersonAffiliation for any one person. For example, if someone is a student and a staff member, they will get three values for eduPersonAffiliation: student, staff, and member.
The following table shows how we determine each value of eduPersonAffiliation. The second column lists the LDAP suPrivilegeGroups, at least one of which a person must have in order to get the value listed in the first column.
From the standard: "The 'affiliate' value for eduPersonAffiliation indicates that the holder has some definable affiliation to the university NOT captured by any of faculty, staff, student, [...] and/or member."
From the standard: "'Member' is intended to include faculty, staff, student, and other persons with a basic set of privileges that go with membership in the university community." At Stanford, we equate "member" with "Has Stanford University Library privileges".
Also, everyone who falls into the "faculty", "student", and "staff" also gets the "member"
- The "eduPerson Object Class Specification" allows other values of eduPersonAffiliation to be released including alum, employee, and library-walk-in. At this time, the Stanford Identity Provider does not release these other values.
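The rules above, written out as an added example (it is not Stanford's code): the IdP-side derivation of the five released values, and an SP-side check for "member" that treats the attribute as multi-valued. The group names are placeholders, since the real suPrivilegeGroup names are not reproduced here, and the semicolon-joined string with backslash-escaped semicolons is an assumption about how the SP software hands the values to the application (the Shibboleth SP does this).

```python
# Added illustration; group names below are placeholders, not Stanford's real
# suPrivilegeGroup names (the page's table is the authority for those).
RELEASED = ("faculty", "staff", "student", "affiliate", "member")
GROUP_TO_VALUE = {
    "placeholder:faculty": "faculty",
    "placeholder:staff": "staff",
    "placeholder:student": "student",
    "placeholder:affiliate": "affiliate",
    "placeholder:library": "member",  # "Has Stanford University Library privileges"
}
IMPLIES_MEMBER = {"faculty", "staff", "student"}


def derive_affiliations(privilege_groups):
    """IdP side: map a person's privilege groups to the released values."""
    values = {GROUP_TO_VALUE[g] for g in privilege_groups if g in GROUP_TO_VALUE}
    if values & IMPLIES_MEMBER:
        values.add("member")  # faculty, staff and student always carry member
    return [v for v in RELEASED if v in values]  # only the five released values


def split_values(raw):
    """SP side: split a ';'-joined attribute string, honouring '\\;' escapes."""
    values, current, escaped = [], [], False
    for ch in raw:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ";":
            values.append("".join(current))
            current = []
        else:
            current.append(ch)
    values.append("".join(current))
    return [v.strip() for v in values if v.strip()]


def has_affiliation(raw, wanted="member"):
    """Exact match against each value, never a substring test on the raw string."""
    return wanted in split_values(raw)


if __name__ == "__main__":
    released = derive_affiliations(["placeholder:student", "placeholder:staff"])
    print(released, has_affiliation(";".join(released)))
    print(has_affiliation("affiliate"))
```

An access rule that compares the whole string to "member" denies the student/staff person from the example above, and a substring test accepts any value that merely contains the word, so the check has to split first and compare each value exactly.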