
Attribute Release Policy

Attribute Release Policies for Shibboleth at Stanford

Many Shibboleth-enabled sites require certain information about a user before they allow access to protected materials. Some need to know name, e-mail address, or a specific entitlement (the Stanford analog of entitlement is workgroup membership). Some merely want to know whether the user is a Stanford faculty member, staff member, or student, and don't depend upon the particular identity of the user in question; they need only that Stanford is willing to vouch for them. For sites using Shibboleth on-campus, attribute release policies are commensurate with the policies for sites using WebAuth.

Requesting the Release of Attributes

The attributes available for release are similar to those included in the webAuthPrivileged attribute bundle. We also have standard Shibboleth attributes such as eduPersonPrincipalName (equivalent to 'SUNetID@stanford.edu') and an opaque, unique identifier called persistentId, along with some custom attributes developed as needed. We release a number of attributes by default, dependent on a user's privacy settings in StanfordYou. You generally do not want to rely on those, and should request explicit release of any attributes that are required by the service provider (SP) site.

Once you have determined which attributes are required, either for your own website or for a partner SP, you must then request permission from the data owners to use the data for the given purpose. The request process involves describing the application and how enabling single sign-on via SUNet ID on the site will benefit the Stanford community.

Default Attribute Release

The attributes your site will receive by default depend on a couple of factors. Several are based on a user's visibility settings in StanfordYou (visit the "Maintain your directory" page and see the right sidebar). Because those settings vary by user, you will not want to rely on them for attributes that are required for your site's functionality.

The other set of default attributes is based on whether the site is in the Stanford.edu domain. Stanford sites will receive these frequently requested attributes automatically:

uid
eduPersonPrincipalName
displayName
eduPersonAffiliation
eduPersonScopedAffiliation
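
The following is an added example, not code from Stanford or the Shibboleth project: a check an SP-side application could run on the attributes it receives, denying access when a required attribute is missing or a scoped value does not carry the expected scope. It assumes the attribute names shown, a hypothetical split into required and optional attributes, and that multi-valued attributes arrive as one string separated by ';'.

```python
import re

# Assumptions for this example: attribute names as the application sees them
# (the SP's attribute mapping decides the real names) and which are required.
REQUIRED = ("uid", "eduPersonPrincipalName")
OPTIONAL = ("displayName", "eduPersonAffiliation", "eduPersonScopedAffiliation")
SCOPED = ("eduPersonPrincipalName", "eduPersonScopedAffiliation")
EXPECTED_SCOPE = "stanford.edu"

def split_values(raw):
    """Split a multi-valued attribute on unescaped ';' and unescape '\\;'."""
    parts = re.split(r"(?<!\\);", raw or "")
    return [p.replace("\\;", ";").strip() for p in parts if p.strip()]

def scoped_ok(value):
    """True for 'local@scope' with a non-empty local part and the expected scope."""
    local, sep, scope = value.rpartition("@")
    return bool(sep and local) and scope.lower() == EXPECTED_SCOPE

def evaluate_session(attrs):
    """Return (allowed, identity, problems); any problem denies access."""
    identity, problems = {}, []
    for name in REQUIRED + OPTIONAL:
        values = split_values(attrs.get(name))
        if values:
            identity[name] = values
        elif name in REQUIRED:
            problems.append(f"missing required attribute: {name}")
    if len(identity.get("eduPersonPrincipalName", [])) > 1:
        problems.append("eduPersonPrincipalName must be single-valued")
    for name in SCOPED:
        if any(not scoped_ok(v) for v in identity.get(name, [])):
            problems.append(f"unexpected scope in {name}")
    return (not problems, identity if not problems else {}, problems)

# Constructed sample sessions (not real users).
FULL = {"uid": "jdoe", "eduPersonPrincipalName": "jdoe@stanford.edu",
        "displayName": "Jane Doe", "eduPersonAffiliation": "member;staff",
        "eduPersonScopedAffiliation": "member@stanford.edu;staff@stanford.edu"}
MINIMAL = {"uid": "jdoe", "eduPersonPrincipalName": "jdoe@stanford.edu"}
NO_UID = {"eduPersonPrincipalName": "jdoe@stanford.edu"}
WRONG_SCOPE = {"uid": "jdoe", "eduPersonPrincipalName": "jdoe@example.org"}

if __name__ == "__main__":
    for label, sample in [("full", FULL), ("minimal", MINIMAL),
                          ("no uid", NO_UID), ("wrong scope", WRONG_SCOPE)]:
        print(label, evaluate_session(sample))
```

The MINIMAL session is still allowed because only the optional attributes are absent; the application should render without displayName rather than fail.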

Last modified April 29, 2013