
Purpose

This page lists all of the SAML attributes that can be sent by the MyAccess Identity Provider (IdP) to a SAML Service Provider (SP).  If you're using the Shibboleth SP software as your SAML SP, you can download a pre-configured attribute-map.xml file which defines the most commonly used standard and UCSF attributes.

Attribute information

If you want to know more about the attributes, please refer to the EDS Attributes page.

Attribute definitions

KEY: 

  • Bold: Attribute name to use in MyAccess Integration Requests (italic: A brief description of the attribute)
    Unformatted body text: Attribute name as it appears in the SAML response to integrated SPs.
     
  • Blue attribute names: Automatically released to all InCommon Federation member SPs (thus, no need to submit any integration requests).
  • Green attribute names: Sent in the SAML NameID portion of the SAML response.  Only 1 of these can be sent at a time.


NAME ATTRIBUTES:

  • displayName (full name as it should be presented to others)
    urn:oid:2.16.840.1.113730.3.1.241
  • displayNameFERPA (same as "displayName" above but pre-filtered to exclude students)
    urn:oid:2.16.840.1.113730.3.1.241
  • displayNameFERPANoResidents (same as "displayNameFERPA" above but also pre-filtered to exclude GME residents and fellows)
    urn:oid:2.16.840.1.113730.3.1.241
  • displayNameNoResidents (same as "displayName" above but pre-filtered to exclude GME residents and fellows, but include other students)
    urn:oid:2.16.840.1.113730.3.1.241
  • commonName (full name, a.k.a. "common name" in "Last, First Middle" format)
    urn:oid:2.5.4.3
  • cnFERPA (same as "commonName" above but pre-filtered to exclude students)
    urn:oid:2.5.4.3
  • cnFERPANoResidents (same as "cnFERPA" above but also pre-filtered to exclude GME residents and fellows)
    urn:oid:2.5.4.3
  • givenName (name given at birth, a.k.a. first name)
    urn:oid:2.5.4.42
  • givenNameFERPA (same as "givenName" above but pre-filtered to exclude students)
    urn:oid:2.5.4.42
  • givenNameFERPANoResidents (same as "givenNameFERPA" above but also pre-filtered to exclude GME residents and fellows)
    urn:oid:2.5.4.42
  • givenNameNoResidents (same as "givenName" above but pre-filtered to exclude GME residents and fellows, but include other students)
    urn:oid:2.5.4.42
  • surname (surname, a.k.a. family name or last name)
    urn:oid:2.5.4.4
  • snFERPA (same as "surname" above but pre-filtered to exclude students)
    urn:oid:2.5.4.4
  • snFERPANoResidents (same as "snFERPA" above but also pre-filtered to exclude GME residents and fellows)
    urn:oid:2.5.4.4
  • snNoResidents (same as "surname" above but pre-filtered to exclude GME residents and fellows, but include other students)
    urn:oid:2.5.4.4
  • initials (middle name initials)
    urn:oid:2.5.4.43
  • ucsfEduNameReleaseFlag ("true"/"false" flag indicating whether any part of the name can be released outside UCSF)
    urn:oid:1.3.6.1.4.1.20319.1.1.3.36

CONTACT ATTRIBUTES:

  • email (email address as found in EDS)
    urn:oid:0.9.2342.19200300.100.1.3
  • mail_unspecified (same as "email" above but sent as a SAML NameID instead of an attribute)
    NameID: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  • emailNameID (same as "mail_unspecified" but using a different NameID format when sent)
    NameID: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  • emailPersistentNameID (same as "mail_unspecified" above but using yet a different NameID format when sent)
    NameID: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  • emailFERPA (same as "email" above but pre-filtered to exclude students)
    urn:oid:0.9.2342.19200300.100.1.3
  • emailFERPANoResidents (same as "emailFERPA" above but also pre-filtered to exclude GME residents and fellows)
    urn:oid:0.9.2342.19200300.100.1.3
  • emailNoResidents (same as "email" above but pre-filtered to exclude GME residents and fellows, but include other students)
    urn:oid:0.9.2342.19200300.100.1.3
  • ucsfEduMailReleaseFlag ("true"/"false" flag indicating whether the email address can be released outside UCSF)
    urn:oid:1.3.6.1.4.1.20319.1.1.3.27
  • ucsfEduOfficialMail (list of official campus, medical center and CLS email addresses as found in EDS, multi-value)
    urn:oid:1.3.6.1.4.1.20319.1.1.3.28
  • ucsfEduMailList (list of email addresses in AD and EDS)
    urn:oid:1.3.6.1.4.1.20319.1.1.3.35
  • ucsfEduPrimaryMail (the email address found in the user's mail enabled AD account, or the value of "email" above if no mail enabled AD account exists)
    urn:oid:1.3.6.1.4.1.20319.1.1.3.33
  • telephoneNumber (work telephone number)
    urn:oid:2.5.4.20
  • homePhone (home phone number, if it exists)
    urn:oid:0.9.2342.19200300.100.1.20
  • homePostalAddress (home postal address, if it exists)
    urn:oid:0.9.2342.19200300.100.1.39
  • mobileNumber (mobile phone number, if it exists)
    urn:oid:0.9.2342.19200300.100.1.41
  • pagerNumber (pager phone number, if it exists)
    urn:oid:0.9.2342.19200300.100.1.42
  • locality (city of work place)
    urn:oid:2.5.4.7
  • stateProvince (state or province of work place)
    urn:oid:2.5.4.8
  • street (street address of work place)
    urn:oid:2.5.4.9
  • postalAddress (primary physical work address, including building ID)
    urn:oid:2.5.4.16
  • postalCode (ZIP or other postal code of the primary physical work address)
    urn:oid:2.5.4.17
  • postOfficeBox (UCSF postal "box" number used to route mail to your physical location)
    urn:oid:2.5.4.18

IDENTITY DATA ATTRIBUTES:

  • uid (UCSF "SF ID" sent as a "userid" as defined in the public OID repository)
    urn:oid:0.9.2342.19200300.100.1.1
  • uidNoResidents (same as "uid" above but pre-filtered to exclude GME residents and fellows, but including other students)
    urn:oid:0.9.2342.19200300.100.1.1
  • principal (same as "uid" above but sent as a SAML NameID instead of an attribute)
    NameID: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  • uidNameID (same as "uid" above but sent as a SAML NameID instead of an attribute)
    NameID: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
  • ucsfEduSFID (UCSF "SF ID")
    urn:oid:1.3.6.1.4.1.20319.1.1.3.26
  • ucsfEduIdNumber (UCSF student/employee ID number, a.k.a. "02 ID")
    urn:oid:2.16.840.1.113730.3.1.3
  • principalNameID (same as "ucsfEduIdNumber" above but sent as a SAML NameID instead of an attribute)
    NameID: urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified
  • username (the username string used to successfully log in to the IdP. Because many users have multiple valid usernames, this should never be used in production)
    urn:oid:1.3.6.1.4.1.20319.1.1.4.22
  • ucsfEduIdNumberNoResidents (same as "ucsfEduIdNumber" above but pre-filtered to exclude GME residents and fellows, but including other students)
    urn:oid:2.16.840.1.113730.3.1.3
  • ucNetID (University of California UCNet ID number)
    urn:oid:2.16.840.1.113916.1.1.4.1
  • UCemployeeID (University of California wide ID which is the full UCSF ID followed by "@ucsf.edu". This is different from the UCNet ID)
    urn:oid:2.16.840.1.113916.1.1.6
  • UCstudentID (same as "UCemployeeID" above but sent with a different OID in the SAML response for compatibility with some UC systems)
    urn:oid:2.16.840.1.113916.1.1.9
  • UCPathEmplID (University of California wide ID which is defined by the central UCPath HR system. This is different from both the UCNet ID and UCSF ID)
    urn:oid:2.16.840.1.113730.3.1.3 
  • eduPersonPrincipalName (Internet2 standard unique, unchangeable ID. Has the format of characters 3 through 8 of the "ucsfEduIdNumber" followed by "@ucsf.edu")
    urn:oid:1.3.6.1.4.1.5923.1.1.1.6
  • eduPersonPrincipalNameNoResidents (same as "eduPersonPrincipalName" above but pre-filtered to exclude GME residents and fellows, but including other students)
    urn:oid:1.3.6.1.4.1.5923.1.1.1.6
  • eppn_nameId (same as "eduPersonPrincipalName" above but sent as a SAML NameID instead of an attribute)
    NameID: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  • EppnNameID (same as "eppn_nameId" above but with a different NameID format)
    NameID: urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified OR
    NameID: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent OR
    NameID: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  • eduPersonTargetedID (a unique identifier created by computing the SHA-1 hash of the attribute requester's entity ID, the value of the "ucsfEduIdNumber" above, and a salt value in the IdP configuration)
    urn:oid:1.3.6.1.4.1.5923.1.1.1.10
  • ucsfedupsftid (UCSF PeopleSoft ID)
    urn:oid:1.3.6.1.4.1.20319.1.1.1.26
  • ucsfEduWeblinksId (UCSF WebLinks ID)
    urn:oid:1.3.6.1.4.1.20319.1.1.1.54
  • ucsfEduLDAPUID (internal EDS uid value assigned to the user's LDAP entry)
    urn:oid:1.3.6.1.4.1.20319.1.1.1.55
  • sAMAccountName (Active Directory username, multi-value if user has more than 1 AD account)
    urn:oid:1.2.840.113556.1.4.221
  • sAMAccountNameNoResidents (same as "sAMAccountName" above but pre-filtered to exclude GME residents and fellows, but include other students)
    urn:oid:1.2.840.113556.1.4.221

  • sAMAccountNameSingle (DEPRECATED. Same as "sAMAccountName" above. This used to provide a single result, but that is no longer possible)
    urn:oid:1.2.840.113556.1.4.221
  • sAMAccountNameSingleNoResidents (DEPRECATED. Same as "sAMAccountNameNoResidents" above. This used to provide a single result, but that is no longer possible)
    urn:oid:1.2.840.113556.1.4.221
  • userPrincipalName (all userPrincipalName values for the user as found in the AD Global Catalog, multi-value)
    urn:oid:1.2.840.113556.1.4.656
  • transientId (per-session randomly generated character string to uniquely identify the client. Sent as a SAML NameID, not an attribute)
    NameID: urn:oasis:names:tc:SAML:2.0:nameid-format:transient

EMPLOYMENT STATUS ATTRIBUTES:

  • ucsfEduStatus (employment status for each affiliation for the user found in IID, multi-value)
    urn:oid:1.3.6.1.4.1.20319.1.1.1.10
  • title (primary employment title based on the primary title code in the HR system of record)
    urn:oid:2.5.4.12
  • ucsfEduPrimaryTitleCode (UCSF primary title code, a.k.a. position number in OLPPS)
    urn:oid:1.3.6.1.4.1.20319.1.1.4.31

GROUP MEMBERSHIP ATTRIBUTES:

  • memberOf (Active Directory group membership, multi-value)
    urn:oid:1.2.840.113556.1.2.102
  • eduPersonEntitlement (list of Internet2 standardized entitlements granted to all UCSF users, multi-value)
    urn:oid:1.3.6.1.4.1.5923.1.1.1.7
  • eduPersonOrgDN (Internet2 standard formatted organization identifier. Almost always "dc=ucsf,dc=edu")
    urn:oid:1.3.6.1.4.1.5923.1.1.1.3
  • UCTrustAssurance (static value of "urn:mace:universityofcalifornia.edu:ucidentity:attributes:assurance:basic" sent to UC systems requiring it)
    urn:oid:2.16.840.1.113916.1.1.5
  • isMemberOf (EDS group membership list used by some applications to grant access, multi-value)
    urn:oid:1.3.6.1.4.1.5923.1.5.1.1
  • User.IsActive (Salesforce-specific SAML attribute that always sends the value "1")
    User.IsActive

AFFILIATION ATTRIBUTES:

  • eduPersonAffiliation (Internet2 standard affiliation types, multi-value)
    urn:oid:1.3.6.1.4.1.5923.1.1.1.1
  • eduPersonPrimaryAffiliation (Internet2 standard primary affiliation type)
    urn:oid:1.3.6.1.4.1.5923.1.1.1.5
  • eduPersonScopedAffiliation (Internet2 standard affiliation types, appended "@ucsf.edu", multi-value)
    urn:oid:1.3.6.1.4.1.5923.1.1.1.9

DEPARTMENT ATTRIBUTES:

  • ucsfEduWorkingDepartmentName (employee's working department name)
    urn:oid:1.3.6.1.4.1.20319.1.1.1.49
  • ucsfEduDepartmentCode (financial chart code for all departments for which the user is associated, multi-value)
    urn:oid:1.3.6.1.4.1.20319.1.1.1.8
  • ucsfEduPrimaryDepartmentCode (financial chart code for the user's primary department)
    urn:oid:1.3.6.1.4.1.20319.1.1.1.7
  • ucsfEduDepartmentName (official department name, multi-value if user is part of multiple departments)
    urn:oid:2.16.840.1.113916.1.1.4.1
  • organizationName (name of the work place organization. Almost always "University of California, San Francisco")
    urn:oid:2.5.4.10
  • organizationalUnit (same as "ucsfEduWorkingDepartmentName" above but with a different SAML attribute name)
    urn:oid:2.5.4.11