Tuakiri attributes are based on the attributes used  by AAF (for more information, visit our Attributes Documentation). Detailed information about these attributes can be found in the auEduPerson Definition and Attribute Vocabulary document.

Tuakiri Identity Providers need to collect or generate core attributes about their end users. When an end user tries to access a service via the federation, the Service Provider may request some or all of these attributes about the end user from the Identity Provider. With end user permission, the Identity Provider may release the attributes to the Service Provider.

The attributes are used by the Service Provider to make authorisation decisions and to manage the user’s experience with the service. Service Providers should consider which attributes they need in order to provide the service effectively and only request those attributes that are needed. The list of core attributes may evolve over time in response to the needs of Tuakiri members.

This page provides background information on how to map Tuakiri/AAF attributes to your own Identity Management System (IdMS). For detailed instructions, refer to Installing a Shibboleth 3.x IdP.

Attributes Overview

  • Attributes are classified as Core, Recommended, or Optional.
  • The attribute set is based on multiple formal attribute specifications:
    • Basic LDAP schema (person)
    • eduPerson – additional attributes useful for academic environment
    • auEduPerson – additional extensions developed by CAUDIT
    • schac - SCHema for ACademia
  • The IdP can pull some attributes directly from the IdMS (LDAP, AD):
    • Core attributes: displayName, mail, cn
    • Recommended: givenName, sn
  • Some attributes are hashes calculated on the fly
    • Core: eduPersonTargetedID, auEduPersonSharedToken (SharedToken should be stored back in the IdMS or a DB)
  • Some attributes have to be synthesized from existing IdMS information
    • eduPersonPrincipalName: + ‘@’ + ‘’
    • eduPersonAffiliation: using a scriptlet:

      IF isStaff==TRUE THEN 'staff'
  • Some attributes may have to be added to the identity management system (e.g, eduPersonEntitlement, eduPersonAssurance)

Attribute Matrix

Attribute Name (on IdP) Attritbute Name (on SP) Required? Typical source
commonName cn Core LDAP (“cn” or “displayName”)
displayName displayName Core LDAP (“displayName”)
email mail Core LDAP (“mail”)
givenName givenName Recommended LDAP (“givenName”)
surname sn Recommended LDAP (“sn”)
eduPersonTargetedID persistent-id Core Hash-on-the-fly
auEduPersonSharedToken auEduPersonSharedToken Core Hash-with-write-back
eduPersonPrincipalName eppn Recommended LDAP + rename + add Scope
eduPersonAffiliation unscoped-affiliation Core Scripted definition
eduPersonScopedAffiliation affiliation Core Take eduPersonAffiliation + rename + add Scope
eduPersonPrimaryAffiliation primary-affiliation Recommended Scripted definition
homeOrganization schacHomeOrganization Recommended static - “”
homeOrganizationType schacHomeOrganizationType Recommended static - “”
organizationName o Core static - “University of Your University”
eduPersonEntitlement entitlement Core LDAP (if available)/Static/Scripted. Most relevant value: urn:mace:dir:entitlement:common-lib-terms
eduPersonAssurance assurance Core LDAP (if available or synthesized from other available information)
Legal Name (auEduPersonLegalName) auEduPersonLegalName Optional LDAP (if available)
Business postal address (postalAddress) postalAddress Optional LDAP (if available)
Business phone number (telephoneNumber) telephoneNumber Optional LDAP (if available)
Mobile phone number (mobileNumber) mobile Optional LDAP (if available)
organizationalUnit ou Optional LDAP (“ou” or other if available)
auEduPersonAffiliation auEduPersonAffiliation Optional Scripted definition (if underlying information available in LDAP)
eduPersonOrcid eduPersonOrcid Optional LDAP (if available)