SAML Attribute mapping

Lehigh's SSO Identity Provider (IDP) at entityID="https://sso.cc.lehigh.edu/sso/saml2/idp/metadata.php" automatically maps account attributes which are shared with the service provider (SP) when you authenticate and login to a service, using the SAML2 protocol.

Here are the default mappings based on the InCommon Federation standards and some examples -

Attribute Name	English Name	Example
urn:oid:0.9.2342.19200300.100.1.1	username	x057
urn:oid:0.9.2342.19200300.100.1.3	email address	x057@lehigh.edu
urn:oid:1.3.6.1.4.1.5923.1.1.1.6	eppn or eduPersonPrincipalName	x057@lehigh.edu
urn:oid:1.3.6.1.4.1.5923.1.1.1.7	eduPersonEntitlement	urn:mace:dir:entitlement:common-lib-terms
urn:oid:1.3.6.1.4.1.5923.1.1.1.1	eduPersonAffiliation	alum, employee, member, staff, faculty, student, affiliate, library-walk-in¹
urn:oid:1.3.6.1.4.1.5923.1.1.1.5	eduPersonPrimaryAffiliation	staff
urn:oid:2.5.4.3	commonName	Test Account
urn:oid:2.16.840.1.113730.3.1.241	displayName	Test Account
urn:oid:2.5.4.4	Last Name (sn or surname)	Account
urn:oid:2.5.4.42	First Name (givenName)	Test
urn:oid:1.3.6.1.4.1.5923.1.1.1.10	eduPersonTargetedID	dffd47824f4baccd481469fa428231f1f6e04
urn:oid:1.3.6.1.4.1.5923.1.1.1.9	eduPersonScopedAffiliation	alum@lehigh.edu, staff@lehigh.edu, student@lehigh.edu
urn:oid:1.3.6.1.4.1.5923.1.1.1.16	eduPersonOrcid	http://orcid.org/0000-0002-1825-0097²

Notes:

Library-walk-in isn't currently used at Lehigh.
eduPersonOrcid isn't currently included in our attributes.

A good discussion of the attributes and their mapping and usage can be found in the REFEDS eduPerson standard. The SAML Control Panel extension for Chrome and the SAML Tracer addon for firefox are excellent tools for debugging SAML login issues.

Our idp via the InCommon MDQ.

sha256 Fingerprint=90:75:76:42:A6:13:10:5F:29:44:0E:DC:32:4C:76:D0:E2:24:3F:15:E6:80:07:4E:E3:98:20:C4:E9:51:EB:BA