Page tree

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


  1. Which are the Recommended Attributes?
  2. Configure the Shibboleth IdP to release the Recommended Attributes to an example Service Provider.
  3. Test the release of the recommended attributes to the example Service Provider.


eduPersonTargetedID/persistentIDUnique, persistent, opaque and targeted identifier of the user. 

(Serialized) Example:!!yrVdvdAmohZY+cE6dcGvqu/Dubc=
eduPersonPrincipalNameUnique, persistent identifier of the user. 

displayNameName and Surname of the user. 

Example: John Doe
commonNameName and Surname of the user. Could be multi-valued but it is recommended to have only one value.

Example: Johne Doe
mailUser's personal eMail address.

eduPersonAffiliationSee the Controlled Vocabolaries. Multi-valued.

Example: student;member or staff;member
eduPersonScopedAffiliationSee the Controlled Vocabolaries. Multi-valued.

schacHomeOrganizationTypeSee the Controlled Vocabolaries. 

Example: urn:schac:homeOrganizationType:int:university

This attribute is unfortunately underspecified. Therefore, this attribute is of little use as of 2015.

The following paragraph describes how to support the recommended attributes listed above and how to create an attribute release rule to release the set of recommended attributes to a particular Service Provider. Please note that not all recommended attributes have to be release in general but only the ones that are required by the Service Provider.


Instead of manually configuring attribute release rules, you may also consider implementing the Data Protection Code of Conduct that (LINK NOT FOUND) that helps to automatically release attributes to a particular Service Provider that signed the Code of Conduct.

The Shibboleth Identity Provider comes with a script called AACLI that allows to test the release of attributes:
If you have installed the Shibboleth IdP into its default path, you can execute the command