
SAML/Shibboleth Attributes

Default Set of Attributes

To simplify the integration, we have established a set of default attributes for release to qualified Service Providers (SPs). These attributes are normally released when the only requirement for the integration is authentication. The default release includes the following attributes:

| ATTRIBUTE | SAML NAME | POSSIBLE # RECORDS | DESCRIPTION AND EXAMPLE |
| --- | --- | --- | --- |
| urn:oid:0.9.2342.19200300.100.1.1 | uid | one record only | The person's MacID, ex: jdoe |
| urn:oid:2.5.4.42 | givenName | one record only | Given name as specified in the Mosaic user record (first name), ex: john |
| urn:oid:2.5.4.4 | sn | one record only | Surname as specified in the Mosaic user record (last name), ex: doe |

The following extended set of attributes is also available on request, and can be selectively released depending on what the authorization component of the integration requires.

Extended Set of Attributes

| ATTRIBUTE | SAML NAME | POSSIBLE # RECORDS | DESCRIPTION AND EXAMPLE |
| --- | --- | --- | --- |
| urn:oid:2.16.840.1.113730.3.1.241 | displayName | one record only | The displayName attribute from our Active Directory domain, ex: Prof. John Doe |
| urn:oid:0.9.2342.19200300.100.1.3 | mail | one record only | Contact email address as specified in the Mosaic user record, ex: john_doe@mcmaster.ca |
| urn:oid:2.5.4.3 | cn | one record only | A concatenation of givenName and sn |
| urn:oid:2.16.840.1.113730.3.1.3 | employeeNumber | one record only | Employee number as specified in the Mosaic user record, ex: 999999999 |
| urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | eduPersonPrincipalName | one record only | Authenticated principals receive the value MacID@mcmaster.ca, where MacID is the value of cn (common name) in AD, ex: jdoe@mcmaster.ca |
| urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | eduPersonScopedAffiliation | one record only | affiliation@mcmaster.ca |
| urn:oid:1.3.6.1.4.1.22306.1.1.29 | job | more than one record could be present | Authenticated principals that are employees receive some details of their employee record (see a sample here) |
| urn:oid:1.3.6.1.4.1.5923.1.1.1.1 | eduPersonAffiliation | more than one record could be present | Authenticated principals receive the value "affiliate". Principals that have the "job" attribute also receive the value "staff". Principals that have the "course" attribute and whose term is current also receive the value "student". Some principals could have more than one status. |
| urn:oid:1.3.6.1.4.1.22306.1.1.32 | career | more than one record could be present | Authenticated principals receive details of their academic roll, such as enrollment year, full/part time and residence status; multiple academic rolls could be presented |
| urn:oid:1.3.6.1.4.1.22306.1.1.30 | program | more than one record could be present | Authenticated principals receive details of their academic term, enrolled program, program description, term, level and academic group; multiple academic rolls could be presented |
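The tables above fix two things an SP should enforce rather than trust: which attributes may carry more than one record, and which values are scoped to mcmaster.ca. The following is an added example, not code from McMaster or from Shibboleth, of an SP-side consumer that reads the AttributeStatement of an assertion by OID name, rejects a single-record attribute that arrives with several values, and rejects a scoped value whose scope is not the one this IdP is allowed to assert. It assumes the SP's SAML library has already verified the assertion signature and conditions; the sample assertion, the issuer URL and the MacID "jdoe" are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# OID -> friendly name, taken from the default and extended tables above.
FRIENDLY = {
    "urn:oid:0.9.2342.19200300.100.1.1": "uid",
    "urn:oid:2.5.4.42": "givenName",
    "urn:oid:2.5.4.4": "sn",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:2.5.4.3": "cn",
    "urn:oid:2.16.840.1.113730.3.1.3": "employeeNumber",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
    "urn:oid:1.3.6.1.4.1.22306.1.1.29": "job",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "eduPersonAffiliation",
    "urn:oid:1.3.6.1.4.1.22306.1.1.32": "career",
    "urn:oid:1.3.6.1.4.1.22306.1.1.30": "program",
}
# Attributes the tables say may carry more than one record.
MULTI_VALUED = {"job", "eduPersonAffiliation", "career", "program"}
# Scoped attributes: the part after "@" must be the scope this IdP may assert.
SCOPED = {"eduPersonPrincipalName", "eduPersonScopedAffiliation"}
EXPECTED_SCOPE = "mcmaster.ca"


def parse_attributes(assertion_xml: str) -> dict:
    """Map the assertion's attributes to friendly names, enforcing the table's rules."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        friendly = FRIENDLY.get(attr.get("Name"))
        if friendly is None:
            continue  # an attribute this SP never asked for: ignore it
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        if friendly in SCOPED:
            for value in values:
                scope = value.rpartition("@")[2]
                if scope != EXPECTED_SCOPE:
                    raise ValueError(f"{friendly}: scope {scope!r} is not permitted for this IdP")
        if friendly in MULTI_VALUED:
            attrs[friendly] = values
        elif len(values) == 1:
            attrs[friendly] = values[0]
        else:
            raise ValueError(f"{friendly}: expected exactly one record, got {len(values)}")
    return attrs


def safe_parse(assertion_xml: str):
    """Return (attrs, None) on success, or (None, reason) when the assertion is rejected."""
    try:
        return parse_attributes(assertion_xml), None
    except ValueError as exc:
        return None, str(exc)


def authorize(attrs: dict, required: set) -> bool:
    """Grant access only when the principal holds one of the required affiliations."""
    return bool(required & set(attrs.get("eduPersonAffiliation", [])))


# Constructed sample: an extended-release assertion for a staff member (issuer is a placeholder).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.invalid/idp/shibboleth</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" FriendlyName="uid">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">
      <saml:AttributeValue>jdoe@mcmaster.ca</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" FriendlyName="eduPersonAffiliation">
      <saml:AttributeValue>affiliate</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.22306.1.1.29" FriendlyName="job">
      <saml:AttributeValue>constructed job record 1</saml:AttributeValue>
      <saml:AttributeValue>constructed job record 2</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    attrs, reason = safe_parse(SAMPLE_ASSERTION)
    print(attrs, reason)
    print("staff access:", authorize(attrs, {"staff"}))
    # A principal name scoped to some other domain must be refused.
    print(safe_parse(SAMPLE_ASSERTION.replace("jdoe@mcmaster.ca", "jdoe@other.invalid")))
```

The scope check matters because an SP that accepts any `something@domain` value as a principal name lets one IdP assert identities belonging to another; the multi-record check matters because code that does `values[0]` on `uid` would silently pick whichever value came first.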

Notes:

InCommon and CAF SPs are included in the above default attribute release.
McMaster faculty and staff members can request the release of the above attributes to their SPs via a Help Desk ticket.
Other attributes that an application needs can be released, subject to prior approval from the IT security team.
If you need any specific attributes, please file a data owner approval request clearly stating your entityID and the desired attributes.
To migrate from McAuth to SAML, a system administrator should file a Help Desk ticket with this information: the previously approved data-owner approval request-id, the new SAML sites (entityID), and the attributes you want the IDP to release.
The default attribute release automatically applies to new SPs during the SAML integration, unless they specify the need for extended attributes.