Some SPs use eduPersonPrincipalName (EPPN) as a user identifier instead of the more usual targetedID. This page covers how to release it.

What is EPPN?

If you find and read the eduPerson specification (don't) it is essentially described as a scoped, name based identifier for a person in the form user@scope that is unique to that user (but might be recycled). What that generally means though is that it looks like an email address, and must use the same domain (after the @) as your domain or organisation's scope as seen in the organisation summary. If you are a large organisation, your scope may have differences to represent different parts, so whilst it may look like an email, it may or may not match up.

The next steps depend on the type of accounts you use:

If you use OpenAthens accounts

If you have a field on your accounts that would be suitable if it had your scope tacked on the end, then you can use that - e.g. staff / student number - and then simply release that under an alias. You can't use an email field because the system will automatically add your scope for this particular attribute and that will leave you with something along the lines of name@emaildoman.com@scope.net... which won't work. Anything with a space in it is bad too, but for different reasons.

What we need to do is release the attribute you're using under a different target name.  I'll assume Staff/student number for this example. 

  1. Go to Attribute release (Preferences > Attribute release)
  2. Click the button to add a policy
  3. Search and select the resource you want to release it to
  4. Click on the edit button (right side of the resource's window)
  5. Click on Staff/student number to set it as releasable
  6. Click on the advanced button and go to the attribute aliases section
  7. Set:
    1. From the dropdown select Identifier (this is the target name for Staff/student number - you can see it if you hover over the attribute in the selection section)
    2. In the box to the right enter: urn:oid:1.3.6.1.4.1.5923.1.1.1.6 (this is the target name for EPPN)
  8. Click on Done and then on Save changes.

You will need to ensure the field is populated on relevant accounts - if it's more than a few accounts then the Download data and Bulk upload functions can help.

If you do not have an existing field with suitable data you can either add data to an existing field and proceed as above, or create a new field specific to EPPN

First we set up the attribute

  1. Go to the schema editor (Preferences > Schema editor
  2. Drag a text attribute to the main window
  3. Set:
    1. Target: urn:oid:1.3.6.1.4.1.5923.1.1.1.6
    2. Display name: EPPN
    3. Required: depends on if you need this for all users or just some of them
    4. Releasable: Yes
    5. Reportable: If you like
    6. Multi-line: No
  4. Click on Done and then on Save changes.

Then we set it as releasable 

  1. Go to Attribute release (Preferences > Attribute release)
  2. Click the button to add a policy
  3. Search and select the resource you want to release it to
  4. Click on the edit button (right side of the resource's window)
  5. Click on EPPN to set it as releasable
  6. Click on Done and then on Save changes.

You will also have to populate the field on the relevant accounts - if it's more than a few accounts then the Bulk upload function can help.

If you use local accounts

If your local directory is from Microsoft such as ActiveDirectory or Azure, there will already be a userPrincipalName (UPN) attribute that looks like it should be useful, but there's a very strong possibility that it is formed as firstname.lastname@yourdomain.com which not only might raise privacy or data protection concerns in your jurisdiction but won't work because our system automatically adds the relevant scope to attributes that should be scoped (it would end up looking something like name@emaildoman.com@scope.net). 

The source attribute you want is one that is unique to the user and ideally pseudonymous - objectSId and objectGuid are great choices but anything that is unique to the user and doesn't include an @ character or a space is good enough. If there's a suitable thing you're already sending, you can reuse that if you like.

First we set up the attribute (or it won't be releasable)

  1. Go to the schema editor (Preferences > Schema editor
  2. Drag a text attribute to the main window
  3. Set:
    1. Target: urn:oid:1.3.6.1.4.1.5923.1.1.1.6
    2. Display name: EPPN
    3. Required: No
    4. Releasable: Yes
    5. Reportable: If you like
    6. Multi-line: No
  4. Click on Done and then on Save changes.

Next we set up the mapping from your connection

  1. Confirm with your IT team the name of the attribute that holds the data (it'll be case sensitive)
  2. Go to your connection (Management > Connections > your connection)
  3. Go to the Attributes tab and add a mapping rule
  4. Set:
    1. Target name: urn:oid:1.3.6.1.4.1.5923.1.1.1.6 (if it's not available as a typeahead you may need to go back to the schema editor)
    2. Source attribute / claim: the value you got for your IT guys
    3. Display name: EPPN
  5. Click on Done and then on Save changes

Finally we set it as releasable 

  1. Go to Attribute release (Preferences > Attribute release)
  2. Click the button to add a policy
  3. Search and select the resource you want to release it to
  4. Click on the edit button (right side of the resource's window)
  5. Click on EPPN to set it as releasable
  6. Click on Done and then on Save changes.

When you test this for the first time you will need to sign out of OpenAthens and back in again so that the system picks up the new attribute mapping.



  • No labels