When integrating your new application with IAM Services, you may have the option to receive one or more attributes as part of the integration.
We have a fairly comprehensive list of those attributes on the TED Directory Attributes page, but that might not help if you don’t fully understand the attributes or what you are getting.
As we write on our Concepts page, an identifier is a special type of attribute consisting of a (generally) unique label for an identity.
An identity will typically have several identifiers, used in various situations and contexts. For example, your identity may have one or more of: a Social Security Number (SSN), a Texas Driver’s License (TXDL) number, and a U.S. Passport number. With many cloud-based services, your email address is used as an identifier.
Identifiers may be compound, composed of several values. For example, if you have an identifier which identifies you in comparison to individuals at other universities, it might combine your UT EID with your institution information. For instance, the eduPersonPrincipalName (ePPN) takes the format <eid>@utexas.edu.
Some identifiers which you may see at The University of Texas at Austin:
|UT Electronic Identifier (UT EID)||2-8 characters, alphanumeric as well as hyphen (||The official public records identifier for the University.|
|eduPersonPrincipalName (ePPN)||<eid>@utexas.edu||Part of the eduPerson LDAP schema.|
|Institutional Identifier (IID)||<eid>@eid.utexas.edu||Designed for use with cloud-based services whose usernames are e-mail addresses. When used as an email address, will forward to the user’s email address on record. Guest-class EIDs do NOT have IIDs unless they have been granted a special entitlement.|
These are but a small sampling of the identifiers out there. If you are working on an Integration to add UT EID-based authentication to your application, you will probably use one of the above.
Identifiers Can Change
One important thing to be aware of is that there are no truly immutable identifiers. That is, once you leave the scope of a system, you cannot rely upon an identifier to never change. For example:
- Your Social Security Number (SSN) can change under limited circumstances.
- Your driver’s license number can change, for example, if you move to a different state or country.
- Your U.S. Passport Number changes every time you renew it.
Likewise, your UT EID can change.
eduPersonPrincipalName and the Institutional Identifier are based on your UT EID. If your UT EID changes, then your eduPersonPrincipalName and Institutional Identifier will change as well.
If you are developing your own application, it helps to keep this in mind. It’s entirely reasonable to have a separate, local, unique identifier which is scoped to your application. You might also then develop your system to be able to assign one or many identifiers to that local identifier.
If you are obtaining a third-party application, it’s a good idea to ask the vendor how they handle these sorts of situations. Importantly, if an identifier changes, what is the process for getting a person’s data re-associated with them? Who will be responsible for that process?
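The local-identifier design described above, as an added example (not IAM Services code): each person gets an application-scoped key, and UT EID, ePPN and IID values are bound to it so that an EID change only rewrites the bindings. The table and function names are hypothetical and the sample EIDs are constructed; the ePPN and IID formats are the ones given on this page.

```python
import sqlite3
import uuid

# Derived formats come from this page; schema and names are assumptions for the example.
DERIVED = {"eid": "{eid}", "eppn": "{eid}@utexas.edu", "iid": "{eid}@eid.utexas.edu"}

SCHEMA = """
CREATE TABLE person (local_id TEXT PRIMARY KEY);
CREATE TABLE identifier (
    kind TEXT NOT NULL, value TEXT NOT NULL,
    local_id TEXT NOT NULL REFERENCES person(local_id),
    active INTEGER NOT NULL DEFAULT 1,
    PRIMARY KEY (kind, value)  -- a value, even a retired one, maps to one person only
);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def enroll(db, identifiers):
    """Create a local identity and bind each (kind, value) pair to it."""
    local_id = str(uuid.uuid4())  # application-scoped key, never derived from the EID
    with db:  # one transaction: rolled back if any value is already taken
        db.execute("INSERT INTO person VALUES (?)", (local_id,))
        db.executemany("INSERT INTO identifier (kind, value, local_id) VALUES (?, ?, ?)",
                       [(k, v, local_id) for k, v in identifiers])
    return local_id

def resolve(db, kind, value):
    """Map an asserted identifier to the local identity, or None if unknown or retired."""
    row = db.execute("SELECT local_id FROM identifier WHERE kind=? AND value=? AND active=1",
                     (kind, value)).fetchone()
    return row[0] if row else None

def change_eid(db, old_eid, new_eid):
    """Re-associate a person after an EID change, including the derived ePPN and IID."""
    local_id = resolve(db, "eid", old_eid)
    if local_id is None:
        raise LookupError("no active EID %r" % old_eid)
    with db:
        for kind, fmt in DERIVED.items():
            cur = db.execute("UPDATE identifier SET active=0 WHERE kind=? AND value=? "
                             "AND local_id=? AND active=1", (kind, fmt.format(eid=old_eid), local_id))
            if cur.rowcount:  # re-issue only kinds the person held (guests may lack an IID)
                db.execute("INSERT INTO identifier (kind, value, local_id) VALUES (?, ?, ?)",
                           (kind, fmt.format(eid=new_eid), local_id))
    return local_id
```

Retired values stay in the table as inactive rows, so an attempt to bind an old identifier to a different person fails with an integrity error and has to be reviewed by a human instead of silently attaching someone else's data.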
There are many name attributes available. Whenever possible, we recommend that you use the Display Name. This will always be populated with the individual’s preferred or chosen name and should be used unless you have a legitimate business need to use the individual’s legal name. (Some groups at the University do have this need, such as UTPD and the ID Center.)
Names vs. Codes
If you’ve been at the University (or any university) for a sufficient length of time, you will know that reorganizations, rebranding, and renaming happen all the time.
So what happens when your application is looking for “Department ABC” and they change their name to “Department XYZ?” The answer is that your customers will no longer be able to get into your application.
The IAM Team always recommends that you key off of corresponding codes instead of names since those tend to be longer-lived (though not necessarily permanent).
|Instead of…||Use this!|
It’s perfectly okay (and preferred) to take and display the name attribute in real-time, but if you are making decisions in your application you should consider using the code instead.
While reviewing the TED Directory Attributes page, you may notice that some attributes are single-valued and some attributes are multi-valued. This can be an important distinction!
Let us use the utexasEduPersonAffiliation attribute as an example.
- This attribute is not listed as required, so there may be zero values for this attribute!
- A community member who only uses the UT Libraries will have the library-patron affiliation. If that is the only way in which that individual interacts with the University, then they will only have one value for this affiliation.
- A student employee can be expected to have, at the least, an employee-current affiliation. They will probably also have a prospective-student affiliation. If they had participated in the OnRamps program while they were in high school, they might also have an onramps-student-former affiliation. In this example, the individual has many values.
An important thing to know about multi-value attributes is that they will be provided to you in no particular order, unless you sort them on your own. So, for the example student employee above, you will receive all four attribute values, but not necessarily in any consistent order.
If the order in which the values of multi-valued attributes are returned to you is important, you will need to make allowances for this in your application.
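One way to make those allowances, as an added example (not IAM Services code): normalize utexasEduPersonAffiliation to a set before any access decision, and compare it with a check that trusts the first value. It assumes the attributes arrive as a dict in which a multi-valued attribute may be absent, a bare string, or a list; the precedence order is an application choice invented for the example.

```python
from itertools import permutations

ATTR = "utexasEduPersonAffiliation"
# Application-defined precedence (an assumption for this example): first match wins.
PRECEDENCE = ("employee-current", "prospective-student",
              "onramps-student-former", "library-patron")

def affiliations(attrs):
    """Normalize the attribute to a frozenset: it may be absent, one string, or a list."""
    raw = attrs.get(ATTR)
    if raw is None:
        return frozenset()
    if isinstance(raw, (str, bytes)):
        raw = [raw]
    return frozenset(v.decode() if isinstance(v, bytes) else v for v in raw)

def fragile_is_employee(attrs):
    """Anti-pattern: trusts position 0, so the answer depends on delivery order."""
    values = attrs.get(ATTR) or [""]
    return values[0] == "employee-current"

def is_employee(attrs):
    """Order-independent membership test; an absent attribute denies."""
    return "employee-current" in affiliations(attrs)

def primary_affiliation(attrs):
    """Deterministic single value for display or routing, chosen by PRECEDENCE, else None."""
    held = affiliations(attrs)
    return next((a for a in PRECEDENCE if a in held), None)

def decisions_over_all_orders(check, values):
    """Return the set of outcomes a check produces across every ordering of values."""
    return {check({ATTR: list(p)}) for p in permutations(values)}
```

Running `decisions_over_all_orders` on a check during testing shows whether it is order-sensitive: a safe check yields exactly one outcome for a given set of values.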