Technical Construction of Attributes

Groupcall IDaaS releases the following attributes when completing Shibboleth single sign-on requests.

NameId

This transient attribute is a randomly generated GUID that is assigned at the start of a login session within IDaaS and persists only for the duration of that session.

 

eduPersonTargetedID

This is a persistent hash of the following information from IDaaS:

  • IDaaS person
  • IDaaS school
  • IDaaS entity ID
  • Service provider entity ID

 

The identifier is thus unique to the service provider but consistently presents the same value for each session.

 

Changes to properties of the person and school, such as names and usernames, do not affect the generation of this identifier.

 

eduPersonScopedAffiliation

This attribute releases the role of the person and the organisation they are from.  The school is identified by its LA and DfE number at the time of school configuration in IDaaS.

 

The granularity of the role is limited to the following:

  • Student
  • Teaching staff
  • Non-teaching staff
  • Parental
  • Other

 

IDaaS also releases a related attribute, eduPersonAffiliation, that repeats the role of the person.

 

eduPersonPrincipalName

This attribute contains an internal record identifier for the person.  It is constructed from:

  • A short-code of person type
  • A fixed, persistent identifier from the school MIS
  • The IDaaS school identifier, typically the school LA and DfE number at the time of school configuration in IDaaS.

The same attribute value is released to all parties, which means that parties could reconcile their activity records for the signed-in IDaaS user with activity records from other parties, or with corresponding data from the school MIS, were they to have agreed and permitted access to do so.

While common practice for UK federation identity providers, this attribute does not provide detail of the IDaaS username that was used to log into the service; this information is not released.
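The difference between the per-service-provider targeted identifier and the shared eduPersonPrincipalName can be seen in the following added example, which is not IDaaS code. The keyed hash (HMAC-SHA256 with a server-side salt), the field encoding, the separator layout of the principal name and all sample values are assumptions; the page does not state how IDaaS computes either value.

```python
import hashlib
import hmac

# Constructed sample values; none of them come from IDaaS.
IDP_ENTITY_ID = "https://idp.example.org/shibboleth"
SECRET_SALT = b"constructed-demo-salt-not-a-real-secret"


def targeted_id(person_id, school_id, sp_entity_id,
                idp_entity_id=IDP_ENTITY_ID, salt=SECRET_SALT):
    """Pairwise identifier: keyed hash over the four inputs the page lists.

    Assumption: HMAC-SHA256 over length-prefixed fields. Only stable record
    identifiers go in, so names and usernames cannot change the result.
    """
    mac = hmac.new(salt, digestmod=hashlib.sha256)
    for field in (person_id, school_id, idp_entity_id, sp_entity_id):
        raw = field.encode("utf-8")
        # Length prefix stops ("ab", "c") and ("a", "bc") from colliding.
        mac.update(len(raw).to_bytes(4, "big") + raw)
    return mac.hexdigest()


def principal_name(type_code, mis_id, school_id):
    """Shared identifier from the three listed parts (hypothetical layout)."""
    return f"{type_code}.{mis_id}@{school_id}"


def release(person, sp_entity_id):
    """Attributes a single service provider would receive for one person."""
    return {
        "displayName": person["display"],
        "eduPersonTargetedID": targeted_id(
            person["id"], person["school"], sp_entity_id),
        "eduPersonPrincipalName": principal_name(
            person["type"], person["mis_id"], person["school"]),
    }


def correlatable(records_a, records_b, key):
    """Identifier values that two service providers hold in common."""
    return {r[key] for r in records_a} & {r[key] for r in records_b}
```

Two service providers comparing records find a match on eduPersonPrincipalName but none on the targeted identifier, which is the property to weigh when deciding which attribute a service actually needs.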

 

displayName

Unlike other technical attributes, this attribute contains the display name of the logged-in IDaaS user.

 

The specific contents of this value are driven by both source MIS data and per-school configuration of IDaaS, but typically the following rules apply:

  • Students: {Forename} {Surname}
  • Staff: {Title} {Initial} {Surname}
  • Parents: {Title} {Forename} {Surname}

 

Any issues with this value must be addressed at the school MIS level and will then cascade through IDaaS on the next update.
