Principal name | core |
Name | eduPersonPrincipalName |
Description | A scoped identifier for a person |
Vocabulary | not applicable, no controlled vocabulary |
References | eduPerson |
OIDC | n/a |
OID | 1.3.6.1.4.1.5923.1.1.1.6 |
LDAP Syntax | Directory String |
# of values | single |
Example values | |
Definition
A scoped identifier for a person. It should be represented in the form user@scope, where user is a name-based identifier for the person and where the scope portion MUST be the administrative domain of the identity system where the identifier was created and assigned. Each value of scope defines a namespace within which the assigned identifiers MUST be unique. Given this rule, if two eduPersonPrincipalName (ePPN) values are the same at a given point in time, they refer to the same person. There must be one and only one @ sign in valid values of eduPersonPrincipalName.
Important
- In the Switch edu-ID federation, this attribute SHOULD NOT be used. Use swissEduPersonUniqueID if a non-targeted identifier is required.
- For interfederation use, eduPersonPrincipalName might be suitable; however, subject-id would be better.
Notes
- Values of eduPersonPrincipalName are often, but not required to be, human-friendly, and may change as a result of various business processes. The possibility of changes and reassignments makes this identifier unsuitable for many purposes. As a result, eduPersonPrincipalName is NOT RECOMMENDED for use by applications that provide separation between low-level identification and more presentation-oriented data such as name and email address. Common identity protocols provide a standardized and more stable identifier for such applications, and these protocol-specific identifiers should be used whenever possible; where using a protocol-specific identifier is not possible, the eduPersonUniqueId attribute may be an appropriate "neutral" form.
- Syntactically, ePPN looks like an email address but is not intended to be a person’s published email address, or to be used as an email address. Consumers must not assume this is a valid email address for the individual.
Syntax
In general, Unicode characters are allowed. In LDAP, this data type implies UTF-8 encoding, and such characters are permitted. However, to reduce the risk of application errors, it is recommended that values contain only characters that could occur in account or login user names.
While the UTF-8 encoding will often be appropriate, the specific encoding depends on the technology involved, and may not be limited to UTF-8 when more than LDAP is involved.
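As an added illustration of the Definition and Syntax rules above (example code written for this page, not part of the Switch edu-ID specification or any library), the following relying-party check parses an ePPN into its user and scope parts, enforces exactly one @, restricts the user part to login-name characters, and refuses values whose scope the presenting identity provider is not authorised to assert. The login-name character class, the DNS-label shape required of the scope and the per-IdP list of permitted scopes are assumptions of the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Assumption: "characters that could occur in login user names" is modelled as
# this ASCII subset; the attribute syntax itself permits wider Unicode.
LOGIN_NAME_RE = re.compile(r"[A-Za-z0-9._-]+")
# Assumption: an administrative domain is a dotted DNS name with at least two
# labels, each 1-63 chars, not starting or ending with a hyphen.
SCOPE_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+")

@dataclass(frozen=True)
class Eppn:
    user: str
    scope: str

def parse_eppn(value: str) -> Eppn:
    """Split an eduPersonPrincipalName into user and scope, enforcing the definition."""
    if value.count("@") != 1:
        raise ValueError(f"ePPN must contain exactly one '@': {value!r}")
    user, scope = value.split("@")
    if not user or not scope:
        raise ValueError(f"user and scope must both be non-empty: {value!r}")
    if not LOGIN_NAME_RE.fullmatch(user):
        raise ValueError(f"user part has characters outside login-name range: {user!r}")
    if not SCOPE_RE.fullmatch(scope):
        raise ValueError(f"scope is not an administrative domain: {scope!r}")
    # The scope is a domain name, so normalise its case; the user part is kept as issued.
    return Eppn(user=user, scope=scope.lower())

def is_valid_eppn(value: str) -> bool:
    """Boolean convenience wrapper around parse_eppn."""
    try:
        parse_eppn(value)
        return True
    except ValueError:
        return False

def accept_scoped_eppn(value: str, permitted_scopes: set[str]) -> Eppn:
    """Accept an ePPN only if its scope is one the asserting IdP may issue.

    The scope is the namespace that makes the identifier unique, so a relying
    party should only trust a value whose scope the presenting identity provider
    is authoritative for (assumption: permitted_scopes comes from the relying
    party's own configuration or federation metadata for that IdP).
    """
    eppn = parse_eppn(value)
    if eppn.scope not in {s.lower() for s in permitted_scopes}:
        raise ValueError(f"scope {eppn.scope!r} not authorised for this identity provider")
    return eppn
```

Note that the value is deliberately never treated as a mailbox: it is parsed only into user and scope, in line with the note above that consumers must not assume it is a valid email address.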
All attribute definitions in a single document: Switch edu-ID Attribute Specification