== University of Alaska [[BR]] == Identity Provider attribute release information & [[BR]] == Privacy Statement regarding your data == The most current version of this document is actively maintained at https://iam.alaska.edu/trac/wiki/IamUaArp [[BR]] One of the most powerful aspects of Shibboleth-based Identity Provider (IdP) is the ability to release selected information about the person to a relying application. A relying application will not see your username and password but instead refer you back to the UA IdP to authenticate ("log in"). If you successfully authenticate ("log in") to the IdP, the IdP asserts a set of attributes about you back to the relying application using a standard protocol (SAML). Different applications can receive different information; in fact, some applications will not receive personally identifiable information about the person that has authenticated. [[BR]] ''Permission to release information about you'':[[BR]] If upon review of this information you do not want to release the indicated attributes about you to a service, you should not use (log into) that service. [[BR]][[BR]] ''Re-use or distribution of information about you'': [[BR]] Although the attributes released to a service are deemed necessary to appropriately use that service, that is the only purpose for which they are released. Any subsequent re-use for other purposes is not allowed; if you detect such misuse of your information, contact !iam@alaska.edu. == Attributes [AttributeDetailTable View Attribute Details]== The following explains some of terminology related to our attribute release policies. Other attributes based on data in the UA Directory (EDIR) (e.g., major, email addresses, office location, employee type) could be released as and if appropriate for other applications. Note that ''only the selected attributes'' indicated by the name of each service are sent to that service; if an attribute is not listed, it is not sent to that service. For a full list of your University of Alaska attributes as seen by the Identity Provider, click on this link and log in with your UA credentials:[[BR]] [https://staffcouncil.uaf.edu/login-info/ My UA Login Information] '''eduPerson attributes''' - these attributes defined in national standards provide identifiers in specific formats and indications of your relation to the University '''eduPersonAffiliation''' - (sometimes abbreviated as ePA) one or more of the following: Student, Employee, Staff, Faculty, Member, or Affiliate. Member designates a person who is part of the University of Alaska and generally entitled to information services, even if not formally a student or employee; it includes campus-based researchers with external funding, faculty emeriti, and some others. Affiliate designates merely that the person has a record in the UA IdP, but is not automatically eligible for services, and may be used for those with a limited specific affiliation with UA such as short-term guests. '''eduPersonEntitlement''' - permissions or entitlements based on your role(s) at UA; may additionally be scoped to a department or (in the future) course. For example: for a student in Chemistry at UAF-main campus, learner@urn:mace:alaska.edu:itunesu:UAF - Main Campus:Chemistry '''eduPersonInstitutionalMail''' - An email address assigned to the individual in the alaska.edu domain, Distinguished from email by requirement of UA domain ("!...@alaska.edu") and from EPPN and eduPersonUnique ID in that it is intended for use by services to send email to users within the domain: delivery (directly, via email routing, or via forward) to a mailbox under control of the user. [''in draft awaiting formal approval from standards body''] '''eduPersonPrincipalName''' (sometimes abbreviated as ePPN) - A unique identifier comprised of your UA username followed by "@alaska.edu"; while it has the look of an email address, it does not signify that this is a valid email address or your preferred email address; example: !jpjones3@alaska.edu. '''eduPersonTargetedID''' - An opaque identifier unique to the combination of the authenticated person and the application; because it is different for each application, and does not itself reveal the identity of the user, it enables the application to track preferences or make bookmarks for the user, but does not enable that use information to be correlated with use in other applications or to a real person; example: 84e411ea-7daa-4a57-bbf6-b5cc52981b73 '''eduPersonUniqueID''' - A non-changing unique identifier - specifically, not changing upon change of name or role at UA - scoped to alaska.edu; syntax is UA ID#@alaska.edu; example: !30123456@alaska.edu. [''in draft awaiting formal approval from standards body; currently relased as uakPersonID''] '''Group Memberships & Roles''' '''[=#edirRole edirRole]''' - roles defined within the UA Enterprise Directory that convey elevated privileges or permissions; examples: DEPTADMIN, SPONSORACCOUNT, HELPDESK '''[=#eduIsMemberOf eduIsMemberOf]''' - group membership recorded in the UA Enterprise Directory; often used to express privileges or permissions in other services; example: cn=appusers:onbaseprep:ad_confidential,ou=group,dc=alaska,dc=edu '''[=#adIsMemberOf adIsMemberOf]''' - group membership recorded in the UA Domain (Active Directory), usually assigned programmatically on the basis of UA campus and/or role; example: CN=UAA_Students,OU=UAA,DC=ua,DC=ad,DC=alaska,DC=edu '''Names''' any of the following can be provided, depending on the requirements of the service '''common name''' - (or cn) usually a combination of given name and surname; may be multi-valued to include preferred first name and middle initial; example: William Smith, William A Smith, Bill Smith '''display name''' - a concatenation of your first and last name; it is based on your legal surname and preferred first name as recorded in UA's Human Resources and/or Student Information Systems (Banner); example: John Doe. '''given name''' - legal individual or first name; example: William '''surname''' - (or sn) legal family or last name; examples: Smith, Costa-Gavras. Note: the systems of record at UA sometimes combine family or last name with a generational title or suffix and if present these are carried over in the released value of surname; examples: Carter Jr, Arnaz III '''email''' - an email address indicated as your preferred email address in the UA Enterprise Directory; it may or may not be an @alaska.edu address; examples: !gene.kelly@alaska.edu, !peterq@arsc.edu '''[=#mailRoutingAddress mailRoutingAddress]''' - the email destination address to which email to other recorded addresses is delivered (routed); for most people, mailRoutingAddress is the email account issued to you by your campus, but users may change this address in the UA Enterprise Directory; unlike the email (mail) attribute, it is always single-valued. '''telephone number''' - phone number as recorded in the UA Enterprise Directory; in international format starting with "+" and country code, no punctuation other than spaces; example: +1 907 474 0123 '''UA identifiers''' '''[=#bannerID UA ID# or bannerID]''' (released as bannerID)- the unique numeric identifier assigned to all employees and students ("employee ID#", "student ID#") commonly used for UA login and account ids; example: 30123456 '''[=#uaUsername UA Username]''' (released as uaSystemID and as uaUsername) - the unique name-based identifier commonly used for UA login and account ids; example: jpmorgan, pdsmith3 '''[=#uakPersonID uakPersonID]''' - see eduPersonUniqueID. UA-defined unique identifier using UA ID# parallel to the name-based EPPN, but using the unchanging numeric ID # assigned to all students and employees; intended to substitute for EPPN when the Service Provider needs an unchanging identifier for each user; example: !30123456@alaska.edu '''[=#uaksAMAccountName UA sAMAccountName]''' (released as uaksAMAccountName) - the key identifier in the UA (Microsoft Windows) Domain; in the UA Domain this has value identical to UA Username for all students and employees. '''[=#uakSystemLegacyID uakSystemLegacyID]''' - usernames based on the prior UA convention that is used in some legacy systems, based on one letter designation of your MAU (a, f, j, s), role (s, f, n, x, h) and initials; examples: asabc2, fxpqr '''[=#UDCID UDCID]''' (Banner UDC Identifier) - an unchanging, Banner-generated, 32-character, alphanumeric value; it is an opaque (not intended to be human-readable) identifier used in Banner-related applications; example: GXgX9A£4LhGpthOsuyjvu-SKmae2IRzo '''UA faculty/staff information''' '''[=#assignmentCount assignmentCount]''' - UA employee's number of current assignments or jobs; value of 1 is typical and indicates an active employee; value of 0 indicates an employee with no current assignment or job, such as an occasional employee, adjunct faculty not currently teaching, faculty on sabbatical or other leave. '''[=#dlevel dlevel]''' - code from Banner HR indicating an employee's home department; examples: D8ARCH, D1ASHE. More human-friendly attributes are uakEmployeeDepartment, uakEmployeeAffiliation '''employee type''' - indication of employment category from HR record, examples: Exempt Staff - Regular or Faculty - Regular - <12 month '''title''' - working or informal title at UA; examples: Professor of Biology or Instructional Designer '''[=#TKL TKL]''' - "Time Keeping Location" from employees' HR record; example: T801; deprecated for non-HR use or authorization because it has no uniform simple connection to the employee's department, work location, or role, but rather indicates one of the distributed locations or control points for managing employee records. '''[=#uakEmployeeCampus uakEmployeeCampus ]''' - campus to which the employee's home department belongs; example: UAF Main, UAA Kenai Peninsula College '''[=#uakEmployeeDept uakEmployeeDept]''' - department name of an employee's home department from personnel record in Banner HR; example: CLA Philosophy & Humanities '''[=#uakEmployeeAffiliation uakEmployeeAffiliation]''' '''[=#uakEmployeeFacultyAffiliation uakEmployeeFacultyAffiliation]''' - academic program(s) in which a faculty member is currently an instructor of record; note that academic program names are not identical to employee department names; examples: UAF - eLearning & Distance Ed|Philosophy, UAF - Fairbanks Campus|Biology & Wildlife '''UA student information''' '''[=#creditHoursCurrent creditHoursCurrent]''' - current student enrollment in credit hours; some services may require a minimum number of credit hours '''[=#uakStudentCampus uakStudentCampus]''' - campus(es) providing courses in which a student is currently enrolled or has a major declared; note that these campus names from Banner SIS are not identical to the names from Banner HR for employee campus; the possible values are: {{{ UAA - Kenai Peninsula Campus, UAA - Kodiak Campus, UAA - Main Campus, UAA - Mat-Su Campus, PWSCC - Prince William Sound UAF - eLearning & Distance Ed, UAF - Bristol Bay (RB), UAF - Chukchi Campus, UAF - Correspondence Study(CS), UAF - Fairbanks Campus, UAF - Interior-Aleutians (RI), UAF - Juneau Fisheries (JU), UAF - Kuskokwim Campus, UAF - Northwest Campus, UAF - Rural College (RE) UAS - Juneau Campus, UAS - Ketchikan Campus, UAS - Sitka Campus) }}} '''[=#uakStudentDept uakStudentDept]''' - academic program(s) in which a student is currently enrolled or has declared a major == Applications == The following applications rely on the UA IdP for authentication and receive the information (attributes) indicated upon successful authentication (login). '''ARSC''' - ePPN '''AskUA''', aka '''Right Answers''' (Help Desk Knowledgebase Portal): UA Username, group membership, eduPersonAffiliation '''Atomic Learning''' (instructional videos) : surname, given name, UA ID#, EPPN, email, eduPersonAffiliation, and "!AtomicLearningCampus" (combined set of values of uakStudentCampus and uakEmployeeCampus) '''Blackboard Connect''' (Emergency Communications) ePPN, UA ID#, givenName, surname [released under specific attribute names required by this vendor: BBConnectFedID, !ContactRefCode, !FirstName, !LastName] '''Course Evaluation''' - tool at U Washington - ePPN, eduPersonScopedAffiliation, displayName, sn, givenName, mail '''CTSI''' (Clinical and Translational Sciences) - see IndianaCTSI '''Data Cookbook''' (Data analysis, limited to licensed users) - bannerID '''!DigitalMeasures''' (Faculty activity reporting) - ePPN '''!DocuSign''' (electronic signatures) - ePPN (in test) '''Dreamspark''' (Microsoft's full suite of software development tools): (none!) '''EDUCAUSE''' (EDUCAUSE Portal): eduPersonTargetedID (PersistentID), ePPN, surname, givenName, email, eduPersonScopedAffiliation (!affiliation@alaska.edu) '''eduroam''' (roaming wireless network access) Attributes released by UA IdP: EPPN '''EZProxy''' (access to UAF Rasmuson Library licensed scholarly databases): ePPN, eduPersonEntitlement and standard values of eduPersonAffiliation '''Faculty180''' (Faculty Activity Reporting) UA ID#, common name, givenName, surname, email '''Filesender''' - Utility to send / receive / short term store files up to 1TB - ePPN, eduPersonScopedAffiliation, displayName, sn, givenName, mail '''GENI Experimenter Portal''' - Site for network researchers - ePPN, eduPersonScopedAffiliation, displayName, sn, givenName, mail '''GINA''' ePPN '''Google''' (Google Apps for Higher Ed, including email, calendar, docs; currently only in proof-of-concept): UA Username '''Grouper @ UA''' - Group & Privilege Management (proof of concept stage) - ePPN '''IAM @ UA''' - this IAM wiki - ePPN '''IndianaCTSI''' (research, research grant, and collaboration tools): ePPN (researchers will be promoted to provide name and email to the service) '''Internet2 mailing lists''' eduPersonAffiliation, email '''iTunesU''' (University of Alaska section for podcasts in Apple's iTunes): ePPN, Transient ID, eduPersonTargetedID (old format), eduPersonEntitlement '''!InfoEd''' (research administration): ePPN, UA ID# '''Intellex''' (Environmental Health & Safety training): UA Username, UA ID#, email '''Kuali Ready''' (Disaster Recovery Planning) UA ID# scoped, displayName, given name, surname, email, telephone number '''NSF''' (National Science Foundation, including !FastLane for PIs): ePPN, given name, surname, common name, email '''NIH''' (National Institutes of Health resources; services tbd): given name, surname, email '''Parking @ UAF''' : ePPN, UA ID# '''People.alaska.edu''' - web gateway for UA Enterprise Directory: uaUsername '''Shibboleth.net''' (wiki and issues tracking for Shibboleth project) - ePPN, givenName, sn, cn, '''Spaces''' (Internet2 wiki at spaces.internet2.edu): ePPN, eduPersonEntitlement and standard values of eduPersonAffiliation '''Staff Council @ UAF''' : EePPNPN, UA ID#, given name, surname, email, telephone number, employee type, TKL, title, employee affiliation '''Study Abroad @ UAF''' : UA ID#, given name, surname, email, '''TAB @ UAF''' : UA ID#, ePPN, display name, email, telephone number, employee affiliation, eduPersonAffiliation '''Trac''' (wiki, technical documentation and internal tracking for IAM-related projects): ePPN '''UAA Tickets''' : cn (common name), displayName, eduPersonAffiliation, mail, uakStudentCampus, creditHoursCurrent '''UAlaska network''' (authenticated access to UA wired network): ePPN '''Win for Alaska''' (Wellness programs for UA Employees): ePPN