Accepted SAML SSO Attributes

Overview

During the authentication and self-registration processes, your Identity Provider (IdP) sends SAML assertions containing SAML attributes with information about the user. For TeamDynamix to extract values from these assertions, the IdP must release the attributes using the names in the accepted attribute lists below.

For SAML SSO authentication and self-registration to work, the IdP must be configured to always release attributes (sometimes called an attribute profile) to TeamDynamix. These are released in the <AttributeStatement> section of the SAML assertion.

Accepted SAML OID Attributes

This section describes which SAML OID attributes TeamDynamix can accept when examining incoming SAML assertions.

These are the preferred SAML attributes to send in SAML assertions. If at all possible, use these attribute names when releasing SAML attributes.

Accepted Formats

TeamDynamix accepts SAML OID attributes in all of the following SAML formats:

  • urn:oasis:names:tc:SAML:2.0:attrname-format:uri
  • urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
  • urn:oasis:names:tc:SAML:2.0:attrname-format:basic

Assertion Usage Example

<AttributeStatement>
    <Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" 
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
          john.doe@school.edu
        </AttributeValue>
    </Attribute>
    <Attribute Name="urn:oid:2.5.4.42" 
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
          John
        </AttributeValue>
    </Attribute>
    <Attribute Name="urn:oid:2.5.4.4" 
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
          Doe
        </AttributeValue>
    </Attribute>
    <Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" 
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
          john.doe@school.edu
        </AttributeValue>
    </Attribute>

    ... More SAML Attributes here as needed ...

</AttributeStatement>

Attribute List

Name | Value Format | Description / Notes

urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | Scoped | Username (eduPersonPrincipalName / eppn)
    Example: user@school.edu
    TeamDynamix uses the value of this attribute as the username during the authentication process. The value must be a fully qualified username in the format user@domain.
    Note also that TeamDynamix only allows specific username domains through for use during the SAML metadata exchange, and domain checking is case-sensitive. Because of this, it is highly recommended to transform values to lowercase on the way out of the IdP if at all possible.

urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | Scoped | Scoped Affiliation (eduPersonScopedAffiliation / affiliation)
    Example: faculty@school.edu
    Only accepts the following fully qualified values in the format affiliation@domain:
      • faculty@mydomain.edu
      • student@mydomain.edu
      • staff@mydomain.edu
      • alum@mydomain.edu
      • member@mydomain.edu
      • affiliate@mydomain.edu
      • employee@mydomain.edu
      • library-walk-in@mydomain.edu

urn:oid:1.3.6.1.4.1.5923.1.1.1.11 | String | Level of Assurance (eduPersonAssurance / assurance)
urn:oid:2.5.4.15 | String | Business Category (businessCategory)
urn:oid:2.16.840.1.113730.3.1.1 | String | Car License (carLicense)
urn:oid:2.5.4.3 | String | Common Name (cn)
urn:oid:2.16.840.1.113730.3.1.2 | String | Department Number (departmentNumber)
urn:oid:2.5.4.13 | String | Description (description)
urn:oid:2.16.840.1.113730.3.1.241 | String | Display Name (displayName)
urn:oid:1.3.6.1.4.1.5923.1.6.1.2 | String | The specific role the person has with each course offering, such as Learner or Instructor. (eduCourseMember)
urn:oid:1.3.6.1.4.1.5923.1.6.1.1 | String | The course offerings with which the person has any role. (eduCourseOffering)
urn:oid:2.16.840.1.113730.3.1.3 | String | Employee Number (employeeNumber)
urn:oid:2.16.840.1.113730.3.1.4 | String | Employee Type (employeeType)
urn:oid:1.3.6.1.4.1.5923.1.1.1.7 | String | Entitlement (entitlement)
urn:oid:2.5.4.23 | String | Fax Number (facsimileTelephoneNumber)
urn:oid:2.5.4.42 | String | Given Name / First Name (givenName)
urn:oid:2.5.4.43 | String | Initials (initials)
urn:oid:2.5.4.7 | String | Locality Name (l)
urn:oid:0.9.2342.19200300.100.1.3 | String | Mail / Email Address (mail)
urn:oid:0.9.2342.19200300.100.1.10 | String | Manager (manager)
urn:oid:1.3.6.1.4.1.5923.1.5.1.1 | String | Member (member)
urn:oid:1.3.6.1.4.1.5923.1.1.1.2 | String | Nickname (nickname)
urn:oid:2.5.4.10 | String | Organization / Company (o)
urn:oid:1.3.6.1.4.1.5923.1.1.1.3 | String | Organization Distinguished Name (org-dn)
urn:oid:1.3.6.1.4.1.5923.1.1.1.4 | String | Organizational Unit Distinguished Name (orgunit-dn)
urn:oid:2.5.4.11 | String | Organizational Unit (ou)

urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | NameID | Persistent ID / Targeted ID (persistent-id)
    Example: user@school.edu

urn:oasis:names:tc:SAML:2.0:nameid-format:persistent | NameID | Persistent ID / Targeted ID (persistent-id)
    Example: user@school.edu

urn:oid:2.5.4.19 | String | Physical Delivery Office Name (physicalDeliveryOfficeName)
urn:oid:2.5.4.17 | String | Postal Code / Zip Code (postalCode)
urn:oid:2.5.4.18 | String | P. O. Box (postOfficeBox)
urn:oid:2.16.840.1.113730.3.1.39 | String | Preferred Language (preferredLanguage)

urn:oid:1.3.6.1.4.1.5923.1.1.1.5 | String | Primary Affiliation (eduPersonPrimaryAffiliation / primary-affiliation)
    Only accepts the following values:
      • faculty
      • student
      • staff
      • alum
      • member
      • affiliate
      • employee
      • library-walk-in

urn:oid:1.3.6.1.4.1.5923.1.1.1.8 | String | Primary Organizational Unit Distinguished Name (primary-orgunit-dn)
urn:oid:2.5.4.34 | String | See Also (seeAlso)
urn:oid:2.5.4.4 | String | Surname / Last Name (sn)
urn:oid:2.5.4.8 | String | State or Province (st)
urn:oid:2.5.4.9 | String | Street (street)
urn:oid:2.5.4.20 | String | Telephone Number (telephoneNumber)
urn:oid:2.5.4.12 | String | Title (title)

urn:oid:1.3.6.1.4.1.5923.1.1.1.1 | String | Unscoped Affiliation (eduPersonAffiliation / unscoped-affiliation)
    Only accepts the following values:
      • faculty
      • student
      • staff
      • alum
      • member
      • affiliate
      • employee
      • library-walk-in
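The eppn, scoped-affiliation and unscoped-affiliation rules in the attribute list above are easy to get subtly wrong at the IdP (most often by releasing a mixed-case domain, which the case-sensitive domain check then rejects). The following Python is an added example, not TeamDynamix code, that checks released values against those rules before they are trusted for login. The ALLOWED_DOMAINS list and the "exactly one eppn value" requirement are assumptions standing in for a tenant's configuration; the affiliation list and the user@domain / affiliation@domain formats are taken from this page.

```python
"""Check eppn and affiliation values against the rules on this page.

Added example, not TeamDynamix code. ALLOWED_DOMAINS is a constructed
stand-in for the username domains configured for a tenant, and requiring
exactly one eppn value is an assumption of this example.
"""
import re

# Affiliation values the page lists for eduPersonScopedAffiliation,
# eduPersonPrimaryAffiliation and eduPersonAffiliation.
ALLOWED_AFFILIATIONS = {
    "faculty", "student", "staff", "alum",
    "member", "affiliate", "employee", "library-walk-in",
}

# Constructed allowlist (assumption). Kept lowercase because the page says
# domain checking is case-sensitive and recommends lowercasing at the IdP.
ALLOWED_DOMAINS = {"school.edu", "example-college.edu"}

# Exactly one '@' with non-empty, whitespace-free parts on each side.
_SCOPED = re.compile(r"^([^@\s]+)@([^@\s]+)$")


def split_scoped(value):
    """Split 'left@domain' into (left, domain); None if not fully qualified."""
    m = _SCOPED.match(value)
    return (m.group(1), m.group(2)) if m else None


def check_eppn(value, allowed_domains=ALLOWED_DOMAINS):
    """Return (ok, detail) for an eduPersonPrincipalName value.

    The domain comparison is deliberately exact (case-sensitive) to mirror
    the behaviour the page describes, so 'user@School.EDU' is rejected even
    though 'user@school.edu' would be accepted."""
    parts = split_scoped(value)
    if parts is None:
        return False, "eppn must be a fully qualified user@domain"
    _user, domain = parts
    if domain not in allowed_domains:
        hint = ""
        if domain.lower() in allowed_domains:
            hint = " (lowercasing the value at the IdP would fix this)"
        return False, f"domain {domain!r} is not an allowed domain{hint}"
    return True, f"eppn accepted for domain {domain}"


def check_scoped_affiliation(value):
    """eduPersonScopedAffiliation: affiliation@domain, affiliation from the list."""
    parts = split_scoped(value)
    if parts is None:
        return False, "scoped affiliation must be affiliation@domain"
    affiliation, _domain = parts
    if affiliation not in ALLOWED_AFFILIATIONS:
        return False, f"unknown affiliation {affiliation!r}"
    return True, "scoped affiliation accepted"


def check_unscoped_affiliation(value):
    """eduPersonAffiliation / eduPersonPrimaryAffiliation: bare value only."""
    if value in ALLOWED_AFFILIATIONS:
        return True, "affiliation accepted"
    return False, f"unknown affiliation {value!r}"


def validate_login_attributes(attrs):
    """attrs: {friendly_name: [values]} as released by the IdP.

    Returns a list of problems; an empty list means every value met the
    page's rules. Unknown friendly names are ignored here."""
    problems = []
    eppns = attrs.get("eppn", [])
    if len(eppns) != 1:
        problems.append("exactly one eppn value is required")  # assumption
    else:
        ok, detail = check_eppn(eppns[0])
        if not ok:
            problems.append(detail)
    for v in attrs.get("affiliation", []):
        ok, detail = check_scoped_affiliation(v)
        if not ok:
            problems.append(detail)
    unscoped = attrs.get("unscoped-affiliation", []) + attrs.get("primary-affiliation", [])
    for v in unscoped:
        ok, detail = check_unscoped_affiliation(v)
        if not ok:
            problems.append(detail)
    return problems


if __name__ == "__main__":
    # Constructed sample mirroring a mixed-case release from an IdP.
    released = {"eppn": ["john.doe@School.EDU"], "affiliation": ["faculty@school.edu"]}
    for problem in validate_login_attributes(released):
        print("reject:", problem)
```

The helpful detail string on a case mismatch is the thing to surface in an SSO error page or log: it turns "Login failed" into an actionable note for the IdP administrator.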

Accepted SAML MACE Attributes

This section describes which SAML MACE attributes TeamDynamix can accept when examining incoming SAML assertions. These are less commonly used, as they exist for compatibility with the legacy SAML 1.0 attribute names. The basic name format is not supported for these attributes (see the accepted formats below).

Accepted Formats

TeamDynamix accepts SAML MACE attributes in both of the following SAML formats:

  • urn:oasis:names:tc:SAML:2.0:attrname-format:uri
  • urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified

Assertion Usage Example

<AttributeStatement>
    <Attribute Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" 
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
          john.doe@school.edu
        </AttributeValue>
    </Attribute>
    <Attribute Name="urn:mace:dir:attribute-def:givenName" 
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
          John
        </AttributeValue>
    </Attribute>
    <Attribute Name="urn:mace:dir:attribute-def:sn" 
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
          Doe
        </AttributeValue>
    </Attribute>
    <Attribute Name="urn:mace:dir:attribute-def:mail" 
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
          john.doe@school.edu
        </AttributeValue>
    </Attribute>

    ... More SAML Attributes here as needed ...

</AttributeStatement>
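Both Assertion Usage Examples on this page (the OID one above and the MACE one just shown) leave the extraction step implicit: walking the <AttributeStatement>, recognising an accepted name, and rejecting a NameFormat that is not allowed for that name family. The following Python is an added example, not TeamDynamix code, that does exactly that for a subset of the attribute lists on this page; it goes slightly beyond the page's snippets by handling both name families in one pass and by tolerating a namespaced assertion. The sample statement is constructed here (the urn:oid:9.9.9.9.example name is a placeholder, not a real attribute) and the friendly names used as dictionary values are this example's own choice.

```python
"""Extract the attributes TeamDynamix accepts from a SAML <AttributeStatement>.

Added example, not TeamDynamix code. It recognises both the OID names
(urn:oid:...) and the legacy MACE names (urn:mace:dir:attribute-def:...)
and enforces the NameFormat rules from this page: OID names may use uri,
unspecified or basic; MACE names may use uri or unspecified only.
"""
import xml.etree.ElementTree as ET

URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Subset of the page's attribute lists: SAML name -> friendly name (our choice).
OID_ATTRIBUTES = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eppn",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "affiliation",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "unscoped-affiliation",
    "urn:oid:2.5.4.42": "givenName",
    "urn:oid:2.5.4.4": "sn",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
}
MACE_ATTRIBUTES = {
    "urn:mace:dir:attribute-def:eduPersonPrincipalName": "eppn",
    "urn:mace:dir:attribute-def:eduPersonScopedAffiliation": "affiliation",
    "urn:mace:dir:attribute-def:eduPersonAffiliation": "unscoped-affiliation",
    "urn:mace:dir:attribute-def:givenName": "givenName",
    "urn:mace:dir:attribute-def:sn": "sn",
    "urn:mace:dir:attribute-def:mail": "mail",
    "urn:mace:dir:attribute-def:displayName": "displayName",
}
OID_FORMATS = {URI, UNSPECIFIED, BASIC}
MACE_FORMATS = {URI, UNSPECIFIED}


def _local(tag):
    """Strip an XML namespace: '{urn:...}Attribute' -> 'Attribute'."""
    return tag.rsplit("}", 1)[-1]


def extract_attributes(xml_text):
    """Return ({friendly_name: [values]}, [(name, reason), ...]).

    The first element holds accepted attributes; the second lists the ones
    that were ignored and why, which is what you want in an SSO debug log."""
    root = ET.fromstring(xml_text)
    accepted, ignored = {}, []
    for el in root.iter():
        if _local(el.tag) != "Attribute":
            continue
        name = el.get("Name", "")
        # SAML 2.0 treats an absent NameFormat as 'unspecified'.
        fmt = el.get("NameFormat", UNSPECIFIED)
        if name in OID_ATTRIBUTES:
            friendly, allowed = OID_ATTRIBUTES[name], OID_FORMATS
        elif name in MACE_ATTRIBUTES:
            friendly, allowed = MACE_ATTRIBUTES[name], MACE_FORMATS
        else:
            ignored.append((name, "not in the accepted attribute list"))
            continue
        if fmt not in allowed:
            ignored.append((name, f"NameFormat {fmt} not accepted for this name"))
            continue
        # Values on this page are padded with whitespace; strip it.
        values = [(v.text or "").strip() for v in el if _local(v.tag) == "AttributeValue"]
        accepted.setdefault(friendly, []).extend(v for v in values if v)
    return accepted, ignored


# Constructed sample modelled on the page's examples, with a basic-format
# MACE attribute and a placeholder name that both must be ignored.
SAMPLE_STATEMENT = """
<AttributeStatement>
    <Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
          john.doe@school.edu
        </AttributeValue>
    </Attribute>
    <Attribute Name="urn:oid:2.5.4.42"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <AttributeValue>John</AttributeValue>
    </Attribute>
    <Attribute Name="urn:mace:dir:attribute-def:sn"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <AttributeValue>Doe</AttributeValue>
    </Attribute>
    <Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
        <AttributeValue>faculty@school.edu</AttributeValue>
        <AttributeValue>member@school.edu</AttributeValue>
    </Attribute>
    <Attribute Name="urn:oid:9.9.9.9.example">
        <AttributeValue>ignored</AttributeValue>
    </Attribute>
</AttributeStatement>
"""

if __name__ == "__main__":
    got, skipped = extract_attributes(SAMPLE_STATEMENT)
    print("accepted:", got)
    print("ignored:", skipped)
```

Because matching is done on local element names, the same function works whether the statement arrives bare (as on this page) or inside a namespaced <saml:Assertion>. Note that this is the attribute-extraction step only; it assumes the assertion's signature and audience have already been verified by the SAML library in use.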

Attribute List

Name | Value Format | Description / Notes

urn:mace:dir:attribute-def:eduPersonPrincipalName | Scoped | Username (eduPersonPrincipalName / eppn)
    Example: user@school.edu
    TeamDynamix uses the value of this attribute as the username during the authentication process. The value must be a fully qualified username in the format user@domain.

urn:mace:dir:attribute-def:eduPersonScopedAffiliation | Scoped | Scoped Affiliation (eduPersonScopedAffiliation / affiliation)
    Example: faculty@school.edu
    Only accepts the following fully qualified values in the format affiliation@domain:
      • faculty@mydomain.edu
      • student@mydomain.edu
      • staff@mydomain.edu
      • alum@mydomain.edu
      • member@mydomain.edu
      • affiliate@mydomain.edu
      • employee@mydomain.edu
      • library-walk-in@mydomain.edu

urn:mace:dir:attribute-def:businessCategory | String | Business Category (businessCategory)
urn:mace:dir:attribute-def:carLicense | String | Car License (carLicense)
urn:mace:dir:attribute-def:cn | String | Common Name (cn)
urn:mace:dir:attribute-def:departmentNumber | String | Department Number (departmentNumber)
urn:mace:dir:attribute-def:description | String | Description (description)
urn:mace:dir:attribute-def:displayName | String | Display Name (displayName)
urn:mace:dir:attribute-def:employeeNumber | String | Employee Number (employeeNumber)
urn:mace:dir:attribute-def:employeeType | String | Employee Type (employeeType)
urn:mace:dir:attribute-def:eduPersonEntitlement | String | Entitlement (entitlement)
urn:mace:dir:attribute-def:facsimileTelephoneNumber | String | Fax Number (facsimileTelephoneNumber)
urn:mace:dir:attribute-def:givenName | String | Given Name / First Name (givenName)
urn:mace:dir:attribute-def:initials | String | Initials (initials)
urn:mace:dir:attribute-def:l | String | Locality Name (l)
urn:mace:dir:attribute-def:mail | String | Mail / Email Address (mail)
urn:mace:dir:attribute-def:manager | String | Manager (manager)
urn:mace:dir:attribute-def:eduPersonNickname | String | Nickname (nickname)
urn:mace:dir:attribute-def:o | String | Organization / Company (o)
urn:mace:dir:attribute-def:eduPersonOrgDN | String | Organization Distinguished Name (org-dn)
urn:mace:dir:attribute-def:eduPersonOrgUnitDN | String | Organizational Unit Distinguished Name (orgunit-dn)
urn:mace:dir:attribute-def:ou | String | Organizational Unit (ou)
urn:mace:dir:attribute-def:physicalDeliveryOfficeName | String | Physical Delivery Office Name (physicalDeliveryOfficeName)
urn:mace:dir:attribute-def:postalCode | String | Postal Code / Zip Code (postalCode)
urn:mace:dir:attribute-def:postOfficeBox | String | P. O. Box (postOfficeBox)
urn:mace:dir:attribute-def:preferredLanguage | String | Preferred Language (preferredLanguage)

urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation | String | Primary Affiliation (eduPersonPrimaryAffiliation / primary-affiliation)
    Only accepts the following values:
      • faculty
      • student
      • staff
      • alum
      • member
      • affiliate
      • employee
      • library-walk-in

urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN | String | Primary Organizational Unit Distinguished Name (primary-orgunit-dn)
urn:mace:dir:attribute-def:seeAlso | String | See Also (seeAlso)
urn:mace:dir:attribute-def:sn | String | Surname / Last Name (sn)
urn:mace:dir:attribute-def:st | String | State or Province (st)
urn:mace:dir:attribute-def:street | String | Street (street)

urn:mace:dir:attribute-def:eduPersonTargetedID | Scoped | Targeted ID (targeted-id)
    Example: user@school.edu

urn:mace:dir:attribute-def:telephoneNumber | String | Telephone Number (telephoneNumber)
urn:mace:dir:attribute-def:title | String | Title (title)

urn:mace:dir:attribute-def:eduPersonAffiliation | String | Unscoped Affiliation (eduPersonAffiliation / unscoped-affiliation)
    Only accepts the following values:
      • faculty
      • student
      • staff
      • alum
      • member
      • affiliate
      • employee
      • library-walk-in

Details

Article ID: 8643
Created: Mon 8/31/15 5:15 PM
Modified: Thu 2/15/24 4:13 PM
