Posted by Dedra Chamberlin on Jul 23, 2015 9:00:00 PM

One of the most widely adopted unique identifiers in higher education federated identity management is eduPersonPrincipalName (ePPN), defined as part of the eduPerson LDAP schema established by Internet2’s Middleware Architecture Committee for Education (MACE-dir). Historically, ePPN is defined by a campus and includes a local, unique identifier (netID) scoped at the campus domain, e.g. netID@university.edu.

Many campuses are now integrating social identities (Google, Facebook, Twitter, etc) with their federated services, and those social providers do not natively assert ePPN. Campuses or gateway services, such as the Cirrus Gateway Service, must decide how to map attributes asserted by social providers into MACE-Dir/SAML equivalents.

One key consideration when deciding on this mapping is persistence. In the case of Twitter, for example, a gateway could choose to assert the Twitter handle as the first portion of ePPN (before the @ sign), but users can change their Twitter handle at any time. It makes more sense to choose a more persistent identifier, such as the Twitter ID, which persists even when the user changes handles. LinkedIn provides a unique ID for their users, but integrators should be aware that changes to the API key/secret will result in a regeneration of unique IDs, though LinkedIn has indicated they will work with developers to mitigate the re-mapping of all user accounts triggered by API key regeneration (for details, see https://developer.linkedin.com/forum/different-id-same-user-using-oauth).

In the case of Google, Service Providers and gateway operators may choose to map Google's unique ID (the ID that shows for a user on their Google+ Profile page) as ePPN, but in other cases they may choose to use email address, since Google asserts email and email can serve as a unique, scoped identifier. Service Providers and gateway operators should be careful, however, given that there is no easy way to “pre-register” and predict what will show up as the scope for any Google email address (after the @ sign), as Google hosts many thousands of domains. Google’s unique ID is likely the best bet for a unique identifier predictably scoped @google.com.

Cirrus Identity has finalized ePPN mappings for all the social providers it currently supports. 

Topics: Higher Education, OpenID Connenct, SAML, Federated Identity Management, EdTech