Picking a good value for eduPersonPrincipalName (ePPN) can be confusing. The confusion stems both from assumptions people bring to the attribute and from insufficient clarity in the standard itself. Here is some information to help you better understand ePPN and make an informed decision about the appropriate ePPN value for your Higher Ed Community SSO SAML integrations.
What is eduPersonPrincipalName (ePPN)?
ePPN is often asserted as an attribute to access multilateral federated services. This enables individuals to use their home institution’s credentials to access resources and services provided by other institutions and organizations.
ePPN is a unique user identifier that is scoped and in the form “user@scope”. It is composed of the following:
• user: An identifier for a person that may be either human-friendly, like john.smith, or not-so-friendly, like a GUID.
• @: There must be exactly one “@” sign.
• scope: A domain that ensures global uniqueness for the user identity. Identity providers authorized for a given scope are responsible for ensuring this global uniqueness.
Characteristics of a good ePPN value
A good ePPN should be:
• Unique -- All identifiers within a scope must be unique. Every ePPN with the same value should refer to the same person, and two individuals should never have the same ePPN.
• Non-Reassignable -- Once an ePPN is assigned to an individual, it should not be reused for anyone or anything else.
• Persistent (long-lived) -- Once a person is assigned an ePPN, it should not change. Or, at the very least, a person’s ePPN should be expected to be painful to change.
• Not Case-Sensitive -- Two ePPN values that differ only in letter case refer to the same identifier.
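The following is an added example (not code from the original article or from Cirrus Identity) that turns the structure and characteristics above into checks a service provider can run on an asserted ePPN: exactly one “@”, a domain-shaped scope, case-insensitive comparison, and a check that the asserting identity provider is authorized for the scope it claims. The entityIDs, the scope syntax regex and the `AUTHORIZED_SCOPES` map are assumptions constructed for the example; in a real deployment the scope-to-IdP authorization comes from federation metadata.

```python
import re
from dataclasses import dataclass

# Constructed for this example: which scopes each IdP (identified by its SAML
# entityID) is authorized to assert. In a federation this comes from metadata.
AUTHORIZED_SCOPES = {
    "https://idp.example.edu/idp/shibboleth": {"example.edu"},
    "https://idp.campus2.example.edu/idp/shibboleth": {"campus2.example.edu"},
}

# Assumed scope syntax: a DNS-style domain name with at least two labels, each
# label made of letters, digits and hyphens, not starting or ending with a hyphen.
_SCOPE_RE = re.compile(
    r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)


class InvalidEPPN(ValueError):
    """Raised when an asserted value does not satisfy the user@scope shape."""


@dataclass(frozen=True)
class EPPN:
    user: str
    scope: str

    def normalized(self) -> str:
        # ePPN is not case-sensitive: store and compare one canonical form.
        return f"{self.user.lower()}@{self.scope.lower()}"


def parse_eppn(value: str) -> EPPN:
    """Split an asserted ePPN into user and scope, enforcing exactly one '@'."""
    if value.count("@") != 1:
        raise InvalidEPPN(f"ePPN must contain exactly one '@': {value!r}")
    user, scope = value.split("@")
    if not user:
        raise InvalidEPPN(f"empty user part in {value!r}")
    if not _SCOPE_RE.match(scope.lower()):
        raise InvalidEPPN(f"scope is not a domain name: {scope!r}")
    return EPPN(user, scope)


def is_valid_eppn(value: str) -> bool:
    """Boolean form of parse_eppn for callers that only need yes/no."""
    try:
        parse_eppn(value)
        return True
    except InvalidEPPN:
        return False


def same_person(a: str, b: str) -> bool:
    """Case-insensitive equality: John.Smith@Example.EDU equals john.smith@example.edu."""
    return parse_eppn(a).normalized() == parse_eppn(b).normalized()


def accept_eppn(issuer_entity_id: str, value: str) -> str:
    """SP-side acceptance: reject an ePPN whose scope the asserting IdP is not
    authorized for, and return the canonical form to use as the account key."""
    eppn = parse_eppn(value)
    allowed = AUTHORIZED_SCOPES.get(issuer_entity_id, set())
    if eppn.scope.lower() not in allowed:
        raise InvalidEPPN(
            f"{issuer_entity_id} is not authorized to assert scope {eppn.scope!r}"
        )
    return eppn.normalized()


if __name__ == "__main__":
    print(accept_eppn("https://idp.example.edu/idp/shibboleth", "John.Smith@Example.edu"))
```

The scope authorization check is the one that matters most for the “Unique” property: the uniqueness guarantee only holds because a given scope is asserted by the identity providers authorized for it, so a service provider that accepts any scope from any IdP has lost that guarantee.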
Other important considerations
• The ePPN is not an email address, although it may look like one. ePPN does not need to resolve to a deliverable mailbox.
• The ePPN is generally not intended to be a user interface element, but is often abused in this way by service providers.
• Consider the impact on services before making scope changes. An institution with multiple campuses may have people who use the same login identifier across the different campus domains, so the same user part appears under two different campus scopes. If your current user population includes folks at different campuses with the same user identifier, you may not be able to consolidate into one scope without impacting services that rely on a per-campus user principal name (UPN) for authorization.
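As an added example (not code from the original article), here is the audit a practitioner would run before consolidating several campus scopes into one: group the currently asserted ePPNs by what they would become under the new scope, compare case-insensitively, and report every consolidated value that more than one existing ePPN would map to. The sample ePPNs and campus scopes are constructed for the example.

```python
from collections import defaultdict

# Constructed sample: ePPNs currently asserted by three campus IdPs. The user
# part "jsmith" and "mlee" each appear under more than one campus scope.
CURRENT_EPPNS = [
    "jsmith@campus-a.example.edu",
    "mlee@campus-a.example.edu",
    "JSmith@campus-b.example.edu",   # different person with the same user part
    "rchen@campus-b.example.edu",
    "mlee@campus-c.example.edu",
]


def consolidation_collisions(eppns, new_scope):
    """Map each consolidated ePPN that would be produced by more than one
    existing ePPN to the list of originals that would merge into it.
    An empty result means the consolidation preserves uniqueness."""
    merged = defaultdict(list)
    for value in eppns:
        user, sep, scope = value.partition("@")
        if sep != "@" or not user or "@" in scope:
            raise ValueError(f"not a well-formed ePPN: {value!r}")
        # ePPN is not case-sensitive, so collisions are detected on lower-cased values.
        merged[f"{user.lower()}@{new_scope.lower()}"].append(value)
    return {key: originals for key, originals in merged.items() if len(originals) > 1}


def can_consolidate(eppns, new_scope) -> bool:
    """True only if no two existing ePPNs would collide under the new scope."""
    return not consolidation_collisions(eppns, new_scope)


if __name__ == "__main__":
    for consolidated, originals in consolidation_collisions(CURRENT_EPPNS, "example.edu").items():
        print(consolidated, "<-", ", ".join(originals))
```

Because an ePPN is meant to be persistent and non-reassignable, a collision found here cannot be resolved by silently renaming one party: each affected person needs a distinct new value, and the service providers that key authorization on the old per-campus value need to be updated before the old scope stops being asserted.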
Cirrus Identity is committed to supporting the REFEDS standards. We are also committed to helping our customers who, when engaging with multilateral federations for the first time, may need guidance to navigate nuances and requirements.