Attributes are pieces of information about a user, such as name or email address. 

This page provides background information on how to map the AAF attributes to your own Identity Management System (IdMS). For detailed instructions, refer to Installing a Shibboleth 2.x IdP.

We recommend you visit the  AAF core attributes and the AAF Optional Attributes and understand the guidelines for implementation. 

Attributes Overview
  • The AAF has Core, Recommended, and Optional attributes
  • The AAF attribute set is based on multiple formal attribute specifications:
    • Basic LDAP schema (person)
    • eduPerson – additional attributes useful for academic environment
    • auEduPerson – additional extensions developed by AAF
  • The IdP can pull some attributes directly from the IdMS (LDAP, AD):
    • Core attributes: displayName, mail, cn
    • Recommended: givenName, sn
  • Some attributes are hashes calculated on the fly
    • Core: eduPersonTargetedID, auEduPersonSharedToken (SharedToken should be stored back in the IdMS or a DB)
  • Some attributes have to be synthesized from existing IdMS information
    • eduPersonPrincipalName: <uid> + ‘@’ + ‘’
    • eduPersonAffiliation: using a scriptlet:
IF isStaff==TRUE THEN ‘staff’
  • Some attributes may have to be added to the identity management system (e.g, eduPersonEntitlement, eduPersonAssurance)

Attribute Matrix

AAF Core Attributes
 Attribute Name     Typical source  Description
 auEduPersonSharedToken   Hash with write  back   A unique identifier enabling federation spanning services such as Grid and Repositories.
 displayName  LDAP  Preferred name of a person to be used when displaying entries.
 eduPersonAffiliation    Scriptlet definition   Specifies the person’s relationship(s) to the institution in broad categories such as student, faculty, staff, alum, etc. 
 eduPersonEntitlement   LDAP (if available)   URI (either URN or URL) that indicates a set of rights to specific resources. 
 eduPersonScopedAffiliation   Take eduPersonAffiliation + rename + add Scope   Specifies the person’s affiliation within a particular security domain in broad categories such as student, faculty, staff, alum, etc.    
 eduPersonTargetedID    Hash with write back    A persistent, non-reassigned, privacy-preserving identifier for a user shared between an identity provider and service provider. An identity provider uses the appropriate value of this attribute when communicating with a particular service provider or group of service providers, and does not reveal that value to any other service provider except in limited circumstances.  
 authenticationMethod  IdP Set of URIs that assert compliance with specific standards for authentication method. 
 eduPersonAssurance    LDAP (if available or synthesized from other available information)   Set of URIs that assert compliance with specific standards for identity assurance. 
 cn  LDAP  User’s first name then surname.
 o (or organizationName) Static   Standard name of the top-level organization (institution) with which this person is associated.
 mail    LDAP   Email address, single value. User’s preferred outward facing email address with regard to the organisation.  

AAF Recommended Attributes 
 Attribute Name Typical Source   Description  
 givenName   LDAP A persons first name or preferred name 
 sn (surname)   LDAP A persons surname  
 schacHomeOrganization  Static                  Specifies a person’s home organisation using the domain name of the organisation. 
 schacHomeOrganizationType Static Specifies a person’s home organisation's type. 
 organizationalUnit LDAP Specifies a person's unit within their home organisation.
 postalAddress LDAP Specifies a person's postal address.
 telephoneNumber LDAP Specifies a person's telephone number.
 mobileNumber LDAP Specifies a person's mobile telephone number.
 businessCategory LDAP Define the type of business in which organisation is involved.


 departmentNumber LDAP Specify a person’s department code within their organisation.
 division LDAP Specify a person’s division within their organisation.
 LDAP A persistent digital identifier that distinguishes the account holder from every other researcher.