This document provides guidance on deciding when to obtain user attributes from the UW Identity Provider (IdP) or from other institutional data sources.
Background
Applications often need information about the users logging in so that authorization and personalization functions can run. Shibboleth Service Providers (SPs) have the option to obtain user attributes from the UW IdP or from other institutional data sources. Pointers to information about commonly used data sources and considerations for using these and the UW IdP are provided below.
Data Sources
UW IdP
The attributes available from the UW IdP are sourced from the Person Directory Service (PDS), the Groups Web Service (GWS), or are computed by the IdP. See Guide to NameID Formats and Attributes Available from the UW IdP for more information.
Groups Directory Service
This directory service provides information on group memberships. Application integration is possible via a web service (preferred) or LDAP client technologies (with limitations).
Person Directory Service
This directory service provides a variety of person data on faculty, staff, students, and alumni. Application integration is possible via a web service or LDAP client technologies.
Guidance
Attributes provided by the IdP
If the attributes you need are available from the IdP, it’s often easiest to just use those. Once configured, you don’t have to do anything special to use attributes from the IdP; they show up in your application’s environment when the user authenticates.
- The attribute must be available from the UW IdP
- You must Request a NameID and Attributes from the UW IdP to have them released to your application
- You must Configure a Service Provider to Use Attributes after they have been released to your application
- Some attributes are available only from the IdP. If your application needs these you have no choice of sources.
Attributes from other sources
Some situations require you to get user information from other sources. Common reasons are listed below.
Other institutional data sources are generally available only to UW applications for UW users.
The IdP doesn’t provide the information
- uwEWPDept1 from PDS, for example.
You are already retrieving information from another source
- If you already get information from PDS you might as well use that data source rather than requesting additional attributes from the IdP that originate from PDS.
You need more timely information
- Attributes from Shibboleth are collected when the user logs in, and the user’s session may last up to 12 hours. The attributes will not be refreshed until the user gets a new session. You may need something more up-to-date.
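
One way an application can act on the staleness described above is to use the login-time attributes only while they are recent, and otherwise check a live source before an authorization decision. This is an added example, not code from UW or the Shibboleth project. It assumes the group attribute is exported under the name isMemberOf, a 15-minute freshness policy, and a hypothetical fetch_current_groups callable standing in for a Groups Web Service query.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed policy: maximum age of login-time attributes for authorization use.
MAX_ATTRIBUTE_AGE = timedelta(minutes=15)

def split_values(raw):
    # The SP joins multiple values with ';' and escapes a literal ';' as '\;'.
    parts = re.split(r"(?<!\\);", raw or "")
    return [p.replace("\\;", ";") for p in parts if p]

def attribute_age(environ, now):
    # Shib-Authentication-Instant is set by the Shibboleth SP; it is used here
    # as the time the attributes were collected (assumption of this example).
    raw = environ.get("Shib-Authentication-Instant")
    try:
        instant = datetime.fromisoformat((raw or "").replace("Z", "+00:00"))
    except ValueError:
        return None
    return now - instant if instant.tzinfo else None

def is_authorized(environ, required_group, fetch_current_groups, now=None):
    # fetch_current_groups(user) is a hypothetical callable that queries a
    # live source such as the Groups Web Service and returns group names.
    now = now or datetime.now(timezone.utc)
    user = environ.get("REMOTE_USER")
    if not user:
        return False  # no authenticated session: deny
    age = attribute_age(environ, now)
    if age is not None and timedelta(0) <= age <= MAX_ATTRIBUTE_AGE:
        groups = split_values(environ.get("isMemberOf"))  # assumed variable name
    else:
        # Stale, missing, or future-dated instant: do not trust the snapshot.
        groups = fetch_current_groups(user)
    return required_group in groups

if __name__ == "__main__":
    # Constructed sample request environment, nine hours into a session.
    env = {"REMOTE_USER": "alice", "isMemberOf": "app-users;app-admins",
           "Shib-Authentication-Instant": "2024-05-01T09:00:00Z"}
    now = datetime(2024, 5, 1, 18, 0, tzinfo=timezone.utc)
    live = lambda user: ["app-users"]  # constructed: alice was removed from app-admins
    print(is_authorized(env, "app-admins", live, now))
```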