IdP Provided Attributes vs. Other Sources of Information

This document provides guidance on deciding when to obtain user attributes from the UW Identity Provider (IdP) or from other institutional data sources.

Background

Applications often need information about the users logging in so that authorization and personalization functions can run. Shibboleth Service Providers (SPs) have the option to obtain user attributes from the UW IdP or from other institutional data sources. Pointers to information about commonly used data sources and considerations for using these and the UW IdP are provided below.

Data Sources

UW IdP

The attributes available from the UW IdP are sourced from the Person Directory Service (PDS), the Groups Web Service (GWS), or are computed by the IdP. See Guide to NameID Formats and Attributes Available from the UW IdP for more information.

Groups Directory Service

This directory service provides information on group memberships. Application integration is possible via a web service (preferred) or LDAP client technologies (with limitations).

• Groups Service Wiki
• Groups Service API v2
• UW Groups Directory Service

Person Directory Service

This directory service provides a variety of person data on faculty, staff, students, and alumni. Application integration is possible via a web service or LDAP client technologies.

• UW Person Directory Service
• Person Directory Attribute Reference
• Person Web Service | PWS

Guidance

Attributes provided by the IdP

If the attributes you need are available from the IdP, it’s often easiest to just use those. Once configured you don’t have to do anything special to use attributes from the IdP—they just show up in your application’s environment when the user authenticates.

• The attribute must be available from the UW IdP
• You must Request a NameID and Attributes from the UW IdP to have them released to your application
• You must Configure a Service Provider to Use Attributes after they have been released to your application
• Some attributes are available only from the IdP. If your application needs these you have no choice of sources.
  
  

Attributes from other sources

Some situations require you get user information from other sources. Common reasons are listed below.

The IdP doesn’t provide the information

• uwEWPDept1 from PDS, for example.

You are already retrieving information from another source

• If you already get information from PDS you might as well use that data source rather than requesting additional attributes from the IdP that originate from PDS.

You need more timely information

• Attributes from Shibboleth were collected when the user logged in and the user’s session may last up to 12 hours. The attributes will not be refreshed until the user gets a new session. You may need something more up-to-date.