IdP Provided Attributes vs. Other Sources of Information

Last updated: May 31, 2024
Audience: IT Staff / Technical

This document provides guidance on deciding when to obtain user attributes from the UW Identity Provider (IdP) or from other institutional data sources.

Background

Applications often need information about the users logging in so that authorization and personalization functions can run. Shibboleth Service Providers (SPs) have the option to obtain user attributes from the UW IdP or from other institutional data sources. Pointers to information about commonly used data sources and considerations for using these and the UW IdP are provided below.

Data Sources

UW IdP

The attributes available from the UW IdP are sourced from the Person Directory Service (PDS), the Groups Web Service (GWS), or are computed by the IdP. See Guide to NameID Formats and Attributes Available from the UW IdP for more information.

Groups Directory Service

This directory service provides information on group memberships. Application integration is possible via a web service (preferred) or LDAP client technologies (with limitations).

Person Directory Service

This directory service provides a variety of person data on faculty, staff, students, and alumni. Application integration is possible via a web service or LDAP client technologies.

Guidance

Attributes provided by the IdP

If the attributes you need are available from the IdP, it’s often easiest to just use those. Once configured you don’t have to do anything special to use attributes from the IdP—they just show up in your application’s environment when the user authenticates.

Attributes from other sources

Some situations require you get user information from other sources. Common reasons are listed below.

Other institutional data sources are generally available only to UW applications for UW users.

The IdP doesn’t provide the information
  • uwEWPDept1 from PDS, for example.
You are already retrieving information from another source
  • If you already get information from PDS you might as well use that data source rather than requesting additional attributes from the IdP that originate from PDS.
You need more timely information
  • Attributes from Shibboleth were collected when the user logged in and the user’s session may last up to 12 hours. The attributes will not be refreshed until the user gets a new session. You may need something more up-to-date.
  • No labels