Principal name   coreshow all attributes
Name eduPersonPrincipalName
Description A scoped identifier for a person
Vocabulary not applicable, no controlled vocabulary
References eduPerson
OIDC n/a
OID 1.3.6.1.4.1.5923.1.1.1.6
LDAP Syntax Directory String
# of values single
Example values
  • hputter@hsww.wiz

Definition

A scoped identifier for a person. It should be represented in the form user@scope where user is a name-based identifier for the person and where the scope portion MUST be the administrative domain of the identity system where the identifier was created and assigned. Each value of scope defines a namespace within which the assigned identifiers MUST be unique.
Given this rule, if two eduPersonPrincipalName (ePPN) values are the same at a given point in time, they refer to the same person. There must be one and only one @ sign in valid values of eduPersonPrincipalName.

Important

  • In the Switch edu-ID federation, this attribute SHOULD NOT be used. Use swissEduPersonUniqueID if a non-targeted identifier is required.

  • For interfederation use, eduPersonPrincipalName might be suitable, however, subject-id would be better.

Notes

  • Values of eduPersonPrincipalName are often, but not required to be, human-friendly, and may change as a result of various business processes.
    Possibilities of changes and reassignments make this identifier unsuitable for many purposes. As a result, eduPersonPrincipalName is NOT RECOMMENDED for use by applications that provide separation between low-level identification and more presentation-oriented data such as name and email address.
    Common identity protocols provide for a standardized and more stable identifier for such applications, and these protocol-specific identifiers should be used whenever possible; where using a protocol-specific identifier is not possible, the eduPersonUniqueId attribute may be an appropriate "neutral" form.

  • Syntactically, ePPN looks like an email address but is not intended to be a person’s published email address, or to be used as an email address. Consumers must not assume this is a valid email address for the individual.

Syntax

In general Unicode characters are allowed. In LDAP, this data type implies UTF-8 encoding, and such characters are permitted. However, to reduce the risk of application errors, it is recommended that values contain only characters that could occur in account or login user names.
While the UTF-8 encoding will often be appropriate, the specific encoding depends on the technology involved, and may not be limited to UTF-8 when more than LDAP is involved.


All attribute definitions in a single document: Switch edu-ID Attribute Specification