Principal name   coreshow all attributes
Name eduPersonPrincipalName
Description A scoped identifier for a person
Vocabulary not applicable, no controlled vocabulary
References eduPerson
LDAP Syntax Directory String
# of values single
Example values
  • hputter@hsww.wiz


A scoped identifier for a person. It should be represented in the form user@scope where user is a name-based identifier for the person and where the scope portion MUST be the administrative domain of the identity system where the identifier was created and assigned. Each value of scope defines a namespace within which the assigned identifiers MUST be unique.
Given this rule, if two eduPersonPrincipalName (ePPN) values are the same at a given point in time, they refer to the same person. There must be one and only one @ sign in valid values of eduPersonPrincipalName.


  • In SWITCHaai, this attribute SHOULD NOT be used. eduPersonTargetedID is preferred or use swissEduPersonUniqueID if a non-targeted identifier is required.

  • eduPersonPrincipalName is suitable for interfederation use cases.


  • Syntactically, ePPN looks like an email address but is not intended to be a person's published email address or be used as an email address. In general, name-based identifiers tend to be subject to some degree of expected change and/or reassignment.

  • Values of eduPersonPrincipalName are often, but not required to be, human-friendly, and may change as a result of various business processes. They may also be reassigned after a locally-defined period of dormancy. Applications that require a guarantee of non-reassignment and more stability, but can tolerate values unfriendly (and unknown) to humans should refer to the eduPersonTargetedID attribute.


In general Unicode characters are allowed. In LDAP, this data type implies UTF-8 encoding, and such characters are permitted. However, to reduce the risk of application errors, it is recommended that values contain only characters that could occur in account or login user names.
While the UTF-8 encoding will often be appropriate, the specific encoding depends on the technology involved, and may not be limited to UTF-8 when more than LDAP is involved.

Find the complete list of attribute definitions in one single document: Attribute Specification