Common Names in Shibboleth

We will soon be updating our common name handling in our UTORauth and UTORable systems, and our Shibboleth attributes will reflect the new handling. If your service makes use of common names, you’ll want to take note that, for some UToronto users, these values will change. (Actually, even without this new name handling, a name is subject to change due to a correction or a change in a user’s legal/official name.)

Our UTORauth system is a hub that takes information from a collection of “Systems of Record”: the Student Information System (ACORN/ROSI), Human Resources (HRIS), et al. These systems primarily use only an official name. A user’s common name frequently differs from their official name. Non-English people frequently use an English given name that does not match their official name. And many English names have short forms: e.g. Robert » Bob. We’re enhancing UTORauth so that the common names will be more visible. The official name will still be available.

The SIS/ROSI and HRIS systems are being updated to support common names as well as official names, and they are providing both the official and common names to UTORauth. Not all Systems of Record will have this facility. We offer a means for users to set the common name via the UTORid management web interface, though, where possible, users should update it via the appropriate System of Record.

Common Name Attributes in UTORauth and UTORable

We currently provide three attributes that present a user’s name:

      givenName, sn (surname), and cn (full common name)

The cn attribute is the concatenation of givenName and sn joined by a space.

We’ll be using additional attributes: officialFirstName and displayName. Users will be able to choose a displayName. Going forward, the displayName will be preferred over officialFirstName when UTORable sets givenName and cn. For example,

      Robert Smith (displayName = Bob)

            officialFirstName: Robert
            givenName: Bob
            sn: Smith
            cn: Bob Smith

      Catherine Williams (no displayName)

            officialFirstName: Catherine
            givenName: Catherine
            sn: Williams
            cn: Catherine Williams

These are the attributes that will be used in Shibboleth assertions.

Most of our Shibboleth Service Providers (SPs) use only distinguishing attributes—attributes that are distinct for each user: e.g. UTORid, eduPersonPrincipalName (ePPN), UTID or mail. Some SPs use common names, though only distinguishing attributes should be used as primary keys for users.

Service Providers and Common Names

Some SPs use common names, which are available upon request. SPs should not use common names as distinguishing names as they are not effectively distinguishing: there are people who share givenName, surname, and cn. We expect that service providers will take care not to use common names as primary keys in any datastore(s) and will use common names only to supplement/enhance the user interface.

If your system makes use of common names, you should prepare for some of them to change. Even without the new officialFirstName/cn feature, names are subject to change due to corrections or changes in the user’s official name (e.g. as the result of a change in marital status).
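
An added example (not code from the University or from any SP) of the SP-side handling described above: the account is keyed on a distinguishing attribute, and givenName, sn and cn are treated as mutable display data that is refreshed at each login. The table name, the function names and the ePPN values are assumptions made for illustration.

```python
import sqlite3

# Hypothetical SP-side user table: the primary key is a distinguishing
# attribute (eduPersonPrincipalName); the name attributes are mutable columns.
SCHEMA = """
CREATE TABLE sp_user (
    eppn       TEXT PRIMARY KEY,
    given_name TEXT NOT NULL,
    sn         TEXT NOT NULL,
    cn         TEXT NOT NULL
)"""

def open_store():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db

def on_login(db, attrs):
    """Upsert from asserted attributes; return 'created', 'renamed' or 'unchanged'."""
    eppn = attrs["eduPersonPrincipalName"]
    names = (attrs["givenName"], attrs["sn"], attrs["cn"])
    row = db.execute(
        "SELECT given_name, sn, cn FROM sp_user WHERE eppn = ?", (eppn,)
    ).fetchone()
    if row is None:
        db.execute("INSERT INTO sp_user VALUES (?, ?, ?, ?)", (eppn, *names))
        return "created"
    if row == names:
        return "unchanged"
    # Same person, new common name: update in place, never create a second account.
    db.execute("UPDATE sp_user SET given_name = ?, sn = ?, cn = ? WHERE eppn = ?",
               (*names, eppn))
    return "renamed"

def demo():
    db = open_store()
    # Constructed sample assertions; the ePPN values are placeholders.
    before = {"eduPersonPrincipalName": "user1@example.edu",
              "givenName": "Robert", "sn": "Smith", "cn": "Robert Smith"}
    after = dict(before, givenName="Bob", cn="Bob Smith")   # displayName now set
    namesake = {"eduPersonPrincipalName": "user2@example.edu",
                "givenName": "Bob", "sn": "Smith", "cn": "Bob Smith"}
    results = [on_login(db, a) for a in (before, after, after, namesake)]
    rows = db.execute("SELECT eppn, cn FROM sp_user ORDER BY eppn").fetchall()
    return results, rows

if __name__ == "__main__":
    print(demo())
```

A store keyed on cn would have treated the renamed user as a new account and merged the two people who share "Bob Smith" into one record.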

Service Providers and Official Names

Some services will want to make use of official names. There may be legal requirements for services that produce legal documents or provide data to systems that produce legal documents. Perhaps a site that manages awards or financial transactions may want or need official names. Such sites should use the officialFirstName. Please send us a request for the IdP to present officialFirstName in its SAML Assertions.

Contact

email: Shib Admin <shib.admin@utoronto.ca>