eduPersonPrincipalName

This guide is intended to give you some ideas about how to generate an eduPersonPrincipalName (ePPN) for users.


Video

You can find a video introduction to ePPN on Skolfederation's YouTube channel here (in Swedish).

eduPerson

eduPersonPrincipalName is defined in eduPerson 1.0, OID:1.3.6.1.4.1.5923.1.1.1.6
A scoped identifier for a person. It should be represented in the form "user@scope" where 'user' is a name-based identifier for the person and where the "scope" portion MUST be the administrative domain of the identity system where the identifier was created and assigned. Each value of 'scope' defines a namespace within which the assigned identifiers MUST be unique. Given this rule, if two eduPersonPrincipalName (ePPN) values are the same at a given point in time, they refer to the same person. There must be one and only one "@" sign in valid values of eduPersonPrincipalName.

ePPN

In Skolfederation, ePPN must:

  • be properly scoped with a domain name owned by the Member Organization.
  • uniquely represent a single user.
  • never be reassigned.

One way to achieve this is, for example, to use a Base36 alphanumeric number that is stored as a string and padded with zeros on the left for sorting. ePPN is incremented for every new user. If we use a length of 6 (36^6), that gives us 2,176,782,336 ePPNs before overflow occurs. Either append the scope, an owned domain, before storing the ePPN, or do it later, e.g., in the IdP.

Example Scripts

This example shows how you can add the attribute to users by utilizing scripts. The script is built so that it should be possible to run it with a scheduler.

ePPN for Google Workspace on Github
ePPN for Microsoft AD on Github

  • No labels

5 Comments

  1. Anonymous

    A question: is there any problem with using personnummer as eppn?

    Something like AAMMDDXXXX@scholdomain.se can work?

    1. Rasmus Larsson

      Hi,

      It is not advisable due to privacy and data protection concerns. Use another persistent identifier, perferably a pseudonym, to minimize unnecessary sharing of personal information. 

  2. Anonymous

    Hello!

    Has anybody else tried the script at GitHub, ePPN for Google Workspace?
    Is there a bug or am doing something wrong? Has anybody else encountered the following?
    When I run it, it only generates 100 unique ePPN:s then it starts over from 1. See the example for clarification:

    Elev                                         ePPN generated. (After 00002s it starts over from 000001)
    elev-a@exempelskolan.org    00002r@exempelskolan.org
    elev-b@exempelskolan.org    00002s@exempelskolan.org
    elev-c@exempelskolan.org    000001@exempelskolan.org
    elev-d@exempelskolan.org    000002@exempelskolan.org

    1. You are not logged in. Any changes you make will be marked as anonymous. You may want to Log In if you already have an account.
       

    1. Anonymous

      Hi!

      I seem to have found a solution.
      The Google Admin API likely retrieves lists in batches of 100 users per page. After 100 users the program starts over from 1.
      This can be solved with a small modification of the Python script. Open eppn.py with notepad.
      Find those lines:

      def add_eppn(config, service):
          page_token = None
          while True:

      Look inside the "while True" loop and find the following line:
      high_eppn = ''

      Move this line to outside the loop. The code will then look like this:

      def add_eppn(config, service):
          page_token = None
          high_eppn = ''  # The line has been moved here from inside the while loop.
          while True:

      For me, the script behaved as expected, after this small modification.

      MVH
      Stefan M

      1. Anonymous

        Ok, it turned out to be more to it than this. Needed to do a more thorough modification to make it work.