
Supported Authentication Attributes

The set of authentication attributes supported by Okta is smaller than the set formerly supported by CAS. Applications that need other data should retrieve that information from the system of record.

One of the following sets of attributes may be selected in DSA Manager.
  • Ideally, systems — particularly purpose-built/custom systems — should only need the IAM identifier for the user who has logged in. Those systems should then use this identifier to match application records and to request domain-specific information from other campus systems. Those systems MUST NOT use this identifier as the primary key for application data.

    • IAM ID - The identifier for the login account of the user. It should only be used as a correlation identifier.
  • This set of attributes should support the needs of the majority of applications migrating from the CAS to the Okta user authentication service.

    • IAM ID - The identifier for the login account of the user. It should only be used as a correlation identifier.
    • BYU ID - A student domain correlation identifier.
    • NetID* - A short-form username. The NetID is not an immutable identifier (users may change their NetID at any time).
    • Worker ID - An employee domain correlation identifier.
    • Display Name - The name given by the user when they created their login account. It should be displayed to the user to show who signed in.
    • Username - {NetID}@byu.edu (also called “NetID Scoped”). This attribute supplies usernames for systems that use email addresses as their user identifier.

    *NetID will be available “as-is” through at least 2028. Its use as an identifier, however, should be phased out: NetID is a username, which can change, not a persistent identifier.

  • This larger set of attributes is intended primarily for third-party platforms that have no other way to retrieve information about users from other campus systems.

    • IAM ID - The identifier for the login account of the user. It should only be used as a correlation identifier.
    • BYU ID - A student domain correlation identifier.
    • NetID* - A short-form username. The NetID is not an immutable identifier (users may change their NetID at any time).
    • Worker ID - An employee domain correlation identifier.
    • Display Name - The name given by the user when they created their login account. It should be displayed to the user to show who signed in.
    • Username - {NetID}@byu.edu (also called “NetID Scoped”). This attribute supplies usernames for systems that use email addresses as their user identifier.
    • BYU Internal Email - The internal BYU email assigned to students, faculty, and staff. The address will be either @byu.edu or @student.byu.edu.
    • Personal Email - The user’s personal email address.
    • IAM Given Name - The given name associated with the user’s login account (Okta).
    • IAM Surname - The surname associated with the user’s login account (Okta).
    • Student Given Name - The user’s given name, as recorded in the student information system (AIM).
    • Student Middle Name - The user’s middle name, as recorded in the student information system (AIM).
    • Student Surname - The user’s surname, as recorded in the student information system (AIM).
    • Student Preferred Given Name - The user’s preferred given name, as recorded in the student information system (AIM).
    • Student Preferred Surname - The user’s preferred surname, as recorded in the student information system (AIM).
    • Worker Given Name - The user’s given name, as recorded in the HR system (Workday).
    • Worker Middle Name - The user’s middle name, as recorded in the HR system (Workday).
    • Worker Surname - The user’s surname, as recorded in the HR system (Workday).
    • Worker Preferred Given Name - The user’s preferred given name, as recorded in the HR system (Workday).
    • Worker Preferred Surname - The user’s preferred surname, as recorded in the HR system (Workday).

    *NetID will be available “as-is” through at least 2028. Its use as an identifier, however, should be phased out: NetID is a username, which can change, not a persistent identifier.

  • The InCommon attributes are only approved for integrations with vendors who have adopted the InCommon standard. [Put another way, if you don't know what this means, you don't need these attributes.]

    • eduPersonPrincipalName
    • mail
    • sn (surname)
    • givenName (first name)
    • eduPersonScopedAffiliation (permissible values: faculty, student, staff, alum, member, affiliate, employee, library-walk-in)
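
The guidance above on IAM ID and NetID (match on IAM ID, never make it the primary key, never key on the mutable NetID) can be sketched as follows. This is an added example, not BYU or Okta code; the claim names `iam_id`, `net_id` and `display_name`, the table layout and the sample values are assumptions made for illustration.

```python
import sqlite3
import uuid

SCHEMA = """
CREATE TABLE app_user (
    id           TEXT PRIMARY KEY,      -- application-owned surrogate key
    iam_id       TEXT NOT NULL UNIQUE,  -- correlation identifier only
    net_id       TEXT,                  -- mutable username, cached, never a key
    display_name TEXT                   -- shown to the signed-in user
);
CREATE TABLE app_note (
    id      INTEGER PRIMARY KEY,
    user_id TEXT NOT NULL REFERENCES app_user(id),
    body    TEXT NOT NULL
);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def on_login(db, claims):
    """Map an authenticated login to the application's own user id."""
    iam_id = claims.get("iam_id")  # assumed claim name for the IAM ID attribute
    if not iam_id:
        raise ValueError("login is missing the IAM ID attribute")
    row = db.execute(
        "SELECT id FROM app_user WHERE iam_id = ?", (iam_id,)).fetchone()
    if row is None:
        user_id = str(uuid.uuid4())  # primary key is generated locally
        db.execute(
            "INSERT INTO app_user (id, iam_id, net_id, display_name) "
            "VALUES (?, ?, ?, ?)",
            (user_id, iam_id, claims.get("net_id"), claims.get("display_name")))
    else:
        user_id = row[0]
        # NetID and display name may have changed since the last login.
        db.execute(
            "UPDATE app_user SET net_id = ?, display_name = ? WHERE id = ?",
            (claims.get("net_id"), claims.get("display_name"), user_id))
    db.commit()
    return user_id

if __name__ == "__main__":
    db = open_db()
    # Constructed sample logins: same IAM ID, NetID changed between them.
    a = on_login(db, {"iam_id": "iam-0001", "net_id": "jdoe", "display_name": "Jane Doe"})
    b = on_login(db, {"iam_id": "iam-0001", "net_id": "jsmith", "display_name": "Jane Smith"})
    print(a == b)
```

Because application rows reference `app_user.id`, a NetID change leaves them attached to the same user, and a login with a different IAM ID always gets its own record even when it presents a NetID the application has seen before.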