The content (attribute value) of the eduPersonTargetedID attribute is defined to be a SAML 2.0 persistent NameID (cf. MACE-Dir SAML Attribute Profiles, section 22.214.171.124, lines 390-393), i.e., an XML structure. Abstractly it's a 3-tuple made up of the IDP's entityID, the SP's entityID and the subject-specific part. It could be called a "service-specific pseudonym" in that it's an opaque identifier that differs for each service a subject is accessing.
The eduPersonTargetedID SAML Attribute will soon be officially deprecated. No new deployments should be making use of this attribute and any existing deployments should make plans to migrate to the SAML pairwise-id attribute. The new replacement attribute is simpler and therefore preferable in all regards: It's a simple attribute with simple string values (instead of a complex XML data structure), it has a single, consistent way of requirements signalling from the Service Provider and a single, consistent on-the-wire representation. So transitioning to the pairwise-id SAML attribute should be started ASAP.
This deprecation should come as no surprise to anyone as the eduPersonTargetedID SAML Attribute as a container for persistent NameIDs was essentially obsoleted in 2005 when SAML 2.0 defined a standard method to send this same data structure (in the Subject element of the SAML
eduPersonTargetedID attribute as well as all forms of the SAML 2.0 persistent NameID itself suffer from a case folding issue (when using base64 encoding) that may lead to identifier collisions at Service Providers not treating identifiers as case-sensitive. Consider this an informal Security Advisory against any use of this attribute (or persistent NameIDs in general).
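The case folding issue described above can be checked for on the Service Provider side. The following is an added example, not part of the original page or of any eduID.at tooling: it audits stored (IdP entityID, SP entityID, subject-specific part) tuples for values that are distinct when compared exactly but merge once case is folded. The entityIDs and identifier values are constructed, and the subject-specific part is assumed to be base64 text.

```python
import base64
import hashlib
from collections import defaultdict

def b64_id(seed: bytes) -> str:
    """Constructed stand-in for a base64-encoded subject-specific part."""
    return base64.b64encode(hashlib.sha1(seed).digest()).decode("ascii")

def flip_first_letter(value: str) -> str:
    """Swap the case of the first letter: still valid base64, different bytes."""
    for i, ch in enumerate(value):
        if ch.isalpha():
            return value[:i] + ch.swapcase() + value[i + 1:]
    raise ValueError("no letter to flip")

def find_casefold_collisions(records):
    """Return groups of identifiers that differ under exact comparison but
    become identical when the subject-specific part is case-folded."""
    groups = defaultdict(set)
    for idp, sp, value in records:
        # The identifier is the whole 3-tuple; only the value is folded here,
        # mimicking a case-insensitive column collation or lower() on lookup.
        groups[(idp, sp, value.casefold())].add(value)
    return {key: sorted(vals) for key, vals in groups.items() if len(vals) > 1}

# Constructed sample data (hypothetical entityIDs and subjects).
IDP = "https://idp.example.org/idp/shibboleth"
SP = "https://sp.example.org/shibboleth"
OTHER_SP = "https://wiki.example.org/shibboleth"

SUBJECT_A = b64_id(b"constructed-subject-a")
SUBJECT_B = flip_first_letter(SUBJECT_A)   # a different subject at the IdP
SUBJECT_C = b64_id(b"constructed-subject-c")

RECORDS = [
    (IDP, SP, SUBJECT_A),
    (IDP, SP, SUBJECT_B),        # collides with SUBJECT_A once case is folded
    (IDP, SP, SUBJECT_C),
    (IDP, OTHER_SP, SUBJECT_A),  # same value at another SP: a different tuple
]

if __name__ == "__main__":
    for (idp, sp, _), values in find_casefold_collisions(RECORDS).items():
        print(f"collision at {sp} for IdP {idp}: {values}")
```

An empty result only shows that no collision exists in the data stored so far. The lookup itself still has to compare the value exactly (case-sensitive) to stay safe.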
Subject of the SAML Assertion, not as an eduPersonTargetedID Attribute (value). So use of eduPersonTargetedID within eduID.at actually constitutes a formal policy violation.
SPs MAY support legacy or historical <saml:Attribute> identifier content for compatibility reasons but MUST NOT require their use.