Warning: Use of the

Info: A persistent, non-reassigned, opaque (not revealing anything) and "targeted" (service-specific) identifier for a subject.
The content (or attribute value) of the eduPersonTargetedID attribute is defined to be a SAML 2.0 persistent NameID, i.e., an XML structure that's logically a 3-tuple. This data structure is sometimes called a "long-lived service-specific pseudonym" in that it's a stable and opaque identifier that differs for each service a subject is accessing. So Service A and Service B cannot profile (or match) subjects based on the identifier value alone, as each service will know the subject by a different NameID value.
Issues

- All forms of the eduPersonTargetedID attribute as well as all forms of the SAML 2.0 persistent NameID itself suffer from a case folding issue (due to their use of the base64 encoding) that may lead to identifier collisions at Service Providers not treating identifiers as case-sensitive. Consider this an informal Security Advisory against any use of this attribute (or persistent NameIDs in general).
- saml2int – the Interoperable SAML 2.0 Deployment Profile, a normative part of eduID.at via the eduID.at Technical Profile – states in Version 0.2 that persistent NameIDs should be transmitted in the Subject of the SAML Assertion, not as an eduPersonTargetedID Attribute (value). So use of eduPersonTargetedID within eduID.at actually constitutes a formal policy violation.
- Also note that the new version of saml2int goes much farther and states that:
...
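The case folding problem from the first issue above, worked through in Python as an added example (not code from this wiki page or from eduID.at). It builds two constructed eduPersonTargetedID attribute values whose persistent NameIDs differ only in the letter case of their base64 value, then compares how a Service Provider fares when it keys accounts on a case-folded value versus on the full NameID 3-tuple. The 3-tuple components (NameQualifier, SPNameQualifier, the element text) and the attribute name urn:oid:1.3.6.1.4.1.5923.1.1.1.10 come from the SAML 2.0 and eduPerson specifications; the IdP and SP entity URLs, the seed strings and the SHA-1-derived values are constructed for the example.

```python
"""Case folding of SAML persistent NameIDs / eduPersonTargetedID, demonstrated.

Two constructed persistent NameIDs whose base64 values differ only in letter
case are distinct identifiers, yet an SP that case-folds them (e.g. via a
case-insensitive database column) treats them as the same account.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EPTID_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"  # eduPersonTargetedID attribute name

# Constructed sample entities (assumptions for the example, not real deployments).
IDP = "https://idp.example.org/idp/shibboleth"
SP = "https://sp.example.org/shibboleth"


def persistent_value(seed: bytes) -> str:
    """Constructed stand-in for an IdP-generated persistent ID: base64 of a
    20-byte hash, i.e. the common 28-character shape. Base64 is case-sensitive."""
    return base64.b64encode(hashlib.sha1(seed).digest()).decode("ascii")


def eptid_attribute_xml(value: str) -> str:
    """eduPersonTargetedID carried as a SAML Attribute whose value is a NameID."""
    return (
        f'<saml:Attribute xmlns:saml="{SAML_NS}" Name="{EPTID_OID}" '
        f'FriendlyName="eduPersonTargetedID">'
        f"<saml:AttributeValue>"
        f'<saml:NameID Format="{PERSISTENT_FORMAT}" '
        f'NameQualifier="{IDP}" SPNameQualifier="{SP}">{value}</saml:NameID>'
        f"</saml:AttributeValue></saml:Attribute>"
    )


def parse_nameid(xml_text: str) -> dict:
    """Locate the persistent NameID (standalone, or inside an AttributeValue)
    and return the components of its 3-tuple."""
    root = ET.fromstring(xml_text)
    tag = f"{{{SAML_NS}}}NameID"
    nameid = root if root.tag == tag else root.find(f".//{tag}")
    if nameid is None:
        raise ValueError("no saml:NameID found")
    if nameid.get("Format") != PERSISTENT_FORMAT:
        raise ValueError("not a persistent NameID")
    return {
        "NameQualifier": nameid.get("NameQualifier"),
        "SPNameQualifier": nameid.get("SPNameQualifier"),
        "value": (nameid.text or "").strip(),
    }


def strict_key(nameid: dict) -> tuple:
    """Correct account key: the whole 3-tuple, compared byte-for-byte."""
    return (nameid["NameQualifier"], nameid["SPNameQualifier"], nameid["value"])


def folded_key(nameid: dict) -> str:
    """The defective SP behaviour the page warns about: the value alone, lowercased,
    which is what a case-insensitive column or comparison amounts to."""
    return nameid["value"].lower()


def collision_report(xml_a: str, xml_b: str) -> dict:
    """Compare two attribute values under both keying strategies."""
    a, b = parse_nameid(xml_a), parse_nameid(xml_b)
    return {
        "distinct_bytes": base64.b64decode(a["value"]) != base64.b64decode(b["value"]),
        "strict_keys_equal": strict_key(a) == strict_key(b),
        "folded_keys_equal": folded_key(a) == folded_key(b),
    }


# Constructed inputs: subject 2's value is subject 1's with letter case swapped.
# That is still valid base64 and decodes to different bytes, so it is a
# different identifier that a case-folding SP nevertheless conflates with it.
VALUE_1 = persistent_value(b"constructed subject 1")
VALUE_2 = VALUE_1.swapcase()
XML_1 = eptid_attribute_xml(VALUE_1)
XML_2 = eptid_attribute_xml(VALUE_2)

if __name__ == "__main__":
    print(collision_report(XML_1, XML_2))
```

The report comes back with `distinct_bytes` true, `strict_keys_equal` false and `folded_keys_equal` true: the two NameIDs are different subjects, and only the case-sensitive comparison of the full 3-tuple keeps them apart. The practical check for an SP is therefore whether the column or lookup that stores the identifier is case-sensitive (binary collation, exact string match) and whether it scopes the value with both qualifiers rather than the bare base64 string.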