Page History
...
The content (or attribute value) of the eduPersonTargetedID attribute is defined to defined to be a SAML 2.0 persistent NameID (cf. MACE-Dir SAML Attribute Profiles, section 3.3.1.1, lines 390-393), i.e., an XML structure that. Abstractly it's logically a 3-tuple . This data structure is sometimes made up of the IDP's entityID, the SP's entityID and the subject-specific part. It called a "long-lived service-specific pseudonym" in that it's a stable and an opaque identifier that differs for each service a subject is accessing. So Service A and Service B cannot profile (or match) subjects based on the identifier value alone, as each service will know the subject by a different NameID value.
Issues
- All forms of
eduPersonTargetedIDattribute as well as all forms of the SAML 2.0 persistent NameID itself suffer from a case folding issue (due to their use of the base64 encoding) that may lead to identifier collisions at Service Providers not treating identifiers as case-sensitive. Consider this an informal Security Advisory against any use of this attribute (or persistent NameIDs in general). - saml2int – the Interoperable SAML 2.0 Deployment Profile, a normative part of eduID.at via the eduID.at Technical Profile – states in Version 0.2 that persistent NameIDs should be transmitted in the
Subjectof the SAML Assertion, not as an eduPersonTargetedID Attribute (value). So use of eduPersonTargetedID within eduID.at actually constitutes a formal policy violation. - Also note that the new version of saml2int goes much farther and states that:
...
Overview
Content Tools
Tasks