...

The first variant (uid + scope) has the disadvantage of exposing part of the login credentials (though the userid shouldn't generally be considered secret, as there are usually many ways to discover it). But it is guaranteed to exist and can be assumed to be well known to the subject (as it has to be entered for authentication purposes), at least in its "unscoped" form.
The second variant (re-using email address values) has the problem that it only works if you are issuing email addresses in your own domain (IDP scope) to all subjects that should also have an eduPersonPrincipalName attribute value (which is basically your whole population). This is required because SAML Service Providers check the scope (domain part) of eduPersonPrincipalName attribute values against the published (i.e., allowed) scopes of IDPs (column "scope"), in order to protect themselves from one IDP impersonating subjects from another IDP. So if your IDM system hands external email addresses (e.g. @gmx.net, @gmail.com, etc.) over to your SAML IDP, you cannot re-use email addresses as eduPersonPrincipalName attributes (at least not for that part of the population for which you provide the IDP with external email addresses).
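To make the scope check concrete, here is an added Python model (not code from the original page or from any SP product) of what a Service Provider does with an incoming eduPersonPrincipalName: it splits the value at "@" and accepts it only if the scope is one the asserting IDP has published. The IDP entityID, the published scope list and the sample values are constructed; a real SP such as Shibboleth SP reads the scopes from the IDP's metadata (shibmd:Scope) and can also match regular-expression scopes, which this model leaves out.

```python
# Added example: a minimal model of the SP-side scope check applied to
# eduPersonPrincipalName (ePPN) values. Scope list and entityID are
# constructed sample data, not taken from the page.

ALLOWED_SCOPES = {
    # hypothetical IDP entityID -> scopes it has published in metadata
    "https://idp.example.edu/idp/shibboleth": ["example.edu", "students.example.edu"],
}


def split_scoped(value):
    """Split 'local@scope' into (local, scope); reject malformed values."""
    if value.count("@") != 1:
        return None
    local, scope = value.split("@")
    if not local or not scope:
        return None
    return local, scope.lower()


def scope_allowed(idp_entity_id, eppn):
    """True only if the ePPN's scope is one the asserting IDP may use."""
    parts = split_scoped(eppn)
    if parts is None:
        return False
    _, scope = parts
    published = [s.lower() for s in ALLOWED_SCOPES.get(idp_entity_id, [])]
    return scope in published


def eppn_from_uid(uid, idp_scope):
    """Variant 1: uid + scope; always available and always within the IDP's scope."""
    return f"{uid}@{idp_scope}"


def filter_releasable(idp_entity_id, candidate_eppns):
    """Partition candidate ePPNs into those an SP would accept and those it drops."""
    accepted, rejected = [], []
    for value in candidate_eppns:
        (accepted if scope_allowed(idp_entity_id, value) else rejected).append(value)
    return accepted, rejected


if __name__ == "__main__":
    idp = "https://idp.example.edu/idp/shibboleth"
    candidates = [
        eppn_from_uid("jdoe", "example.edu"),   # variant 1: uid + scope
        "jane.doe@students.example.edu",        # variant 2: email in an IDP scope
        "jdoe@gmail.com",                       # variant 2: external email, rejected
        "broken@@example.edu",                  # malformed, rejected
    ]
    print(filter_releasable(idp, candidates))
```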

...