...

Definition

A persistent, non-reassigned, opaque (not revealing anything) and "targeted" (service-specific) identifier for a subject.
http://macedir.org/specs/eduperson/#eduPersonTargetedID

The content (or attribute value) of the eduPersonTargetedID attribute is defined to be a SAML 2.0 persistent NameID (see link below), i.e., an XML structure that is logically a 3-tuple (cf. MACE-Dir spec below). This data structure is sometimes called a "long-lived service-specific pseudonym": it is a stable and opaque identifier that differs for each service a subject accesses. Consequently, Service A and Service B cannot profile (or match) subjects based on the identifier value alone, because each service knows the subject by a different NameID value.

Note that saml2int (the Interoperable SAML 2.0 Deployment Profile v0.2, which is a normative part of eduID.at, cf. section "Requirements" in the eduID.at Technical Profile) recommends transmitting persistent NameIDs in the Subject of the SAML Assertion, not as an (eduPersonTargetedID) Attribute (value). So any time you see mention of the eduPersonTargetedID attribute (esp. if the context is not specific to SAML 1.x only) you should read that to mean "persistent SAML 2.0 NameID" and also assume "transmitted in the Subject of the SAML Assertion, not as a SAML Attribute (value)".
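The following Python example is added here to illustrate the two points above; it is not code from the original page, from eduID.at or from the Shibboleth project. It builds a persistent NameID as the 3-tuple (NameQualifier, SPNameQualifier, value), places it in the Subject of a minimal Assertion as saml2int recommends, parses it back out, and shows the pseudonym property: the same subject gets a stable value at one SP but a different value at another. The entityIDs, the secret salt and the keyed-hash derivation (HMAC-SHA256 over the subject's internal source id and the SP entityID) are assumptions made for this example; an IdP's real derivation and keys are deployment-specific.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
ET.register_namespace("saml", SAML2_NS)

# Constructed values for this example (not real deployments).
IDP_ENTITY_ID = "https://idp.example.org/idp/shibboleth"   # assumed IdP entityID
SALT = b"constructed-secret-salt-keep-private"              # assumed per-IdP secret


def targeted_id_value(source_id: str, sp_entity_id: str, salt: bytes = SALT) -> str:
    """Derive a stable, opaque, service-specific value.

    Keyed hash over the subject's internal source id and the SP entityID:
    stable for one (subject, SP) pair, different across SPs, and not
    reversible or recomputable by an SP that does not hold the salt.
    (Assumed scheme for illustration; real IdPs use their own derivation.)
    """
    msg = f"{source_id}!{sp_entity_id}".encode()
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()


def persistent_name_id(source_id: str, sp_entity_id: str,
                       idp_entity_id: str = IDP_ENTITY_ID) -> ET.Element:
    """Build the NameID element carrying the logical 3-tuple:
    NameQualifier (issuing IdP), SPNameQualifier (target SP), value."""
    el = ET.Element(f"{{{SAML2_NS}}}NameID", {
        "Format": PERSISTENT_FORMAT,
        "NameQualifier": idp_entity_id,
        "SPNameQualifier": sp_entity_id,
    })
    el.text = targeted_id_value(source_id, sp_entity_id)
    return el


def assertion_with_subject(name_id: ET.Element) -> str:
    """Minimal Assertion with the NameID in the Subject, as saml2int recommends
    (rather than as an eduPersonTargetedID Attribute value)."""
    assertion = ET.Element(f"{{{SAML2_NS}}}Assertion")
    subject = ET.SubElement(assertion, f"{{{SAML2_NS}}}Subject")
    subject.append(name_id)
    return ET.tostring(assertion, encoding="unicode")


def parse_targeted_id(assertion_xml: str) -> tuple:
    """Extract (NameQualifier, SPNameQualifier, value) from the Subject NameID.
    Rejects assertions whose Subject NameID is not of the persistent format."""
    root = ET.fromstring(assertion_xml)
    nid = root.find(f"{{{SAML2_NS}}}Subject/{{{SAML2_NS}}}NameID")
    if nid is None or nid.get("Format") != PERSISTENT_FORMAT:
        raise ValueError("no persistent NameID in Subject")
    return (nid.get("NameQualifier"), nid.get("SPNameQualifier"), nid.text)


def demo():
    # Constructed subject and two SPs (assumed entityIDs).
    subject, sp_a, sp_b = "user-12345", "https://sp-a.example.edu/sp", "https://sp-b.example.edu/sp"
    xml_a = assertion_with_subject(persistent_name_id(subject, sp_a))
    xml_b = assertion_with_subject(persistent_name_id(subject, sp_b))
    tid_a, tid_b = parse_targeted_id(xml_a), parse_targeted_id(xml_b)
    print("SP A sees:", tid_a)
    print("SP B sees:", tid_b)
    print("values differ across SPs:", tid_a[2] != tid_b[2])
    return tid_a, tid_b


if __name__ == "__main__":
    demo()
```

The check in parse_targeted_id is the one an SP-side consumer wants: it only accepts a NameID of the persistent format found in the Subject, so an assertion carrying a transient NameID (or none) is not silently treated as a stable identifier.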

...

  • MACE-Dir SAML Attribute Profiles, "3.3.1.1 eduPersonTargetedID", p.11f, and esp. lines 390-393
  • saml2int.org

TODO: Instructions for the Shibboleth 3.x IDP to generate the SAML 2.0 persistent NameID in the recommended format.