
The content (attribute value) of the eduPersonTargetedID attribute is defined to be a SAML 2.0 persistent NameID (cf. MACE-Dir SAML Attribute Profiles, section, lines 390-393), i.e., an XML structure rather than a plain string. Abstractly it is a 3-tuple made up of the IdP's entityID (the NameQualifier), the SP's entityID (the SPNameQualifier) and the subject-specific part (the element content). It could be called a "service-specific pseudonym": an opaque identifier that differs for each service a subject accesses, so that two SPs cannot correlate the same subject by comparing values.


  • All forms of the eduPersonTargetedID attribute, as well as all forms of the SAML 2.0 persistent NameID itself, suffer from a case-folding issue: the subject-specific part is commonly base64-encoded, so two distinct identifiers may differ only in letter case, and they collide at Service Providers that do not treat identifiers as case-sensitive (e.g., by lower-casing them before looking up a local account). Consider this an informal Security Advisory against any use of this attribute (or persistent NameIDs in general).
  • saml2int, the Interoperable SAML 2.0 Deployment Profile, a normative part of via the Technical SAML WebSSO Technology Profile, states in Version 0.2 that persistent NameIDs should be transmitted in the Subject of the SAML Assertion, not as an eduPersonTargetedID attribute value. Use of eduPersonTargetedID within therefore constitutes a formal policy violation.
  • Also note that the new version of saml2int goes much further and states that:

SPs MAY support legacy or historical <saml:NameID> and <saml:Attribute> identifier content for compatibility reasons but MUST NOT require their use.
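The following is an added example, not code from the page or from any federation or software project mentioned on it. It serialises and parses the 3-tuple described above as a saml:Attribute carrying a persistent NameID, and it demonstrates the case-folding collision from the first bullet: an SP that lower-cases the base64 value before looking up its account store maps a second, distinct identifier onto the first user's account. The entity IDs, user IDs, the HMAC-based pseudonym derivation and the two colliding values are constructed for the example and are not what any real IdP emits.

```python
# Added example (not from the page): build/parse an eduPersonTargetedID
# value and show the base64 case-folding collision at a careless SP.
# Entity IDs, user IDs, salt and the derivation scheme are constructed.
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EPTID_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"  # eduPersonTargetedID
ET.register_namespace("saml", SAML_NS)


def derive_pseudonym(sp_entity_id, user_id, salt):
    """Hypothetical IdP-side derivation: HMAC over 'sp!user', base64-encoded.
    Real IdPs use their own scheme; what matters here is that the result is
    service-specific (differs per SP) and, being base64, case-sensitive."""
    msg = f"{sp_entity_id}!{user_id}".encode()
    return base64.b64encode(hmac.new(salt, msg, hashlib.sha256).digest()).decode()


def build_eptid(idp_entity_id, sp_entity_id, value):
    """Serialise the 3-tuple as a saml:Attribute whose value is a persistent NameID."""
    attr = ET.Element(f"{{{SAML_NS}}}Attribute", Name=EPTID_OID,
                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri")
    av = ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue")
    nid = ET.SubElement(av, f"{{{SAML_NS}}}NameID", Format=PERSISTENT,
                        NameQualifier=idp_entity_id, SPNameQualifier=sp_entity_id)
    nid.text = value
    return ET.tostring(attr, encoding="unicode")


def parse_eptid(xml_text):
    """Return (IdP entityID, SP entityID, value); reject non-persistent NameIDs."""
    root = ET.fromstring(xml_text)
    nid = root.find(f"{{{SAML_NS}}}AttributeValue/{{{SAML_NS}}}NameID")
    if nid is None or nid.get("Format") != PERSISTENT:
        raise ValueError("AttributeValue is not a SAML 2.0 persistent NameID")
    return (nid.get("NameQualifier"), nid.get("SPNameQualifier"), (nid.text or "").strip())


def account_key(triple, fold_case):
    """Key an SP account store uses for the identifier.
    fold_case=True models the buggy SP that lower-cases identifiers;
    the correct SP keys on all three parts verbatim (case-sensitive)."""
    idp, sp, value = triple
    return (idp, sp, value.lower() if fold_case else value)


def resolve(accounts, triple, fold_case):
    """Look up the local account for an incoming identifier (None if unknown)."""
    return accounts.get(account_key(triple, fold_case))


def demo_collision():
    """Two distinct base64 values that differ only in letter case (constructed).
    Returns (naive SP result, strict SP result) for the second identifier."""
    idp, sp = "https://idp.example.org/idp", "https://sp.example.net/shibboleth"
    alice_value, other_value = "aGVsbG8gd29ybGQ=", "AGVSBG8GD29YBGQ="
    results = {}
    for fold_case in (True, False):
        accounts = {}
        alice = parse_eptid(build_eptid(idp, sp, alice_value))
        accounts[account_key(alice, fold_case)] = "alice"
        other = parse_eptid(build_eptid(idp, sp, other_value))
        results[fold_case] = resolve(accounts, other, fold_case)
    return results[True], results[False]  # ("alice", None)


if __name__ == "__main__":
    salt = b"constructed-idp-salt"
    print(derive_pseudonym("https://sp.example.net/shibboleth", "jdoe", salt))
    print(build_eptid("https://idp.example.org/idp", "https://sp.example.net/shibboleth", "aGVsbG8="))
    print("naive SP resolves the other identifier to:", demo_collision()[0])
```

The strict store keys on the full (NameQualifier, SPNameQualifier, value) triple exactly as received; an SP that strips the qualifiers or normalises the value's case has no way to tell two identifiers apart that the IdP considers distinct.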