
Definition

A persistent, non-reassigned, opaque and "targeted" (service-specific) identifier for a subject.
http://macedir.org/specs/eduperson/#eduPersonTargetedID

The content (or attribute value) of the eduPersonTargetedID attribute is defined to be a SAML 2.0 persistent NameID (see link below). This data structure is sometimes called a "service-specific pseudonym" in that it's an opaque identifier that differs for each service a subject is accessing. I.e., Service A and Service B cannot profile (or match) subjects based on the identifier alone, as each service will know the subject by a different NameID value.

Note that saml2int (the Interoperable SAML 2.0 Deployment Profile, a normative part of eduID.at, cf. section "Requirements" in the eduID.at Technical Profile) recommends transmitting persistent NameIDs in the Subject of the SAML Assertion, not as an (eduPersonTargetedID) Attribute (value). Our own documentation on PersistentIDs covers both cases: sending the NameID in the Assertion's Subject as well as sending it as an eduPersonTargetedID Attribute.

Any time you see mention of the eduPersonTargetedID attribute (esp. if the context is not SAML 1.x specific) you should read that to mean "persistent SAML 2.0 NameID" and probably also assume "transmitted in the Subject of the SAML Assertion, not as a SAML Attribute (value)".

That is, use of the eduPersonTargetedID attribute should be phased out in SAML 2.0 and replaced by sending the exact same data structure in a different part of the SAML Assertion (as detailed above and in the examples linked to below).
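To illustrate that both placements carry the same data structure, here is an added example (not part of the original page or of eduID.at's documentation) of how a Service Provider could read the persistent NameID from either location, preferring the Subject. The entity IDs, the opaque value and the helper names are constructed for illustration, and the code assumes the assertion's signature has already been validated by the SAML stack.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EPTID_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"  # eduPersonTargetedID

def _key(nameid):
    """Return the (IdP, SP, value) triple of a persistent NameID, else None."""
    if nameid is None or nameid.get("Format") != PERSISTENT:
        return None
    return (nameid.get("NameQualifier"), nameid.get("SPNameQualifier"),
            (nameid.text or "").strip())

def persistent_id(assertion_xml):
    """Prefer the Subject NameID; fall back to the eduPersonTargetedID Attribute.
    Assumption: the signature was verified before this function is called."""
    root = ET.fromstring(assertion_xml)
    from_subject = _key(root.find("saml:Subject/saml:NameID", NS))
    if from_subject:
        return from_subject, "Subject"
    path = ("saml:AttributeStatement/saml:Attribute[@Name='%s']"
            "/saml:AttributeValue/saml:NameID" % EPTID_OID)
    from_attr = _key(root.find(path, NS))
    return (from_attr, "Attribute") if from_attr else (None, None)

def sample(where, fmt=PERSISTENT):
    """Build a constructed, unsigned assertion with the NameID in one place."""
    nameid = ('<saml:NameID Format="%s" '
              'NameQualifier="https://idp.example.org/idp" '
              'SPNameQualifier="https://sp.example.org/sp">'
              'constructed-opaque-value</saml:NameID>' % fmt)
    body = ""
    if where == "Subject":
        body = "<saml:Subject>%s</saml:Subject>" % nameid
    elif where == "Attribute":
        body = ('<saml:AttributeStatement><saml:Attribute Name="%s">'
                '<saml:AttributeValue>%s</saml:AttributeValue>'
                '</saml:Attribute></saml:AttributeStatement>'
                % (EPTID_OID, nameid))
    return ('<saml:Assertion xmlns:saml="%s">%s</saml:Assertion>'
            % (NS["saml"], body))

if __name__ == "__main__":
    for place in ("Subject", "Attribute"):
        print(persistent_id(sample(place)))
```

Keying local accounts on the full triple rather than the bare value keeps identifiers from different Identity Providers from colliding.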

 

More technical information:
