Use of the eduPersonTargetedID attribute – as well as SAML 2.0 persistent NameIDs in general – should be phased out and replaced with the pairwise-id attribute from the OASIS SAML 2.0 SubjectID Attributes Profile.
The content (or attribute value) of the eduPersonTargetedID attribute is defined to be a SAML 2.0 persistent NameID (cf. MACE-Dir SAML Attribute Profiles, section 3.3.1.1, lines 390-393), i.e., an XML structure. Abstractly it's a 3-tuple made up of the IDP's entityID, the SP's entityID and the subject-specific part. It called a "service-specific pseudonym" in that it's an opaque identifier that differs for each service a subject is accessing.
Issues
- All forms of
eduPersonTargetedIDattribute as well as all forms of the SAML 2.0 persistent NameID itself suffer from a case folding issue (due to their use of the base64 encoding) that may lead to identifier collisions at Service Providers not treating identifiers as case-sensitive. Consider this an informal Security Advisory against any use of this attribute (or persistent NameIDs in general). - saml2int – the Interoperable SAML 2.0 Deployment Profile, a normative part of eduID.at via the Technical Profile – states in Version 0.2 that persistent NameIDs should be transmitted in the
Subjectof the SAML Assertion, not as an eduPersonTargetedID Attribute (value). So use of eduPersonTargetedID within eduID.at actually constitutes a formal policy violation. - Also note that the new version of saml2int goes much farther and states that:
SPs MAY support legacy or historical
<saml:NameID>and<saml:Attribute>identifier content for compatibility reasons but MUST NOT require their use.
Overview
Content Tools
Tasks