
Use of the eduPersonTargetedID attribute – as well as SAML 2.0 persistent NameIDs in general – should be phased out and replaced with the pairwise-id attribute from the OASIS SAML 2.0 SubjectID Attributes Profile.

The content (or attribute value) of the eduPersonTargetedID attribute is defined to be a SAML 2.0 persistent NameID (cf. MACE-Dir SAML Attribute Profiles, section 3.3.1.1, lines 390-393), i.e., an XML structure rather than a plain string. Abstractly it is a 3-tuple made up of the IdP's entityID (NameQualifier), the SP's entityID (SPNameQualifier) and an opaque subject-specific part. It could be called a "service-specific pseudonym": an opaque identifier that differs for each service a subject accesses, so that two SPs cannot correlate the same subject by comparing identifiers.

Issues

  • All forms of the eduPersonTargetedID attribute, as well as all forms of the SAML 2.0 persistent NameID itself, suffer from a case-folding issue: the subject-specific part is base64-encoded, and the base64 alphabet contains both upper- and lower-case letters, so two distinct identifiers can differ only in letter case. A Service Provider (or its database, e.g. one using a case-insensitive collation) that does not treat identifiers as case-sensitive may therefore map two different subjects to the same local account (identifier collision). Consider this an informal Security Advisory against any use of this attribute (or persistent NameIDs in general).
  • saml2int, the Interoperable SAML 2.0 Deployment Profile, which is a normative part of eduID.at via the Technical Profile, states in Version 0.2 that persistent NameIDs should be transmitted in the Subject of the SAML Assertion, not as an eduPersonTargetedID attribute value. Use of eduPersonTargetedID within eduID.at therefore constitutes a formal policy violation.
  • Also note that the new version of saml2int goes much further and states that:

SPs MAY support legacy or historical <saml:NameID> and <saml:Attribute> identifier content for compatibility reasons but MUST NOT require their use.
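The following Python script is an added illustration of the case-folding issue described in the first item above and of why the pairwise-id attribute avoids it; it is not code from eduID.at or from any IdP or SP product. The keyed-hash construction of the subject-specific part, the entityIDs, the scope and the salt are all constructed for the demo (no real IdP derives identifiers exactly this way). The SP side is modelled as a small account-linking table that can be switched between case-sensitive and case-insensitive comparison. The pairwise-id value grammar (uniqueID@scope, with uniqueID limited to alphanumerics, "=" and "-", and scope to alphanumerics, "-" and ".", each up to 127 characters) is my reading of the OASIS SubjectID Attributes Profile; since the profile treats values as case-insensitive, emitting an already case-normalised uniqueID (here lower-case base32) guarantees that folding at the SP cannot merge two distinct values.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample entities for this demo; not real federation members.
IDP_ENTITY_ID = "https://idp.example.ac.at/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
IDP_SCOPE = "example.ac.at"
IDP_SECRET = b"demo-salt-not-for-production"  # assumed per-IdP salt


def persistent_subject_part(idp_entity_id, sp_entity_id, subject, secret=IDP_SECRET):
    """Subject-specific part of a persistent NameID: keyed hash over the
    (IdP, SP, subject) 3-tuple, base64-encoded. Simplified illustration,
    not the algorithm of any particular IdP product."""
    msg = f"{idp_entity_id}!{sp_entity_id}!{subject}".encode()
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")  # mixed-case alphabet


def pairwise_id_value(idp_entity_id, sp_entity_id, subject,
                      scope=IDP_SCOPE, secret=IDP_SECRET):
    """pairwise-id of the form uniqueID@scope. Lower-case base32 keeps the
    uniqueID inside the profile's [A-Za-z0-9=-] alphabet and already
    case-normalised, so case folding at an SP cannot merge two values."""
    msg = f"{idp_entity_id}!{sp_entity_id}!{subject}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    unique_id = base64.b32encode(digest).decode("ascii").lower().rstrip("=")
    return f"{unique_id}@{scope}"


# Value grammar as I read the SubjectID Attributes Profile (assumption).
PAIRWISE_ID_RE = re.compile(r"[A-Za-z0-9=-]{1,127}@[A-Za-z0-9.-]{1,127}")


def is_valid_pairwise_id(value):
    """Syntax check of a pairwise-id / subject-id value."""
    return PAIRWISE_ID_RE.fullmatch(value) is not None


def base64_case_collision_pair():
    """Two canonical base64 strings that decode to different bytes but are
    equal after case folding. "ABCD" and "abcd" are complete 4-character
    groups (24 bits each), so both round-trip through decode/encode."""
    a, b = "ABCD", "abcd"
    assert base64.b64decode(a) != base64.b64decode(b)
    assert base64.b64encode(base64.b64decode(a)).decode() == a
    assert base64.b64encode(base64.b64decode(b)).decode() == b
    return a, b


class SpAccountStore:
    """Account-linking table at an SP keyed by the federated identifier.
    case_insensitive=True models a backend with a case-insensitive
    collation, or an application that lower-cases identifiers."""

    def __init__(self, case_insensitive):
        self.case_insensitive = case_insensitive
        self.accounts = {}

    def _key(self, identifier):
        return identifier.casefold() if self.case_insensitive else identifier

    def login(self, identifier):
        """Return the local account for this identifier, creating it on first use."""
        key = self._key(identifier)
        if key not in self.accounts:
            self.accounts[key] = f"local-{len(self.accounts) + 1}"
        return self.accounts[key]


def accounts_for_pair(case_insensitive):
    """Log in two different subjects whose identifiers differ only in case."""
    id_a, id_b = base64_case_collision_pair()
    store = SpAccountStore(case_insensitive)
    return store.login(id_a), store.login(id_b)


def casefold_equal(x, y):
    return x.casefold() == y.casefold()


if __name__ == "__main__":
    print("case-sensitive SP   :", accounts_for_pair(False))  # ('local-1', 'local-2')
    print("case-insensitive SP :", accounts_for_pair(True))   # ('local-1', 'local-1')
    pid = pairwise_id_value(IDP_ENTITY_ID, SP_ENTITY_ID, "alice")
    print("pairwise-id:", pid, "valid:", is_valid_pairwise_id(pid))
```

The quick check an SP operator can run against their own deployment is the same as `accounts_for_pair(True)`: take two stored eduPersonTargetedID values, fold their case, and see whether the backend still distinguishes them. A persistent NameID value with a base64 subject part never passes `is_valid_pairwise_id`, which is the point of migrating: the new attribute's grammar and case rules are fixed by the profile, not left to each SP's storage layer.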
