This is a summary of the origins, issues, and SP best practices associated with the eduPersonTargetedID attribute.
...
Tip: See the IdPPersistentNameIdentifier topic for information on producing this result. The main requirement is to attach an "AttributeEncoder" of type
SAML 2.0 Attribute
As an alternative, the same syntax shown above can be embedded inside a SAML attribute with the formal name "urn:oid:1.3.6.1.4.1.5923.1.1.1.10" (the eduPersonTargetedID OID). The main reason for doing this is to preserve the ability to pass a different kind of identifier in the assertion subject. One use case is to support computed, non-reversible values for the "targeted" ID while using transient, reversible values in the subject, so that attribute queries or logout still work.
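As an added example (not code from this wiki or from the Shibboleth project), the following Python sketch shows both sides of the attribute form just described: building an attribute named urn:oid:1.3.6.1.4.1.5923.1.1.1.10 whose AttributeValue carries a persistent-format NameID, and the SP-side check that accepts such a value only when the NameID Format is persistent and its NameQualifier and SPNameQualifier match the issuing IdP and this SP. The entity IDs, the sample value, the function names, and the scoped "NameQualifier!SPNameQualifier!value" output form are assumptions made for the example.

```python
"""eduPersonTargetedID carried as a SAML 2.0 attribute with an embedded NameID.

Added example, not Shibboleth code. Entity IDs, value and function names are
assumed for illustration; the scoped output form is also an assumption.
"""
import xml.etree.ElementTree as ET
from typing import Optional

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
EPTID_NAME = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
PERSISTENT_FMT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

ET.register_namespace("saml", SAML_NS)

# Constructed sample statement (assumed entity IDs and value): the targeted ID
# travels as an attribute with an embedded persistent NameID, leaving the
# assertion subject free to carry a transient identifier.
SAMPLE_STATEMENT = f"""
<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute Name="{EPTID_NAME}" NameFormat="{URI_NAME_FORMAT}">
    <saml:AttributeValue>
      <saml:NameID Format="{PERSISTENT_FMT}"
          NameQualifier="https://idp.example.org/idp/shibboleth"
          SPNameQualifier="https://sp.example.edu/shibboleth">
        ab8b6a4e2c3d1f9e7b5a2c4d6e8f0a1b2c3d4e5f
      </saml:NameID>
    </saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def build_targeted_id_attribute(idp_entity_id: str, sp_entity_id: str, value: str) -> str:
    """IdP side: emit the attribute with the NameID syntax inside AttributeValue."""
    attr = ET.Element(f"{{{SAML_NS}}}Attribute",
                      {"Name": EPTID_NAME, "NameFormat": URI_NAME_FORMAT})
    attr_value = ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue")
    name_id = ET.SubElement(attr_value, f"{{{SAML_NS}}}NameID", {
        "Format": PERSISTENT_FMT,
        "NameQualifier": idp_entity_id,   # the issuing IdP
        "SPNameQualifier": sp_entity_id,  # the SP the value was computed for
    })
    name_id.text = value
    return ET.tostring(attr, encoding="unicode")


def extract_targeted_id(xml_text: str, idp_entity_id: str, sp_entity_id: str) -> Optional[str]:
    """SP side: return the scoped value "NameQualifier!SPNameQualifier!value" or None.

    A value is rejected unless it is a persistent-format NameID whose qualifiers
    name the IdP that issued the assertion and this SP; a value targeted at
    another SP, or lacking qualifiers, must not be trusted as this user's ID.
    """
    root = ET.fromstring(xml_text)
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != EPTID_NAME:
            continue
        for attr_value in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            name_id = attr_value.find(f"{{{SAML_NS}}}NameID")
            if name_id is None:
                continue  # plain-string form, not the embedded NameID syntax
            if name_id.get("Format") != PERSISTENT_FMT:
                continue
            name_qualifier = name_id.get("NameQualifier")
            sp_name_qualifier = name_id.get("SPNameQualifier")
            value = (name_id.text or "").strip()
            if not value or name_qualifier != idp_entity_id or sp_name_qualifier != sp_entity_id:
                continue
            return f"{name_qualifier}!{sp_name_qualifier}!{value}"
    return None


if __name__ == "__main__":
    idp = "https://idp.example.org/idp/shibboleth"
    sp = "https://sp.example.edu/shibboleth"
    print(extract_targeted_id(SAMPLE_STATEMENT, idp, sp))
    # A value qualified for a different SP is not accepted by this SP.
    print(extract_targeted_id(SAMPLE_STATEMENT, idp, "https://other.example.edu/shibboleth"))
    print(extract_targeted_id(build_targeted_id_attribute(idp, sp, "abc123"), idp, sp))
```

The qualifier check is the point of the example: the opaque value alone is only meaningful relative to the IdP that issued it and the SP it was computed for, so an SP that keys user records on the bare value (or ignores SPNameQualifier) can be handed a value generated for some other relying party.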
...