eduPersonTargetedID

Description: A persistent, non-reassigned, privacy-preserving identifier for a user shared between an identity provider and service provider. An identity provider uses the appropriate value of this attribute when communicating with a particular service provider or group of service providers, and does not reveal that value to any other service provider except in limited circumstances.

Persistence: eduPersonTargetedID does not require a specific lifetime, but the association should be maintained longer than a single user interaction and long enough to be useful as a key for a particular service that is consuming it.

Privacy: This attribute is designed to preserve the user's privacy and inhibit the ability of multiple unrelated services from correlating user activity by comparing values. It is therefore required to be opaque.

Uniqueness: A value of this attribute is intended only for consumption by a specific audience of applications (often a single one). Values of this attribute therefore must be unique within the namespace of the identity provider and the namespace of the service provider(s) for whom the value is created. The value is "qualified" by these two namespaces and need not be unique outside them. Logically, the attribute value is made up of the triple of an identifier, the identity provider, and the service provider(s).

Reassignment: A distinguishing feature of this attribute is that it prohibits reassignment. Since the values are opaque, there is no meaning attached to any particular value beyond its identification of the user. Therefore particular values created by an identity provider must not be reassigned such that the same value given to a particular Service Provider refers to two different users at different points in time.
Format: The eduPersonTargetedID value is an opaque string of no more than 256 characters. Note: common implementations yield a base64-encoded hash 28 characters long. CAUDIT recommends that the value not exceed this length.

The value may be communicated to service providers in either of two forms at the service provider's request. The form in common use within the Shibboleth community has the attribute name urn:mace:dir:attribute-def:eduPersonTargetedID and comprises the opaque string value scoped with the identity provider's security domain. These strings are separated by the "@" symbol.

A newer form, more compatible with commercial SAML implementations, has the attribute name urn:oid:1.3.6.1.4.1.5923.1.1.1.10 and comprises the entity name of the identity provider, the entity name of the service provider, and the opaque string value. These strings are separated by "!" symbols. This form is advocated by Internet2 and may overtake the other form in due course.
Classification: Linkage identifiers/Foreign keys
Origin/ObjectClass: eduPerson
OID: 1.3.6.1.4.1.5923.1.1.1.10
SAML attribute name: urn:mace:dir:attribute-def:eduPersonTargetedID [Legacy name and syntax using the Structured Encoding rules]
urn:oid:1.3.6.1.4.1.5923.1.1.1.10 [Uses Simple Encoding rules that are more compatible with vendor products]
LDAP syntax: directoryString [1.3.6.1.4.1.1466.115.121.1.15]
Number of values: Multiple
Example values: SAML2 encoding example (note: the following is a single string):

urn:mace:federation.org.au:testfed:mq.edu.au!urn:mace:federation.org.au:testfed:level-2:wiki.esecurity.edu.au!7eak0QQIEhygtPXtpgmu5l5hRnY

Legacy encoding example:

7eak0QQIEhygtPXtpgmu5l5hRnY

Example values: https://unisa.edu.au/idp/shibboleth!urn:mace:federation.org.au:aaf:wiki.esecurity.edu.au!7eak0QQIEhygtPXtpgmu5l5hRnY
Notes on usage: If a Service Provider is presented only with the affiliation of an anonymous subject, as provided by eduPersonScopedAffiliation, it cannot provide service personalisation or usage monitoring across sessions. These capabilities are enabled by the eduPersonTargetedID attribute, which provides a persistent user pseudonym, distinct for each Service Provider.
A Service Provider may use eduPersonTargetedID to support aspects of its service that depend on recognising the same user from session to session. The most common use is to enable service personalisation, to record user preferences such as stored search expressions across user sessions. A secondary use is to enable tracking of user activity, to make it easier to detect systematic downloading of content or other suspected breaches of licence conditions.

The attribute enables an organisation to provide a persistent, opaque, user identifier to a Service Provider. For each user, the Identity Provider presents a different value of eduPersonTargetedID to each Service Provider to which the attribute is released.

The eduPerson specification requires that a value of eduPersonTargetedID once assigned to a user for a given Service Provider shall never be reassigned to another user. Users and Service Providers should note, however, that not all Identity Providers may be able to guarantee that a user will always present the same value of eduPersonTargetedID; indeed, Identity Providers may offer their users the ability to generate new values of eduPersonTargetedID if they feel their privacy has been compromised. Identity Providers and users should note that changing a user's eduPersonTargetedID for a particular Service Provider may break the relationship with that Service Provider.
Notes on privacy: eduPersonTargetedID is intended to be a privacy-preserving attribute.
Available
Source: Generated by StoredId DataConnector

eduPersonTargetedID Attribute Resolver

<!-- ==eduPersonTargetedID== -->
<resolver:AttributeDefinition id="eduPersonTargetedID" xsi:type="SAML2NameID"
                              xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                              sourceAttributeID="persistentID">
    <resolver:Dependency ref="myStoredId" />

    <resolver:AttributeEncoder xsi:type="SAML1XMLObject"
                               xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" />

    <resolver:AttributeEncoder xsi:type="SAML2XMLObject"
                               xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
                               friendlyName="eduPersonTargetedID" />
</resolver:AttributeDefinition>

StoredID Attribute Resolver

<!-- StoredID (persistentID) Connector -->
<resolver:DataConnector id="myStoredId" xsi:type="StoredId"
                        xmlns="urn:mace:shibboleth:2.0:resolver:dc"
                        generatedAttributeID="persistentID" sourceAttributeID="uid"
                        salt="CHANGE_THIS_TO_A_RANDOM_BUNCH_OF_CHARACTERS">
    <resolver:Dependency ref="uid" />
    <ApplicationManagedConnection
            jdbcDriver="oracle.jdbc.OracleDriver"
            jdbcURL="jdbc:oracle:thin:@(DESCRIPTION=(LOAD_BALANCE=yes)(ADDRESS_LIST=
                (ADDRESS=(PROTOCOL=TCP)(HOST=shibpid1.oracle.unisa.edu.au)(PORT=1521))
                (ADDRESS=(PROTOCOL=TCP)(HOST=shibpid2.oracle.unisa.edu.au)(PORT=1521))
                (ADDRESS=(PROTOCOL=TCP)(HOST=shibpid3.oracle.unisa.edu.au)(PORT=1521))
            )(CONNECT_DATA=(SERVER=dedicated)(SERVICE_NAME=SHIBPID)))"
            jdbcUserName="SHIPID"
            jdbcPassword="YOUR_PASSWORD_HERE" />
</resolver:DataConnector>

If you are NOT using Oracle RAC, a plain thin-driver URL is sufficient:

jdbc:oracle:thin:@shibpid.oracle.unisa.edu.au:1521:SHIBPID

sourceAttributeID should be immutable

The use of sAMAccountName as the sourceAttributeID is unwise, as this value isn't guaranteed to stay with the same user (usernames may be changed, depending on institutional policy). Pick an effective-dated, immutable value instead and check its impact on the StoredID Data Connector.
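The persistence, non-reassignment and two-encoding rules from the Format and usage notes above, together with the StoredID connector behaviour (salt, immutable source attribute) discussed in this section, as an added example that is not part of this page or of the Shibboleth IdP code. It assumes the opaque value is seeded as base64(SHA-1(spEntityID!localId!salt)), which is an assumption modelled on the ComputedId/StoredId generator rather than something the page states; the in-memory store, entity IDs, user ids and salt are constructed for the example.

```python
import base64
import hashlib

MAX_LEN = 256  # an eduPersonTargetedID value is an opaque string of at most 256 characters


def computed_id(sp_entity_id, local_id, salt):
    """base64(SHA-1(sp!localId!salt)): 28 chars. Assumption: modelled on Shibboleth ComputedId, not from the page."""
    digest = hashlib.sha1(f"{sp_entity_id}!{local_id}!".encode() + salt).digest()
    return base64.b64encode(digest).decode()


class StoredIdStore:
    """Stand-in for the StoredId table: same (SP, user) always gets the same value, and no value is reassigned."""

    def __init__(self, salt):
        self.salt = salt
        self.by_user = {}   # (sp_entity_id, local_id) -> value
        self.by_value = {}  # (sp_entity_id, value) -> local_id

    def get_or_create(self, sp_entity_id, local_id):
        key = (sp_entity_id, local_id)
        if key in self.by_user:                      # persistence across sessions
            return self.by_user[key]
        value = computed_id(sp_entity_id, local_id, self.salt)
        owner = self.by_value.get((sp_entity_id, value))
        if owner is not None and owner != local_id:  # would silently merge two users at the SP
            raise ValueError("value already belongs to another user; reassignment is forbidden")
        self.by_user[key] = value
        self.by_value[(sp_entity_id, value)] = local_id
        return value


def encode_saml2(idp_entity_id, sp_entity_id, value):
    """urn:oid:1.3.6.1.4.1.5923.1.1.1.10 form: idp!sp!value, sent as one string."""
    return f"{idp_entity_id}!{sp_entity_id}!{value}"


def encode_legacy(value, idp_scope):
    """urn:mace:dir:attribute-def:eduPersonTargetedID form: value@scope."""
    return f"{value}@{idp_scope}"


def parse(attr):
    """Split either form into its parts; rejects malformed input and over-long opaque values."""
    if attr.count("!") == 2:                     # newer idp!sp!value form
        idp, sp, value = attr.split("!")
    elif "@" in attr and "!" not in attr:        # legacy value@scope form (no SP part)
        value, idp = attr.rsplit("@", 1)
        sp = None
    else:
        raise ValueError("not a recognised eduPersonTargetedID encoding")
    if not value or len(value) > MAX_LEN:
        raise ValueError("opaque value must be 1..256 characters")
    return {"idp": idp, "sp": sp, "value": value}
```

Calling get_or_create for the same SP with a renamed local id returns a different value, which is exactly the broken relationship the sourceAttributeID note above warns about.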
