What is wrong with persistent NameID?

What is useful about them? (wink)

Distinguish NameIDs from Attributes

  • NameIDs impact Logout, attributes don't
  • If we deprecate Persistent NameID and instead require Transient NameID, the need for inbound encryption at the IdP completely disappears

Should the profile be addressing current practice or desired practice or both?

If the latter, what is that?

What are the implications of case sensitivity on current and desired practice?

What do we do about the fact that everybody else uses email addresses?

Should we promote scoped identifiers (ePPN, ePUId)?

How do we address reassignability expectations? (Eric suggests we explicitly ignore it.)

Non-domain-scoped identifiers (SAML2 Persistent NameID, OIDC 'sub' claim) are scoped to the IdP entityID. Is that better or worse than scoped identifiers (which do not depend on the IdP entityID)?

How do we handle the requests from our research VO friends, Scott Koranda and Jim Basney? Specifically, they need identifiers to be:

  • Persistent
    • How rare can changes be before they become a problem for research VOs, and/or ORCID?
  • Unique
  • Non-reassigned
  • Non-targeted
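As an added illustration (not part of these notes) of the questions above about logout, scoping to the IdP entityID, case sensitivity and the research VO requirements, here is a Python sketch of how the identifier kinds under discussion behave as account-linking keys; the entityIDs and values are constructed placeholders, and the treatment of the ePPN local part is an assumption, not a profile decision.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
IDP, SP = "https://idp.example.edu/idp", "https://sp.example.org/sp"  # placeholder entityIDs

def make_nameid(fmt, value, name_qualifier=None, sp_name_qualifier=None):
    """Build a <saml:NameID> as it would appear in an Assertion or LogoutRequest."""
    el = ET.Element(f"{{{SAML}}}NameID", Format=fmt)
    if name_qualifier:
        el.set("NameQualifier", name_qualifier)
    if sp_name_qualifier:
        el.set("SPNameQualifier", sp_name_qualifier)
    el.text = value
    return el

def nameid_key(nameid):
    """Account-linking key for a NameID. A persistent value is only unique within
    (IdP entityID, SP entityID): the qualifiers are part of the key, and because it
    is targeted per SP it cannot meet the VO's 'non-targeted' requirement. A
    transient value is good for one session only, so it is rejected as a key."""
    fmt = nameid.get("Format", "")
    if fmt != PERSISTENT:
        raise ValueError(f"not a stable identifier: {fmt or 'unspecified'}")
    return (nameid.get("NameQualifier"), nameid.get("SPNameQualifier"), nameid.text.strip())

def scoped_key(eppn):
    """Key for a domain-scoped identifier such as ePPN. The scope is a DNS name and
    is compared case-insensitively; the local part is kept verbatim because its
    case sensitivity is exactly the open question in these notes (assumption)."""
    local, _, scope = eppn.partition("@")
    if not local or not scope:
        raise ValueError("unscoped value")
    return (local, scope.lower())

def logout_matches(session_nameid, request_nameid):
    """A LogoutRequest only ends the session whose NameID it strongly matches
    (same Format, qualifiers and value). This is why the NameID choice affects
    logout while attribute values do not."""
    attrs = ("Format", "NameQualifier", "SPNameQualifier")
    return (all(session_nameid.get(a) == request_nameid.get(a) for a in attrs)
            and session_nameid.text.strip() == request_nameid.text.strip())

if __name__ == "__main__":
    session = make_nameid(PERSISTENT, "k7Xq2vA9", IDP, SP)  # constructed sample
    print(nameid_key(session))
    print(scoped_key("JSmith@Example.EDU"))
    print(logout_matches(session, make_nameid(PERSISTENT, "k7Xq2vA9", IDP, SP)))
```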

Following the removal of persistent ID, what are the remaining questions?
