This is a proposal for a new eduPerson identifier with the following characteristics:

  • globally unique
  • persistent
  • non-reassigned
  • transparent
  • value syntax: unspecified

Recall that a persistent identifier is not necessarily permanent. Indeed, the IdP or the user may discontinue use of a persistent identifier at any time.

A word about the transparency requirement: it must be possible to display the proposed identifier to a user for the purposes of consent. Note that the eduPersonTargetedID identifier does not satisfy this requirement.

The eduPersonPrincipalName identifier satisfies the above requirements if it happens to be non-reassigned in practice (which we now know is a common practice, at least within the InCommon Federation). However, unlike eduPersonPrincipalName, the value syntax of the proposed identifier is intentionally unspecified to allow for a portable identifier that persists even if the user changes their affiliation.

The advantages of the proposed identifier include the following:

  1. the proposed identifier meets the needs of the grid use cases
  2. the proposed identifier leverages the fact that a significant number of (InCommon) IdPs do not reassign eduPersonPrincipalName
  3. the proposed identifier is relatively easy to deploy since there is no requirement that it be scoped to the SP
  4. the proposed identifier is compatible with anticipated consent scenarios
  5. the proposed identifier leaves open the possible use of portable identifiers
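The properties listed above (unique, persistent, non-reassigned, transparent) are what an IdP has to enforce at issuance time. The following is an added illustration, not part of this proposal or of any eduPerson implementation: a minimal identifier registry whose class and method names, and whose sample values such as `alice@idp.example.edu`, are hypothetical. It shows the distinction between discontinuing a persistent identifier (allowed) and reassigning it to a different subject (refused), and leaves the value syntax unconstrained beyond being displayable for consent.

```python
# Added example (not from the eduPerson proposal or any eduPerson code):
# a toy IdP-side registry enforcing the proposed identifier properties.
#   - unique:         a value maps to at most one subject at a time
#   - persistent:     a binding stays fixed until it is explicitly discontinued
#   - non-reassigned: a discontinued value is never handed to another subject
#   - transparent:    the value is plain displayable text usable on a consent page
# All names and sample values below are hypothetical/constructed.

from dataclasses import dataclass, field


class IdentifierReassignedError(ValueError):
    """Raised when a value would be bound to someone other than its original subject."""


@dataclass
class IdentifierRegistry:
    # value -> subject, for identifiers currently in use
    active: dict = field(default_factory=dict)
    # value -> former subject, for identifiers whose use was discontinued.
    # Entries are never deleted; remembering them is what prevents reassignment.
    retired: dict = field(default_factory=dict)

    def register(self, value: str, subject: str) -> str:
        """Bind value to subject; refuse anything that breaks uniqueness or
        non-reassignment. Returns the value on success."""
        if not value:
            raise ValueError("identifier value must be non-empty")
        # The proposal leaves the syntax unspecified, so the only check on the
        # value itself is the transparency requirement: it must be displayable.
        if not value.isprintable():
            raise ValueError("identifier must be displayable text for consent")
        # Uniqueness: an active value may not be taken by a different subject.
        if self.active.get(value, subject) != subject:
            raise IdentifierReassignedError(f"{value} is in use by another subject")
        # Non-reassignment: a retired value may only be resumed by its original owner.
        if self.retired.get(value, subject) != subject:
            raise IdentifierReassignedError(f"{value} was retired and cannot be reassigned")
        self.active[value] = subject
        self.retired.pop(value, None)  # original subject resuming use is allowed
        return value

    def resolve(self, value: str):
        """Subject currently bound to value, or None if not in use."""
        return self.active.get(value)

    def discontinue(self, value: str) -> None:
        """Stop using value (persistent does not mean permanent) but keep its owner on record."""
        subject = self.active.pop(value, None)
        if subject is not None:
            self.retired[value] = subject

    def consent_display(self, value: str) -> str:
        """What the user is shown when asked to consent to release of the identifier."""
        return f"The service will receive your identifier: {value}"


def demo() -> dict:
    """Walk the lifecycle on constructed sample values and report what was enforced."""
    reg = IdentifierRegistry()
    alice_id = reg.register("alice@idp.example.edu", "alice")  # constructed value

    try:
        reg.register(alice_id, "bob")  # same value, different subject
        reassignment_blocked = False
    except IdentifierReassignedError:
        reassignment_blocked = True

    reg.discontinue(alice_id)  # Alice or the IdP stops using it
    try:
        reg.register(alice_id, "bob")  # still refused after discontinuation
        retired_reuse_blocked = False
    except IdentifierReassignedError:
        retired_reuse_blocked = True

    resumed = reg.register(alice_id, "alice") == alice_id  # original owner may resume
    return {
        "reassignment_blocked": reassignment_blocked,
        "retired_reuse_blocked": retired_reuse_blocked,
        "resumed_by_owner": resumed,
        "consent_text": reg.consent_display(alice_id),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The `retired` map is the important design choice: an IdP that simply deletes a discontinued binding has no record with which to refuse a later collision, so non-reassignment has to be stored state rather than a policy statement.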