This is a proposal for a new eduPerson identifier with the following characteristics:
- globally unique
- persistent
- non-reassigned
- transparent
- value syntax: unspecified
Recall that a persistent identifier is not necessarily permanent. Indeed, the IdP or the user may discontinue use of a persistent identifier at any time.
A word about the transparency requirement: it must be possible to display the proposed identifier to a user for the purposes of consent. Note that the eduPersonTargetedID identifier does not satisfy this requirement.
The eduPersonPrincipalName identifier satisfies the above requirements if it happens to be non-reassigned in practice (which we now know is a common practice, at least within the InCommon Federation). However, unlike eduPersonPrincipalName, the value syntax of the proposed identifier is intentionally unspecified to allow for a portable identifier that persists even if the user changes their affiliation.
The advantages of the proposed identifier include the following:
- the proposed identifier meets the needs of the grid use cases
- the proposed identifier leverages the fact that a significant number of (InCommon) IdPs do not reassign eduPersonPrincipalName
- the proposed identifier is relatively easy to deploy since there is no requirement that it be scoped to the SP
- the proposed identifier is compatible with anticipated consent scenarios
- the proposed identifier leaves open the possible use of portable identifiers