Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


As to other contexts, that is unclear. The definition of eduPersonTargetedID is suitably generalized to be compatible with the SAML concepts it was copying, but may or may not be suitable as a way of describing similar concepts in other standards. This is an open question.

Why are there two seemingly similar identifiers eduPersonPrincipalName and eduPersonUniqueId?

eduPersonPrincipalName has the format of a name-based identifier, scoped to the domain of the Identity Provider; it will seem familiar to many users, but because it is name-based, the ePPN assigned to a given person is subject to change, which is a problem for services that maintain a user profile or record. In contrast, eduPersonUniqueId is intended never to change; it is more suitable as a permanent identifier of a specific user.

Under what circumstances would one use eduPersonEntitlement rather than LDAP group membership to indicate specific access privileges?

MACE-Dir Working Group Space