for saml2int
- No more use of subject identifiers at the assertion level
- No use of encrypted identifiers, but will use encrypted assertions; if you want to use redirect-based logout, you must use transientID
- Only use identifiers in the attributes in the assertion
- We cannot support non-string-based attributes any longer (eduPersonTargetedID)
- persistent NameID cannot be used because it's case-sensitive; that idea is unworkable
- in fact, targetedID and persistent NameID are now both dangerous to use due to case issues
for R&E federations
- Use ePUID
- Use non-reassigned ePPN
THAT'S IT
Pairwise IDs offer ZERO legal protection under EU privacy law, and come at a HUGE cost to deployers of IdPs and collaborative / research SPs.
SAML made an assumption that you'd just compare identifier strings, and it turns out that apps / implementations do not do this: they end up converting to all upper or all lower case ('normalizing' case), and thus pairwise identifiers are dead.
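As an added illustration (not part of these notes), the following Python models the case-normalization failure described above from the SP side: a deployment whose provisioning and login code paths disagree on case folding silently loses the user's account, a deployment that folds everywhere can merge two distinct opaque identifiers, and folding shrinks the base64 alphabet from 64 to 38 symbols. The identifiers are constructed samples, and the "random bytes, base64-encoded" minting is an assumption about how an IdP generates persistent NameIDs; the audit helper at the end is the check a deployer could run over an existing identifier store.

```python
import base64
import math
import secrets
from collections import defaultdict

# Standard base64 alphabet. Assumption: the IdP mints persistent NameIDs by
# base64-encoding random bytes, so upper- and lower-case letters are distinct
# symbols and the value is case-sensitive by construction.
BASE64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def issue_opaque_id(nbytes: int = 20) -> str:
    """Mimic an IdP minting an opaque pairwise identifier (hypothetical scheme)."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def folded_alphabet_size(alphabet: str = BASE64_ALPHABET) -> int:
    """How many distinct symbols survive once an app lower-cases the value."""
    return len({c.lower() for c in alphabet})


def bits_per_char(alphabet_size: int) -> float:
    """Entropy per character for a uniformly chosen symbol of the alphabet."""
    return math.log2(alphabet_size)


def lookup_after_login(identifier: str, fold_on_provision: bool, fold_on_login: bool):
    """Model an SP whose provisioning code and login code were written separately.

    Each path may or may not lower-case the identifier before using it as the
    account key. Returns the account found at login, or None when the user has
    silently lost access to the account that was provisioned for them.
    """
    accounts = {}
    provision_key = identifier.lower() if fold_on_provision else identifier
    accounts[provision_key] = "alice"
    login_key = identifier.lower() if fold_on_login else identifier
    return accounts.get(login_key)


def case_fold_collisions(identifiers):
    """Audit helper: group identifiers that become identical after lower-casing.

    Any group with more than one member means a case-normalizing SP would merge
    two distinct subjects into a single account.
    """
    groups = defaultdict(list)
    for ident in identifiers:
        groups[ident.lower()].append(ident)
    return {folded: members for folded, members in groups.items() if len(members) > 1}


# Constructed sample identifiers (not real federation data).
SAMPLE_IDS = [
    "Q7kPZx3aB+Q1mN0o",  # opaque pairwise value as issued by the IdP
    "q7kpzx3ab+q1mn0o",  # the same value after some component lower-cased it
    "Zz9/AbCdEfGh1234",  # an unrelated subject
]

if __name__ == "__main__":
    print("base64 symbols:", len(BASE64_ALPHABET), "-> after folding:", folded_alphabet_size())
    print("bits/char: %.2f -> %.2f" % (bits_per_char(64), bits_per_char(folded_alphabet_size())))
    print("consistent handling:", lookup_after_login(SAMPLE_IDS[0], False, False))
    print("mismatched handling:", lookup_after_login(SAMPLE_IDS[0], False, True))
    print("collisions:", case_fold_collisions(SAMPLE_IDS))
    print("freshly minted id:", issue_opaque_id())
```

The point of `lookup_after_login` is that the identifier itself is never wrong; the damage comes from two components treating the same string differently, which is exactly the situation an IdP operator cannot see or control once the value leaves the assertion.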