eduPerson unique ID (core)

| Field | Value |
|---|---|
| Name | eduPersonUniqueId |
| Description | A long-lived, non re-assignable, omnidirectional identifier. The international version of the swissEduPersonUniqueID. |
| Vocabulary | not applicable, no controlled vocabulary |
| References | eduPerson |
| OIDC | n/a |
| OID | 1.3.6.1.4.1.5923.1.1.1.13 |
| LDAP Syntax | Directory String |
| # of values | single |
| Example values | |
Definition
A long-lived, non re-assignable, omnidirectional identifier suitable for use as a principal identifier by authentication providers or as a unique external key by applications.
This identifier represents a specific principal in a specific identity system. Values of this attribute MUST be
assigned in such a manner that no two values created by distinct identity systems could collide. This identifier
is permanent, to the extent that the principal is represented in the issuing identity system.
Once assigned, it MUST NOT be reassigned to another principal. This identifier is meant to be freely sharable, is
public, opaque, and SHOULD remain stable over time regardless of the nature of association, interruptions in
association, or complexity of association by the principal with the issuing identity system. When possible, the
issuing identity system SHOULD associate any number of principals associated with a single person with a single
value of this attribute.
This identifier is scoped and of the form uniqueID@scope.
The uniqueID portion MUST be unique within the context of the issuing identity system and MUST
contain only alphanumeric characters (a-z, A-Z, 0-9). The
length of the uniqueID portion MUST be less than or equal to 64 characters.
The scope portion MUST be the administrative domain of the identity system where the identifier
was created and assigned. The scope portion MAY contain any Unicode character. The length of
the scope portion MUST be less than or equal to 256 characters. Note that the use of characters
outside the seven-bit ASCII set or extremely long values in the scope portion may cause issues
with interoperability.
Relying parties SHOULD NOT treat this identifier as an email address for the principal as it is unlikely (though not precluded) for it to be valid for that purpose. Most organizations will find that existing email address values will not serve well as values for this identifier.
Important
- In the Switch edu-ID federation use swissEduPersonUniqueID if a non-targeted identifier is required.
- For interfederation use, eduPersonUniqueId might be suitable; however, subject-id would be better.
- Due to the caseIgnoreMatch matching rule from the LDAP schema one SHOULD only use uppercase OR lowercase characters to avoid potential clashes.
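The syntax rules in the Definition above (uniqueID@scope, alphanumeric uniqueID of at most 64 characters, scope of at most 256 characters, non-ASCII scope discouraged) and the caseIgnoreMatch caveat in the list above can be checked mechanically when a relying party ingests the attribute. The following validator is an added example, not code from the Switch edu-ID specification or from eduPerson; the function names, the constructed sample values and the simplified case-folding used to approximate the LDAP caseIgnoreMatch rule are all assumptions made for this illustration.

```python
"""Validator for eduPersonUniqueId values of the form uniqueID@scope (constructed example)."""
import re
from dataclasses import dataclass, field

MAX_UNIQUE_ID_LEN = 64   # uniqueID portion MUST be <= 64 characters
MAX_SCOPE_LEN = 256      # scope portion MUST be <= 256 characters
# [A-Za-z0-9] is deliberately ASCII-only; \w would also admit Unicode letters and '_'.
UNIQUE_ID_CHARSET = re.compile(r"[A-Za-z0-9]+")


@dataclass
class CheckResult:
    value: str
    unique_id: str = ""
    scope: str = ""
    errors: list[str] = field(default_factory=list)    # MUST-level violations
    warnings: list[str] = field(default_factory=list)  # SHOULD-level / interoperability concerns

    @property
    def valid(self) -> bool:
        return not self.errors


def check_edu_person_unique_id(value: str) -> CheckResult:
    """Check one attribute value against the format rules; never raises."""
    result = CheckResult(value)
    if "@" not in value:
        result.errors.append("not scoped: expected uniqueID@scope")
        return result

    # The uniqueID portion is alphanumeric, so it can never contain '@';
    # the scope portion MAY contain any Unicode character, '@' included.
    # Splitting on the first '@' therefore recovers both parts unambiguously.
    unique_id, scope = value.split("@", 1)
    result.unique_id, result.scope = unique_id, scope

    if not unique_id:
        result.errors.append("uniqueID portion is empty")
    elif not UNIQUE_ID_CHARSET.fullmatch(unique_id):
        result.errors.append("uniqueID contains characters outside a-z, A-Z, 0-9")
    elif len(unique_id) > MAX_UNIQUE_ID_LEN:
        result.errors.append(f"uniqueID is {len(unique_id)} characters, maximum is {MAX_UNIQUE_ID_LEN}")
    elif unique_id != unique_id.lower() and unique_id != unique_id.upper():
        # Legal, but the LDAP caseIgnoreMatch rule would equate this value with
        # differently-cased spellings, so the spec advises one case only.
        result.warnings.append("uniqueID mixes upper and lower case; caseIgnoreMatch may cause clashes")

    if not scope:
        result.errors.append("scope portion is empty")
    elif len(scope) > MAX_SCOPE_LEN:
        result.errors.append(f"scope is {len(scope)} characters, maximum is {MAX_SCOPE_LEN}")
    elif not scope.isascii():
        result.warnings.append("scope contains non-ASCII characters; may cause interoperability issues")

    return result


def case_insensitive_collisions(values: list[str]) -> list[list[str]]:
    """Group values an LDAP caseIgnoreMatch comparison would treat as equal.

    Simplification (assumption): caseIgnoreMatch is approximated by str.casefold()
    on the whole value; the real rule also normalises insignificant whitespace.
    """
    groups: dict[str, list[str]] = {}
    for v in values:
        groups.setdefault(v.casefold(), []).append(v)
    return [members for members in groups.values() if len(members) > 1]


if __name__ == "__main__":
    # Constructed sample values; none of these is a real identifier.
    samples = [
        "a1b2c3d4@example.org",          # valid, single-case
        "A1b2C3@example.org",            # valid, but mixed case -> warning
        "user_1@example.org",            # '_' not allowed -> error
        "abc",                           # no scope -> error
        "x" * 65 + "@example.org",       # uniqueID too long -> error
        "abc@zürich.example",            # valid, non-ASCII scope -> warning
    ]
    for r in (check_edu_person_unique_id(s) for s in samples):
        print(f"{r.value[:40]:<42} valid={r.valid} errors={r.errors} warnings={r.warnings}")
    print("case clashes:", case_insensitive_collisions(["abc123@example.org", "ABC123@example.org"]))
```

A relying party that stores the value as an external key would reject any result with errors and, given the caseIgnoreMatch note, run the collision check over its existing keys before accepting a new value that differs from a stored one only in case.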
Example applications
- Controlling access to resources where it is important to ensure a unique stable identifier for a principal that will be unique across time.
All attribute definitions in a single document: Switch edu-ID Attribute Specification