Pairwise subject ID

| Attribute | Value |
| --- | --- |
| Name | pairwise-id |
| Description | This is a long-lived, non-reassignable, uni-directional identifier suitable for use as a unique external key specific to a particular relying party. Its value for a given subject depends upon the relying party to whom it is given, thus preventing unrelated systems from using it as a basis for correlation. |
| Vocabulary | not applicable, no controlled vocabulary |
| References | SAML-subject-id |
| OIDC | n/a |
| OID | n/a |
| URN | urn:oasis:names:tc:SAML:attribute:pairwise-id |
| LDAP Syntax | Directory String |
| # of values | single |
| Example values | |
Definition
The value consists of two substrings (termed a unique ID and a scope in the
remainder of this definition) separated by an @ symbol (ASCII 64) as an inline delimiter.
The unique ID consists of 1 to 127 ASCII characters, each of which is either an alphanumeric
ASCII character, an equals sign (ASCII 61), or a hyphen (ASCII 45). The first character MUST be
alphanumeric.
The scope consists of 1 to 127 ASCII characters, each of which is either an alphanumeric ASCII
character, a hyphen (ASCII 45), or a period (ASCII 46). The first character MUST be alphanumeric.
The scope deliberately resembles, and often is, a DNS domain name, but is drawn from a more limited character set
due to case folding considerations, and no attempt is made to limit the allowable grammar to legal domain names
(e.g., it allows consecutive periods).
The ABNF [RFC5234] grammar is therefore:

```
<value>    = <uniqueID> "@" <scope>
<uniqueID> = (ALPHA / DIGIT) 0*126(ALPHA / DIGIT / "=" / "-")
<scope>    = (ALPHA / DIGIT) 0*126(ALPHA / DIGIT / "-" / ".")
```
Value comparison MUST be performed case-insensitively (that is, values that differ only by case are the same, and MUST refer to the same subject). In the grammar above, the ALPHA production contains characters that can be expressed in both upper and lower case. It is RECOMMENDED that the unique ID be exclusively upper- or lower-case when expressed or stored to facilitate ease of comparison.
Further, it is RECOMMENDED that scopes be expressed in lower case, since they are generally chosen independently of more “entrenched” decisions and are frequently, though not required to be, in the form of DNS domains.
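The following validator, added here as an illustration and not part of the specification, implements the ABNF above as a regular expression, normalizes values for the case-insensitive comparison the definition mandates, and adds a scope allow-list check that is a deployment assumption (a relying party accepting only scopes the asserting party is permitted to use), not something the specification text states.

```python
import re
from typing import Iterable, Tuple

# Character classes transcribed from the ABNF: first char alphanumeric,
# then up to 126 more, giving a 1..127 character limit for each part.
_UNIQUE_ID = r"[A-Za-z0-9][A-Za-z0-9=-]{0,126}"
_SCOPE = r"[A-Za-z0-9][A-Za-z0-9.-]{0,126}"
_PAIRWISE_ID = re.compile(rf"({_UNIQUE_ID})@({_SCOPE})")


def parse_pairwise_id(value: str) -> Tuple[str, str]:
    """Split a pairwise-id into (unique_id, scope).

    Raises ValueError when the value does not match the grammar. fullmatch()
    anchors both ends, so trailing newlines, a second '@' or non-ASCII
    letters are rejected rather than silently truncated.
    """
    m = _PAIRWISE_ID.fullmatch(value)
    if m is None:
        raise ValueError(f"not a valid pairwise-id: {value!r}")
    return m.group(1), m.group(2)


def is_valid_pairwise_id(value: str) -> bool:
    try:
        parse_pairwise_id(value)
    except ValueError:
        return False
    return True


def normalize_pairwise_id(value: str) -> str:
    """Canonical form for storage and lookup: both parts lower-cased.

    Comparison MUST be case-insensitive, and lower-case scopes are
    RECOMMENDED, so keying a database on this form is safe.
    """
    unique_id, scope = parse_pairwise_id(value)
    return f"{unique_id.lower()}@{scope.lower()}"


def same_subject(a: str, b: str) -> bool:
    """True when two values refer to the same subject (case-insensitive)."""
    return normalize_pairwise_id(a) == normalize_pairwise_id(b)


def scope_allowed(value: str, allowed_scopes: Iterable[str]) -> bool:
    """Assumed relying-party check (not from the spec): accept the value only
    if its scope is one the asserting party is allowed to issue."""
    _, scope = parse_pairwise_id(value)
    return scope.lower() in {s.lower() for s in allowed_scopes}
```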
Important: The pairwise-id is the replacement for the deprecated eduPersonTargetedID.
All attribute definitions in a single document: Switch edu-ID Attribute Specification