eduPerson unique ID (core)
Name eduPersonUniqueId
Description A long-lived, non re-assignable, omnidirectional identifier
The international version of the swissEduPersonUniqueID
Vocabulary not applicable, no controlled vocabulary
References eduPerson
OIDC n/a
OID 1.3.6.1.4.1.5923.1.1.1.13
LDAP Syntax Directory String
# of values single
Example values
  • 28c5353b8bb34984a8bd4169ba94c606@foo.edu

Definition

A long-lived, non re-assignable, omnidirectional identifier suitable for use as a principal identifier by authentication providers or as a unique external key by applications.

This identifier represents a specific principal in a specific identity system. Values of this attribute MUST be assigned in such a manner that no two values created by distinct identity systems could collide. This identifier is permanent, to the extent that the principal is represented in the issuing identity system.
Once assigned, it MUST NOT be reassigned to another principal. This identifier is meant to be freely sharable, is public, opaque, and SHOULD remain stable over time regardless of the nature of association, interruptions in association, or complexity of association by the principal with the issuing identity system. When possible, the issuing identity system SHOULD associate any number of principals associated with a single person with a single value of this attribute.

This identifier is scoped and of the form uniqueID@scope.
The uniqueID portion MUST be unique within the context of the issuing identity system and MUST contain only alphanumeric characters (a-z, A-Z, 0-9). The length of the uniqueID portion MUST be less than or equal to 64 characters.
The scope portion MUST be the administrative domain of the identity system where the identifier was created and assigned. The scope portion MAY contain any Unicode character. The length of the scope portion MUST be less than or equal to 256 characters. Note that the use of characters outside the seven-bit ASCII set or extremely long values in the scope portion may cause issues with interoperability.

Relying parties SHOULD NOT treat this identifier as an email address for the principal as it is unlikely (though not precluded) for it to be valid for that purpose. Most organizations will find that existing email address values will not serve well as values for this identifier.

Important

  • In the Switch edu-ID federation use swissEduPersonUniqueID if a non-targeted identifier is required.

  • For interfederation use, eduPersonUniqueId may be suitable, but subject-id is the better choice.

  • Because the LDAP schema defines this attribute with the caseIgnoreMatch matching rule, two values that differ only in letter case compare as equal. To avoid such clashes, one SHOULD use only uppercase OR only lowercase characters in the uniqueID portion.
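
As an added worked example (it is not part of the Switch edu-ID specification and not Switch's own code), the following Python checks a candidate value against the format rules in the definition above (the uniqueID@scope split, the alphanumeric and length limits, the non-ASCII scope caveat) and flags the caseIgnoreMatch concern from the note above. The mint_unique_id function is an assumption about how an issuing system might generate the uniqueID portion: the page does not prescribe a generation method, and the example value shown above is only used as test input.

```python
import re
import uuid

# Constraints taken from the eduPersonUniqueId definition: the uniqueID part is
# 1..64 ASCII alphanumerics, the scope part is 1..256 characters of any kind.
UNIQUEID_RE = re.compile(r"[A-Za-z0-9]{1,64}")
MAX_UNIQUEID_LEN = 64
MAX_SCOPE_LEN = 256


def parse_unique_id(value: str) -> tuple[str, str]:
    """Split a value into (uniqueID, scope).

    The uniqueID part is alphanumeric only, so it can never contain '@',
    while the scope part MAY contain any Unicode character, '@' included.
    The first '@' is therefore the only safe separator.
    """
    if "@" not in value:
        raise ValueError("missing '@' separator: expected uniqueID@scope")
    uid, scope = value.split("@", 1)
    return uid, scope


def check_unique_id(value: str) -> tuple[list[str], list[str]]:
    """Return (errors, warnings) for a candidate eduPersonUniqueId value.

    Errors are violations of the MUST rules in the definition; warnings flag
    the interoperability and caseIgnoreMatch concerns the page raises.
    """
    errors: list[str] = []
    warnings: list[str] = []
    try:
        uid, scope = parse_unique_id(value)
    except ValueError as exc:
        return [str(exc)], []

    if not uid:
        errors.append("uniqueID part is empty")
    elif not UNIQUEID_RE.fullmatch(uid):
        if len(uid) > MAX_UNIQUEID_LEN:
            errors.append(
                f"uniqueID part is {len(uid)} characters, maximum is {MAX_UNIQUEID_LEN}"
            )
        if not re.fullmatch(r"[A-Za-z0-9]+", uid):
            errors.append("uniqueID part must contain only a-z, A-Z and 0-9")
    elif uid != uid.lower() and uid != uid.upper():
        # caseIgnoreMatch makes 'aBc@x' and 'ABC@x' the same LDAP value.
        warnings.append(
            "uniqueID part mixes upper and lower case; use one case only"
        )

    if not scope:
        errors.append("scope part is empty")
    elif len(scope) > MAX_SCOPE_LEN:
        errors.append(
            f"scope part is {len(scope)} characters, maximum is {MAX_SCOPE_LEN}"
        )
    if not scope.isascii():
        warnings.append(
            "scope part contains non-ASCII characters; may hurt interoperability"
        )
    return errors, warnings


def case_insensitive_clashes(values: list[str]) -> dict[str, list[str]]:
    """Group distinct spellings that caseIgnoreMatch would treat as one value.

    Only groups with more than one distinct spelling are returned. Plain
    lower-casing approximates the LDAP rule closely enough for ASCII
    uniqueID parts; it does not model the full RFC 4518 string preparation.
    """
    groups: dict[str, list[str]] = {}
    for v in values:
        groups.setdefault(v.lower(), []).append(v)
    return {k: vs for k, vs in groups.items() if len(set(vs)) > 1}


def mint_unique_id(scope: str) -> str:
    """Mint a fresh value at the issuing identity system.

    Assumption, not prescribed by the page: a random 128-bit value rendered as
    32 lowercase hex digits keeps the uniqueID part alphanumeric, in a single
    case, and well under 64 characters.
    """
    return f"{uuid.uuid4().hex}@{scope}"


if __name__ == "__main__":
    # Constructed sample inputs, including the example value from the page.
    for candidate in [
        "28c5353b8bb34984a8bd4169ba94c606@foo.edu",
        "abc-123@foo.edu",
        "aBc@foo.edu",
        "abc@uni.zürich.example",
        mint_unique_id("foo.edu"),
    ]:
        print(candidate, check_unique_id(candidate))
    print(case_insensitive_clashes(["abc@foo.edu", "ABC@foo.edu", "def@foo.edu"]))
```

A relying party that stores this attribute as a key should run check_unique_id on ingest and reject on errors; an identity system that already holds values can run case_insensitive_clashes over its store to find principals that an LDAP lookup would conflate.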

Example applications

  • Controlling access to resources where a stable identifier for a principal is needed that remains unique over time.


All attribute definitions in a single document: Switch edu-ID Attribute Specification