Tuakiri Attribute Validator
Name
samlPairwiseID
Categories
Tuakiri Optional Attributes

Number of values
One
Description
A long-lived, non-reassignable, uni-directional identifier suitable for use as a unique external key specific to a particular relying party. Its value for a given subject depends upon the relying party to whom it is given, thus preventing unrelated systems from using it as a basis for correlation.

The authoritative definition of this attribute is in the SAML V2.0 Subject Identifier Attributes Profile Version 1.0 (attribute name urn:oasis:names:tc:SAML:attribute:pairwise-id).

Format
<uniqueID> "@" <scope>, where:
  • The unique ID consists of 1 to 127 ASCII characters, each of which is either an alphanumeric ASCII character, an equals sign (ASCII 61), or a hyphen (ASCII 45). The first character MUST be alphanumeric.
  • The scope consists of 1 to 127 ASCII characters, each of which is either an alphanumeric ASCII character, a hyphen (ASCII 45), or a period (ASCII 46). The first character MUST be alphanumeric.
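As an added example (not code from the Tuakiri validator or from the profile), a Python checker that enforces the format above and applies the case-insensitive comparison rule stated in the usage notes below. The PreferenceStore class and the sample values are constructed for illustration:

```python
import re
from typing import NamedTuple

# Character rules for samlPairwiseID as stated on this page: <uniqueID> "@" <scope>.
#   uniqueID: 1-127 ASCII chars from [A-Za-z0-9=-], first char alphanumeric
#   scope:    1-127 ASCII chars from [A-Za-z0-9.-], first char alphanumeric
_UNIQUE_ID = r"[A-Za-z0-9][A-Za-z0-9=-]{0,126}"
_SCOPE = r"[A-Za-z0-9][A-Za-z0-9.-]{0,126}"
_PAIRWISE_ID = re.compile(rf"({_UNIQUE_ID})@({_SCOPE})")


class PairwiseID(NamedTuple):
    unique_id: str
    scope: str

    def canonical(self) -> str:
        """Comparison key: values that differ only by case denote the same subject,
        so every comparison and storage key uses the lowercased form."""
        return f"{self.unique_id}@{self.scope}".lower()


def parse_pairwise_id(value) -> PairwiseID:
    """Split a samlPairwiseID into its parts; raise ValueError if it is malformed."""
    if not isinstance(value, str):
        raise ValueError("samlPairwiseID must be a string")
    # fullmatch (rather than match or a '$' anchor) rejects a trailing newline and
    # anything after the scope; the explicit ASCII classes reject non-ASCII characters
    # and a second '@', since '@' is in neither class.
    m = _PAIRWISE_ID.fullmatch(value)
    if m is None:
        raise ValueError(f"malformed samlPairwiseID: {value!r}")
    return PairwiseID(m.group(1), m.group(2))


def is_valid_pairwise_id(value) -> bool:
    try:
        parse_pairwise_id(value)
    except ValueError:
        return False
    return True


def same_subject(a: str, b: str) -> bool:
    """True when two attribute values refer to the same subject (case-insensitive)."""
    return parse_pairwise_id(a).canonical() == parse_pairwise_id(b).canonical()


class PreferenceStore:
    """Hypothetical per-user preference store keyed by the canonical pairwise ID, as a
    Service Provider might keep for personalisation. Keying on the raw value would
    silently split one subject into several records if the letter case ever varied."""

    def __init__(self) -> None:
        self._prefs: dict = {}

    def preferences_for(self, pairwise_id: str) -> dict:
        return self._prefs.setdefault(parse_pairwise_id(pairwise_id).canonical(), {})

    def set(self, pairwise_id: str, key: str, value) -> None:
        self.preferences_for(pairwise_id)[key] = value
```

Validate on receipt, before the value reaches a database or log, and reject rather than repair: a value that fails the format is not a samlPairwiseID and should not be used as a key for anything.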

Notes on usage
A Service Provider should use this attribute to support the parts of its service that depend on recognising the same user from one session to the next. The most common use is service personalisation, such as keeping a user's preferences or stored search expressions across sessions. A secondary use is to track a user's activity within the service, which makes it easier to detect systematic downloading of content or other suspected breaches of licence conditions.

The attribute enables an organisation to provide a persistent, opaque, user identifier to a service provider. For each user, the identity provider presents a different value to each service provider to which the attribute is released.

Value comparison MUST be performed case-insensitively (that is, values that differ only by case are the same, and MUST refer to the same subject).

A value MUST NOT be assigned to more than a single subject over its lifetime of use under any circumstances.

The value MUST NOT be mappable by a relying party into a non-pairwise identifier for the subject through ordinary effort.
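As an added illustration (not the profile's or Tuakiri's specified algorithm; the page does not prescribe how an identity provider computes the value), one way an identity provider can meet the requirements above: derive the value with HMAC-SHA256, keyed with a secret held only by the IdP, over the relying party's identifier and a never-reused internal subject key. The secret, subject keys, relying party identifiers and scope used here are constructed for the example.

```python
import base64
import hashlib
import hmac
import re

# Format check from the Format section of this page.
PAIRWISE_ID_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9=-]{0,126}@[A-Za-z0-9][A-Za-z0-9.-]{0,126}")


def derive_pairwise_id(idp_secret: bytes, subject_key: str, relying_party: str, scope: str) -> str:
    """Hypothetical IdP-side derivation of the samlPairwiseID released for one subject
    to one relying party.

      * keyed by an IdP-held secret: a relying party cannot map the value back to the
        subject, nor forward from a guessed identity, without the key
      * relying party identifier in the message: each relying party gets an unrelated value
      * deterministic: the same subject gets the same value in every session
      * non-reassignability is inherited from subject_key, which must be a surrogate
        that is never reused for another person (a recycled username would break this)
    """
    if len(idp_secret) < 32:
        raise ValueError("idp_secret must be at least 32 bytes")
    if not subject_key or not relying_party:
        raise ValueError("subject_key and relying_party are required")
    # Length-prefix each field so that field boundaries are unambiguous.
    fields = (subject_key.encode("utf-8"), relying_party.encode("utf-8"))
    message = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    digest = hmac.new(idp_secret, message, hashlib.sha256).digest()
    # base32 output is alphanumeric (A-Z, 2-7): lowercase it and drop the '=' padding,
    # giving a 52-character uniqueID that satisfies the format rules.
    unique_id = base64.b32encode(digest).decode("ascii").rstrip("=").lower()
    value = f"{unique_id}@{scope}"
    if not PAIRWISE_ID_RE.fullmatch(value):
        raise ValueError("derived value violates the samlPairwiseID format")
    return value


def pairwise_properties(idp_secret: bytes) -> dict:
    """Check the properties above on constructed sample data (not real identities)."""
    scope = "example.ac.nz"
    sp1 = "https://sp1.example.org/shibboleth"
    sp2 = "https://sp2.example.org/shibboleth"
    alice_sp1 = derive_pairwise_id(idp_secret, "subj-00001", sp1, scope)
    alice_sp1_again = derive_pairwise_id(idp_secret, "subj-00001", sp1, scope)
    alice_sp2 = derive_pairwise_id(idp_secret, "subj-00001", sp2, scope)
    bob_sp1 = derive_pairwise_id(idp_secret, "subj-00002", sp1, scope)
    # A relying party that knows everything except the IdP secret cannot recompute it.
    alice_sp1_wrong_key = derive_pairwise_id(b"\x00" * 32, "subj-00001", sp1, scope)
    return {
        "stable_across_sessions": alice_sp1 == alice_sp1_again,
        "differs_per_relying_party": alice_sp1 != alice_sp2,
        "differs_per_subject": alice_sp1 != bob_sp1,
        "depends_on_idp_secret": alice_sp1 != alice_sp1_wrong_key,
    }
```

Two operational consequences follow from this construction: the secret must stay stable for the identifier's lifetime, since rotating it changes every released value and breaks persistence at every relying party; and if the relying party identifier is the SP entityID, an SP that changes its entityID will be treated as a new relying party and receive new values.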

Notes on privacy
This attribute is intended to be privacy-preserving: the value is opaque, reveals nothing about the user's identity, and differs for every relying party, so two services cannot correlate their records of the same user by comparing values.