- Tuakiri Optional Attributes
- Number of values
- A long-lived, non-reassignable, uni-directional identifier suitable for
use as a unique external key specific to a particular relying party.
Its value for a given subject depends upon the relying party to whom it is given,
thus preventing unrelated systems from using it as a basis for correlation.
The authoritative definition for this attribute can be found
here in the SAML V2.0 Subject Identifier Attributes Profile Version 1.0
- <uniqueID> "@" <scope>, where:
- The unique ID consists of 1 to 127 ASCII characters, each of which is either an alphanumeric ASCII character,
an equals sign (ASCII 61), or a hyphen (ASCII 45). The first character MUST be alphanumeric.
- The scope consists of 1 to 127 ASCII characters, each of which is either an alphanumeric ASCII character,
a hyphen (ASCII 45), or a period (ASCII 46). The first character MUST be alphanumeric.
- Notes on usage
- Service Providers should use this attribute to support aspects of its
service that depend on recognising the same user from session to session.
The most common use is to enable service personalisation, to record user
preferences such as stored search expressions across user sessions. A secondary
use is to enable tracking of user activity, to make it easier to detect
systematic downloading of content or other suspected breaches of licence conditions.
The attribute enables an organisation to provide a persistent, opaque, user
identifier to a service provider. For each user, the identity provider presents
a different value to each service provider to which the attribute is released.
Value comparison MUST be performed case-insensitively (that is,
values that differ only by case are the same, and MUST refer to the same subject).
A value MUST NOT be assigned to more than a single subject over its lifetime of use under any circumstances.
The value MUST NOT be mappable by a relying party into a non-pairwise identifier
for the subject through ordinary effort.
- Notes on privacy
- This attribute is intended to be a privacy-preserving attribute.