The Pairwise Subject Identifier is a long-lived, non-reassignable, uni-directional identifier suitable for use as a unique external person identifier (key). Its value for a given subject depends upon the relying party to whom it is given, thus preventing unrelated systems from using it as a basis for correlation.

Note: While this attribute is supported by SAFIRE’s infrastructure, it is not yet included in the list of officially supported attributes.

Single valued, scoped, case-insensitive. Syntax per section 3.4 of the SAML V2.0 Subject Identifier Attributes Profile.

The scope portion must match one of the <shibmd:Scope> elements in the identity provider’s metadata.

pairwise-id is generated by the Federation Operator if a corresponding subject-id is sent by the home organisation.

• SAML V2.0 Subject Identifier Attributes Profile Version 1.0

• 3cfd15cfbb4c76f60430a76e9a83be43@example.ac.za

The pairwise-id consists of two parts in the form uniqueID@scope. The uniqueID is an opaque, pseudonymous identifier for the subject at their home organisation, and the scope identifies the home organisation of the subject. The maximum combined length, including the “@” separator, is 255 characters.

In SAFIRE’s case, the uniqueID consists of a SHA256 hash of the supplied subject-id and the relying party’s identifier, making it a consistent length. However, this is not guarenteed and provision should be made to accomodate the full 127 character uniqueID provided for by the specification.