The General Purpose Subject Identifier is a long-lived, non-reassignable, omni-directional identifier suitable for use as a globally-unique external person identifier (key). Its value for a given subject is independent of the relying party to whom it is given.

Note: While this attribute is supported by SAFIRE’s infrastructure, it is not yet included in the list of officially supported attributes.

Single valued, scoped, case-insensitive. The syntax is per section 3.3 of the SAML V2.0 Subject Identifier Attributes Profile.

The scope portion must match one of the <shibmd:Scope> elements in the identity provider’s metadata.

• SAML V2.0 Subject Identifier Attributes Profile Version 1.0

• d06df5c2-24dd-4506-b44d-fe99719dac5d@example.ac.za

The subject-id consists of two parts in the form uniqueID@scope. The uniqueID is a pseudonymous identifier for the subject at their home organisation, and the scope identifies the home organisation of the subject. The maximum combined length, including the “@” separator, is 255 characters.

Identity providers generating subject-id are encouraged to send opaque pseudonymous values for the uniqueID portion (specifically, it does not need to match eduPersonPrincipalName and probably should not).