Attribute: subject-id

The General Purpose Subject Identifier is a long-lived, non-reassignable, omni-directional identifier suitable for use as a globally-unique external person identifier (key). Its value for a given subject is independent of the relying party to whom it is given.

Note: While this attribute is supported by SAFIRE’s infrastructure, it is not yet included in the list of officially supported attributes.

Attribute Definition

Friendly Name subject-id
OID urn:oasis:names:tc:SAML:attribute:subject-id
Description

The General Purpose Subject Identifier is a long-lived, non-reassignable, omni-directional identifier suitable for use as a globally-unique external person identifier (key). Its value for a given subject is independent of the relying party to whom it is given.

Note: While this attribute is supported by SAFIRE’s infrastructure, it is not yet included in the list of officially supported attributes.

Format

Single valued, scoped, case-insensitive. The syntax is per section 3.3 of the SAML V2.0 Subject Identifier Attributes Profile.

The scope portion must match one of the <shibmd:Scope> elements in the identity provider’s metadata.

References
Example
Additional Notes

The subject-id consists of two parts in the form uniqueID@scope. The uniqueID is a pseudonymous identifier for the subject at their home organisation, and the scope identifies the home organisation of the subject. The maximum combined length, including the “@” separator, is 255 characters.

Identity providers generating subject-id are encouraged to send opaque pseudonymous values for the uniqueID portion (specifically, it does not need to match eduPersonPrincipalName and probably should not).

South African Identity Federation