...

Within higher education, and thus within InCommon, there are two principal mechanisms for user identification profiled for use with SAML: the eduPersonPrincipalName (EPPN) and eduPersonTargetedID attributes.

Tip: Best Recommended Practice
  • IdPs support both the eduPersonPrincipalName and eduPersonTargetedID attributes.
  • When SAML 2.0 is used, the "persistent" <NameID> format is used to represent the eduPersonTargetedID attribute.
  • The release of eduPersonTargetedID is automated for most or all affiliates (save perhaps for students opting out under FERPA) to SPs that are not otherwise subject to user anonymity requirements, such as some library services.

IdPs are encouraged to support both the eduPersonPrincipalName and eduPersonTargetedID attributes, particularly in the case that the institution reassigns EPPN values to different users after periods of disuse. Even for those that do not reassign, there is value in eduPersonTargetedID in contributing to the privacy of one's users as they interact with different services.

eduPersonTargetedID Considerations

...

eduPersonTargetedID, unlike EPPN, does not have a single, universal string representation. Rather, it is a data "triple" (the IdP and SP identifiers plus an opaque value) that different deployments will manipulate into forms appropriate for their needs. Many applications will also struggle with the length and appearance of its values; such applications are commonly those that also expect to receive personally identifying attributes such as name and email address, which defeats most of the privacy benefit of eduPersonTargetedID on its own. In such cases, EPPN may be a better choice. Where reassignment is allowed, EPPN can be accompanied by eduPersonTargetedID to detect reassignment, but most packaged applications will be unable to rely on such an approach.
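As an added example (not part of the original page), the following Python shows how an SP can unpack a persistent <NameID> into the eduPersonTargetedID triple and pair it with EPPN to flag reassignment. The sample NameID, entityIDs and EPPN are constructed; the "idp!sp!value" string form follows the Shibboleth SP convention and is assumed here, not mandated by the attribute definition.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample: a persistent <NameID> as an IdP might emit it (hypothetical entityIDs).
SAMPLE_NAMEID = (
    f'<saml:NameID xmlns:saml="{SAML_NS}" Format="{PERSISTENT}" '
    'NameQualifier="https://idp.example.edu/idp/shibboleth" '
    'SPNameQualifier="https://sp.example.org/shibboleth">'
    'u3Nz8Z1Qe9rbX0wJq5mT7dKfB2A=</saml:NameID>'
)


def targeted_id_from_nameid(xml_text):
    """Return the eduPersonTargetedID triple (IdP entityID, SP entityID, opaque value)."""
    el = ET.fromstring(xml_text)
    if el.get("Format") != PERSISTENT:
        raise ValueError("not a persistent NameID")
    idp = el.get("NameQualifier")
    sp = el.get("SPNameQualifier")
    value = (el.text or "").strip()
    # All three parts are needed; a value without its qualifiers is not scoped and must not be trusted.
    if not (idp and sp and value):
        raise ValueError("persistent NameID must carry both qualifiers and a value")
    return (idp, sp, value)


def targeted_id_string(triple):
    """Scoped string form 'idp!sp!value' (assumed Shibboleth SP convention, not universal)."""
    return "!".join(triple)


class ReassignmentDetector:
    """Pair EPPN with eduPersonTargetedID: the same EPPN arriving with a different
    targeted ID means the institution has reassigned that EPPN to a new person."""

    def __init__(self):
        self._seen = {}  # eppn -> targeted-ID string first observed with it

    def observe(self, eppn, triple):
        """Record the pairing; return True if this EPPN was previously bound to another person."""
        tid = targeted_id_string(triple)
        first = self._seen.setdefault(eppn, tid)
        return first != tid
```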

...