UK federation position: Persistent Identifiers

In federated identity and access management, a persistent identifier is a value for a user that remains stable across sessions. Service providers require one to personalise services (for example, to keep a user's saved preferences between visits) and may also use it for authorisation. It is asserted by the Identity Provider to the Service Provider.

Within the UK federation, we recommend eduPersonTargetedID as a pseudonymous persistent identifier: its value is opaque and differs for each Service Provider, so it preserves the privacy of end users and cannot be used to correlate their activity across services. This is documented in our Technical Recommendations for Participants.

eduPersonTargetedID was standardised in 2006 for the Research and Education sector, and we now understand its limitations. In 2019, the SAML subject identifier attributes were developed to fix those deficiencies; the pairwise-id attribute is the direct replacement for eduPersonTargetedID. In 2020, eduPersonTargetedID was marked as deprecated (no longer recommended for use), and it will be marked as obsolete in a future version of the eduPerson specification.

The UK federation recognises that entities in the federation must evolve, which means a migration from the pseudonymous persistent identifier eduPersonTargetedID to the SAML subject identifier pairwise-id is required.

Identity Providers (IdP) can support the SAML subject identifiers with relative ease. The burden of migration lies largely with Service Providers (SP), who will need to support the new attribute in their SAML software and, where personalisation needs to be retained, develop a process and code to link each user's existing eduPersonTargetedID-based record to their pairwise-id so that the migration is seamless for end users.

SAML software used within the UK federation will need to support both eduPersonTargetedID and SAML subject identifiers for a transition period, during which an SP should expect to receive either attribute or both from a given IdP. It is highly likely that other parts of the federated access ecosystem, including eduGAIN member federations and OpenAthens, will also need to support this transition period.
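The SP-side linking logic described above, written out as an added example (this is illustrative code, not code from the UK federation, the Shibboleth Project or any SP product). It assumes the attribute names and serialisations the Shibboleth SP exposes by default: eduPersonTargetedID as "persistent-id" in the form "NameQualifier!SPNameQualifier!value", and pairwise-id as "value@scope". The entityIDs, scope and identifier values are constructed for the example; a real deployment takes them from federation metadata. The example goes slightly beyond the text by also showing the checks an SP must make before trusting either identifier: the NameID qualifiers must match this IdP/SP pair, and the pairwise-id scope must be one the asserting IdP is entitled to use.

```python
"""Account linking during the eduPersonTargetedID -> pairwise-id transition.

Added example; all entityIDs, scopes and identifier values are constructed.
"""
from dataclasses import dataclass, field

# Constructed for the example; in practice these come from SAML metadata.
IDP_ENTITY_ID = "https://idp.example.ac.uk/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
IDP_SCOPES = {"example.ac.uk"}  # scopes this IdP is authorised to assert


def parse_targeted_id(raw):
    """Validate an eduPersonTargetedID serialised by the Shibboleth SP as
    'NameQualifier!SPNameQualifier!value' and return the opaque value.
    A value qualified for a different IdP/SP pair is rejected: an identifier
    issued to another SP must never be accepted here."""
    if not raw:
        return None
    parts = raw.split("!")
    if len(parts) != 3:
        return None
    name_qualifier, sp_name_qualifier, value = parts
    if name_qualifier != IDP_ENTITY_ID or sp_name_qualifier != SP_ENTITY_ID or not value:
        return None
    return value


def parse_pairwise_id(raw):
    """Validate a pairwise-id ('value@scope') and return it normalised to
    lower case (the Subject Identifier profile defines the value as
    case-insensitive). The scope must be one the IdP is entitled to assert,
    otherwise an IdP could mint identifiers for another organisation's users."""
    if not raw or raw.count("@") != 1:
        return None
    value, scope = raw.lower().split("@")
    if not value or scope not in IDP_SCOPES:
        return None
    return f"{value}@{scope}"


@dataclass
class Account:
    account_id: int
    targeted_id: str = None
    pairwise_id: str = None


@dataclass
class AccountStore:
    accounts: list = field(default_factory=list)
    by_targeted: dict = field(default_factory=dict)
    by_pairwise: dict = field(default_factory=dict)

    def create(self, targeted_id, pairwise_id):
        acct = Account(len(self.accounts) + 1, targeted_id, pairwise_id)
        self.accounts.append(acct)
        if targeted_id:
            self.by_targeted[targeted_id] = acct
        if pairwise_id:
            self.by_pairwise[pairwise_id] = acct
        return acct


def resolve_account(store, attrs):
    """Map one login (attrs as the SP exposes them) to a local account.
    Returns (account_id or None, outcome)."""
    tid = parse_targeted_id(attrs.get("persistent-id"))
    pid = parse_pairwise_id(attrs.get("pairwise-id"))
    if tid is None and pid is None:
        return None, "rejected: no acceptable persistent identifier"

    by_pid = store.by_pairwise.get(pid) if pid else None
    by_tid = store.by_targeted.get(tid) if tid else None

    # Two known identifiers pointing at different accounts are never merged
    # silently: one of them may belong to somebody else.
    if by_pid and by_tid and by_pid is not by_tid:
        return None, "rejected: identifiers resolve to different accounts"

    if by_pid:
        return by_pid.account_id, "pairwise-id"
    if by_tid:
        if pid:  # transition period: both attributes arrived, record the new one
            by_tid.pairwise_id = pid
            store.by_pairwise[pid] = by_tid
            return by_tid.account_id, "linked"
        return by_tid.account_id, "legacy eduPersonTargetedID"
    return store.create(tid, pid).account_id, "created"


def run_demo():
    """Walk one user through the transition with constructed attribute values."""
    store = AccountStore()
    tid = f"{IDP_ENTITY_ID}!{SP_ENTITY_ID}!KSsb5JT7E12tZ0Jnn3ov6mVBQqI="
    pid = "uzeq2zi2h56ya3dpdc4loelpncxg4fxh@example.ac.uk"
    logins = [
        {"persistent-id": tid},                      # before the IdP releases pairwise-id
        {"persistent-id": tid, "pairwise-id": pid},  # transition: both attributes released
        {"pairwise-id": pid},                        # after eduPersonTargetedID is withdrawn
        {"pairwise-id": "uzeq2zi2h56ya3dpdc4loelpncxg4fxh@attacker.example"},  # wrong scope
        {"persistent-id": f"{IDP_ENTITY_ID}!https://other-sp.example/shibboleth!KSsb5JT7E12tZ0Jnn3ov6mVBQqI="},
    ]
    return [resolve_account(store, a) for a in logins]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

The "linked" step is the heart of the migration: while the IdP releases both attributes, the SP finds the user by the old identifier and records the new one, so that once eduPersonTargetedID is withdrawn the same account is still found by pairwise-id alone. The conflict check matters because the two identifiers are independent values; a login presenting an old identifier for one account and a new identifier for another should be investigated, not merged.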

Other work

Next steps

  • Encourage Shibboleth Project to maintain eduPersonTargetedID throughout the lengthy transition. The Project agreed to convert the deprecation warnings to at-risk warnings for version 5 of the IdP, to reflect that removal is under consideration but not planned.
  • Work with OpenAthens and other major vendors in the UK federation to enable support for SAML Subject identifiers in their products
  • Ensure UK federation metadata signalling support (UK federation toolchain) and test services to support SAML subject identifiers (Test IdP and SP) are in place and working as expected. (indicative start 2023Q4)
  • IdP Exploration (indicative start 2024Q1)
    • Instruction to IdPs to begin configuring SAML Subject Identifiers.
    • Focused workshops with IdPs
  • SP Exploration (indicative start 2024Q1)
    • Understand how many SPs need a persistent-id for personalisation
    • Establish pathfinder relationships with SPs
    • Focused workshops with SPs

Last update: 2023-10-04

Version: 1.1