Subject ID (other)
Name: subject-id
Description: This is a long-lived, non-reassignable, omni-directional identifier suitable for use as a globally-unique external key. Its value for a given subject is independent of the relying party to whom it is given.
Vocabulary: not applicable, no controlled vocabulary
References: SAML-subject-id
OIDC: n/a
OID: n/a
URN: urn:oasis:names:tc:SAML:attribute:subject-id
LDAP Syntax: Directory String
# of values: single
Example values:
  • idm123456789@example.com

Definition

The value consists of two substrings (termed a unique ID and a scope in the remainder of this definition) separated by an @ symbol (ASCII 64) as an inline delimiter. The unique ID consists of 1 to 127 ASCII characters, each of which is either an alphanumeric ASCII character, an equals sign (ASCII 61), or a hyphen (ASCII 45). The first character MUST be alphanumeric.
The scope consists of 1 to 127 ASCII characters, each of which is either an alphanumeric ASCII character, a hyphen (ASCII 45), or a period (ASCII 46). The first character MUST be alphanumeric.
The scope deliberately resembles, and often is, a DNS domain name, but is drawn from a more limited character set due to case folding considerations, and no attempt is made to limit the allowable grammar to legal domain names (e.g., it allows consecutive periods).
The ABNF [RFC5234] grammar is therefore:

<value> = <uniqueID> "@" <scope>
<uniqueID> = (ALPHA / DIGIT) 0*126(ALPHA / DIGIT / "=" / "-")
<scope> = (ALPHA / DIGIT) 0*126(ALPHA / DIGIT / "-" / ".")

Value comparison MUST be performed case-insensitively (that is, values that differ only by case are the same, and MUST refer to the same subject).
In the grammar above, the ALPHA production contains characters that can be expressed in both upper and lower case. It is RECOMMENDED that the unique ID be exclusively upper- or lower-case when expressed or stored to facilitate ease of comparison.
Further, it is RECOMMENDED that scopes be expressed in lower case, since they are generally chosen independently of more “entrenched” decisions and are frequently, though not required to be, in the form of DNS domains.
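As an added example (not part of the profile or of the Switch edu-ID specification), the grammar and comparison rules above expressed as a validator and normalizer; the function names are my own, and the sample values are constructed:

```python
import re

# ABNF from the definition above, transcribed to regular expressions:
#   <uniqueID> = (ALPHA / DIGIT) 0*126(ALPHA / DIGIT / "=" / "-")
#   <scope>    = (ALPHA / DIGIT) 0*126(ALPHA / DIGIT / "-" / ".")
# Explicit ASCII ranges are used on purpose: \w would admit non-ASCII letters.
UNIQUE_ID_RE = r"[A-Za-z0-9][A-Za-z0-9=-]{0,126}"
SCOPE_RE = r"[A-Za-z0-9][A-Za-z0-9.-]{0,126}"
SUBJECT_ID_RE = re.compile(rf"({UNIQUE_ID_RE})@({SCOPE_RE})")


def parse_subject_id(value):
    """Split a subject-id into (unique_id, scope); raise ValueError if the
    value does not satisfy the grammar (length, first character, character
    set, exactly one '@')."""
    if not isinstance(value, str):
        raise ValueError("subject-id must be a string")
    match = SUBJECT_ID_RE.fullmatch(value)
    if match is None:
        raise ValueError(f"not a valid subject-id: {value!r}")
    return match.group(1), match.group(2)


def is_valid_subject_id(value):
    try:
        parse_subject_id(value)
    except ValueError:
        return False
    return True


def normalize_subject_id(value):
    """Canonical form for storage and lookup: validate, then lower-case both
    parts, since values differing only in case MUST denote the same subject.
    Key account records on this form, not on the value as received."""
    unique_id, scope = parse_subject_id(value)
    return f"{unique_id.lower()}@{scope.lower()}"


def same_subject(a, b):
    """Case-insensitive comparison required by the profile."""
    return normalize_subject_id(a) == normalize_subject_id(b)


if __name__ == "__main__":
    # Constructed sample values, not from any real deployment.
    for v in ["idm123456789@example.com", "IDM123456789@EXAMPLE.COM",
              "=bad@example.com", "ok@ex..ample", "user.name@example.com"]:
        print(f"{v!r:32} valid={is_valid_subject_id(v)}")
```

Note that "ok@ex..ample" is accepted: the grammar permits consecutive periods in the scope, so a relying party must not assume the scope is a resolvable DNS name.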

Important

  • In the Switch edu-ID federation, home organizations MUST provide the same value as for swissEduPersonUniqueID.


All attribute definitions in a single document: Switch edu-ID Attribute Specification