Pairwise subject ID   other
Name pairwise-id
Description This is a long-lived, non-reassignable, uni-directional identifier suitable for use as a unique external key specific to a particular relying party. Its value for a given subject depends upon the relying party to whom it is given, thus preventing unrelated systems from using it as a basis for correlation.
Vocabulary not applicable, no controlled vocabulary
References SAML-subject-id
OIDC n/a
OID n/a
URN urn:oasis:names:tc:SAML:attribute:pairwise-id
LDAP Syntax Directory String
# of values single
Example values
  • HATINBZGYZDOZBZMZRGKNZTME3TMNBXGYYTIOBYGMYWKNLFMYYDAYY=@example.edu

Definition

The value consists of two substrings (termed a unique ID and a scope in the remainder of this definition) separated by an @ symbol (ASCII 64) as an inline delimiter. The unique ID consists of 1 to 127 ASCII characters, each of which is either an alphanumeric ASCII character, an equals sign (ASCII 61), or a hyphen (ASCII 45). The first character MUST be alphanumeric.
The scope consists of 1 to 127 ASCII characters, each of which is either an alphanumeric ASCII character, a hyphen (ASCII 45), or a period (ASCII 46). The first character MUST be alphanumeric.
The scope deliberately resembles, and often is, a DNS domain name, but is drawn from a more limited character set due to case folding considerations, and no attempt is made to limit the allowable grammar to legal domain names (e.g., it allows consecutive periods).
The ABNF [RFC5234] grammar is therefore:

<value> = <uniqueID> "@" <scope>

<uniqueID> = (ALPHA / DIGIT) 0*126(ALPHA / DIGIT / "=" / "-")

<scope> = (ALPHA / DIGIT) 0*126(ALPHA / DIGIT / "-" / ".")

Value comparison MUST be performed case-insensitively (that is, values that differ only by case are the same, and MUST refer to the same subject).
In the grammar above, the ALPHA production contains characters that can be expressed in both upper and lower case. It is RECOMMENDED that the unique ID be exclusively upper- or lower-case when expressed or stored to facilitate ease of comparison.
Further, it is RECOMMENDED that scopes be expressed in lower case, since they are generally chosen independently of more “entrenched” decisions and are frequently, though not required to be, in the form of DNS domains.
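
The following is an added example, not part of the attribute specification: one way a relying party could validate a received pairwise-id against the grammar above and derive a canonical key for case-insensitive comparison. The names `parse_pairwise_id`, `canonical_key`, `same_subject` and `InvalidPairwiseId` are hypothetical, and lower case is chosen here as the canonical form.

```python
import re

# Grammar from the definition above, with explicit ASCII classes: \w and
# str.isalnum() would also accept non-ASCII letters and digits.
_UNIQUE_ID = r"[A-Za-z0-9][A-Za-z0-9=-]{0,126}"
_SCOPE = r"[A-Za-z0-9][A-Za-z0-9.-]{0,126}"
_VALUE = re.compile(rf"({_UNIQUE_ID})@({_SCOPE})")


class InvalidPairwiseId(ValueError):
    """Raised when a value does not match the pairwise-id grammar."""


def parse_pairwise_id(value: str) -> tuple[str, str]:
    """Validate a received value and return (unique_id, scope) in lower case."""
    if not isinstance(value, str):
        raise InvalidPairwiseId("pairwise-id must be a string")
    # fullmatch, not match with "$": "$" would tolerate a trailing newline.
    m = _VALUE.fullmatch(value)
    if m is None:
        raise InvalidPairwiseId("value does not match the pairwise-id grammar")
    # Validation came first, so lower() only ever folds ASCII letters here.
    return m.group(1).lower(), m.group(2).lower()


def canonical_key(value: str) -> str:
    """Canonical string to store or index as the external key."""
    unique_id, scope = parse_pairwise_id(value)
    return f"{unique_id}@{scope}"


def same_subject(a: str, b: str) -> bool:
    """Case-insensitive comparison; both values must pass validation."""
    return canonical_key(a) == canonical_key(b)


# Constructed sample inputs (SAMPLE is the example value from this page).
SAMPLE = "HATINBZGYZDOZBZMZRGKNZTME3TMNBXGYYTIOBYGMYWKNLFMYYDAYY=@example.edu"
REJECTED = [
    "=abc@example.edu",           # unique ID must start with an alphanumeric
    "abc@.example.edu",           # scope must start with an alphanumeric
    "abc@example.edu\n",          # trailing newline
    "a@b@example.edu",            # "@" is not in the scope character set
    "a" * 128 + "@example.edu",   # unique ID longer than 127 characters
    "\u212aey@example.edu",       # KELVIN SIGN, which lower-cases to ASCII "k"
]
```

Validating before case folding matters: a value containing a non-ASCII character that lower-cases to an ASCII letter is rejected rather than silently mapped onto another subject's key.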

Important


All attribute definitions in a single document: Switch edu-ID Attribute Specification