Unique ID   core
Name swissEduPersonUniqueID
Description A unique, long-lived, never reassigned, opaque identifier for a person, mainly for inter-institutional user identification on personalized services
Vocabulary not applicable, no controlled vocabulary
References none
OIDC Claim: swissEduPersonUniqueID
Type: string
Scope: https://login.eduid.ch/authz/User.Read
OID 2.16.756.1.2.5.1.1.1
LDAP Syntax Directory String
# of values single
Example values
  • 845938727494@ethz.ch
  • 288aac23dbf9e1460c86b1a5a04c6afb75f724ce@uzh.ch

Definition

This identifier represents a specific principal in a specific identity system. Values of this attribute MUST be assigned in such a manner that no two values created by distinct identity systems could collide. This identifier is permanent, to the extent that the principal is represented in the issuing identity system. Once assigned, it MUST NOT be reassigned to another principal.

This identifier is scoped and of the form uniqueID@scope.

scope (domain part)

It is equivalent to the registered Internet domain the home organization uses, i.e. the same value as the content of the attribute swissEduPersonHomeOrganization.

uniqueID (local part)

It is an ID uniquely allocated by the home organization for a user they correctly authenticated according to the local authentication policy.

  • The uniqueID portion MUST be unique within the context of the issuing identity system (no reassignment to another principal).

  • It MUST contain only alphanumeric characters (a-z, A-Z, 0-9).
    Due to the caseIgnoreMatch matching rule from the LDAP schema one SHOULD only use uppercase OR lowercase characters to avoid potential clashes.

  • The length of the uniqueID portion MUST be less than or equal to 64 characters.

  • The uniqueID portion SHOULD be opaque, i.e. it should not provide any hint about the user, unlike e.g. the local part of an email address usually does.

Deprecated former definition of uniqueID part

Deprecated in March 2017 (PDF document version 1.6) in favor of a definition aligned with the eduPersonUniqueId attribute:
The uniqueID part can contain any characters which can be part of the local part of an e-mail address according to [RFC5322], namely: -._%.

Notes

  • One SHOULD NOT expose the Unique ID to end users; especially one SHOULD NOT require a user to provide the Unique ID manually!

  • The uniqueID part MAY be a Base32 RFC4648 hash value based on unique information about the user.

  • The minimum length of the local part SHOULD be 6 and the maximum length of the whole value SHOULD be 255 characters.
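The note that the uniqueID part MAY be a Base32 hash leaves open how to produce one that also satisfies the alphanumeric and never-reassigned requirements. The following is an added example, not code from Switch or the edu-ID project: it derives the local part with an HMAC keyed by an organization-wide secret (a keyed hash is this example's choice; the page only says "hash value"), encodes it with RFC 4648 Base32, strips the "=" padding that would otherwise violate the alphanumeric rule, and lowercases the result so only one case is ever used. The internal key it hashes is assumed to be an immutable account identifier that the home organization never reuses for another person; hashing a username or e-mail address that can be recycled would break the never-reassigned guarantee.

```python
import base64
import hashlib
import hmac

LOCAL_MIN_LEN = 6
LOCAL_MAX_LEN = 64


def raw_base32_digest(internal_id: str, org_secret: bytes) -> str:
    """Base32 of HMAC-SHA256(org_secret, internal_id), padding still attached."""
    digest = hmac.new(org_secret, internal_id.encode("utf-8"), hashlib.sha256).digest()
    return base64.b32encode(digest).decode("ascii")


def opaque_local_part(internal_id: str, org_secret: bytes) -> str:
    """Derive an opaque uniqueID part that obeys the alphanumeric rule.

    A 32-byte digest encodes to 52 Base32 characters plus four '=' padding
    characters; the padding is not alphanumeric and must be removed. The
    result is lowercased so that only one case is used (caseIgnoreMatch).
    """
    return raw_base32_digest(internal_id, org_secret).rstrip("=").lower()


def is_valid_local_part(local: str) -> bool:
    """Alphanumeric, 6..64 characters, single case: the rules from this page."""
    single_case = local == local.lower() or local == local.upper()
    return local.isalnum() and LOCAL_MIN_LEN <= len(local) <= LOCAL_MAX_LEN and single_case


def build_unique_id(internal_id: str, org_secret: bytes, scope: str) -> str:
    """Assemble the scoped value uniqueID@scope from an internal account key."""
    return f"{opaque_local_part(internal_id, org_secret)}@{scope}"


if __name__ == "__main__":
    # Constructed values: a placeholder organization secret and two internal account keys.
    secret = b"example-org-secret-replace-with-real-key-material"
    for account in ("account-000001", "account-000002"):
        print(build_unique_id(account, secret, "example.ch"))
    print("padded form would be rejected:",
          not is_valid_local_part(raw_base32_digest("account-000001", secret)))
```

The derived value is stable for the same account and secret, differs between accounts, and reveals nothing about the person, which is what the opaqueness note asks for. Rotating the organization secret would change every issued value, so the secret has to be treated as long-lived as the identifiers themselves.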


All attribute definitions in a single document: Switch edu-ID Attribute Specification