Service Providers are strongly encouraged to support all of the specified alternatives for the shared user identifier and person name attributes described in Section 5 to maximize interoperability. Failure to do so will result in problems even when working exclusively with Identity Providers that claim support for the category.
In the case of the
eduPersonTargetedID attribute, this recommendation includes the ability to support SAML 2.0's "persistent" Name Identifier format, which is the recommended modern expression of the
eduPersonTargetedID attribute in SAML 2.0.
Pursuant to the requirements in Section 7, Service Providers can rely on the non-reassignment of
eduPersonPrincipalName values being provided that the asserting Identity Provider exhibits the R&S entity attribute in its metadata AND no accompanying
eduPersonTargetedID attribute is recieved.
Alternatively, Service Providers can obtain a non-reassigned shared user identifier by combining (e.g., concatenating) the
eduPersonTargetedID values. If a given combination of the two values ever changes, Service Providers can assume that the
eduPersonPrincipalName has been reassigned and now represents a different subject.
A Service Provider that conforms to R&S would exhibit the following entity attribute in SAML metadata: