eduPersonTargetedID
eduPersonTargetedID is a persistent, non-reassigned, privacy-preserving identifier designed to provide a service provider with a unique identifier for a logged-in person while preserving the person's privacy.
Unlike other commonly used person identifiers, each service provider receives a separate eduPersonTargetedID for the same person. In other words, each eduPersonTargetedID is unique per person per service provider. This practice prevents service providers from using this value to compare and correlate user data from multiple data sources, hence preserving the user's privacy.
Usage in Shibboleth
eduPersonTargetedID is expressed as a SAML Attribute Assertion attribute with a parameter name of "urn:mace:dir:attribute-def:eduPersonTargetedID".
The Shibboleth Service Provider by default maps this to the HTTP header field SHIBTARGETEDID.
You can override the SAML to HTTP header mapping in the Service Provider by modifying the aap.xml file on your server.
Remark
At UCLA, eduPersonTargetedID is a calculated value generated on the fly within the Shibboleth Identity Provider. UCLA's Identity Provider generates a different eduPersonTargetedID for each service provider per user.
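An added sketch of how an Identity Provider can compute such a per-service-provider value on the fly; it is not UCLA's or Shibboleth's own code. It assumes an HMAC-SHA256 construction keyed with a secret held only by the IdP, and the secret, entityIDs and user names are constructed sample values.

```python
import base64
import hashlib
import hmac

# Constructed sample values; none of these come from UCLA's deployment.
IDP_SECRET = b"constructed-demo-salt-keep-private-on-the-idp"
SP_A = "https://sp-a.example.org/shibboleth"
SP_B = "https://sp-b.example.org/shibboleth"


def targeted_id(secret: bytes, sp_entity_id: str, local_user_id: str) -> str:
    """Derive a pairwise identifier for (user, service provider).

    Assumption: HMAC-SHA256 keyed with an IdP-only secret. Fields are
    length-prefixed so ("ab", "c") and ("a", "bc") cannot collide.
    """
    if not secret or not sp_entity_id or not local_user_id:
        raise ValueError("secret, SP entityID and user id are all required")
    msg = b""
    for field in (sp_entity_id, local_user_id):
        raw = field.encode("utf-8")
        msg += len(raw).to_bytes(4, "big") + raw
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # URL-safe base64 without padding keeps the value header-friendly.
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def demo() -> dict:
    return {
        "alice@A": targeted_id(IDP_SECRET, SP_A, "alice"),
        "alice@A_again": targeted_id(IDP_SECRET, SP_A, "alice"),  # persistent
        "alice@B": targeted_id(IDP_SECRET, SP_B, "alice"),  # not linkable to A
        "bob@A": targeted_id(IDP_SECRET, SP_A, "bob"),  # unique per person
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:14} {value}")
```

Because the value depends on the secret and the local user id, changing either one changes every identifier the service providers have stored, so both must stay stable for the identifier to remain persistent.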
Release Policy
eduPersonTargetedID is released to all service providers by default.
See Also
The Official eduPerson Object Class Definition
Usage
This is how the attribute is used in the attribute-map.xml file. For more information about mapping the attribute, please visit the Shibboleth wiki.
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="SHIBEDUPERSONTARGETEDID">
    <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$Name"/>
</Attribute>