EPPN and eduPersonTargetedID

Tom Scavo trscavo at gmail.com
Tue Sep 2 16:29:20 EDT 2014

(I'll keep my responses brief since this is mostly off-topic. Ken, you
can contact me offline for more info.)

On Tue, Sep 2, 2014 at 3:12 PM, Ken Weiss <ken.weiss at ucop.edu> wrote:
> 1) Tom Scavo said, "To protect ourselves against reassignment (which is
> important in our case), we bind the ePPN to the user's mobile device." I
> assume by 'mobile device' you mean a single-use password token, like a
> SecurID? You're not talking about a phone, are you?

Yes, Duo Mobile (which is a native app) running on a smartphone.

> And, since you are concerned about reassignment

All but the simplest apps should be concerned about reassignment ;-)

> I assume you must be using EPPN as a key for something.

Not sure how to answer that...ePPN is a globally unique identifier for
a federated user, so we bind ePPN to a local identity, and then bind
it again to the user's mobile device.

> What do you do when an individual's EPPN changes? Do you
> consider them a new user?

Yes. If and when the ePPN is reassigned, MFA is broken, so the user
can't log in anymore. At that point, the user starts from scratch.

> Do you make any effort to re-associate them with
> data stored under their previous EPPN?

Nothing is lost if the user has to start from scratch (except some of
the user's time).

> If so, how do you connect the old identity to the new one?

There is only one local identity. Today it is bound to this ePPN,
tomorrow it's bound to some other ePPN. Nothing is lost.

Our app is more like a typical vendor SaaS app. The customer tells the
vendor who gets access to the app. It's up to the vendor to make sure
only those users get access, nobody else.

Hope this helps,
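The binding model described in this reply (one local identity, bound to an ePPN and to an enrolled MFA device, so that an ePPN reassigned by the IdP cannot inherit the account) as an added Python sketch; this is illustrative code, not code from the author or from any real deployment, and the identifiers, device ids and the `rebind` re-enrollment step are assumptions:

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class LocalIdentity:
    """One local account; its ePPN and MFA-device bindings may change over time."""
    local_id: str
    eppn: str                    # federated identifier currently bound to this account
    device_id: Optional[str]     # enrolled MFA device (stands in for a Duo Mobile registration)
    data: dict = field(default_factory=dict)

class RelyingParty:
    def __init__(self) -> None:
        self.by_eppn: Dict[str, LocalIdentity] = {}
        self.by_local: Dict[str, LocalIdentity] = {}

    def provision(self, local_id: str, eppn: str) -> LocalIdentity:
        """Customer tells the vendor who gets access: create the local identity, bind its ePPN."""
        ident = LocalIdentity(local_id, eppn, None)
        self.by_eppn[eppn] = ident
        self.by_local[local_id] = ident
        return ident

    def enroll_device(self, eppn: str, device_id: str) -> None:
        self.by_eppn[eppn].device_id = device_id   # second binding: ePPN -> user's device

    def login(self, eppn: str, device_id: str) -> Optional[LocalIdentity]:
        ident = self.by_eppn.get(eppn)
        if ident is None or ident.device_id != device_id:
            return None   # unknown ePPN, or ePPN presented without the enrolled device: MFA fails
        return ident

    def rebind(self, local_id: str, new_eppn: str) -> LocalIdentity:
        """Start from scratch: same local identity, new ePPN, device must re-enroll; data stays."""
        ident = self.by_local[local_id]
        del self.by_eppn[ident.eppn]
        ident.eppn, ident.device_id = new_eppn, None
        self.by_eppn[new_eppn] = ident
        return ident

def reassignment_scenario() -> tuple:
    """Constructed scenario: the IdP reassigns jdoe@example.edu to a different person."""
    rp = RelyingParty()
    rp.provision("local-42", "jdoe@example.edu")
    rp.enroll_device("jdoe@example.edu", "device-A")
    rp.login("jdoe@example.edu", "device-A").data["notes"] = "kept"
    inherited = rp.login("jdoe@example.edu", "device-B")     # new holder, different device
    rp.rebind("local-42", "jdoe2@example.edu")               # original user gets a new ePPN
    rp.enroll_device("jdoe2@example.edu", "device-A")
    back = rp.login("jdoe2@example.edu", "device-A")
    return inherited is None, back is not None and back.data["notes"] == "kept"
```

The first result shows the reassigned ePPN does not inherit the account (MFA is broken, so the login fails); the second shows the original local identity and its data survive the switch to a new ePPN.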
