peter.schober at univie.ac.at
Thu Jun 11 23:16:00 UTC 2020
* Lohr, Donald <lohrda at jmu.edu> [2020-06-12 01:05]:
> Our students have a student #, our employees have a employee # both are
> differently sequenced. When the SP only supports one number in the
> assertion to match as the record key, we've chosen to source another
> sequenced unique # managed by IT that is added to each loginID we create in
> LDAP & AD. This IT # number is also made available to our student system
> and employee system for when we externally feed data to an SP. Using
> something like the eduPersonTargetedID, which is sourced from inside of our
> Shibboleth code, would not work because it would not be available to an
> external data feed.
Taking a step back, what you have at hand how simply is a unique
identifier for (hopefully) all or at least the major parts of your
constituency, no? So why not use the SAML SubjectID attribute (or its
predecessor eduPersonUniqueId) for communicating this on the wire?
Provided you're not making any use of any of these already (with other
attribute values, presumably).
Of course the software doesn't care either way. You give it a name to
call the attribute and you release it. ;)
So maybe this is more of a topic for the EDUCAUSE IAM mailing list?
More information about the users