SAML2NameID deprecated (and therefore eduPersonTargetedId?)

Matthew Slowe matthew.slowe at
Tue Nov 15 16:09:30 UTC 2022

Hello list,

I've been sat on this question for a long time and never got around to 
asking it but with IdP v5 around the corner, I thought I'd better get in 
quick before I miss the opportunity.

Since the early days of IdP v4 (not sure exactly when) this deprecation 
warning has been littering the logs:

2022-11-14 14:10:13,044 - - WARN [DEPRECATED:125] - xsi:type 
'SAML2NameID', (file [/opt/idp4/conf/attribute-resolver.xml]): This will 
be removed in the next major version of this software; replacement is (none)

This is related to the presence of an AttributeDefinition that is really 
common in the UK Federation (and possibly others!) for defining 
eduPersonTargetedId - usually something like:

<AttributeDefinition id="eduPersonTargetedID" xsi:type="SAML2NameID" 
     <InputDataConnector attributeNames="computedId" ref="computed"/>
     <AttributeEncoder xsi:type="SAML1XMLObject" 
     <AttributeEncoder xsi:type="SAML2XMLObject" 

I'm aware there is a replacement for this in the form of pairwise-id but 
in the meantime and given the number of SPs expecting eptid, when IdP 
v5 comes out, will this functionality _actually_ be removed and 
therefore will Shib IdP 5 deployments stop being able to emit a SAML 2 

Matthew Slowe [he/him] (GPG: 0x6BE0CF7D04600314)
Senior Technical Consultant and Support specialist, Jisc
Team: 01235 822185
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
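
The following is an added example, not part of the original post and not Shibboleth project code: a small pre-upgrade audit that tallies DEPRECATED warnings in the format quoted above and lists the ones whose replacement is "(none)". The sample log is constructed around the one line quoted in the post; 'ExampleOldType', 'ExampleNewType', the INFO line and example.xml are hypothetical.

```python
import re
from collections import defaultdict

# Matches the warning format quoted in the post; the "(file [...])" part is
# treated as optional (an assumption; the post shows only one warning).
DEPRECATED_RE = re.compile(
    r"WARN \[DEPRECATED:\d+\] - (?P<kind>\S+) '(?P<name>[^']+)'"
    r"(?:, \(file \[(?P<file>[^\]]+)\]\))?"
    r".*?replacement is (?P<replacement>.+)$"
)

def unwrap(lines):
    """Rejoin records wrapped across lines: a new record starts with a date."""
    record = ""
    for line in lines:
        if re.match(r"\d{4}-\d{2}-\d{2} ", line) and record:
            yield record
            record = ""
        record = (record + " " + line.strip()).strip()
    if record:
        yield record

def summarize(lines):
    """Map (kind, name, file, replacement) -> number of occurrences."""
    counts = defaultdict(int)
    for record in unwrap(lines):
        m = DEPRECATED_RE.search(record)
        if m:
            key = (m["kind"], m["name"], m["file"], m["replacement"].strip())
            counts[key] += 1
    return dict(counts)

def without_replacement(summary):
    """Deprecated items with no named replacement: these need a migration plan."""
    return sorted(k[:3] for k in summary if k[3] == "(none)")

# Constructed sample: the first record is the line from the post (wrapped as
# in the e-mail); the other records are invented for illustration.
SAMPLE_LOG = """\
2022-11-14 14:10:13,044 - - WARN [DEPRECATED:125] - xsi:type
'SAML2NameID', (file [/opt/idp4/conf/attribute-resolver.xml]): This will
be removed in the next major version of this software; replacement is (none)
2022-11-14 14:10:14,100 - - INFO [example.Constructed:1] - constructed non-warning line
2022-11-15 09:00:00,000 - - WARN [DEPRECATED:125] - xsi:type 'SAML2NameID', (file [/opt/idp4/conf/attribute-resolver.xml]): This will be removed in the next major version of this software; replacement is (none)
2022-11-15 09:00:01,000 - - WARN [DEPRECATED:125] - xsi:type 'ExampleOldType', (file [/opt/idp4/conf/example.xml]): This will be removed in the next major version of this software; replacement is ExampleNewType
"""

if __name__ == "__main__":
    for item in without_replacement(summarize(SAMPLE_LOG.splitlines())):
        print("no replacement:", item)
```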
