edugain-discuss - Re: [eduGAIN-discuss] ESI attributes best-practice question

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

  • From: Peter Schober <peter.schober AT univie.ac.at>
  • To: edugain-discuss AT lists.geant.org
  • Subject: Re: [eduGAIN-discuss] ESI attributes best-practice question
  • Date: Fri, 29 Oct 2021 12:19:16 +0200
  • Organization: ACOnet

Valeriu,

* Valeriu Vraciu <valeriu AT roedu.net> [2021-10-29 09:44]:
> Particularly, the construction of European Student Identifier (ESI) as it is
> suggested at [1] is in debate, the second form seems to be suitable
> (urn:schac:personalUniqueCode:int:esi:<sHO>:<code>), but we are seeking for
> information about what other federations recommended to their constituency,
> mainly regarding what to use for <code> part in above form, or/and if there
> are any country-level regulations dealing with this so uniqueness is somehow
> guaranteed if the other form
> (urn:schac:personalUniqueCode:int:esi:<country-code>:<code>) is used.

In Austria we have nationally unique matriculation numbers[1] from a
namespace managed by the Federal Ministry of Education, Science and
Research. This was the obvious choice for the construction of ESIs of
the form <country-code>:<code>.

But not all Austrian institutions that need to produce ESIs are
receiving these matriculation numbers from the ministry (so they can't
be re-issuing those to students) and those have to use the <sHO>:<code>
form.

I.e., our institutions can't all use the same value scheme.
We created a local "profile" of the ESI specification (in German only):
https://wiki.univie.ac.at/display/federation/European+Student+Identifier
That just says "If you have matriculation numbers from the federation
ministry use them for construction of the ESI. (Only) If you don't,
use <sHO>:<code> with anything locally available as <code>."

(That profile initially included a third option based on another
nationally unique identifier[3] that institutions are increasingly
also provisioning into their IDM systems. But there was sufficient
resistance from the deployer community to even mention/"allow" this as
a possibility -- even if values were additionally hashed -- that we
removed this option from our local "profile"/guidance document. YMMV.)

Of course institutions are only formally bound by the actual ESI
specification, not by our local profile thereof, but it helps us to
provide support[2] (including instructions for configuring the
Shibboleth IDP software to produce ESIs) and it helps the local
community to have simple rules that everyone can follow.

HTH,
-peter

[1] These never change for a given person and every person should only
ever get one assigned. Though sometimes errors are being made,
e.g. by a person being assigned (a second) one by mistake when
s*he already has (another, earlier). Then "fixing" the mistake
later leads to an effective change.
[2] E.g. as part of our IDP configuration documentation:
https://wiki.univie.ac.at/display/federation/IDP+4+Attribute+resolution#IDP4Attributeresolution-EuropeanStudentIdentifier
https://wiki.univie.ac.at/display/federation/Erasmus
[3] The so-called "Sector-Specific Personal Identifier", which is
"targeted" and differs per defined "sector" (not per SP, as we
know from e.g. SAML PairwiseID or SAML 2.0 Persistent NameIDs):
https://en.wikipedia.org/wiki/National_identification_number#Austria
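
The selection rule from the local profile described in the message above, as an added example that is not part of the original post or of the ACOnet documentation: it builds an ESI in the <country-code>:<code> form when a national number is available and falls back to <sHO>:<code> otherwise, and it lets a receiver tell the two forms apart. The function names, the regular expressions (two-letter country code, DNS-style sHO, no ":" or whitespace in <code>) and the sample values are assumptions made for this illustration.

```python
import re

ESI_PREFIX = "urn:schac:personalUniqueCode:int:esi:"
# Assumption: <country-code> is two letters (ISO 3166-1 alpha-2).
COUNTRY_RE = re.compile(r"[A-Za-z]{2}")
# Assumption: <sHO> is a DNS-style schacHomeOrganization (always has a dot),
# so it can never be confused with a country code.
SHO_RE = re.compile(r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}")
# Assumption: <code> is non-empty and has no ':' or whitespace, so the
# value splits unambiguously into scope and code.
CODE_RE = re.compile(r"[^\s:]+")


def build_esi(sho, local_code, country=None, national_code=None):
    """National number if the institution has one, else <sHO>:<code>."""
    if national_code:
        scope, code, scope_re = country, national_code, COUNTRY_RE
    else:
        scope, code, scope_re = sho, local_code, SHO_RE
    if not scope or not scope_re.fullmatch(scope):
        raise ValueError(f"invalid scope: {scope!r}")
    if not code or not CODE_RE.fullmatch(code):
        raise ValueError(f"invalid code: {code!r}")
    return f"{ESI_PREFIX}{scope}:{code}"


def parse_esi(value):
    """Return (kind, scope, code), kind being 'country' or 'sho'."""
    if not value.startswith(ESI_PREFIX):
        raise ValueError("not an ESI")
    scope, sep, code = value[len(ESI_PREFIX):].partition(":")
    if not sep or not CODE_RE.fullmatch(code):
        raise ValueError("missing or malformed <code>")
    if COUNTRY_RE.fullmatch(scope):
        return ("country", scope, code)
    if SHO_RE.fullmatch(scope):
        return ("sho", scope, code)
    raise ValueError(f"scope is neither country code nor sHO: {scope!r}")


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    print(build_esi("uni.example.ac.at", "s4711", "AT", "01234567"))
    print(build_esi("college.example.at", "s4711"))
```
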


