Pairwise-ID has been defined in the SAML specification as a replacement for, and simplification of, TargetedID. It is still unique to the user and resource in the same way as TargetedID, but it is shorter and is designed to be passed as an attribute rather than as the NameID. Resources should be updating to support it, but it may take some time before they all do.
OpenAthens now supports this new attribute and you can find it in your release policies.
For customers who joined us after November 2023, it is turned on in the global release policy, but for customers who joined earlier we're mindful of a potential problem with this kind of ID migration.
Ideally, when resources see both TargetedID and Pairwise-ID they will copy any personalisation linked to the old one to the new one, but if anything goes wrong with that, end users could lose things like their bookshelves or other preferences.
At this time, our advice for existing customers is to release it to resources on a case-by-case basis when they announce support and migration.
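The migration risk described above, seen from the resource's side, as an added example that is not OpenAthens' or any resource's own code: an account is only carried over if the resource sees both identifiers together at least once. The store, the attribute key names and the sample values are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class AccountStore:
    """Constructed in-memory stand-in for a resource's user database."""
    by_targeted: dict = field(default_factory=dict)  # TargetedID -> account
    by_pairwise: dict = field(default_factory=dict)  # Pairwise-ID -> account
    shelves: dict = field(default_factory=dict)      # account -> saved items

    def create(self):
        acct = f"acct-{len(self.shelves) + 1}"
        self.shelves[acct] = []
        return acct

def resolve_account(store, attrs):
    """Map one login's released attributes to (account, outcome)."""
    targeted = attrs.get("targeted_id")  # hypothetical key names
    pairwise = attrs.get("pairwise_id")
    if not targeted and not pairwise:
        raise ValueError("no user identifier released")
    if pairwise in store.by_pairwise:
        return store.by_pairwise[pairwise], "known"
    if targeted in store.by_targeted:
        acct = store.by_targeted[targeted]
        if pairwise:
            # Both IDs seen together: link the new ID to the old account.
            store.by_pairwise[pairwise] = acct
            return acct, "migrated"
        return acct, "legacy"
    # No link exists: the user gets a fresh, empty account.
    acct = store.create()
    if targeted:
        store.by_targeted[targeted] = acct
    if pairwise:
        store.by_pairwise[pairwise] = acct
    return acct, "new"

def seeded_store():
    """Constructed sample: one user with a bookshelf keyed by TargetedID."""
    store = AccountStore()
    acct = store.create()
    store.by_targeted["old-targeted-value"] = acct
    store.shelves[acct].append("Saved article")
    return store

if __name__ == "__main__":
    s = seeded_store()
    both = {"targeted_id": "old-targeted-value", "pairwise_id": "abc123@example.org"}
    print(resolve_account(s, both))                                   # linked to old account
    print(resolve_account(s, {"pairwise_id": "abc123@example.org"}))  # still the old account
    print(resolve_account(seeded_store(), {"pairwise_id": "abc123@example.org"}))  # never linked
```

The last call shows the failure case: a resource that receives only Pairwise-ID without ever having seen it alongside TargetedID creates an empty account, which is why release is advised only once the resource has announced migration support.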
How do I release it to a specific resource?
Clicking the add button at the top of the release policy page (Preferences > Attribute release) allows you to select a resource and then set a policy that releases additional attributes to that resource.
To add a resource, click the add button and start typing its name - the system will provide a short list to choose from that will get shorter as you continue to type. Once selected the resource will appear in edit mode in the list below the global policy; it will appear in its alphabetical position and you may have to scroll down.
Find Pairwise-ID in the list of pills and click it to show a tick and turn it green. Click Done, repeat for any other resources you want to change, and then save changes.
Remember that the attributes released in a resource policy are in addition to those released by the global policy - they cannot restrict an attribute released via the global policy.
How do I release it as NameID?
It's possible that the way a resource's SAML login works might need the user identifier to be sent as NameID instead of an attribute. If this comes up, first set up release of the attribute to the resource as above, and then click the advanced button below the pills. This will let you set the SAML NameID format and attribute.
For NameID format select persistent
For NameID attribute select Pairwise-ID
Then click Done and Save.