About Pairwise-ID
Pairwise-ID has been defined in the SAML specification as a simpler replacement for TargetedID. It is still unique to the user in the same kind of way as TargetedID, but it is shorter than the long form of TargetedID and is designed to be passed as an attribute rather than as the NameID.
Full name: urn:oasis:names:tc:SAML:attribute:pairwise-id
OpenAthens IdPs created after November 2023 will release it by default, whilst older ones are advised to release it on a resource-by-resource basis when publishers add support, in case there are any problems maintaining personalisation.
If you link user personalisation to federated logins, you are probably doing so using TargetedID and you should expect to migrate those personalisations to Pairwise-ID where both are sent.
At the moment, TargetedID is marked as deprecated in the SAML specification rather than end of life, so you have some time to manage any migration, but there are already some IdPs in other federations that have stopped passing TargetedID.
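As an added example (not OpenAthens or Keystone code), one way an SP could move a stored personalisation from TargetedID to Pairwise-ID when both arrive in the same login. The profiles store, function names and sample values are hypothetical; the syntax check follows the uniqueID@scope form in the OASIS subject identifier profile.

```python
import re

PAIRWISE_ID = "urn:oasis:names:tc:SAML:attribute:pairwise-id"
# uniqueID@scope syntax as given in the OASIS subject identifier profile.
_SYNTAX = re.compile(r"[a-z0-9][a-z0-9=-]{0,126}@[a-z0-9][a-z0-9.-]{0,126}")


def pairwise_value(attributes):
    """Return the normalised Pairwise-ID, or None if absent or unusable."""
    values = attributes.get(PAIRWISE_ID, [])
    if len(values) != 1:  # absent or multi-valued: do not guess
        return None
    value = values[0].strip().lower()  # the profile compares case-insensitively
    return value if _SYNTAX.fullmatch(value) else None


def resolve_profile(profiles, targeted_id, attributes):
    """Return (key, record) for this login, re-keying a legacy record once.

    profiles:    hypothetical store, identifier -> personalisation record
    targeted_id: TargetedID as the SP receives it today (e.g. the NameID)
    attributes:  decoded attribute statement, name -> list of values
    """
    pairwise = pairwise_value(attributes)
    if pairwise is None:
        # IdP is not sending a usable Pairwise-ID: keep using TargetedID.
        if not targeted_id:
            raise ValueError("login carries no usable identifier")
        return targeted_id, profiles.setdefault(targeted_id, {})
    if pairwise in profiles:
        # Already migrated: never overwrite an existing record.
        return pairwise, profiles[pairwise]
    # Both identifiers sent in the same login: move the record across.
    profiles[pairwise] = profiles.pop(targeted_id, {})
    return pairwise, profiles[pairwise]


# Constructed sample data, not real identifiers.
SAMPLE_PROFILES = {"legacy-opaque-value": {"saved_searches": ["saml"]}}
SAMPLE_ATTRIBUTES = {PAIRWISE_ID: ["ABC123=@idp.example.org"]}

if __name__ == "__main__":
    store = dict(SAMPLE_PROFILES)
    print(resolve_profile(store, "legacy-opaque-value", SAMPLE_ATTRIBUTES))
```

Because the record is only moved when the TargetedID and the Pairwise-ID arrive in the same login, the link between the two values comes from the IdP rather than from anything the user supplies.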
For Keystone
Keystone already supports Pairwise-ID and, if you have the Common EduPerson ruleset turned on, will already pass it to your systems as Pairwise-ID for any IdPs already sending it.
For external apps such as Shibboleth
If it is sent as an attribute, it should just show up in the decoded attribute statement, but you should check the relevant documentation for your SP to be sure.
Upgrading to Keystone is not necessary but is always an option.
How to test it with an OpenAthens account
If you want to see how it will appear to you when IdPs are passing it, you can set this up in the account admin area (https://admin.openathens.net) and use an OpenAthens account. You will need your administrator username and password, and the owner role. Our service desk will be happy to help.
Go to the preferences menu and select attribute release
Click edit on your global policy
Click the Pairwise-ID pill so that it displays a tick and turns green
Click done and save
This will leave TargetedID as the NameID and start including Pairwise-ID as an attribute for your test accounts.