voperson / voperson

voPerson Object Class and Recommendations
https://voperson.org/

The OIDC sub claim is omitted from the list #21

Open trscavo opened 6 years ago

trscavo commented 6 years ago

In the section entitled "eduPerson and SAML Considerations," the OpenID Connect 'sub' claim is omitted from the identifier list. Is this intentional? If so, why? If not, can you add it?

Some commentary follows:

As you know, there are two types of OIDC Subject Identifiers: public and pairwise. However, these are indistinguishable on the wire, and moreover, it is ultimately up to the OP to decide which one to assert to any given client.

Given that neither the SAML protocol nor the OIDC protocol can guarantee the identifier type (public or pairwise), I don't understand why that property is used to order the identifiers. It seems the only properties that matter are: long-lived and non-reassigned.

jbasney commented 6 years ago

I think the "eduPerson and SAML Considerations" is about the situation where a relying party can receive a complex bundle of identifiers in a SAML assertion, so which one should be put in voPersonExternalID to be used for identity matching? Since OIDC just has a single sub claim, I'm not sure it has the same challenge, though we could add a separate "OIDC Considerations" section talking about, for example, the need to store both the sub and iss claims. Probably something to address if/when we generalize beyond eduPerson and SAML (#16).
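Added illustration for the point above about storing both `sub` and `iss` (not voPerson code; the `(iss, sub)` key, the registry shape and the sample claims are constructed): a `sub` value is unique only within the OP that minted it, so a relying party that matches on `sub` alone can merge unrelated people from different issuers.

```python
# Added example for this issue thread; not voPerson code.  The registry
# shape, the (iss, sub) key and the sample claims below are constructed.
from collections import defaultdict

def identity_key(claims: dict) -> tuple:
    """Return the issuer-qualified key (iss, sub) for an OIDC ID token.

    `sub` is unique only within the issuer that minted it, so matching on
    `sub` alone can merge unrelated people from different OPs.  Both claims
    are compared as exact strings: OIDC Core requires `iss` to match the
    provider's Issuer Identifier exactly, so no case folding or slash trimming."""
    missing = [c for c in ("iss", "sub")
               if not isinstance(claims.get(c), str) or not claims[c]]
    if missing:
        raise ValueError(f"ID token missing required claim(s): {missing}")
    return (claims["iss"], claims["sub"])

class Registry:
    """Links issuer-qualified identifiers to local person records."""
    def __init__(self):
        self._by_key = {}          # (iss, sub) -> local person id

    def link(self, claims: dict, local_id: str) -> None:
        self._by_key[identity_key(claims)] = local_id

    def match(self, claims: dict):
        """Identity matching: exact (iss, sub) lookup, None if unknown."""
        return self._by_key.get(identity_key(claims))

    def sub_only_collisions(self) -> dict:
        """Show what keying on `sub` alone would do: map each sub value that
        appears under more than one issuer to the set of people it would merge."""
        seen = defaultdict(set)
        for (_iss, sub), local_id in self._by_key.items():
            seen[sub].add(local_id)
        return {sub: ids for sub, ids in seen.items() if len(ids) > 1}

# Constructed sample: two OPs that both happen to issue sub "248289761001"
SAMPLE_TOKENS = [
    ({"iss": "https://op-a.example", "sub": "248289761001"}, "alice"),
    ({"iss": "https://op-b.example", "sub": "248289761001"}, "bob"),
    ({"iss": "https://op-b.example", "sub": "7f3c9a"}, "carol"),
]

def demo() -> Registry:
    reg = Registry()
    for claims, local_id in SAMPLE_TOKENS:
        reg.link(claims, local_id)
    return reg

if __name__ == "__main__":
    reg = demo()
    print(reg.match({"iss": "https://op-b.example", "sub": "248289761001"}))  # bob
    print(reg.sub_only_collisions())  # {'248289761001': {'alice', 'bob'}}
```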