Email discussion lists for the UK Education and Research communities

MOONSHOT-DEV Archives

MOONSHOT-DEV@JISCMAIL.AC.UK


Subject: Re: Are Moonshot.*Targeted.*ID being used?
From: Alejandro Pérez Méndez <[log in to unmask]>
Date: Wed, 10 Feb 2016 13:13:10 +0100

In the last email from Rhys about these identifiers that I've been able 
to find, they are defined as:

1) AAA attribute of moonshot-service-targetedid.
* A persistent identifier per user, per service
* Value a hash of Gss-Acceptor-Service-Name, NAI, salt.
* Representation: [log in to unmask] [log in to unmask]

2) AAA attribute of moonshot-realm-targetedid.
* A persistent identifier per user, common across all services within a particular RP realm
* Value a hash of Gss-Acceptor-Realm-Name, NAI, salt.
* Representation: [log in to unmask] [log in to unmask]

3) AAA attribute of moonshot-tr-coi-targetedid.
* A persistent identifier per user, common across all services within a particular COI.
* Value a hash of CoI-Identifier, NAI, salt.
* Represented as [log in to unmask] [log in to unmask]


Although, for option 1, it seems that the value of Gss-Acceptor-Service-Name 
might not be unique if Gss-Acceptor-Host-Name is not concatenated. 
For instance, when using mod_auth_gssapi, Gss-Acceptor-Service-Name 
would be just "HTTP", shared amongst every Moonshot-enabled HTTP server.

If I'm right, then I guess 1) should actually be something like:

* Value a hash of Gss-Acceptor-Service-Name, Gss-Acceptor-Host-Name, NAI, salt.

Regards,
Alejandro



On 09/02/16 at 19:28, Sam Hartman wrote:
>>>>>> "Alejandro" == Alejandro Pérez Méndez <[log in to unmask]> writes:
>      Alejandro> On 09/02/16 at 16:13, Sam Hartman wrote:
>      >>>>>>> "Alejandro" == Alejandro Pérez Méndez <[log in to unmask]> writes:
>      >>> If not, they should be done on the IdP and then released. It is
>      >>> then up to the Moonshot RP Proxy to do something with them.
>      Alejandro> Since they are representing the end user's identity, I
>      Alejandro> was expecting that it would be somehow the identifier
>      Alejandro> passed to the Application, instead of the useless
>      Alejandro> "@realm" anonymous identifier.  E.g. if scoped ID is found
>      Alejandro> by the mech_eap, use that as the name exported by the
>      Alejandro> GSS-API layer, overriding the value of the User-Name
>      Alejandro> attribute. In this way, legacy GSS-API applications that
>      Alejandro> do not ask for additional naming attributes might work
>      Alejandro> with these pseudonyms in a transparent way.  Nonetheless,
>      Alejandro> updated applications might scan for the presence of these
>      Alejandro> identifiers and use them. But, as said, they need to know
>      Alejandro> they are being used.  Regards, Alejandro
>      >>
>      >> I don't think it would be a great idea for mech_eap to do this by
>      >> default.  Those IDs are I think fairly scoped to the
>      >> education/research community and mech_eap tries to be broader.
>      >> If I were deploying, I'd do what Stefan says and remap to
>      >> username in the RP proxy if that's what my application needed.
>
>      Alejandro> That's doable, right.
>
> Yes.  If an RP proxy sends back a username in the reply, that will be
> used.
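
The per-service identifier collision raised in the message above, as an added example that is not part of the original email or of the Moonshot code: it derives the service-targeted ID from the listed inputs with and without Gss-Acceptor-Host-Name and compares two HTTP acceptors. SHA-256, the length-prefixed field encoding, the salt, the NAI and the host and realm names are all assumptions constructed for illustration; the thread only says "a hash of" the listed values.

```python
import hashlib

# Constructed sample values (assumptions, not taken from the thread).
SALT = b"constructed-idp-salt"
NAI = "alice@idp.example"
ACCEPTORS = [
    {"service": "HTTP", "host": "wiki.rp-one.example", "realm": "rp-one.example"},
    {"service": "HTTP", "host": "files.rp-two.example", "realm": "rp-two.example"},
]


def hash_fields(fields, salt):
    """Hash the fields followed by the salt.

    Each value is length-prefixed so that ("ab", "c") and ("a", "bc")
    never feed the same bytes into the hash. The encoding and the choice
    of SHA-256 are assumptions made for this example.
    """
    h = hashlib.sha256()
    for value in [f.encode("utf-8") for f in fields] + [salt]:
        h.update(len(value).to_bytes(4, "big"))
        h.update(value)
    return h.hexdigest()


def service_id_as_defined(acceptor, nai, salt=SALT):
    # Option 1 as quoted: Gss-Acceptor-Service-Name, NAI, salt.
    return hash_fields([acceptor["service"], nai], salt)


def service_id_with_host(acceptor, nai, salt=SALT):
    # Proposed variant: service name, Gss-Acceptor-Host-Name, NAI, salt.
    return hash_fields([acceptor["service"], acceptor["host"], nai], salt)


def realm_id(acceptor, nai, salt=SALT):
    # Option 2 as quoted: Gss-Acceptor-Realm-Name, NAI, salt.
    return hash_fields([acceptor["realm"], nai], salt)


def compare(nai=NAI):
    """Report which derivations give the two acceptors the same ID."""
    a, b = ACCEPTORS
    return {
        "as_defined_same": service_id_as_defined(a, nai) == service_id_as_defined(b, nai),
        "with_host_same": service_id_with_host(a, nai) == service_id_with_host(b, nai),
        "realm_same": realm_id(a, nai) == realm_id(b, nai),
    }


if __name__ == "__main__":
    print(compare())
```

With the service name alone, both HTTP servers receive the same value for the user, so the identifier is no longer per service and the two relying parties could correlate that user.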
