I was setting up a new Shibboleth IdP in my lab to run some tests. When integrating it with my Active Directory domain, I wanted to use the objectGUID attribute as a unique user identifier. It meets the requirements of being unique and not reusable, while also not exposing any undesirable information like objectSID would.