The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.

NameIdentifier

Owned by Scott Cantor
Last updated: Dec 22, 2006Version comment
1 min read

A SAML NameIdentifier is a reference to a SAML subject. Accordingly, a <saml:NameIdentifier> element is nested inside a <saml:Subject> element:

<saml:Subject
  xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:NameIdentifier 
	 Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
	 NameQualifier="https://idp.example.org/shibboleth">
	 user@example.org
  </saml:NameIdentifier>
</saml:Subject>

The specific NameIdentifierFormat illustrated above (=emailAddress=) is just one of several that may be used.

In a SAML BrowserProfile, the IdentityProvider creates a NameIdentifier and embeds the corresponding SAML subject in an authentication assertion. Subsequent requests from the ServiceProvider (to obtain attributes, for instance) include the SAML subject from the authentication assertion. To satisfy the request, the IdentityProvider relies on a NameIdentifierMapping to map a given NameIdentifier to a local principal.