Child pages
  • NameIdentifier

The Shibboleth 1.x software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.

Skip to end of metadata
Go to start of metadata

A SAML NameIdentifier is a reference to a SAML subject. Accordingly, a <saml:NameIdentifier> element is nested inside a <saml:Subject> element:

<saml:Subject
  xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:NameIdentifier 
	 Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
	 NameQualifier="https://idp.example.org/shibboleth">
	 user@example.org
  </saml:NameIdentifier>
</saml:Subject>

The specific NameIdentifierFormat illustrated above (=emailAddress=) is just one of several that may be used.

In a SAML BrowserProfile, the IdentityProvider creates a NameIdentifier and embeds the corresponding SAML subject in an authentication assertion. Subsequent requests from the ServiceProvider (to obtain attributes, for instance) include the SAML subject from the authentication assertion. To satisfy the request, the IdentityProvider relies on a NameIdentifierMapping to map a given NameIdentifier to a local principal.

  • No labels