Name identifiers can also be described by the following characteristics:

  • persistent - whether a given name identifier is intended to be used across multiple sessions. An identifier intended to be used for a single session only is called a transient identifier.
  • revocable - whether a given name identifier can be revoked. An identifier that persists over the entire lifetime of a subject's relationship with an IdP is called a permanent identifier.
  • reassignable - whether a given name identifier, once revoked, may be reassigned to a different subject.
  • opaque - whether a relying party can positively identify the subject from a given name identifier. (A UUID is an example of an opaque identifier.) An identifier that can be used to positively identify the subject is called a transparent identifier. Many email addresses and network login IDs (such as eduPersonPrincipalName) are transparent when derived from a subject's name.
  • targeted - whether a given name identifier is intended for a specific relying party (or parties) and not for anyone else. An identifier that is not targeted is a shared identifier.
  • portable - whether a given name identifier is usable across security domains.
  • global - whether a given name identifier value is globally unique. However, a name identifier may be "qualified" to ensure global uniqueness. Typically, the qualifier is the identifier of the issuer or a DNS domain associated with the issuer.
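The characteristics above can be seen side by side in a short sketch. This is an added example, not code from the original page or from any IdP product; the HMAC construction, the `generation` counter, the key and all entity IDs are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values (assumptions, not taken from the page).
IDP_ENTITY_ID = "https://idp.example.edu/idp"
IDP_SECRET = b"constructed-demo-key-not-for-production"


def pairwise_id(subject: str, relying_party: str, generation: int = 0) -> str:
    """Persistent, opaque, targeted identifier.

    The value is stable across sessions for one (subject, relying party)
    pair, differs between relying parties, and reveals nothing about the
    subject's name. Incrementing `generation` revokes the old value and
    issues a new one for the same subject; the old value is not handed
    to a different subject, so it is revocable but not reassignable.
    """
    # NUL separators keep ("ab", "c") and ("a", "bc") from colliding.
    msg = "\x00".join((relying_party, subject, str(generation))).encode()
    return hmac.new(IDP_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def transient_id() -> str:
    """Transient identifier: a fresh random value for a single session."""
    return secrets.token_hex(16)


def qualify(value: str, issuer: str = IDP_ENTITY_ID) -> tuple:
    """Pair a locally unique value with its issuer to make it globally unique."""
    return (issuer, value)


if __name__ == "__main__":
    sp_a = "https://sp-a.example.org/sp"  # constructed relying parties
    sp_b = "https://sp-b.example.org/sp"
    print("targeted, SP A :", pairwise_id("jdoe", sp_a))
    print("targeted, SP B :", pairwise_id("jdoe", sp_b))
    print("after revoke   :", pairwise_id("jdoe", sp_a, generation=1))
    print("transient      :", transient_id())
    print("qualified      :", qualify(pairwise_id("jdoe", sp_a)))
```

Because two relying parties receive different values for the same subject, they cannot correlate that subject by comparing identifiers, which is the practical privacy benefit of a targeted, opaque identifier over a shared, transparent one.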