Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

A name identifier, represented by the <NameIdentifier> element in SAML 1 SAML1 and the <NameID> element in SAML 2SAML2, is generally used to identify the subject of a SAML assertion. Name identifiers can be anything; an email address or a Kerberos principal name are common, every-day everyday examples of such information. SAML 2 SAML2 also defines more specialized identifier types with particular properties useful in federated applications.

...

Every name identifier is associated with a format. Formats label the identifier at runtime to help applications process them appropriately. They're conceptually similar to an Attribute Name and in fact one conventional way to express a SAML Attribute as a name identifier is to encode its Name as a Format (assuming the Attribute Name is a URI).

Name identifiers can also be described by the following characteristics:

  • persistent - whether a given name identifier is intended to be used across multiple sessions. An identifier intended to be used for a single session only is called a transient identifier.
  • revocable - whether a given name identifier can be revoked. An identifier that persists over the entire lifetime of a subject's relationship with an IdP is called a permanent identifierpermanent identifier.
  • reassignable - whether a given name identifier, once revoked, may be re-assigned reassigned to a different subject
  • opaque - whether a relying party can positively identify the subject from a given name identifier. (A UUID is an example of an opaque identifier.) An identifier that can be used to positively identify the subject is called a transparent identifier. Many email addresses and network login IDs (such as eduPersonPrincipalName) are transparent when derived from a subject's name.
  • targeted - whether a given name identifier is intended for a specific relying party (or parties) and not for anyone else. An identifier that is not targeted is a shared identifier. An identifier targeted at a specific affiliation of relying parties is also a shared identifier. An identifier targeted at a single relying party is not shared.
  • portable - whether a given name identifier is usable across security domains.
  • global - whether a given name identifier value is globally unique. However, a name identifier may be "qualified" to ensure global uniqueness. Typically, the qualifier is the identifier of the issuer or a DNS domain associated with the issuer.

A special type of globally unique identifier is a scoped attribute, which has the form userid@scope. In practice, the scope value is a DNS domain, which ensures global uniqueness.

Here are some examples:

Identifier / AttributePersistentRevocableReassignableOpaqueTargetedPortableGlobalQualifier
SAML2 Transient NameIDNoN/AN/AYesN/AN/AYesN/A
SAML2 Persistent NameIDYesYesNoYesYesYesNoIssuer ID

eduPersonTargetedID

YesYesNoYesYesYesNoIssuer ID

eduPersonPrincipalName

YesYesYesNoNoNoYesScoped

eduPersonUniqueId

YesYesNoYesNoNoYesScoped
Social Security NumberYesNoN/ANoNoYesNoUS Citizens
Phone NumberYesYesYesNoNoNoYesN/A
OIDC public sub claimYesYesNoYesNoNoNoIssuer ID
OIDC pairwise sub claimYesYesNoYesYesNoNoIssuer ID
ORCIDYesYesNoYesNoYesYesN/A

Notes:

  1. The SAML2 Persistent name identifier and the eduPersonTargetedID attribute are functionally equivalent. Indeed, the value of the latter is precisely a SAML2 Persistent <NameID> element.
  2. The SAML2 Persistent name identifier (and hence eduPersonTargetedID) are portable in the sense that any issuer can assert a known SAML2 Persistent <NameID> element. For example, a SAML2 Persistent <NameID> can transit a SAML IdP Proxy as-is, without modification.
  3. The SAML2 Persistent name identifier and the OIDC pairwise sub claim differ with respect to the portability characteristic only. In particular, the sub claim can not transit a gateway since the iss claim is required for global uniqueness.
  4. A Phone Number is not universally portable but within the US, Phone Number is indeed a portable identifier. In fact, it is one of the few portable identifiers with no qualifier.

...