A name identifier, represented by the `<NameIdentifier>` element in SAML1 and the `<NameID>` element in SAML2, is generally used to identify the subject of a SAML assertion. Name identifiers can be anything; an email address or a Kerberos principal name are common, everyday examples of such information. SAML2 also defines more specialized identifier types with particular properties useful in federated applications.
Every name identifier is associated with a format. Formats label the identifier at runtime to help applications process it appropriately. They are conceptually similar to an Attribute Name, and in fact one conventional way to express a SAML Attribute as a name identifier is to encode its Name as the Format (assuming the Attribute Name is a URI).
Name identifiers can also be described by the following characteristics:
- persistent - whether a given name identifier is intended to be used across multiple sessions. An identifier intended to be used for a single session only is called a transient identifier.
- revocable - whether a given name identifier can be revoked. An identifier that persists over the entire lifetime of a subject's relationship with an IdP is called a permanent identifier.
- reassignable - whether a given name identifier, once revoked, may be reassigned to a different subject.
- opaque - whether a relying party can positively identify the subject from a given name identifier. (A UUID is an example of an opaque identifier.) An identifier that can be used to positively identify the subject is called a transparent identifier. Many email addresses and network login IDs (such as eduPersonPrincipalName) are transparent when derived from a subject's name.
- targeted - whether a given name identifier is intended for a specific relying party (or parties) and not for anyone else. An identifier that is not targeted is a shared identifier. An identifier targeted at a specific affiliation of relying parties is also a shared identifier. An identifier targeted at a single relying party is not shared.
- portable - whether a given name identifier is usable across security domains.
- global - whether a given name identifier value is globally unique. A name identifier that is not globally unique on its own may be "qualified" to ensure global uniqueness. Typically, the qualifier is the identifier of the issuer or a DNS domain associated with the issuer.
A special type of globally unique identifier is a scoped attribute, which has the form `userid@scope`. In practice, the scope value is a DNS domain, which ensures global uniqueness.
Here are some examples:
| Identifier / Attribute | Persistent | Revocable | Reassignable | Opaque | Targeted | Portable | Global | Qualifier |
|---|---|---|---|---|---|---|---|---|
| SAML2 Transient NameID | No | N/A | N/A | Yes | N/A | N/A | Yes | N/A |
| SAML2 Persistent NameID | Yes | Yes | No | Yes | Yes | Yes | No | Issuer ID |
| Social Security Number | Yes | No | N/A | No | No | Yes | No | US Citizens |
| OIDC public `sub` claim | Yes | Yes | No | Yes | No | No | No | Issuer ID |
| OIDC pairwise `sub` claim | Yes | Yes | No | Yes | Yes | No | No | Issuer ID |
- The SAML2 Persistent name identifier and the eduPersonTargetedID attribute are functionally equivalent. Indeed, the value of the latter is precisely a SAML2 Persistent `<NameID>` element.
- The SAML2 Persistent name identifier (and hence eduPersonTargetedID) is portable in the sense that any issuer can assert a known SAML2 Persistent `<NameID>` element. For example, a SAML2 Persistent `<NameID>` can transit a SAML IdP Proxy as-is, without modification.
- The SAML2 Persistent name identifier and the OIDC pairwise `sub` claim differ with respect to the portability characteristic only. In particular, the `sub` claim cannot transit a gateway, since the `iss` claim is required for global uniqueness.
- A Phone Number is not universally portable, but within the US a Phone Number is indeed a portable identifier. In fact, it is one of the few portable identifiers with no qualifier.
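As an added example (not part of the original page), the following Python shows how a relying party might key its records on a qualified identifier as described above: a SAML2 Persistent `<NameID>` is stored under (Format, NameQualifier, SPNameQualifier, value) so that the same value asserted by two issuers does not collide, a Transient `<NameID>` is refused as a durable key, and a scoped attribute is split into (scope, userid). The entity IDs and NameID values are constructed, and defaulting a missing NameQualifier to the assertion issuer is this example's own rule.

```python
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample values (not a real deployment): two issuers assert the
# very same persistent value, which must not collide at the relying party.
IDP_A = "https://idp-a.example.org/idp"
IDP_B = "https://idp-b.example.org/idp"
SP = "https://sp.example.com/sp"

def sample_persistent(name_qualifier):
    return ('<saml:NameID xmlns:saml="%s" Format="%s" NameQualifier="%s" '
            'SPNameQualifier="%s">c4f2e9a1</saml:NameID>'
            % (SAML2_NS, FMT_PERSISTENT, name_qualifier, SP))

SAMPLE_TRANSIENT = ('<saml:NameID xmlns:saml="%s" Format="%s">_8f3a</saml:NameID>'
                    % (SAML2_NS, FMT_TRANSIENT))

def name_id_key(name_id_xml, issuer, my_entity_id, affiliations=()):
    """Return the (Format, NameQualifier, SPNameQualifier, value) tuple a relying
    party may store for a persistent NameID, or None for a transient one, which
    is single-session only and must never become a durable account key."""
    el = ET.fromstring(name_id_xml)
    if el.tag != "{%s}NameID" % SAML2_NS:
        raise ValueError("not a saml2:NameID element")
    fmt = el.get("Format", FMT_UNSPECIFIED)
    value = (el.text or "").strip()
    if not value:
        raise ValueError("empty NameID value")
    if fmt == FMT_TRANSIENT:
        return None
    # The issuer is the qualifier that makes the value globally unique; a missing
    # NameQualifier is taken to mean the assertion issuer (this example's rule).
    qualifier = el.get("NameQualifier") or issuer
    # Targeted identifier: accept only one minted for us or for our affiliation.
    sp_qualifier = el.get("SPNameQualifier") or my_entity_id
    if fmt == FMT_PERSISTENT and sp_qualifier not in {my_entity_id, *affiliations}:
        raise ValueError("persistent NameID targeted at another relying party")
    return (fmt, qualifier, sp_qualifier, value)

def scoped_attribute_key(value):
    """Split userid@scope; the DNS scope is the qualifier, so the key is
    (scope, userid) and the bare userid is never used on its own."""
    userid, sep, scope = value.rpartition("@")
    if not sep or not userid or "@" in userid or "." not in scope:
        raise ValueError("not a scoped attribute value")
    return (scope.lower(), userid)
```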