
A name identifier, represented by the <NameIdentifier> element in SAML1 and the <NameID> element in SAML2, is generally used to identify the subject of a SAML assertion. Name identifiers can be anything; an email address or a Kerberos principal name are common, everyday examples of such information. SAML2 also defines more specialized identifier types with particular properties useful in federated applications.


Every name identifier is associated with a format. Formats label the identifier at runtime to help applications process it appropriately. They're conceptually similar to an Attribute Name, and in fact one conventional way to express a SAML Attribute as a name identifier is to encode its Name as a Format (assuming the Attribute Name is a URI).

Name identifiers can also be described by the following characteristics:

  • persistent - whether a given name identifier is intended to be used across multiple sessions. An identifier intended to be used for a single session only is called a transient identifier.
  • revocable - whether a given name identifier can be revoked. An identifier that persists over the entire lifetime of a subject's relationship with an IdP is called a permanent identifier.
  • reassignable - whether a given name identifier, once revoked, may be reassigned to a different subject.
  • opaque - whether a relying party can positively identify the subject from a given name identifier. (A UUID is an example of an opaque identifier.) An identifier that can be used to positively identify the subject is called a transparent identifier. Many email addresses and network login IDs (such as eduPersonPrincipalName) are transparent when derived from a subject's name.
  • targeted - whether a given name identifier is intended for a specific relying party (or parties) and not for anyone else. An identifier that is not targeted is a shared identifier. An identifier targeted at a specific affiliation of relying parties is also a shared identifier. An identifier targeted at a single relying party is not shared.
  • portable - whether a given name identifier is usable across security domains.
  • global - whether a given name identifier value is globally unique. However, a name identifier may be "qualified" to ensure global uniqueness. Typically, the qualifier is the identifier of the issuer or a DNS domain associated with the issuer.

A special type of globally unique identifier is a scoped attribute, which has the form userid@scope. In practice, the scope value is a DNS domain, which ensures global uniqueness.
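The characteristics above, worked through in code. This is an added example, not part of the original page: it assumes a keyed-hash scheme for deriving a persistent, targeted, opaque value (one common approach, not the only one), and it keys the relying party's lookup on the qualifiers plus the value, which is what keeps two issuers from colliding on the same string. The scoped-attribute parser checks that the asserting issuer is allowed to use the scope it claims.

```python
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def persistent_id(idp_secret: bytes, issuer: str, sp_entity_id: str, local_uid: str) -> str:
    """Persistent, targeted, opaque value (assumed keyed-hash derivation).
    Same (issuer, SP, user) -> same value across sessions; a different SP
    gets a different value; the value reveals nothing about local_uid."""
    msg = f"{issuer}!{sp_entity_id}!{local_uid}".encode()
    return hmac.new(idp_secret, msg, hashlib.sha256).hexdigest()


def transient_id() -> str:
    """Single-session identifier: a fresh random value that is never reused."""
    return "_" + secrets.token_hex(16)


def name_id_xml(value: str, fmt: str, issuer: str, sp_entity_id: str = "") -> str:
    """Serialize a SAML2 <NameID> carrying its Format and its qualifiers."""
    el = ET.Element(f"{{{SAML2_NS}}}NameID", Format=fmt, NameQualifier=issuer)
    if sp_entity_id:
        el.set("SPNameQualifier", sp_entity_id)  # the targeted relying party
    el.text = value
    return ET.tostring(el, encoding="unicode")


def qualified_key(name_id_xml_str: str) -> tuple:
    """The lookup key a relying party should store: Format + qualifiers + value.
    Keying on the bare value alone would let two issuers share one account."""
    el = ET.fromstring(name_id_xml_str)
    return (el.get("Format"), el.get("NameQualifier"), el.get("SPNameQualifier"), el.text)


def parse_scoped(value: str, issuer_scopes: set) -> tuple:
    """Split userid@scope; reject a scope this issuer is not authorized to assert."""
    userid, sep, scope = value.rpartition("@")
    if not sep or not userid or not scope:
        raise ValueError("not a scoped value")
    if scope.lower() not in issuer_scopes:
        raise ValueError(f"issuer not authorized for scope {scope}")
    return userid, scope.lower()
```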

Here are some examples:

Identifier / Attribute    | Persistent | Revocable | Reassignable | Opaque | Targeted | Portable | Global | Qualifier
SAML2 Transient NameID    | No         | N/A       | N/A          | Yes    | N/A      | N/A      | Yes    | N/A
SAML2 Persistent NameID   | Yes        | Yes       | No           | Yes    | Yes      | Yes      | No     | Issuer ID
eduPersonTargetedID       | Yes        | Yes       | No           | Yes    | Yes      | Yes      | No     | Issuer ID
Social Security Number    | Yes        | No        | N/A          | No     | No       | Yes      | No     | US Citizens
Phone Number              | Yes        | Yes       | Yes          | No     | No       | No       | Yes    | N/A
OIDC public sub claim     | Yes        | Yes       | No           | Yes    | No       | No       | No     | Issuer ID
OIDC pairwise sub claim   | Yes        | Yes       | No           | Yes    | Yes      | No       | No     | Issuer ID


  1. The SAML2 Persistent name identifier and the eduPersonTargetedID attribute are functionally equivalent. Indeed, the value of the latter is precisely a SAML2 Persistent <NameID> element.
  2. The SAML2 Persistent name identifier (and hence eduPersonTargetedID) is portable in the sense that any issuer can assert a known SAML2 Persistent <NameID> element. For example, a SAML2 Persistent <NameID> can transit a SAML IdP Proxy as-is, without modification.
  3. The SAML2 Persistent name identifier and the OIDC pairwise sub claim differ with respect to the portability characteristic only. In particular, the sub claim cannot transit a gateway since the iss claim is required for global uniqueness.
  4. A Phone Number is not universally portable but within the US, Phone Number is indeed a portable identifier. In fact, it is one of the few portable identifiers with no qualifier.