A name identifier, represented by the <NameIdentifier> element in SAML 1 and the <NameID> element in SAML 2, is generally used to identify the subject of a SAML assertion. Name identifiers can be anything; an email address or a Kerberos principal name are common, everyday examples of such information. SAML 2 also defines more specialized identifier types with particular properties useful in federated applications.

Strictly speaking, SAML assertions don't have to contain an identifier. The subject may be implicitly identified as the bearer of the token or anybody able to demonstrate possession of a key. In SSO use cases, one reason for including an identifier is to enable the relying party to refer to the subject later, such as in a query, or a logout request. So-called "transient" identifiers that are generated uniquely for each assertion are often used to support those use cases and are a common pattern in Shibboleth deployments.

Every name identifier is associated with a format. Formats label the identifier at runtime to help applications process them appropriately. They're conceptually similar to an Attribute Name and, in fact, one conventional way to express a SAML Attribute as a name identifier is to encode its Name as a Format (assuming the Attribute Name is a URI).
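As an added example (not Shibboleth project code), the following Python builds a SAML 2 <NameID> using an Attribute Name as its Format, as the paragraph above describes, generates a transient identifier of the kind discussed earlier, and parses either back. It goes one step beyond the text: subject_key shows how a relying party should key stored records by a name identifier, using the issuer qualifier for formats that are not globally unique and refusing to key on a transient at all. The IdP and SP entityIDs, and the eduPersonPrincipalName OID used as the Attribute Name, are sample values chosen for the example.

```python
# Added example (not Shibboleth project code): building and reading SAML 2 <NameID>
# elements, and deriving the key an SP should use to recognise a subject again.
# Issuer and SP entityIDs used by callers are constructed sample values.
import secrets
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# SAML 2 Core: when Format is absent, the SAML 1.1 "unspecified" format is in effect.
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NAMEID_TAG = f"{{{SAML2_NS}}}NameID"
ET.register_namespace("saml2", SAML2_NS)


def attribute_to_nameid(attr_name, value, issuer, sp):
    """Encode a single-valued Attribute as a NameID, using its Name as the Format.
    The convention only applies when the Name is a URI (urn:oid:..., https://...)."""
    if not attr_name.startswith(("urn:", "http://", "https://")):
        raise ValueError("Attribute Name must be a URI to be used as a NameID Format")
    el = ET.Element(NAMEID_TAG, {"Format": attr_name,
                                 "NameQualifier": issuer,
                                 "SPNameQualifier": sp})
    el.text = value
    return el


def transient_nameid(issuer, sp):
    """A transient identifier: fresh, random and opaque for every assertion.
    128 bits from the OS CSPRNG; a predictable value would let one assertion's
    handle be guessed and replayed in a later query or logout request."""
    el = ET.Element(NAMEID_TAG, {"Format": FMT_TRANSIENT,
                                 "NameQualifier": issuer,
                                 "SPNameQualifier": sp})
    el.text = "_" + secrets.token_hex(16)
    return el


def to_xml(el):
    """Serialise an element to a Unicode string (helper for callers and tests)."""
    return ET.tostring(el, encoding="unicode")


def parse_nameid(xml_text):
    """Read a NameID back into a dict, applying the default Format when absent."""
    el = ET.fromstring(xml_text)
    if el.tag != NAMEID_TAG:
        raise ValueError(f"expected a SAML 2 NameID, got {el.tag}")
    return {
        "format": el.get("Format", FMT_UNSPECIFIED),
        "value": (el.text or "").strip(),
        "name_qualifier": el.get("NameQualifier"),
        "sp_name_qualifier": el.get("SPNameQualifier"),
    }


def subject_key(nameid, assertion_issuer, global_formats=frozenset()):
    """Key under which an SP may store records about this subject, or None.

    A transient identifier identifies nothing beyond the current assertion, so it
    yields no key. A persistent identifier is unique only together with its issuer
    (Global = No, Qualifier = Issuer ID), so the qualifier is part of the key;
    per SAML 2 Core an omitted NameQualifier means the assertion issuer. Keying on
    the bare value would let two IdPs collide on the same string. Formats the
    deployer knows to be globally unique (a scoped attribute Name passed in
    global_formats) may be keyed on the value alone.
    """
    fmt, value = nameid["format"], nameid["value"]
    if fmt == FMT_TRANSIENT or not value:
        return None
    if fmt in global_formats:
        return (fmt, value)
    qualifier = nameid["name_qualifier"] or assertion_issuer
    return (fmt, qualifier, nameid["sp_name_qualifier"], value)
```

Calling attribute_to_nameid("urn:oid:1.3.6.1.4.1.5923.1.1.1.6", "jdoe@example.edu", idp, sp) yields a NameID whose Format is the eduPersonPrincipalName OID, and parse_nameid on its serialisation returns the same format and value; subject_key on that record with the OID listed in global_formats keys on the value alone, while the same call on a transient returns None.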

Name identifiers can also be described by the following characteristics:

A special type of globally unique identifier is a scoped attribute, which has the form userid@scope. In practice, the scope value is a DNS domain, which ensures global uniqueness.
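The userid@scope form only delivers global uniqueness if the relying party checks that the scope really belongs to the issuer that asserted it; otherwise any IdP could present an identifier in another organization's domain. The following Python is an added example (not Shibboleth project code) of that parsing and check. The issuer entityIDs and the permitted-scope table are constructed sample data; a real SP would take them from each IdP's metadata. Scopes are matched exactly, so a subdomain is not accepted on the strength of its parent.

```python
# Added example (not Shibboleth project code): parsing a scoped identifier of the
# form userid@scope and checking that the scope belongs to the issuer that
# asserted it. Issuer entityIDs and permitted scopes below are constructed sample
# data standing in for what an SP learns from IdP metadata.
import re

# A scope is a DNS domain: dot-separated labels of letters, digits and hyphens,
# each 1-63 characters and neither starting nor ending with a hyphen.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
DNS_DOMAIN = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")

# Constructed sample: which scopes each issuer is permitted to assert.
PERMITTED_SCOPES = {
    "https://idp.example.edu/idp": {"example.edu"},
    "https://idp.partner.example/idp": {"partner.example", "lab.partner.example"},
}


def split_scoped(value):
    """Split userid@scope into its two parts.

    Exactly one '@' is required, so an attacker-chosen userid cannot smuggle a
    second scope into the value. The scope is lower-cased because DNS names are
    case-insensitive; the userid is left exactly as asserted.
    """
    if value.count("@") != 1:
        raise ValueError(f"not a scoped identifier: {value!r}")
    userid, scope = value.split("@")
    scope = scope.lower()
    if not userid or not DNS_DOMAIN.match(scope):
        raise ValueError(f"malformed scoped identifier: {value!r}")
    return userid, scope


def is_scoped(value):
    """True if the value is a well-formed userid@scope."""
    try:
        split_scoped(value)
        return True
    except ValueError:
        return False


def accept_scoped(value, issuer):
    """Return (userid, scope) only if `issuer` may assert `scope`, else None.

    Unknown issuers have no permitted scopes and so are refused. Without this
    check the scope adds a domain name to the value but no real uniqueness.
    """
    userid, scope = split_scoped(value)
    if scope not in PERMITTED_SCOPES.get(issuer, set()):
        return None
    return userid, scope
```

accept_scoped("jdoe@example.edu", "https://idp.example.edu/idp") returns ("jdoe", "example.edu"), while the same value asserted by the partner IdP returns None, and a value such as jdoe@example.edu@evil.example is rejected outright as malformed.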

Here are some examples:

Identifier / Attribute    | Persistent | Revocable | Reassignable | Opaque | Targeted | Global | Qualifier
--------------------------|------------|-----------|--------------|--------|----------|--------|------------
SAML2 Transient NameID    | No         | N/A       | N/A          | Yes    | N/A      | Yes    | N/A
SAML2 Persistent NameID   | Yes        | Yes       | No           | Yes    | Yes      | No     | Issuer ID
eduPersonTargetedID       | Yes        | Yes       | No           | Yes    | Yes      | No     | Issuer ID
eduPersonPrincipalName    | Yes        | Yes       | Yes          | No     | No       | Yes    | Scoped
eduPersonUniqueID         | Yes        | Yes       | No           | Yes    | No       | Yes    | Scoped
Social Security Number    | Yes        | No        | N/A          | No     | No       | No     | US Citizens
Phone Number              | Yes        | Yes       | Yes          | No     | No       | Yes    | N/A
OpenID Connect sub claim  | Yes        | Yes       | No           | Yes    | No       | No     | Issuer ID
ORCID                     | Yes        | Yes       | No           | Yes    | No       | Yes    | N/A

Note that the SAML2 persistent name identifier and the eduPersonTargetedID attribute are functionally equivalent. Indeed, the value of the latter is precisely a SAML2 persistent <NameID> element, and the attribute should not, as a rule, be used in SAML 2 assertions.

Attributes vs. Identifiers

In SAML, subjects are also commonly described with Attributes. In contrast to name identifiers, SAML Attributes can have multiple values and aren't necessarily usable as identifiers, but any name identifier can usually be expressed as an Attribute.

Shibboleth deployments traditionally have focused on the use of Attributes to describe subjects, and default to the use of transient name identifiers (or omitting them). Commercial SAML deployments rarely make use of Attributes and tend to use loosely or improperly specified name identifiers.

The properties above used to describe name identifiers also apply to attributes when those attributes are themselves unique identifiers for a subject. Of course, many attributes are not identifiers at all, merely data of various kinds.

Note, however, that using this mechanism does not magically confer the reversibility property on an attribute. Whichever attribute is chosen to be encoded as the name identifier must already have this property. The encoding process does, however, add the scoped property, and this is not something that a deployer must explicitly configure.