A name identifier, represented by the `<NameIdentifier>` element in SAML1 and the `<NameID>` element in SAML2, is generally used to identify the subject of a SAML assertion. Name identifiers can be anything; an email address or a Kerberos principal name are common, everyday examples of such information. SAML2 also defines more specialized identifier types with particular properties useful in federated applications.
...
Every name identifier is associated with a format. Formats label the identifier at runtime to help applications process it appropriately. They are conceptually similar to an Attribute Name; in fact, one conventional way to express a SAML Attribute as a name identifier is to encode its Name as the Format (assuming the Attribute Name is a URI).
Name identifiers can also be described by the following characteristics:
- persistent - whether a given name identifier is intended to be used across multiple sessions. An identifier intended to be used for a single session only is called a transient identifier.
- revocable - whether a given name identifier can be revoked. An identifier that persists over the entire lifetime of a subject's relationship with an IdP is called a permanent identifier.
- reassignable - whether a given name identifier, once revoked, may be reassigned to a different subject.
- opaque - whether a relying party cannot positively identify the subject from a given name identifier. (A UUID is an example of an opaque identifier.) An identifier that can be used to positively identify the subject is called a transparent identifier. Many email addresses and network login IDs (such as `eduPersonPrincipalName`) are transparent when derived from a subject's name.
- targeted - whether a given name identifier is intended for a specific relying party (or parties) and not for anyone else. An identifier that is not targeted is a shared identifier. An identifier targeted at a specific affiliation of relying parties is also a shared identifier. An identifier targeted at a single relying party is not shared.
- portable - whether a given name identifier is usable across security domains.
- global - whether a given name identifier value is globally unique. A name identifier that is not globally unique on its own may be "qualified" to ensure global uniqueness; typically, the qualifier is the identifier of the issuer or a DNS domain associated with the issuer.

A special type of globally unique identifier is a scoped attribute, which has the form `userid@scope`. In practice, the scope value is a DNS domain, which ensures global uniqueness.
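As an added example (not code from the original page), the following Python parses a SAML2 `<NameID>`, labels it by Format, and derives the qualified key a relying party should store rather than the bare value; the namespace and Format URIs are the standard SAML ones, while the entity IDs and identifier values are constructed samples.

```python
# Added example, not from the original page: classify a SAML2 <NameID> by
# Format and derive the qualified subject key a relying party should keep.
# Entity IDs and identifier values below are constructed samples.
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
FORMAT_LABELS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent": "persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient": "transient",
    UNSPECIFIED: "unspecified",
}

def parse_name_id(xml_text):
    """Return the value, format label and qualifiers of a SAML2 <NameID>."""
    el = ET.fromstring(xml_text)
    if el.tag != "{%s}NameID" % SAML2_NS:
        raise ValueError("not a SAML2 NameID element")
    fmt = el.get("Format", UNSPECIFIED)  # an absent Format means unspecified
    return {
        "value": (el.text or "").strip(),
        "format": FORMAT_LABELS.get(fmt, "other"),
        "name_qualifier": el.get("NameQualifier"),      # issuer qualifier
        "sp_name_qualifier": el.get("SPNameQualifier"),  # targeted relying party
    }

def subject_key(name_id):
    """Persistent values are unique only within their qualifiers, so the key is
    the full (NameQualifier, SPNameQualifier, value) triple; comparing bare
    values would let subjects of two issuers collide. Transient IDs get no key."""
    if name_id["format"] == "transient":
        return None
    return (name_id["name_qualifier"], name_id["sp_name_qualifier"], name_id["value"])

def split_scoped(value):
    """Split a scoped attribute value 'userid@scope' into (userid, scope)."""
    userid, sep, scope = value.rpartition("@")
    if not sep or not userid or not scope:
        raise ValueError("not a scoped value: %r" % value)
    return userid, scope

# Constructed sample elements (the entity IDs and values are not real).
PERSISTENT_XML = (
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" '
    'NameQualifier="https://idp.example.org/idp" '
    'SPNameQualifier="https://sp.example.com/shibboleth">7e3f4c2a-sample</saml:NameID>'
)
TRANSIENT_XML = (
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_a1b2c3-sample</saml:NameID>'
)
```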
Here are some examples:
Identifier / Attribute | Persistent | Revocable | Reassignable | Opaque | Targeted | Portable | Global | Qualifier |
---|---|---|---|---|---|---|---|---|
SAML2 Transient NameID | No | N/A | N/A | Yes | N/A | N/A | Yes | N/A |
SAML2 Persistent NameID | Yes | Yes | No | Yes | Yes | Yes | No | Issuer ID |
eduPersonTargetedID | Yes | Yes | No | Yes | Yes | Yes | No | Issuer ID |
eduPersonPrincipalName | Yes | Yes | Yes | No | No | No | Yes | Scoped |
eduPersonUniqueId | Yes | Yes | No | Yes | No | No | Yes | Scoped |
Social Security Number | Yes | No | N/A | No | No | Yes | No | US Citizens |
Phone Number | Yes | Yes | Yes | No | No | No | Yes | N/A |
OIDC public sub claim | Yes | Yes | No | Yes | No | No | No | Issuer ID |
OIDC pairwise sub claim | Yes | Yes | No | Yes | Yes | No | No | Issuer ID |
ORCID | Yes | Yes | No | Yes | No | Yes | Yes | N/A |
Notes:
- The SAML2 Persistent name identifier and the eduPersonTargetedID attribute are functionally equivalent. Indeed, the value of the latter is precisely a SAML2 Persistent `<NameID>` element.
- The SAML2 Persistent name identifier (and hence eduPersonTargetedID) is portable in the sense that any issuer can assert a known SAML2 Persistent `<NameID>` element. For example, a SAML2 Persistent `<NameID>` can transit a SAML IdP Proxy as-is, without modification.
- The SAML2 Persistent name identifier and the OIDC pairwise `sub` claim differ with respect to the portability characteristic only. In particular, the `sub` claim cannot transit a gateway since the `iss` claim is required for global uniqueness.
- A Phone Number is not universally portable, but within the US a Phone Number is indeed a portable identifier. In fact, it is one of the few portable identifiers with no qualifier.
...