...
Name identifiers can also be described by the following characteristics:
- persistent
...
- persistent - whether a given name identifier is intended to be used across multiple sessions. An identifier intended to be used for a single session only is called a transient identifier.
- revocable - whether a given name identifier can be revoked. An identifier that persists over the entire lifetime of a subject's relationship with an IdP is called a permanent identifier.
- reassignedreassignable - whether a given name identifier, once revoked, may be reassigned re-assigned to a different subject
- opaque - whether a relying party can positively identify the subject from a given name identifier. (A UUID is an example of an opaque identifier.) An identifier that can be used to positively identify the subject is called a transparent identifier. Many email addresses and network login IDs (such as
eduPersonPrincipalName
) are transparent when derived from a subject's name. - targeted - whether a given name identifier is intended for a specific relying party (or parties) and not for anyone else. An identifier that is not targeted is a shared identifier.
- portable - whether a given name identifier is usable across security domains.
- global - whether a given name identifier value is globally unique. However, a name identifier may be "qualified" to ensure global uniqueness. Typically, the qualifier is the identifier of the issuer or a DNS domain associated with the issuer.
...