The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.
NameIdentifierFormat
A NameIdentifierFormat is a URI associated with a particular type of NameIdentifier. Specifically, a NameIdentifierFormat is a value of the Format attribute of a <saml:NameIdentifier> element in SAMLOneDotOne or a <saml:NameID> element in SAMLTwoDotZero. SAMLOneDotOne defines a handful of such formats (see section 7.3 of [SAMLCore]):
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
None of the SAMLOneDotOne formats provide anonymity, which may be an issue for deployments that hope to maintain user privacy. The proprietary ShibHandle format specifically addresses this issue. Shibboleth also supports a PrincipalNameIdentifier format, primarily for testing.
SAMLTwoDotZero specifies the above formats together with the following formats (see section 8.3 of [SAML2Core]):
urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
urn:oasis:names:tc:SAML:2.0:nameid-format:entity
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
In Shib 2.0, the transient format (above) will replace the current ShibHandle format.
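As an added example (not part of the original Shibboleth documentation), the following Python sketch reads the Format attribute from <saml:NameIdentifier> and <saml:NameID> elements and flags the SAML 1.1 formats that provide no anonymity. The sample XML, its <Samples> wrapper, the label strings and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Element that carries the Format attribute in each SAML version.
NAME_ELEMENTS = {
    "{urn:oasis:names:tc:SAML:1.0:assertion}NameIdentifier": "SAML 1.1",
    "{urn:oasis:names:tc:SAML:2.0:assertion}NameID": "SAML 2.0",
}
P11 = "urn:oasis:names:tc:SAML:1.1:nameid-format:"
P20 = "urn:oasis:names:tc:SAML:2.0:nameid-format:"
# The four SAML 1.1 formats listed on this page; none provides anonymity.
NOT_ANONYMOUS = {P11 + n for n in (
    "unspecified", "emailAddress", "X509SubjectName", "WindowsDomainQualifiedName")}

def privacy_review(xml_text):
    """Return (version, format, label) for each name identifier in xml_text."""
    report = []
    # The stdlib parser is enough for this constructed input; use a hardened
    # parser (e.g. defusedxml) for documents received from a peer.
    for elem in ET.fromstring(xml_text).iter():
        version = NAME_ELEMENTS.get(elem.tag)
        if version is None:
            continue  # not a name identifier element
        fmt = elem.get("Format")
        if fmt is None:
            label = "no Format attribute"
        elif fmt in NOT_ANONYMOUS:
            label = "not anonymous"
        elif fmt == P20 + "transient":
            label = "transient"
        else:
            label = "other format"
        report.append((version, fmt, label))
    return report

# Constructed sample: three subjects under a made-up <Samples> wrapper.
SAMPLE = f"""<Samples xmlns:s1="urn:oasis:names:tc:SAML:1.0:assertion"
                      xmlns:s2="urn:oasis:names:tc:SAML:2.0:assertion">
  <s1:Subject><s1:NameIdentifier Format="{P11}emailAddress">user@example.org</s1:NameIdentifier></s1:Subject>
  <s2:Subject><s2:NameID Format="{P20}transient">_3f9c0d7e51</s2:NameID></s2:Subject>
  <s2:Subject><s2:NameID>jdoe</s2:NameID></s2:Subject>
</Samples>"""

if __name__ == "__main__":
    for row in privacy_review(SAMPLE):
        print(row)
```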