A SAML NameIdentifier is a reference to a SAML subject. Accordingly, a <saml:NameIdentifier> element is nested inside a <saml:Subject> element:
<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:NameIdentifier
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      NameQualifier="https://idp.example.org/shibboleth">
    user@example.org
  </saml:NameIdentifier>
</saml:Subject>
The specific NameIdentifierFormat illustrated above (=emailAddress=) is just one of several that may be used.
In a SAML BrowserProfile, the IdentityProvider creates a NameIdentifier and embeds the corresponding SAML subject in an authentication assertion. Subsequent requests from the ServiceProvider (to obtain attributes, for instance) include the SAML subject from the authentication assertion. To satisfy the request, the IdentityProvider relies on a NameIdentifierMapping to map a given NameIdentifier to a local principal.
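As an added example (not code from this page or from Shibboleth), a minimal NameIdentifierMapping in Python: it parses the <saml:Subject> carried in a subsequent ServiceProvider request and resolves a local principal only when the NameIdentifier's Format and NameQualifier are the ones this IdentityProvider issued. The sample subject, the principal table and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
OUR_QUALIFIER = "https://idp.example.org/shibboleth"

# Constructed sample: the SAML 1.x Subject as echoed back by the ServiceProvider.
SAMPLE_SUBJECT = """
<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:NameIdentifier
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      NameQualifier="https://idp.example.org/shibboleth">
    user@example.org
  </saml:NameIdentifier>
</saml:Subject>
"""

# Hypothetical stand-in for the IdentityProvider's local principal store.
LOCAL_PRINCIPALS = {"user@example.org": "jdoe"}


def parse_name_identifier(subject_xml):
    """Return (Format, NameQualifier, value) from a <saml:Subject>."""
    root = ET.fromstring(subject_xml)
    if root.tag != f"{{{SAML1_NS}}}Subject":
        raise ValueError("not a SAML 1.x Subject")
    nid = root.find(f"{{{SAML1_NS}}}NameIdentifier")
    if nid is None or not (nid.text or "").strip():
        raise ValueError("Subject carries no usable NameIdentifier")
    # Surrounding whitespace is not part of the identifier value.
    return nid.get("Format"), nid.get("NameQualifier"), nid.text.strip()


def map_to_principal(subject_xml, expected_format, expected_qualifier):
    """Hypothetical NameIdentifierMapping: an identifier is only looked up
    after its Format and NameQualifier are confirmed, so a value issued
    under another scheme or by another qualifier is never read as ours."""
    fmt, qualifier, value = parse_name_identifier(subject_xml)
    if fmt != expected_format:
        raise ValueError(f"unsupported NameIdentifier Format: {fmt}")
    if qualifier != expected_qualifier:
        raise ValueError(f"NameQualifier {qualifier!r} not issued by this IdP")
    principal = LOCAL_PRINCIPALS.get(value)
    if principal is None:
        raise LookupError(f"no local principal for {value}")
    return principal
```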