What are the different NameID format used for

Question

In SAML metadata file there are several NameID format defined  for example    lt NameIDFormat gt urn mace shibboleth 1 0 nameIdentifier lt  NameIDFormat gt    lt NameIDFormat gt urn oasis names tc SAML 1 1 nameid-format unspecified lt  NameIDFormat gt    lt NameIDFormat gt urn oasis names tc SAML 2 0 nameid-format transient lt  NameIDFormat gt    Can anybody explain what are these used for  What are the differences

User · Accepted Answer

Refer to Section 8 3 of this SAML core pdf of oasis SAML specification   SP and IdP usually communicate each other about a subject  That subject should be identified through a NAME-IDentifier   which should be in some format so that It is easy for the other party to identify it based on the Format   All these   1 urn oasis names tc SAML 1 1 nameid-format unspecified  default   2 urn oasis names tc SAML 1 1 nameid-format emailAddress  3 urn oasis names tc SAML 2 0 nameid-format persistent  4 urn oasis names tc SAML 2 0 nameid-format transient   are format for the Name Identifiers   The name format for a transient ID in SAML 1 is urn mace shibboleth 1 0 nameIdentifier and in SAML 2 is urn oasis names tc SAML 2 0 nameid-format transient  Transient is for  section 8 3 8 of SAML Core      Indicates that the content of the element is an identifier with   transient semantics and SHOULD be treated as an opaque and temporary   value by the relying party    Unspecified can be used and it purely depends on the entities implementation on their own wish

User · Answer

1 and 2 are SAML 1 1 because those URIs were part of the OASIS SAML 1 1 standard  Section 8 3 of the linked PDF for the OASIS SAML 2 0 standard explains this      Where possible an existing URN is used to specify a protocol  In the case of IETF protocols  the URN of the most current RFC that specifies the protocol is used  URI references created specifically for SAML have one of the following stems  according to the specification set version in which they were first introduced   urn oasis names tc SAML 1 0  urn oasis names tc SAML 1 1  urn oasis names tc SAML 2 0

User · Answer

About this I think you can reference to http   docs oasis-open org security saml Post2 0 sstc-saml-tech-overview-2 0 html   Here re my understandings about this  with the Identity Federation Use Case to give a details for those concepts     Persistent identifiers-   IdP provides the Persistent identifiers  they are used for linking to the local accounts in SPs  but they identify as the user profile for the specific service each alone  For example  the persistent identifiers are kind of like   johnForAir  jonhForCar  johnForHotel  they all just for one specified service  since it need to link to its local identity in the service     Transient identifiers-   Transient identifiers are what IdP tell the SP that the users in the session have been granted to access the resource on SP  but the identities of users do not offer to SP actually  For example  The assertion just like    Anonymity Idp doesn   t tell SP who he is  has the permission to access  resource on SP     SP got it and let browser to access it  but still don   t know Anonymity  real name     unspecified identifiers-   The explanation for it in the spec is  The interpretation of the content of the element is left to individual implementations   Which means IdP defines the real format for it  and it assumes that SP knows how to parse the format data respond from IdP  For example  IdP gives a format data  UserName XXXXX Country US   SP get the assertion  and can parse it and extract the UserName is  XXXXX

User · Answer

It is just a hint for the Service Provider on what to expect from the NameID returned by the Identity Provider  It can be    unspecified emailAddress     e g  john company com X509SubjectName      e g  CN john O Company Ltd  C US WindowsDomainQualifiedName     e g  CompanyDomain John kerberos    e g  john realm entity     this one in used to identify entities that provide SAML-based services and looks like a URI persistent      this is an opaque service-specific identifier which must include a pseudo-random value and must not be traceable to the actual user  so this is a privacy feature  transient      opaque identifier which should be treated as temporary

[single-sign-on] What are the different NameID format used for?

Examples related to single-sign-on

Examples related to saml

Examples related to opensaml