It is just a hint for the Service Provider on what to expect from the NameID returned by the Identity Provider. It can be:
unspecified
emailAddress – e.g. [email protected]
X509SubjectName – e.g. CN=john,O=Company Ltd.,C=US
WindowsDomainQualifiedName – e.g. CompanyDomain\John
kerberos – e.g. john@realm
entity – this one is used to identify entities that provide SAML-based services and looks like a URI
persistent – this is an opaque service-specific identifier which must include a pseudo-random value and must not be traceable to the actual user, so this is a privacy feature
transient – an opaque identifier which should be treated as temporary
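
Because the format is only a hint, a Service Provider can verify the NameID it actually receives against it. The following is an added example, not code from the original page: the function names and the shape patterns are illustrative assumptions, while the format URNs are the ones defined by the SAML specifications.

```python
import re
import xml.etree.ElementTree as ET  # constructed input only; use a hardened parser for untrusted XML

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
V11 = "urn:oasis:names:tc:SAML:1.1:nameid-format:"
V20 = "urn:oasis:names:tc:SAML:2.0:nameid-format:"

# Shape checks are illustrative assumptions, looser than the full grammars.
SHAPES = {
    V11 + "unspecified": re.compile(r".+", re.S),
    V11 + "emailAddress": re.compile(r"[^@\s]+@[^@\s]+"),
    V11 + "X509SubjectName": re.compile(r"[A-Za-z0-9.]+=[^,]+(?:,\s*[A-Za-z0-9.]+=[^,]+)*"),
    V11 + "WindowsDomainQualifiedName": re.compile(r"(?:[^\\\s]+\\)?[^\\\s]+"),
    V20 + "kerberos": re.compile(r"[^@\s]+@[^@\s]+"),
    V20 + "entity": re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*:\S+"),
    V20 + "persistent": re.compile(r".{1,256}", re.S),
    V20 + "transient": re.compile(r".{1,256}", re.S),
}

def sample(fmt, value):
    # Constructed, unsigned assertion fragment used only for this demonstration.
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:Subject>'
            f'<saml:NameID Format="{fmt}">{value}</saml:NameID>'
            f'</saml:Subject></saml:Assertion>')

def check_name_id(assertion_xml, requested_format):
    """Return (format, value, problems) for the Subject NameID of an assertion."""
    root = ET.fromstring(assertion_xml)
    node = root.find(".//saml:Subject/saml:NameID", NS)
    if node is None:
        return None, None, ["no NameID in Subject"]
    fmt = node.get("Format", V11 + "unspecified")  # absent Format means unspecified
    value = (node.text or "").strip()
    problems = []
    if fmt not in SHAPES:
        problems.append("unknown Format")
    elif not SHAPES[fmt].fullmatch(value):
        problems.append("value does not match declared Format")
    # The SP asked for one format; the IdP answering with another is worth flagging.
    if requested_format != V11 + "unspecified" and fmt != requested_format:
        problems.append("Format differs from the one requested")
    return fmt, value, problems

if __name__ == "__main__":
    print(check_name_id(sample(V11 + "emailAddress", "CompanyDomain\\John"), V11 + "emailAddress"))
```
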