What are the different NameID format used for?

132,038

Solution 1

Refer to Section 8.3 of the SAML Core PDF of the OASIS SAML specification.

The SP and IdP usually communicate with each other about a subject. That subject should be identified through a Name Identifier, which should be in some format so that it is easy for the other party to identify it based on the Format.

All of these:

  1. urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified [default]
  2. urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  3. urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  4. urn:oasis:names:tc:SAML:2.0:nameid-format:transient

are formats for the Name Identifiers.

The name format for a transient ID in SAML 1 is urn:mace:shibboleth:1.0:nameIdentifier and in SAML 2 is urn:oasis:names:tc:SAML:2.0:nameid-format:transient.

Transient is for [section 8.3.8 of SAML Core]:

"Indicates that the content of the element is an identifier with transient semantics and SHOULD be treated as an opaque and temporary value by the relying party."

Unspecified can be used, and its interpretation depends purely on the entities' own implementation.

Solution 2

For this I think you can refer to http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html.

Here is my understanding of this, using the Identity Federation use case to give details for those concepts:

  • Persistent identifiers

The IdP provides the persistent identifiers; they are used for linking to the local accounts in SPs, but each identifies the user profile for one specific service alone. For example, the persistent identifiers are kind of like johnForAir, johnForCar, johnForHotel; each is just for one specified service, since it needs to link to its local identity in that service.

  • Transient identifiers

With transient identifiers the IdP tells the SP that the users in the session have been granted access to the resource on the SP, but the users' identities are not actually offered to the SP. For example, the assertion is just like "Anonymity (the IdP doesn't tell the SP who he is) has permission to access /resource on the SP". The SP gets it and lets the browser access it, but still doesn't know Anonymity's real name.

  • Unspecified identifiers

The explanation for it in the spec is "The interpretation of the content of the element is left to individual implementations". This means the IdP defines the real format for it, and it assumes that the SP knows how to parse the format of the data returned from the IdP. For example, the IdP gives data in the format "UserName=XXXXX Country=US"; the SP gets the assertion, can parse it, and extracts that the UserName is "XXXXX".

Solution 3

It is just a hint for the Service Provider on what to expect from the NameID returned by the Identity Provider. It can be:

  1. unspecified
  2. emailAddress – e.g. [email protected]
  3. X509SubjectName – e.g. CN=john,O=Company Ltd.,C=US
  4. WindowsDomainQualifiedName – e.g. CompanyDomain\John
  5. kerberos – e.g. john@realm
  6. entity – this one is used to identify entities that provide SAML-based services and looks like a URI
  7. persistent – this is an opaque service-specific identifier which must include a pseudo-random value and must not be traceable to the actual user, so this is a privacy feature.
  8. transient – opaque identifier which should be treated as temporary.
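To make the "hint" in Solutions 1 to 3 concrete, here is an added example (not from any answer on this page) of the check an SP would run on a received NameID: it applies the spec's default when Format is absent, refuses a format other than the one the SP requested, sanity-checks an emailAddress value, and honours NotOnOrAfter for a transient ID. The assertion, the opaque value and the timestamps are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree in production
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# The NameID formats listed in Solutions 1 and 3 (SAML 2.0 Core, section 8.3).
FORMATS = {n: f"urn:oasis:names:tc:SAML:{v}:nameid-format:{n}" for n, v in [
    ("unspecified", "1.1"), ("emailAddress", "1.1"), ("X509SubjectName", "1.1"),
    ("WindowsDomainQualifiedName", "1.1"), ("kerberos", "2.0"), ("entity", "2.0"),
    ("persistent", "2.0"), ("transient", "2.0")]}
# Section 2.2.2: with no Format attribute, "unspecified" is in effect (the spec
# text cites the 1.0 URI while section 8.3.1 registers the 1.1 one; accept both).
UNSPECIFIED = {FORMATS["unspecified"], "urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified"}

def check_name_id(assertion_xml, expected_format, now):
    """Return (format_uri, value) when the NameID is usable by an SP that
    requested expected_format, else raise ValueError with the reason."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        raise ValueError("assertion carries no NameID")
    fmt = name_id.get("Format", FORMATS["unspecified"])
    if fmt in UNSPECIFIED:
        fmt = FORMATS["unspecified"]
    value = (name_id.text or "").strip()
    if fmt not in FORMATS.values():
        raise ValueError(f"unknown NameID format {fmt}")
    # The requested format is only a hint; the SP must refuse what it cannot map.
    if fmt != expected_format:
        raise ValueError(f"IdP returned {fmt}, SP expected {expected_format}")
    if fmt == FORMATS["emailAddress"] and not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", value):
        raise ValueError("emailAddress NameID does not look like an address")
    if fmt == FORMATS["transient"]:
        # Transient IDs are opaque; consume them only until NotOnOrAfter, if given.
        scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        exp = scd.get("NotOnOrAfter") if scd is not None else None
        if exp and now >= datetime.fromisoformat(exp.replace("Z", "+00:00")):
            raise ValueError("transient NameID expired (NotOnOrAfter passed)")
    return fmt, value

# Constructed sample assertion (not from the question); unsigned for brevity.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_c0nstructed0paque42</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2020-07-30T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""

if __name__ == "__main__":
    t = datetime(2020, 7, 30, 12, 0, tzinfo=timezone.utc)
    print(check_name_id(SAMPLE, FORMATS["transient"], t))
```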

Solution 4

1 and 2 are SAML 1.1 because those URIs were part of the OASIS SAML 1.1 standard. Section 8.3 of the linked PDF for the OASIS SAML 2.0 standard explains this:

Where possible an existing URN is used to specify a protocol. In the case of IETF protocols, the URN of the most current RFC that specifies the protocol is used. URI references created specifically for SAML have one of the following stems, according to the specification set version in which they were first introduced:

urn:oasis:names:tc:SAML:1.0:
urn:oasis:names:tc:SAML:1.1:
urn:oasis:names:tc:SAML:2.0:
Author by performanceuser

Updated on July 30, 2020

Comments

  • performanceuser
    performanceuser almost 4 years

    In the SAML metadata file there are several NameID formats defined, for example:

    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>

    Can anybody explain what these are used for? What are the differences?

  • Rob Starling
    Rob Starling over 10 years
    If you're returning your userId and it's public and you don't intend to change them anytime soon, then I believe you want "persistent".
  • alxgomz
    alxgomz almost 7 years
    I can't see anything in the spec that says the "unspecified" format should be treated as a [default]. I would be very interested in finding the reference for that. Do you remember where you got that from?
  • Mike Partridge
    Mike Partridge over 6 years
    @alxgomz - see line 455 and on in the spec, specifically: "Unless otherwise specified by an element based on this type, if no Format value is provided, then the value urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified (see Section 8.3.1) is in effect."
  • Curtis Yallop
    Curtis Yallop over 6 years
    Transient indicates the NameID will be something random, for example MfJkZue5tTB0mSqfUMe4iPqLd4e. If the exact same person deletes their cookies and fully re-authenticates, the id will change. However, sometimes the default value is "transient" and it is not changed, but the NameID is actually configured to be something else fixed like email or username. Note that a transient name-id in a SAML response is only supposed to be consumed until the time set in NotOnOrAfter in the subject condition, if there is one.
  • chaserb
    chaserb over 5 years
    Kudos for "my understanding about this". Sometimes, the pondering of a human who's synthesized the information in the spec is more valuable than the spec itself. Appreciate the commentary.
  • Matt Shepherd
    Matt Shepherd over 4 years
    When you say "it is just a hint", can an IDP provide something other than what has been requested? And if so, can that still work?
  • kirelagin
    kirelagin over 4 years
    There is nothing about this in the specification.