What is the purpose of SAML 2 Subject Name Identifier?

╄→гoц情女王★ submitted on 2019-12-10 02:33:39

Question


When doing authn against a SAML 2 IdP, what is the Subject Name Identifier supposed to be for? Does it track each user login?

I'm wondering if my SAML 2 service provider application should track these for different users. Since they are transient, they can be different for different logins (so I would need to track using a collection hanging off the user account).


Answer 1:


The <NameIdentifier> element is a SAML 1.1 concept. It has been superseded by the <NameID> element, which identifies the subject. NameID is not necessarily transient - see section 8.3 of the SAML 2.0 core specification.




Answer 2:


Name Identifier contains several attributes.

The first attribute is NameQualifier, which specifies the security domain of the user at the IDP. Security domain is useful to disambiguate different users that use the same name identifier.

The second attribute is SPNameQualifier, which specifies the security domain of the user at the SP.

The third attribute is Format, which specifies how the name identifier should be interpreted.

For example, the Email Address name identifier format is used when the user wants to use the same name identifier in the IDP and the SP. This means that if the user is logged in as alice@domain.com in the IDP, the user is also logged in as alice@domain.com in the SP.

As another example, a Persistent Identifier is used when the user does not want to use the same name identifier in the IDP and the SP. This means that a user can log in as alice@idp.com in the IDP, but log in as bob@sp.com in the SP. This is achieved by using an identifier, such as 12345, agreed by the IDP and the SP, which is mapped to alice@idp.com in the IDP and mapped to bob@sp.com in the SP. A Persistent Identifier is useful when you do not want the SP to know the name identifier of the user in the IDP.
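As an added illustration (not part of either answer), here is a small Python routine an SP could use to read the NameID attributes described above and decide whether the value may be stored as a link to a local account: transient IDs are never stored, and persistent IDs are only accepted when their qualifiers match the IdP/SP pair the SP expects. The entity IDs, the sample assertion and the function names are constructed for this example.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample: Subject of an assertion whose signature the SP has already verified.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                 NameQualifier="https://idp.example.com"
                 SPNameQualifier="https://sp.example.com">12345</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


def parse_name_id(assertion_xml):
    """Return the NameID value plus the three attributes discussed in the answer."""
    root = ET.fromstring(assertion_xml)
    nid = root.find("saml:Subject/saml:NameID", NS)
    if nid is None:
        raise ValueError("assertion carries no NameID")
    return {
        "value": (nid.text or "").strip(),
        "format": nid.get("Format", UNSPECIFIED),  # absent Format means 'unspecified'
        "name_qualifier": nid.get("NameQualifier"),
        "sp_name_qualifier": nid.get("SPNameQualifier"),
    }


def account_key(name_id, idp_entity_id, sp_entity_id):
    """Key under which the SP may link this NameID to a local account, or None.

    None means: do not store it (transient), or its qualifiers scope it to a
    different IdP/SP pair than this SP expects, so it is not the same identity.
    """
    fmt = name_id["format"]
    if fmt == TRANSIENT:
        return None  # valid for this login only; nothing to persist
    # Per SAML 2.0 core, omitted qualifiers default to the asserting IdP / receiving SP.
    idp = name_id["name_qualifier"] or idp_entity_id
    sp = name_id["sp_name_qualifier"] or sp_entity_id
    if idp != idp_entity_id or sp != sp_entity_id:
        return None
    if fmt == PERSISTENT:
        return (idp, sp, "persistent", name_id["value"])  # unique only with both qualifiers
    if fmt == EMAIL:
        return (idp, sp, "email", name_id["value"])
    return None  # 'unspecified' and other formats need an explicit local policy
```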



Source: https://stackoverflow.com/questions/10149492/what-is-the-purpose-of-saml-2-subject-name-identifier
