...
To identify a user, the relying party can use the subject. This subject is made available in the "sub" claim. In SAML this is called the NameID. The subject is guaranteed to be stable for a given user, except in the case of transient identifiers. SURFconext will generate a subject for each new user. It is unique to the user and specific to the relying party, so RPs cannot correlate the subjects they receive with each other. There are two types:
...