...

Service Providers should use the NameID or eduPersonTargetedID (rather than the email address or other attributes that might change over time) to identify users. The NameID is guaranteed to be stable and never changes for a given user (except in the case of transient identifiers, see below). It is generated for each new user by SURFconext and is based on a hash over the uid, the schacHomeOrganization (together unique for a user across the federation), the SP entityID and a secret. It is therefore both unique for that user and specific to the SP, so SPs cannot correlate the NameIDs they receive with each other.

SURFconext can provide NameIDs of 2 different types:

...

  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  • urn:oasis:names:tc:SAML:2.0:nameid-format:transient
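The derivation described above, as an added illustration that is not SURFconext's own code: the exact construction (HMAC-SHA256 over length-prefixed fields), the secret and all user and SP sample values are assumptions. It shows why a persistent NameID built this way is stable for one user at one SP, yet different and uncorrelatable between SPs without the secret.

```python
import base64
import hashlib
import hmac

# Constructed sample secret; the real federation secret and hash layout are not on the page.
FEDERATION_SECRET = b"constructed-example-secret"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def derive_persistent_nameid(uid: str, schac_home_organization: str,
                             sp_entity_id: str, secret: bytes = FEDERATION_SECRET) -> str:
    """Pairwise pseudonymous identifier (assumed construction, not SURFconext's).

    Keyed hash over (uid, schacHomeOrganization, SP entityID): the same user at the
    same SP always yields the same value, while another SP gets an unrelated value,
    so two SPs cannot link their NameIDs without knowing the secret.
    """
    # Length-prefix every field so ("ab", "c") and ("a", "bc") cannot collide.
    material = b"".join(
        len(field.encode()).to_bytes(2, "big") + field.encode()
        for field in (uid, schac_home_organization, sp_entity_id)
    )
    digest = hmac.new(secret, material, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def nameid_element(uid: str, org: str, sp_entity_id: str) -> str:
    """Render the value as the <saml:NameID> element an SP would see (simplified)."""
    value = derive_persistent_nameid(uid, org, sp_entity_id)
    return f'<saml:NameID Format="{PERSISTENT}">{value}</saml:NameID>'


def check_properties(uid: str, org: str, sp_a: str, sp_b: str) -> tuple:
    """Return (stable_for_same_sp, differs_between_sps) for the given inputs."""
    first = derive_persistent_nameid(uid, org, sp_a)
    again = derive_persistent_nameid(uid, org, sp_a)
    other_sp = derive_persistent_nameid(uid, org, sp_b)
    return first == again, first != other_sp


if __name__ == "__main__":
    # Constructed sample user and SP entityIDs.
    print(nameid_element("jdoe", "example.edu", "https://sp-a.example.org/saml"))
    print(check_properties("jdoe", "example.edu",
                           "https://sp-a.example.org/saml", "https://sp-b.example.org/saml"))
```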


Attribute schemas

SURFconext supports two attribute schemas: a (SAML 2.0 compliant) urn:oid schema and a (SAML 1.1) named urn schema. Both can be used to convey the same information (except for the NameID, which is only available in the urn:oid schema). By default SURFconext provides attributes in both schemata as part of the assertion. Mixing the two schemata is not recommended, but for legacy reasons SURFconext offers both.

...