...
The user's identity is transmitted in the form of the NameID element of the SAML statement. Every Identity Provider must supply a NameID, but for privacy reasons SURFconext will generate a new one regardless. For convenienceBecause some software is (was) unable to read the NameID, this identifier is duplicated in the SAML attribute eduPersonTargetedID (see below).
...