...
To identify a user the Service Provider must use the NameID or eduPersonTargetedID. The NameID is guaranteed to be stable for a fixed user (, except in the case of transient identifiers). SURFconext will generate a NameID for each new user. It is unique for the user and specific to the SP, so SP's cannot correlate their received NameID's between each other. There are two types of NameIDs:
urn:oasis:names:tc:SAML:2.0:nameid-format:persistentA persistent NameID contains a unique string identifying the user for this SP and is persisting over multiple sessions.urn:oasis:names:tc:SAML:2.0:nameid-format:transientA transient NameID contains a unique string identifying the user for this SP during the session. If the user logs in again, a new transient identifier will be generated.
| Warning | ||
|---|---|---|
| ||
Although the The NameID and eduPersonTargetedID, which is basically a copy of the NameID, are least likely is unlikely to change and very privacy aware they but can change when service providers or identity provider make certain changes causing . This can cause user profiles for services to be lost. The NameID, as used in the SAML assertion to a service provider when loggin' on, is generated using the uid, schacHomeOrganisation, the Entity ID of the service provider together with a secret that uses a SHA algorithm. Institutions or services that are in production and change one of these attributes, will cause a new NameID and eduPersonTargetedID to be generated by SURFconext when doing so. This can cause loss of access to profiles at services. We will discuss this with identity providers and service providers when we see a change in one of these attributes. |
...