...
The user's identity is transmitted in the form of the NameID element of the SAML statement. Every Identity Provider must supply a NameID, but SURFconext will generate a new one regardless. For convenience, this identifier is duplicated in the SAML attribute eduPersonTargetedID (see below).
...