generated from coulomb/repo-seed
Backfill all 23 research source notes with terminology extracts, modeling assumptions, conflicts, canonical mappings, and references. Refresh terminology artifacts, refine the conceptual model with explicit scenario paths, reconcile canon surfaces and open questions, and mark the workplan finished.
5.7 KiB
5.7 KiB
SAML NameID Federation
Source Type
Standard. OASIS SAML 2.0 Core and Profiles for Web Browser SSO; NameID formats and federation metadata conventions.
Domain
Enterprise federation, single sign-on, assertion semantics, and cross-domain identity correlation.
Why This Source Matters
SAML 2.0 remains central to enterprise federation. NameID formats, assertion subject statements, attribute statements, and IdP/SP metadata define how enterprise identities cross organizational boundaries.
Key Concepts
- Identity Provider (IdP): asserts authentication and attributes about a subject to service providers.
- Service Provider (SP): consumes assertions and establishes local session.
- Assertion: XML security token containing subject, conditions, authn statements, and attribute statements.
- Subject / NameID: identifier for the principal at the IdP; carries Format attribute defining syntax and semantics.
- NameID formats: transient, persistent, emailAddress, X509SubjectName, kerberos, entity, unspecified, and others.
- Persistent NameID: stable, opaque identifier for a principal at an IdP.
- Transient NameID: one-time identifier for a single federation session.
- AttributeStatement: SAML attributes (mail, eduPersonPrincipalName, group memberships) about the subject.
- AuthnStatement: authentication instant, session index, and context class.
- AudienceRestriction: scopes assertion to intended SP entity IDs.
- Metadata: XML describing IdP/SP endpoints, certificates, NameID formats, and supported attributes.
- Affiliation / discovery: federations aggregate metadata for trust circles.
Relevant Terminology
| Term | Source meaning |
|---|---|
| Principal | Authenticated entity; identified by NameID in assertion. |
| NameID | Subject identifier chosen by IdP; format determines semantics. |
| Persistent NameID | Long-lived opaque ID stable for principal at IdP. |
| Transient NameID | Ephemeral ID for one session; privacy-preserving. |
| Subject | SAML assertion subject element holding NameID. |
| Attribute | Named property asserted about subject. |
| EntityID | Unique identifier for IdP or SP in metadata. |
| Assertion | Signed statement about authentication and attributes. |
| SessionIndex | Handle for single logout correlation. |
| Audience | Intended SP for assertion consumption. |
Modeling Assumptions
- NameID is the primary correlation key between IdP and SP for account linking.
- Format determines persistence and privacy; persistent enables cross- session linking, transient prevents it.
- Principal means authenticated subject, not a pre-provisioned local user.
- Attributes are asserted, not authoritative directory records in the SP.
- Trust is pairwise between IdP and SP via metadata exchange.
- Groups may appear as attributes, not as first-class relationship tuples.
- Federation operates across organizational boundaries; each side maintains its own namespace.
Identity-Canon Implications
- SAML NameID maps to Identifier or Scoped Identifier depending on format (persistent vs. transient).
- Persistent NameID supports Synonymity Assertion linking SP local Account to IdP identifier.
- Transient NameID maps to session-scoped Scoped Identifier with no cross-session synonymity.
- Principal in assertion maps to Authenticated Subject projection.
- AttributeStatement attributes map to Claim objects.
- EntityID maps to Scope identifier for IdP/SP.
- AudienceRestriction maps to Scope boundary for assertion validity.
- Attribute-based group membership maps to Claim (group attribute) or Membership hint, not canonical Group unless provisioned.
- Supports S02 (multi-scope accounts), S13 (strong link via persistent NameID).
Terminology Conflicts
- Principal vs. Subject: SAML uses both; principal is authenticated entity, subject is XML element.
- Principal vs. Authorization Principal: SAML principal is auth subject, not Cedar principal.
- Persistent vs. Pairwise: SAML persistent NameID is IdP-wide stable; OIDC pairwise is RP-specific.
- NameID vs. emailAddress format: email as identifier conflates Identifier with contact attribute.
- Attribute vs. Claim: SAML attribute is XML element; canon Claim is issuer statement — compatible but different syntax.
Candidate Canonical Mappings
| SAML concept | Candidate canonical concept |
|---|---|
| NameID (persistent) | Identifier |
| NameID (transient) | Scoped Identifier (session-bound) |
| NameID (emailAddress) | Identifier (with attribute conflation risk) |
| Principal | Authenticated Subject |
| Subject element | Protocol binding for Authenticated Subject |
| AttributeStatement attribute | Claim |
| EntityID (IdP/SP) | Scope identifier |
| Assertion | Credential / signed assertion |
| Audience | Scope boundary |
| SessionIndex | Session correlation reference (projection) |
| SP local account mapping | Synonymity Assertion |
Open Questions
- Should persistent NameID map to strong Synonymity by default, or only after SP verification (S13)?
- How should eduPerson / SCHAC attribute vocabularies map to Profile vs. Claim?
- Does transient NameID session scope warrant a distinct Lifecycle State on the Scoped Identifier?
- Should federation metadata trust map to Trust Relationship with certificate Evidence Source?
References
- SAML 2.0 Core — http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
- SAML 2.0 Profiles — http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
- SAML NameID Format URIs — http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf (§8.3)
- REFEDS entity categories — https://refeds.org/category