Files
identity-canon/research/authentication-federation/saml-nameid-federation.md
tegwick 1c1b5c9bc6 Complete IDENTITY-WP-0003 corpus backfill and model refinement
Backfill all 23 research source notes with terminology extracts, modeling
assumptions, conflicts, canonical mappings, and references. Refresh terminology
artifacts, refine the conceptual model with explicit scenario paths, reconcile
canon surfaces and open questions, and mark the workplan finished.
2026-06-21 20:22:20 +02:00

5.7 KiB

SAML NameID Federation

Source Type

Standard. OASIS SAML 2.0 Core and Profiles for Web Browser SSO; NameID formats and federation metadata conventions.

Domain

Enterprise federation, single sign-on, assertion semantics, and cross-domain identity correlation.

Why This Source Matters

SAML 2.0 remains central to enterprise federation. NameID formats, assertion subject statements, attribute statements, and IdP/SP metadata define how enterprise identities cross organizational boundaries.

Key Concepts

  • Identity Provider (IdP): asserts authentication and attributes about a subject to service providers.
  • Service Provider (SP): consumes assertions and establishes local session.
  • Assertion: XML security token containing subject, conditions, authn statements, and attribute statements.
  • Subject / NameID: identifier for the principal at the IdP; carries Format attribute defining syntax and semantics.
  • NameID formats: transient, persistent, emailAddress, X509SubjectName, kerberos, entity, unspecified, and others.
  • Persistent NameID: stable, opaque identifier for a principal at an IdP.
  • Transient NameID: one-time identifier for a single federation session.
  • AttributeStatement: SAML attributes (mail, eduPersonPrincipalName, group memberships) about the subject.
  • AuthnStatement: authentication instant, session index, and context class.
  • AudienceRestriction: scopes assertion to intended SP entity IDs.
  • Metadata: XML describing IdP/SP endpoints, certificates, NameID formats, and supported attributes.
  • Affiliation / discovery: federations aggregate metadata for trust circles.

Relevant Terminology

Term Source meaning
Principal Authenticated entity; identified by NameID in assertion.
NameID Subject identifier chosen by IdP; format determines semantics.
Persistent NameID Long-lived opaque ID stable for principal at IdP.
Transient NameID Ephemeral ID for one session; privacy-preserving.
Subject SAML assertion subject element holding NameID.
Attribute Named property asserted about subject.
EntityID Unique identifier for IdP or SP in metadata.
Assertion Signed statement about authentication and attributes.
SessionIndex Handle for single logout correlation.
Audience Intended SP for assertion consumption.

Modeling Assumptions

  • NameID is the primary correlation key between IdP and SP for account linking.
  • Format determines persistence and privacy; persistent enables cross- session linking, transient prevents it.
  • Principal means authenticated subject, not a pre-provisioned local user.
  • Attributes are asserted, not authoritative directory records in the SP.
  • Trust is pairwise between IdP and SP via metadata exchange.
  • Groups may appear as attributes, not as first-class relationship tuples.
  • Federation operates across organizational boundaries; each side maintains its own namespace.

Identity-Canon Implications

  • SAML NameID maps to Identifier or Scoped Identifier depending on format (persistent vs. transient).
  • Persistent NameID supports Synonymity Assertion linking SP local Account to IdP identifier.
  • Transient NameID maps to session-scoped Scoped Identifier with no cross-session synonymity.
  • Principal in assertion maps to Authenticated Subject projection.
  • AttributeStatement attributes map to Claim objects.
  • EntityID maps to Scope identifier for IdP/SP.
  • AudienceRestriction maps to Scope boundary for assertion validity.
  • Attribute-based group membership maps to Claim (group attribute) or Membership hint, not canonical Group unless provisioned.
  • Supports S02 (multi-scope accounts), S13 (strong link via persistent NameID).

Terminology Conflicts

  • Principal vs. Subject: SAML uses both; principal is authenticated entity, subject is XML element.
  • Principal vs. Authorization Principal: SAML principal is auth subject, not Cedar principal.
  • Persistent vs. Pairwise: SAML persistent NameID is IdP-wide stable; OIDC pairwise is RP-specific.
  • NameID vs. emailAddress format: email as identifier conflates Identifier with contact attribute.
  • Attribute vs. Claim: SAML attribute is XML element; canon Claim is issuer statement — compatible but different syntax.

Candidate Canonical Mappings

SAML concept Candidate canonical concept
NameID (persistent) Identifier
NameID (transient) Scoped Identifier (session-bound)
NameID (emailAddress) Identifier (with attribute conflation risk)
Principal Authenticated Subject
Subject element Protocol binding for Authenticated Subject
AttributeStatement attribute Claim
EntityID (IdP/SP) Scope identifier
Assertion Credential / signed assertion
Audience Scope boundary
SessionIndex Session correlation reference (projection)
SP local account mapping Synonymity Assertion

Open Questions

  • Should persistent NameID map to strong Synonymity by default, or only after SP verification (S13)?
  • How should eduPerson / SCHAC attribute vocabularies map to Profile vs. Claim?
  • Does transient NameID session scope warrant a distinct Lifecycle State on the Scoped Identifier?
  • Should federation metadata trust map to Trust Relationship with certificate Evidence Source?

References