The NameID is the identifier used by both the service provider and the identity provider to identify a principal (system user).

So let's say I require users on one service provider to input their username and password for logging in, their SSN and password for logging in on another, and their username and password for logging in on a third. Can several service providers have different usernames, yet use the same NameID for identifying the SAML session?

Also, is it possible to have service providers using different NameID formats between them, or do they have to be the same value for it to refer to the same principal?

1 Answer

Name identifiers can be anything; an email address or a Kerberos principal name are common, every-day examples of such information. They do not always equal the username.

Straight from the Shib documentation. Thus you could have a NameID coming back from your IdP as something completely unrelated to the username.

To answer your same question, it all depends on what identity providers you hook the service providers up to. More than likely, it sounds like what you want is multiple identity providers that give back the same NameID format.

In SAML 2.0, you can specify what formats the NameID can come back as so you can have a common pattern across identity providers and prevent having crazy logic to parse out each of the NameIDs that could come back.
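The point made above (a NameID is not a username, its Format tells the service provider what kind of identifier it is, and the SP can tell the IdP which formats it accepts) can be shown concretely. The following is an added example, not code from the original post or from Shibboleth. It builds a `NameIDPolicy` element for an AuthnRequest, extracts the NameID and its Format from constructed sample assertions, and derives an account-lookup key. The sample issuer URLs, SPNameQualifier and NameID values are constructed for illustration; the format URIs are the standard ones from the SAML 2.0 Core specification. The key is the tuple (Issuer, Format, SPNameQualifier, value) rather than the raw string, so the same person arriving as an email-address NameID from one IdP and as a persistent identifier from another is not silently merged, and a transient NameID is never used as an account key.

```python
"""Added example: SAML 2.0 NameID extraction and format policy for a service provider.
Not the original post's code. Parse with defusedxml and verify the assertion's XML
signature before trusting any element in a real deployment; this example only
demonstrates the NameID / Format handling."""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Standard NameID format URIs (SAML 2.0 Core, section 8.3).
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample assertions (Conditions and Signature omitted). Issuer URLs,
# qualifiers and identifier values are made up for the example.
ASSERTION_EMAIL = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp-a.example.org/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.org</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

ASSERTION_PERSISTENT = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp-b.example.org/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                 SPNameQualifier="https://sp1.example.org">f3a9c0de-constructed</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

ASSERTION_TRANSIENT = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp-b.example.org/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_7c1e-constructed</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# No Format attribute at all: the spec says this means 'unspecified'.
ASSERTION_NO_FORMAT = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp-c.example.org/idp</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
</saml:Assertion>"""


def build_name_id_policy(fmt, allow_create=False):
    """Serialize the samlp:NameIDPolicy an SP puts in its AuthnRequest to ask the IdP
    for a particular NameID format (the mechanism the answer refers to)."""
    ET.register_namespace("samlp", NS["samlp"])
    el = ET.Element("{%s}NameIDPolicy" % NS["samlp"],
                    {"Format": fmt, "AllowCreate": "true" if allow_create else "false"})
    return ET.tostring(el, encoding="unicode")


def extract_name_id(assertion_xml):
    """Return issuer, NameID value, Format and SPNameQualifier from an assertion."""
    root = ET.fromstring(assertion_xml)
    issuer = root.find("saml:Issuer", NS)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if issuer is None or name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion lacks Issuer or Subject/NameID")
    return {
        "issuer": issuer.text.strip(),
        "value": name_id.text.strip(),
        "format": name_id.get("Format", FMT_UNSPECIFIED),  # absent Format == unspecified
        "sp_qualifier": name_id.get("SPNameQualifier", ""),
    }


def resolve_principal(assertion_xml, accepted_formats):
    """Map an assertion to an account-lookup key, or (None, reason) if this SP
    does not accept the NameID as an account identifier."""
    info = extract_name_id(assertion_xml)
    if info["format"] not in accepted_formats:
        return None, "format not accepted by this SP: " + info["format"]
    if info["format"] == FMT_TRANSIENT:
        return None, "transient NameID identifies a session only, not an account"
    # Scope the key by issuer and format so identifiers from different IdPs or of
    # different kinds never collide, even when the raw strings happen to match.
    key = (info["issuer"], info["format"], info["sp_qualifier"], info["value"])
    return key, "ok"


if __name__ == "__main__":
    print(build_name_id_policy(FMT_PERSISTENT, allow_create=True))
    for a in (ASSERTION_EMAIL, ASSERTION_PERSISTENT, ASSERTION_TRANSIENT, ASSERTION_NO_FORMAT):
        print(resolve_principal(a, {FMT_EMAIL, FMT_PERSISTENT}))
```

Each service provider passes its own `accepted_formats` set, which is how two SPs attached to the same IdPs can disagree on what they will accept while still referring to the same person; linking an email-format identity to a persistent-format identity for one account is an explicit provisioning step on the SP side, not something the key derivation should do on its own.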