Can NameIdentifier and IdentityProvider (WIF) claims be used to uniquely identify any user?

Question

Thinking of using Access Control Service (ACS) and Windows Identity Foundation (WIF) to secure my WCF Data Services Web API application.

How can I use claims to uniquely identify a user?

My idea is to use the combination of the standard claim NameIdentifier and the WIF claim IdentityProvider combined to create a unique ID for any user.

Is this combo truly stable and unique? Could an IP suddenly change it's IdentityProvider string?

The idea here is to store the concatenated string of the two halves as a unique ID for any user.

Does the NameIdentifier claim have any security implications?

Cheers,

M.

Answer 1

This seems reasonable. Note that nameidentifier is IdP specific, meaning it is supplied by the identity provider you authenticated with (e.g. LiveID, Google, etc). ACS is simply copying this value into a claim. Check with each one of those providers to see what guarantees they make. My assumption is that they should not change for a "returning user" -> someone who posseses the same username/Password.

People often use e-mail addresses as well. When available, you might want to correlate it too as an extra measure.

Answer 2

Justin Smith mentioned this in his MIX11 talk (see slide 22, 28 minutes into the talk) - it was my understanding that ACS gives you the nameidentifier and the IdP name. You take the tuple together and it should be good for unique id.