Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

What is the purpose of nameidentifier claim?

Tags:

claims-based-identity

adfs2.0

federated-identity

What the claim of type http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier should be used for?

This is the main question, and here are additional ones.

How does it differ from http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name claim?

Is it permanent for particular user as opposed to name claim?

Is it globally-scoped or IdP-scoped?

like image 311
Anthony Serdyukov Avatar asked Apr 28 '11 05:04

Anthony Serdyukov

1 Answers

Name, is just that a name. If we're talking person, think "Eric"; a server "file01".

A NameIdentifier is the ID for an object. Turning back to our person object, Eric's UserID might be 435 in your database. For the server the Identifier could be something like a FQDN or a SID.

According to this post, apparently Name Identifier was a SAML 1.1 property, and is being supplanted by NameID in SAML 2.0.

Unique or Not?

I wanted to address @Jason's comment and @nzpcmad's post. I don't see uniqueness as a clear cut requirement. The question is tagged adfs2.0 but the schema referenced is owned by OASIS. So those are the two parties interpretations we need to balance.

Microsoft's stance for ADFS is clearly that there is a unique requirement. We see that in the "The Role of Claims" article. No doubt ADFS casts a big shadow, but this seems like an implementation detail.

Looking at the SAML 1.1 spec, however, I see no such assertion. The closest we get in section 2.4.2.2 of spec is:

The element specifies a subject by a combination of a name qualifier, a name, and a format. The element has the following attributes:
...
NameQualifier[optional] The security or administrative domain that qualifies the name of the subject. This attribute provides a means to federate names from disparate user stores without collision.

The text of the spec tells me that I need to be able to find a person using a combination of the three attributes, but it makes no assertion as to uniqueness. Couldn't I have two entries that point to the same user? Seems so. Moreover, wouldn't' the spec indicate the NameQualifier attribute was required in cases where NameIdentifier was insufficient to uniquely identify the name?

So what's this all lead to?

  • Be careful, unqiue is likely safer.
  • Dig into your providers stance on the topic.
like image 72
EBarr Avatar answered Oct 10 '22 02:10

EBarr
Sign in to Comment

Related questions

Can I modify claims in ASP.NET Identity with OWIN after calling SignIn?
Adding Claims-based authorization to MVC 3
How to create a ClaimsPrincipal that has Identity.Authenticated set to true?
MVC 5 OWIN login with claims and AntiforgeryToken. Do I miss a ClaimsIdentity provider?
ASP.NET Core - Add role claim to User
Can't get claims from JWT token with ASP.NET Core
How to set TimeOut for OwinContext in MVC 5
Add claims on successful login and retrieve it elsewhere in the application
Difference between Service Principal and Managed Identities in Azure
Server side claims caching with Owin Authentication
How to use Windows Active Directory Authentication and Identity Based Claims?
How do I remove an existing claim from a ClaimsPrinciple?
How do I create a ClaimsIdentity object for Asp.NET MVC 5?
How do I perform WIF/claims impersonation without the claim being mapped to an AD account?
Using Windows Domain accounts AND application-managed accounts
ASP.NET Identity and Claims
Owin claims - Add multiple ClaimTypes.Role
MVC5 (VS2012) Identity CreateIdentityAsync - Value cannot be null
What's the role of the ClaimsPrincipal, why does it have multiple Identities?
Embedded statement cannot be a declaration or labeled statement

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!