SAML 2.0 name identifier formats (Federation)
SAML 2.0 name identifier formats control how the users at identity providers are mapped to users at service providers during single sign-on. ISAM supports the following name identifier formats:
- Email address
  - A user logs in to the service provider with the same name used to log in at the identity provider. For example, if a user is logged in at the identity provider as user1, then they will also be logged in as user1 at the service provider.
- Persistent aliases
  - Use this format when a user should log in at the identity provider as one user but log in at the service provider as a different user. Before using it, link the user at the identity provider with the user at the service provider. The linking can be done during single sign-on or with the alias service. For example, suppose user1 in the identity provider is linked with user2 in the service provider. If user1 is logged in at the identity provider, then they will be logged in as user2 at the service provider after single sign-on.
- Transient aliases
  - Use this format when every user should log in to the service provider as a shared anonymous user, regardless of which user they use to log in at the identity provider. For example, suppose user1 is a shared anonymous user in the service provider. If the user is logged in as user2 in the identity provider, then they will be logged in as user1 in the service provider after single sign-on. Similarly, if the user is logged in as user3 in the identity provider, then they will also be logged in as user1 in the service provider.
See Alias service for information about how to manage aliases.
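The mapping rules above, shown as an added example of service-provider-side NameID resolution (this is illustrative code, not ISAM's own implementation). It assumes the standard SAML 2.0 format URIs, a constructed alias table keyed by the identity provider's entity ID so a persistent alias only resolves for the issuer that created it, and that the assertion's signature has already been validated before this step runs.

```python
"""Resolve a SAML 2.0 NameID to a service-provider user (constructed example)."""
import xml.etree.ElementTree as ET
from typing import Optional

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

IDP = "https://idp.example.com/saml"  # constructed identity provider entity ID
# Constructed alias table: (issuer entity ID, persistent alias) -> SP user.
# The opaque alias "abc123" stands for the link "user1 at IdP -> user2 at SP".
ALIASES = {(IDP, "abc123"): "user2"}
SHARED_ANON_USER = "user1"  # the shared anonymous SP user for transient NameIDs


def resolve_sp_user(assertion_xml: str, expected_issuer: str,
                    aliases=ALIASES) -> Optional[str]:
    """Return the SP user for the assertion's NameID, or None if it cannot be mapped.

    Assumes the assertion signature was already verified by the caller.
    """
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        return None  # NameIDs are only meaningful for the partner we expect
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        return None
    fmt = name_id.get("Format", "")
    value = name_id.text.strip()
    if fmt == EMAIL:
        return value  # same name on both sides
    if fmt == PERSISTENT:
        return aliases.get((issuer, value))  # None until the alias is linked
    if fmt == TRANSIENT:
        return SHARED_ANON_USER  # every IdP user becomes the shared user
    return None  # unsupported or missing format


def make_assertion(issuer: str, fmt: str, value: str) -> str:
    """Build a minimal constructed assertion for the examples (unsigned)."""
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f'<saml:Subject><saml:NameID Format="{fmt}">{value}</saml:NameID></saml:Subject>'
        "</saml:Assertion>"
    )
```

An unlinked persistent alias resolves to None, which is the point at which an SP would start the linking flow rather than guess a local user.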