SAML 2.0 name identifier formats

SAML 2.0 name identifier formats control how the users at identity providers are mapped to users at service providers during single sign-on.

Security Access Manager supports the following name identifier formats:

Email address
Use the email address name identifier format if you want a user to log in at the service provider as the same user that they use to log in at the identity provider.

For example, if a user is logged in at the identity provider as user1, then they will also be logged in as user1 at the service provider after single sign-on.

Persistent aliases
Use the persistent name identifier format if you want a user to log in at the identity provider as one user, but log in at the service provider as a different user.

Before you can use this name identifier format, you must link the user at the identity provider with the user at the service provider. You can choose to have the user linking done during single sign-on or by using the alias service.

For example, suppose user1 in the identity provider is linked with user2 in the service provider. If user1 is logged in at the identity provider, then they will be logged in as user2 in the service provider after single sign-on.

Transient aliases
Use the transient name identifier format if you want a user to log in as a shared anonymous user, regardless of which user they use to log in at the identity provider.

For example, suppose user1 is a shared anonymous user in the service provider. If the user is logged in as user2 in the identity provider, then they will be logged in as user1 in the service provider after single sign-on. Similarly, if the user is logged in as user3 in the identity provider, then they will also be logged in as user1 in the service provider.
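The three mappings above (email address, persistent alias, transient alias) can be shown side by side on the service-provider side. The following Python is an added illustration and is not Security Access Manager code: it reads the Format attribute of the Subject/NameID element from a constructed, unsigned assertion (signature validation is assumed to have happened before this point) and picks the local user the way each format prescribes. The alias table, the shared anonymous account name, the issuer URL and the function names are assumptions made for the example; the NameID format URIs are the standard OASIS identifiers.

```python
import xml.etree.ElementTree as ET

# Standard SAML NameID format URIs defined by OASIS.
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical service-provider state (assumption for this example, not the
# product's real alias store): aliases created by user linking, keyed by
# (issuer, persistent NameID value), plus the shared anonymous account.
ALIAS_TABLE = {("https://idp.example.com/saml", "a1b2c3-persistent-id"): "user2"}
SHARED_ANONYMOUS_USER = "user1"


def extract_name_id(assertion_xml: str):
    """Return (format, value, issuer) from the assertion's Subject/NameID.

    The assertion is assumed to be signature-verified and trusted already;
    this function only reads the identifier, it does not authenticate it.
    """
    root = ET.fromstring(assertion_xml)
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not issuer:
        raise ValueError("assertion lacks Issuer or Subject/NameID")
    # Per the SAML core spec a missing Format attribute means 'unspecified'.
    fmt = name_id.get("Format", NAMEID_UNSPECIFIED)
    return fmt, (name_id.text or "").strip(), issuer


def map_to_local_user(assertion_xml: str) -> str:
    """Choose the local (service-provider) user according to the NameID format."""
    fmt, value, issuer = extract_name_id(assertion_xml)
    if fmt == NAMEID_EMAIL:
        # Email address: the same identity on both sides, so use it directly.
        return value
    if fmt == NAMEID_PERSISTENT:
        # Persistent alias: the opaque value must already be linked to a local
        # user; an unlinked alias cannot be resolved and single sign-on fails.
        local = ALIAS_TABLE.get((issuer, value))
        if local is None:
            raise PermissionError(f"no local user linked to persistent alias {value!r}")
        return local
    if fmt == NAMEID_TRANSIENT:
        # Transient alias: whatever one-time value the identity provider sent,
        # every such user lands on the shared anonymous account.
        return SHARED_ANONYMOUS_USER
    raise ValueError(f"unsupported NameID format {fmt}")


def make_assertion(fmt: str, value: str, issuer: str = "https://idp.example.com/saml") -> str:
    """Build a constructed, minimal, unsigned assertion for demonstration."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f'<saml:Subject><saml:NameID Format="{fmt}">{value}</saml:NameID></saml:Subject>'
        "</saml:Assertion>"
    )


if __name__ == "__main__":
    for fmt, value in [
        (NAMEID_EMAIL, "user1@example.com"),
        (NAMEID_PERSISTENT, "a1b2c3-persistent-id"),
        (NAMEID_TRANSIENT, "_one-time-id-1"),
        (NAMEID_TRANSIENT, "_one-time-id-2"),
    ]:
        print(fmt.rsplit(":", 1)[1], value, "->", map_to_local_user(make_assertion(fmt, value)))
```

The persistent branch deliberately keys the alias on the issuer as well as the NameID value, because a persistent identifier is only meaningful in the context of the identity provider that issued it; the same opaque string from a different issuer must not resolve to the same local user.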

See Alias service for information about how to manage aliases.