名称标识符声明的目的是什么?

类型 http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier的索赔应该用于什么?

这是主要问题,这里还有其他问题。

它与 http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name索赔有什么不同?

对于特定的用户而言,它是永久的吗?

它是全局范围的还是 IdP 范围的?

43278 次浏览
小开

Per The Role of Claims,

Name The unique name of the user

Name Identifier The SAML name identifier of the user

These two claims are part of the group of claims that AD FS 2.0 configures by default.

This implies that they are IP scoped.

e.g. when you log in to Google using ACS, "nameidentifier" is the unique GUID associated with your account by Google whereas name is your Google login e.g. "tim.smith@gmail.com".

小开

Name, is just that a name. If we're talking person, think "Eric"; a server "file01".

A NameIdentifier is the ID for an object. Turning back to our person object, Eric's UserID might be 435 in your database. For the server the Identifier could be something like a FQDN or a SID.

According to this post, apparently Name Identifier was a SAML 1.1 property, and is being supplanted by NameID in SAML 2.0.

Unique or Not?

I wanted to address @Jason's comment and @nzpcmad's post. I don't see uniqueness as a clear cut requirement. The question is tagged but the schema referenced is owned by OASIS. So those are the two parties interpretations we need to balance.

Microsoft's stance for ADFS is clearly that there is a unique requirement. We see that in the "The Role of Claims" article. No doubt ADFS casts a big shadow, but this seems like an implementation detail.

Looking at the SAML 1.1 spec, however, I see no such assertion. The closest we get in section 2.4.2.2 of spec is:

The element specifies a subject by a combination of a name qualifier, a name, and a format. The element has the following attributes:
...
NameQualifier[optional] The security or administrative domain that qualifies the name of the subject. This attribute provides a means to federate names from disparate user stores without collision.

The text of the spec tells me that I need to be able to find a person using a combination of the three attributes, but it makes no assertion as to uniqueness. Couldn't I have two entries that point to the same user? Seems so. Moreover, wouldn't' the spec indicate the NameQualifier attribute was required in cases where NameIdentifier was insufficient to uniquely identify the name?

So what's this all lead to?

  • Be careful, unqiue is likely safer.
  • Dig into your providers stance on the topic.
小开

The nameidentifier claim should be used for getting a unique user name.

For Windows Authentication:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier domain\warlock

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name 0#.w|domain\warlock

domain\warlock is a Windows Login name

For Claims Based Authentiacation:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier warlock@localhost.com

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name 05.t|myidentityprovider|warlock@localhost.com

email was specified as the Identifier Claim

As you can see .../identity/claims/name describes name and identity provider as well.

小开

ClaimTypes.Name is for username and ClaimTypes.NameIdentifier specifies identity of the user as object perspective. If you add them in a kind of ClaimIdentity object that provides you to reach User.Identity methods(for example in the dotnet world) which are GetUserName() and GetUserId().


提交答案