When doing authn against a SAML 2 IdP, what is the Subject Name Identifier supposed to be for? Does it track each user login?
I'm wondering if my SAML 2 service provider application should track these for different users. Since they are transient, they can be different for different logins (so I would need to track using a collection hanging off the user account).
The <NameIdentifier> element is a SAML 1.1 concept. It has been superseded by the <NameID> element, which identifies the subject. NameID is not necessarily transient - see section 8.3 of the SAML 2.0 core specification.
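Added example (not code from the question or the answer above): an SP-side helper that reads the <NameID> and its Format out of an assertion and decides whether the value is a stable account key or a per-session transient handle. The Format URNs are the ones defined in section 8.3 of the SAML 2.0 core spec; the assertion, IdP and SP entity IDs are constructed.

```python
# Assumes a SAML 2.0 <Assertion> whose <Subject> carries a <NameID>.
import xml.etree.ElementTree as ET  # real SP code should use defusedxml for untrusted XML

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FMT20 = "urn:oasis:names:tc:SAML:2.0:nameid-format:"
FMT11 = "urn:oasis:names:tc:SAML:1.1:nameid-format:"
TRANSIENT = FMT20 + "transient"
DEFAULT_FORMAT = FMT11 + "unspecified"  # spec 8.3.1: the default when Format is absent


def parse_name_id(assertion_xml: str) -> dict:
    """Extract the NameID value and the attributes that scope it."""
    root = ET.fromstring(assertion_xml)
    nid = root.find("./saml:Subject/saml:NameID", NS)
    if nid is None or not (nid.text or "").strip():
        raise ValueError("assertion has no Subject/NameID")
    return {
        "value": nid.text.strip(),
        "format": nid.get("Format", DEFAULT_FORMAT),
        "name_qualifier": nid.get("NameQualifier"),       # issuing IdP
        "sp_name_qualifier": nid.get("SPNameQualifier"),  # SP the value was minted for
    }


def is_stable_identifier(name_id: dict) -> bool:
    """Only the transient format is defined as changing from session to session."""
    return name_id["format"] != TRANSIENT


def account_key(name_id: dict):
    """Key linking the IdP subject to a local account, or None if it must not be stored.

    The qualifiers are part of the identity: the same string from another IdP, or
    minted for another SP, names a different subject (spec 8.3.7)."""
    if not is_stable_identifier(name_id):
        return None
    return (name_id["name_qualifier"], name_id["sp_name_qualifier"],
            name_id["format"], name_id["value"])


# Constructed sample assertion (signature and conditions omitted for brevity)
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                 NameQualifier="https://idp.example.org" SPNameQualifier="https://sp.example.com">
      8a7f3c2d-opaque-handle</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

if __name__ == "__main__":
    nid = parse_name_id(SAMPLE)
    print("stable:", is_stable_identifier(nid), "key:", account_key(nid))
```

For a transient NameID the key is None, so the SP keeps the value only for the life of the session (for example to build a LogoutRequest) and never as a row on the user account.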