The choice you make on the Identity Mapping screen affects how your SP partner makes use of account mapping or account linking.

If your SP is using account linking, establishing an attribute contract is not required. However, depending on your agreement, you may choose to supplement the account link with an attribute contract. In this configuration the account link is used to determine the user's identity, while the additional attributes might be used for authorization decisions, customized web pages, and so on, at the SP site (see User attributes).
Important: If you have previously set up a configuration to use an attribute contract and want to change the configuration to use account linking without additional attributes, then the existing attribute contract will be discarded.

  1. Select the type of name identifier that you and your SP have agreed to use.
    | Option | Description |
    |--------|-------------|
    | Standard | Select the Standard option if you want to send a known attribute to identify a user (for example, a username or an email address). In this scenario, the SP often uses account mapping to identify the user locally. |
    | Pseudonym | Select the Pseudonym option if you and the SP have agreed to use a unique, opaque persistent name identifier, which cannot be traced back to the user's identity at the IdP. The identifier may also be used by the SP to make a persistent association between the user and a specific local account (account linking). Select the Include attributes ... check box if you want to set up an attribute contract to use in conjunction with an opaque identifier. |
    | Transient | Select Transient to enhance the privacy of a user's identity. Unlike a pseudonym, a transient identifier is different each time a user initiates SSO. A typical application for this selection might be, for example, when an SP provides generalized group accounts based on organizational rather than individual identity. Select the Include attributes ... check box if you want to set up an attribute contract to use in conjunction with an opaque identifier. |
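
The three options seen from both sides of the connection, as an added example that is not part of the original page and not the product's own code: the IdP issues an identifier, and the SP resolves it by account mapping, account linking, or a group account. Assumptions: the SAML 2.0 name-identifier format URIs paired with each option, the keyed-hash pseudonym derivation, and every name, key and entity ID, all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; none come from the product documentation.
IDP_SECRET = b"constructed-demo-key-not-for-production"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def issue_name_id(option, username, sp_entity_id):
    """IdP side: return (format, value) for the chosen identity-mapping option."""
    if option == "standard":
        # Known attribute sent as-is; the SP resolves it through account mapping.
        return UNSPECIFIED, username
    if option == "pseudonym":
        # Keyed hash over SP and user: stable per pair, opaque without the key.
        # Assumed derivation for illustration, not the product's algorithm.
        msg = f"{sp_entity_id}\x00{username}".encode()
        return PERSISTENT, hmac.new(IDP_SECRET, msg, hashlib.sha256).hexdigest()
    if option == "transient":
        # Fresh random value on every SSO, so nothing persists to link on.
        return TRANSIENT, secrets.token_hex(16)
    raise ValueError(f"unknown option: {option}")


class ServiceProvider:
    """SP side (hypothetical): mapping, linking, or a shared group account."""

    def __init__(self, local_accounts):
        self.local_accounts = set(local_accounts)
        self.links = {}  # pseudonym -> local account (account linking)

    def resolve(self, name_format, value, attributes=None, link_to=None):
        if name_format == UNSPECIFIED:
            return value if value in self.local_accounts else None
        if name_format == PERSISTENT:
            if value not in self.links and link_to in self.local_accounts:
                self.links[value] = link_to  # first visit: the user links once
            return self.links.get(value)
        if name_format == TRANSIENT:
            # No individual identity: fall back to organizational attributes.
            org = (attributes or {}).get("organization")
            return f"group:{org}" if org else None
        return None
```

With the transient option the SP can only reach a decision from the attribute contract, which is why the Include attributes check box matters most there.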