What is the purpose of SAML 2 Subject Name Identifier?
When doing authn against a SAML 2 IdP, what is the Subject Name Identifier supposed to be for? Does it track each user login?

I'm wondering if my SAML 2 service provider application should track these for different users. Since they are transient, they can be different for different logins (so I would need to track using a collection hanging off the user account).

Maryleemarylin answered 13/4, 2012 at 23:19
Name Identifier contains several attributes.

The first attribute is NameQualifier, which specifies the security domain of the user at the IDP. The security domain is useful for disambiguating different users that use the same name identifier.

The second attribute is SPNameQualifier, which specifies the security domain of the user at the SP.

The third attribute is Format, which specifies how the name identifier should be interpreted.

For example, the Email Address name identifier format is used when the user wants to use the same name identifier in the IDP and the SP. This means that if the user logs in as [email protected] in the IDP, the user also logs in as [email protected] in the SP.

Another example: the Persistent Identifier is used when the user does not want to use the same name identifier in the IDP and the SP. This means that a user can log in as [email protected] in the IDP, but log in as [email protected] in the SP. This is achieved by using an identifier, such as 12345, agreed by the IDP and the SP, which is mapped to [email protected] in the IDP and mapped to [email protected] in the SP. The Persistent Identifier is useful when you do not want the SP to know the name identifier of the user in the IDP.

Virgilvirgilia answered 9/3, 2013 at 14:17
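To make the NameQualifier / SPNameQualifier / Format distinction concrete for the original question (should the SP store these identifiers?), here is an added example that is not part of the answer above or of any SAML library. It parses the NameID of a constructed assertion with the standard library and derives the key under which an SP would store the account: a transient identifier is never stored, a persistent one is keyed by both qualifiers plus the value, and an identifier scoped to a different SP is rejected. The entity IDs, the assertion text and the account store are all constructed for the example; signature and Conditions checking, which a real SP performs before reading the Subject, are deliberately outside its scope.

```python
# Added example (not code from the answer or any SAML library).
import xml.etree.ElementTree as ET  # use defusedxml for untrusted assertions

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

IDP = "https://idp.example.org"  # constructed entity IDs for the example
SP = "https://sp.example.com"


def sample_assertion(fmt: str, value: str, sp_qualifier: str = SP) -> str:
    """Build a minimal constructed assertion (no Signature, no Conditions)."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_ex" Version="2.0">'
        f"<saml:Issuer>{IDP}</saml:Issuer><saml:Subject>"
        f'<saml:NameID Format="{fmt}" NameQualifier="{IDP}" '
        f'SPNameQualifier="{sp_qualifier}">{value}</saml:NameID>'
        "</saml:Subject></saml:Assertion>"
    )


def parse_name_id(assertion_xml: str) -> dict:
    """Extract value, Format and both qualifiers from Subject/NameID."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext(f"{{{SAML_NS}}}Issuer", default="").strip()
    nid = root.find(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    if nid is None:
        raise ValueError("assertion carries no Subject/NameID")
    return {
        "value": (nid.text or "").strip(),
        "format": nid.get("Format", FMT_UNSPECIFIED),
        # SAML 2.0 core 8.3.7: an absent NameQualifier means the asserting
        # party, an absent SPNameQualifier means the relying party (the SP).
        "name_qualifier": nid.get("NameQualifier", issuer),
        "sp_name_qualifier": nid.get("SPNameQualifier"),
    }


def account_key(name_id: dict, sp_entity_id: str):
    """Return the key an SP stores this user under, or None if the
    identifier is transient and must not be persisted at all."""
    sp_qualifier = name_id["sp_name_qualifier"] or sp_entity_id
    if sp_qualifier != sp_entity_id:
        # A persistent/pairwise ID minted for another SP is not ours to use.
        raise ValueError(f"NameID is scoped to another SP: {sp_qualifier}")
    fmt = name_id["format"]
    if fmt == FMT_TRANSIENT:
        return None
    if fmt == FMT_PERSISTENT:
        # Same value from a different IdP security domain is a different user.
        return (name_id["name_qualifier"], sp_qualifier, name_id["value"])
    if fmt == FMT_EMAIL:
        local, _, domain = name_id["value"].rpartition("@")
        return ("email", f"{local}@{domain.lower()}")  # domain is case-insensitive
    raise ValueError(f"unsupported NameID format: {fmt}")


def login(store: dict, assertion_xml: str, sp_entity_id: str = SP) -> str:
    """Map an assertion to a local account id. Transient IDs produce a
    session-only result and never touch the store."""
    key = account_key(parse_name_id(assertion_xml), sp_entity_id)
    if key is None:
        return "session-only"
    return store.setdefault(key, f"acct-{len(store) + 1}")


if __name__ == "__main__":
    accounts = {}
    print(login(accounts, sample_assertion(FMT_PERSISTENT, "12345")))
    print(login(accounts, sample_assertion(FMT_TRANSIENT, "_9f2c")))
    print(accounts)
```

The practical answer to the question falls out of `account_key`: only persistent (and email-style) identifiers are worth a column on the user account, and a persistent one is only unique in combination with its two qualifiers, so storing the bare value is not enough when the SP federates with more than one IdP.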
The <NameIdentifier> element is a SAML 1.1 concept. It has been superseded by the <NameID> element which identifies the subject. NameID is not necessarily transient - see section 8.3 of the SAML 2.0 core specification

Acerate answered 19/4, 2012 at 18:37