SAML NameID

SAML NameID is the element within a SAML assertion that uniquely identifies the authenticated user. The format and value are determined by the Identity Provider and must be understood by the Service Provider to map to a local account.

Common Formats

<!-- Email Address -->
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
  user@example.com
</saml:NameID>

<!-- Persistent (opaque, stable identifier) -->
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
  G3k5j2Hw9xPq...
</saml:NameID>

<!-- Transient (changes each session) -->
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
  _abc123session...
</saml:NameID>

<!-- Unspecified -->
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
  jdoe
</saml:NameID>

NameID Vulnerabilities

Comment Injection

<!-- Attacker registers an account they control, e.g. admin@example.com.evil.com,
     and places an XML comment inside the NameID value -->
<saml:NameID>admin@example.com<!---->.evil.com</saml:NameID>

<!-- A parser that reads only the first text node sees: admin@example.com -->
<!-- The full value, with all text nodes joined, is: admin@example.com.evil.com -->

Truncation Attacks

<!-- If the SP truncates at the first null byte (%00 stands for the encoded byte)
     or at another delimiter, it may see only: admin@example.com -->
<saml:NameID>admin@example.com%00@evil.com</saml:NameID>

Security Considerations

  • Validate that the NameID Format matches the one the SP expects
  • Be aware of XML parsing quirks (comments splitting text nodes, encoding)
  • Normalize the full value before comparing it to a local account
  • Consider case sensitivity for email-address formats
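As an added example (not code from the original page), the following Python uses the standard-library xml.dom.minidom to contrast a naive first-text-node read, which the comment injection above defeats, with an extractor that applies the considerations listed: it checks the Format, joins every text node, rejects control characters and malformed addresses, and lowercases email NameIDs. The assertion markup and account names are constructed for the demonstration.

```python
from xml.dom import minidom

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def _assertion(nameid_markup, fmt=EMAIL_FMT):
    """Wrap a NameID in a constructed, minimal assertion (test data only)."""
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}"><saml:Subject>'
            f'<saml:NameID Format="{fmt}">{nameid_markup}</saml:NameID>'
            '</saml:Subject></saml:Assertion>')


# Constructed samples mirroring the two attacks described above.
COMMENT_INJECTED = _assertion("admin@example.com<!---->.evil.com")
TRUNCATION_BAIT = _assertion("admin@example.com%00@evil.com")


def naive_nameid(xml_text):
    """Vulnerable pattern: read only the first text node. The comment splits
    the content into two text nodes, so this returns 'admin@example.com'."""
    node = minidom.parseString(xml_text).getElementsByTagNameNS(SAML_NS, "NameID")[0]
    return node.firstChild.data.strip()


def hardened_nameid(xml_text, expected_format=EMAIL_FMT):
    """Return the full, normalized NameID value or raise ValueError."""
    nodes = minidom.parseString(xml_text).getElementsByTagNameNS(SAML_NS, "NameID")
    if len(nodes) != 1:
        raise ValueError("expected exactly one NameID")
    node = nodes[0]
    if node.getAttribute("Format") != expected_format:
        raise ValueError("unexpected NameID Format")
    parts = []
    for child in node.childNodes:
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            parts.append(child.data)  # join every text node, not just the first
        elif child.nodeType != child.COMMENT_NODE:
            raise ValueError("unexpected markup inside NameID")
    value = "".join(parts).strip()
    if not value or any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise ValueError("empty NameID or control character present")
    if expected_format == EMAIL_FMT:
        # Email NameIDs: exactly one '@', compared case-insensitively.
        if value.count("@") != 1:
            raise ValueError("malformed email NameID")
        value = value.lower()
    return value


def is_rejected(xml_text, expected_format=EMAIL_FMT):
    """True when the hardened extractor refuses the assertion."""
    try:
        hardened_nameid(xml_text, expected_format)
        return False
    except ValueError:
        return True
```

The hardened extractor never truncates, so the bait value with two '@' characters is refused rather than silently mapped to the first address.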
