An Introduction to Identifiers

The term "identifier" comes up frequently in an identity and access management context. But what exactly is an identifier, and what are the characteristics of a "good" identifier?

In short, an identifier is just that — something that identifies a user to an application or service. This is useful because it enables a user to be "remembered" when he or she uses an application or service more than once, and for that application or service to connect the identifier with locally-stored information about a user's "state" in order to personalize user experience when he or she returns to the site. Consider, as an example, a library website. This site might let each user establish a "collection" of books and papers — so in this example, the collection of items is the user's state. The collection would be available to the user each time the user goes to the site.

In terms of IAM, the key concept is that the identity provider (IdP) is the party establishing an identifier for a user. The IdP then can send it via secure channels to the service provider (SP) — in the example above, the library website — so that the SP can use it to help provide a tailored service for the user.

(Note that in IAM, we are mostly interested in cases involving distinct identity providers and service providers within a federated-login context. As a contrast, consider your email provider. It's likely that you've established a username and password directly with the email provider rather than using an external set of credentials to log in, so it's acting as both an IdP and SP.)

What Makes a Good Identifier?

What's needed to establish an account and manage ongoing access? The properties of a "good" identifier provided by an Identity Provider are:

  • The identifier is unique — no two users will have the same identifier.
  • The identifier is never reassigned to another user.
  • The identifier is persistent — meaning that the same identifier will be delivered by the IdP to the SP each time a given person visits the SP's site.

Finally, is it important to make an identifier "human-friendly"? Actually, not really. While it's important for the user to have a human-friendly username to give to the IdP when authenticating, the actual underlying identifier that an IdP sends to an SP doesn't need to be human-friendly. In fact, it's easier to get the other "good" properties — particularly the uniqueness of the identifier — using identifiers that are for software and not for humans.
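To make the three properties concrete, here is a small IdP-side identifier registry written for this article (an added illustration, not code from the eduPerson specification or from any of the sources credited below). It mints opaque, software-facing identifiers, returns the same one on every visit, lets the human-friendly username change without touching the identifier, and retires identifiers on deprovisioning so they can never be handed to another person. The class and method names are this example's own.

```python
import secrets


class IdentifierRegistry:
    """Constructed IdP-side registry that issues opaque identifiers with the
    properties the article lists: unique, never reassigned, persistent."""

    def __init__(self):
        self._by_username = {}  # human-friendly login name -> identifier
        self._issued = set()    # every identifier ever minted, retired ones included

    def identifier_for(self, username):
        """Persistent: the same user gets the same identifier on every visit."""
        if username not in self._by_username:
            self._by_username[username] = self._mint()
        return self._by_username[username]

    def _mint(self):
        # Opaque, software-facing value; the loop turns uniqueness from a
        # probabilistic property into a hard guarantee.
        while True:
            candidate = secrets.token_urlsafe(16)
            if candidate not in self._issued:
                self._issued.add(candidate)
                return candidate

    def rename(self, old_username, new_username):
        """The human-friendly username may change; the identifier must not."""
        if new_username in self._by_username:
            raise ValueError("username already taken")
        self._by_username[new_username] = self._by_username.pop(old_username)

    def deprovision(self, username):
        """Retire the account. The identifier stays in _issued, so it can
        never be reassigned to a different person."""
        return self._by_username.pop(username)

    def is_retired(self, identifier):
        """True for an identifier that was issued once and is no longer live."""
        return (identifier in self._issued
                and identifier not in self._by_username.values())


if __name__ == "__main__":
    reg = IdentifierRegistry()
    alice = reg.identifier_for("alice")
    reg.rename("alice", "alice.smith")
    print(alice == reg.identifier_for("alice.smith"))  # True: survives rename
    reg.deprovision("alice.smith")
    print(reg.identifier_for("alice.smith") != alice)  # True: never reassigned
```

Note that a re-registration under a previously used username gets a fresh identifier; an SP that stored state against the old one will, correctly, not hand it to the new account.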

Source: Marlena Erdos, drawing from materials from Scott Cantor and identifier properties from the eduPerson Object Class Specification.