5.1.6 Identifiers

Claim (section 3.1.1.4) specifies the use of UPN and EmailAddress identifiers for users. The relying party depends on the identifier being unique, so collisions have to be avoided. Collisions can be avoided by configuring a relying party to accept only a specific set of Domain Name System (DNS) suffix names in the UPN or EmailAddress claim of a security token issued by a given security realm's IP/STS. This prevents a malicious IP/STS from enabling its users to impersonate users from another IP/STS.<92>
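The following is an added example, not code from the specification or from any AD FS implementation: a relying-party check that accepts a UPN or EmailAddress identifier only when the issuing IP/STS is configured for that identifier's DNS suffix. The issuer URIs, suffixes and claim values are constructed sample data, and the comparison is on the whole suffix so that look-alike domains such as `evil-contoso.example` are rejected.

```python
from typing import Dict, Optional, Set

# Constructed relying-party configuration (hypothetical values): the DNS
# suffixes each trusted IP/STS is allowed to vouch for. An issuer that is
# not listed is not trusted at all.
ALLOWED_SUFFIXES: Dict[str, Set[str]] = {
    "https://sts.contoso.example/adfs/services/trust": {"contoso.example", "corp.contoso.example"},
    "https://sts.fabrikam.example/adfs/services/trust": {"fabrikam.example"},
}

# Identifier claim types named by the specification text.
IDENTIFIER_CLAIM_TYPES = ("UPN", "EmailAddress")


def identifier_suffix(identifier: str) -> Optional[str]:
    """Return the normalized DNS suffix of a UPN or e-mail identifier,
    or None if it is malformed (not exactly one '@', or an empty local
    part or domain). A trailing dot is stripped and case is folded."""
    if identifier.count("@") != 1:
        return None
    local, domain = identifier.split("@")
    if not local or not domain:
        return None
    return domain.rstrip(".").lower()


def accept_identifier(issuer: str, claim_type: str, value: str,
                      allowed: Dict[str, Set[str]] = ALLOWED_SUFFIXES) -> bool:
    """True only if the claim is an identifier claim, the issuer is
    trusted, and the identifier's suffix is one the issuer is configured
    for. Membership is exact, so a sub-domain or look-alike domain that
    is not listed for that issuer is refused."""
    if claim_type not in IDENTIFIER_CLAIM_TYPES:
        return False
    suffixes = allowed.get(issuer)
    if not suffixes:
        return False
    suffix = identifier_suffix(value)
    return suffix is not None and suffix in suffixes
```

A token from the Fabrikam IP/STS carrying `alice@contoso.example` is refused even though the suffix is valid for Contoso, which is the impersonation case the paragraph describes.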