Exam C2150-609
Question 65

IBM Security Access Manager V9.0 will be configured as Service Provider (SP) in a SAML Federation. The same user that logs in at the Identity Provider (IdP) will be logged in on the SP side after the Single Sign-On, for example UserA on IdP will be UserA on the SP side.

Which name identifier format meets this requirement?

    Correct Answer: C

    The principalName name identifier format is used when the actual username or principal name is required and should be the same on both the Identity Provider (IdP) and the Service Provider (SP). This meets the requirement of having the same user, such as UserA, be logged in on both sides after the Single Sign-On. Options like transient and persistent are generally used for anonymity or persistence requirements, while emailAddress would require the identifier to be an email, which is not necessarily the case here.

Discussion
meochan

https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.7/com.ibm.isam.doc/config/concept/fed_SAML20_nameIDmgmt.html