Making the case against email as NameId
cantor.2 at osu.edu
Mon Mar 9 19:48:09 EDT 2020
The use of a NameID element as a whole is best avoided, but assuming you're talking identifiers in general...
If you don't change them and don't reassign them, then they're probably as good or better as any other identifier if you aren't concerned about independent correlation, which is not something people in the US tend to care much about. Most of the time people just want something more stable but provisioning and auditing needs often dictate avoiding pairwise IDs.
If you do change, or far worse, reassign email addresses, I can't really see any argument better than common sense. The problems are really obvious. The Subject Identifier spec might have some supporting material but I don't recall how much it talks about email addresses per se.
More information about the users