The NameIdentifier attribute is the attribute that is passed back to the service provider (SP) in the identity assertion and that the SP uses to uniquely identify the user. It is typically referred to as the 'user name' in the service provider's system. In most cases this is either the user's email address or their short name in the enterprise user registry (such as sAMAccountName in Active Directory). It is important to identify this attribute up front, because it determines how user accounts are set up on the service provider side and how GridGuard must query the user registry for that attribute.
Once the user is authenticated, GridGuard includes this NameIdentifier in the identity assertion it sends back to the service provider. GridGuard can select any attribute associated with the user's record in the user store (the enterprise user registry, typically Active Directory), such as sAMAccountName, mail, or an extension attribute. If multiple realms are selected for the SAML SP, the NameIdentifier attribute must be common to all of the realms.
Depending on how the service provider system is set up, it may not be possible to change user names in the service provider's system once accounts have been created. It is therefore important to choose the NameIdentifier attribute carefully up front.
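Because the choice is hard to reverse, it is worth checking a candidate attribute against the actual user stores before committing to it. The following is an added example written for this page, not GridGuard code: it takes one or more realms (constructed sample records standing in for Active Directory domains), verifies that the candidate attribute is present on every record and, going one step beyond the text, that no value is shared by two records across the realms (two directory users with the same NameIdentifier would map onto a single SP account), and then builds the `<saml:NameID>` element that would carry the value in the assertion. The NameID Format URIs are the standard SAML ones; the mapping from attribute to Format, the case-insensitive comparison, and all sample data are assumptions made for the example.

```python
"""Pre-flight check for a SAML NameIdentifier attribute (example, not GridGuard code)."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

# Standard SAML NameID Format URIs; which attribute maps to which Format is an
# assumption for this example (an email attribute -> emailAddress, else unspecified).
NAMEID_FORMATS = {
    "mail": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "sAMAccountName": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}
DEFAULT_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample data: two realms (think two AD domains) selected for one SP.
# Note that 'jdoe' exists in both, and extensionAttribute1 is only populated in one.
REALMS = {
    "corp.example.com": [
        {"sAMAccountName": "jdoe", "mail": "jdoe@example.com", "extensionAttribute1": "E1001"},
        {"sAMAccountName": "asmith", "mail": "asmith@example.com", "extensionAttribute1": "E1002"},
    ],
    "subsidiary.example.net": [
        {"sAMAccountName": "jdoe", "mail": "john.doe@subsidiary.example.net"},
        {"sAMAccountName": "bwong", "mail": "bwong@subsidiary.example.net"},
    ],
}


def check_nameid_attribute(realms, attr):
    """Return a list of problems with using `attr` as the NameIdentifier.

    A problem is either a record in some realm with no value for `attr`
    (the attribute is not common to all realms) or a value that appears on
    more than one record across all realms (two users would collapse into one
    SP account). Values are compared case-insensitively, on the assumption
    that the SP matches user names that way.
    """
    problems = []
    seen = {}  # folded value -> realm that first carried it
    for realm, records in realms.items():
        for index, record in enumerate(records):
            value = record.get(attr)
            if not value:
                problems.append(f"{realm}: record {index} has no value for {attr}")
                continue
            key = value.lower()
            if key in seen:
                problems.append(f"{attr}={value!r} collides between {seen[key]} and {realm}")
            else:
                seen[key] = realm
    return problems


def build_nameid(user, attr):
    """Build the <saml:NameID> element for one user record as it would appear
    in the Subject of the assertion, returned as serialized XML."""
    value = user.get(attr)
    if not value:
        raise ValueError(f"user record has no value for {attr}")
    element = ET.Element(f"{{{SAML_NS}}}NameID")
    element.set("Format", NAMEID_FORMATS.get(attr, DEFAULT_FORMAT))
    element.text = value
    return ET.tostring(element, encoding="unicode")


if __name__ == "__main__":
    for candidate in ("mail", "sAMAccountName", "extensionAttribute1"):
        issues = check_nameid_attribute(REALMS, candidate)
        status = "OK" if not issues else "NOT SUITABLE"
        print(f"{candidate}: {status}")
        for issue in issues:
            print(f"  - {issue}")
    print(build_nameid(REALMS["corp.example.com"][0], "mail"))
```

Run against the sample realms, only `mail` passes: `sAMAccountName` is common to both realms but `jdoe` collides across them, and `extensionAttribute1` is missing from every record in the second realm. The same check is just as useful with a single realm, where it catches empty or duplicated values before the SP accounts get created.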