...
R2. It must have the ability to Assign/Assert ePPNs.
R3. It must have the ability to Assign/Assert ePTIDs or provide a SAML2 persistent NameID if ePPNs are re-assignable.
...
Service providers need a single, consistent primary identifier to which all information about a person is keyed. If this key changes, or the same key is later assigned to a different user, the original person's settings, history, and related data are lost to them. Requirements R2 and R3, taken together, guarantee that a suitable identifier will be available to the SP.
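As an added illustration of the R2/R3 selection logic on the SP side (example code, not part of the original document or any federation's software): the helper below picks a primary user key from a SAML2 assertion, preferring a persistent NameID or ePTID and accepting an ePPN only when the IdP is known never to re-assign it. The eduPerson attribute OIDs are the standard ones; scoping the key by the Issuer entityID and the sample assertion are this example's own assumptions.

```python
# Added example: choose a stable SP-side primary key per R2/R3.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EPPN_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"    # eduPersonPrincipalName
EPTID_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"  # eduPersonTargetedID


def primary_key(assertion_xml: str, eppn_reassignable: bool) -> str:
    """Return 'issuer!value' as the SP's primary key, or raise if nothing stable exists."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)  # assumption: scope key by IdP entityID
    attrs = {}
    for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = a.find("saml:AttributeValue", NS)
    # 1. R3 alternative: a SAML2 persistent NameID in the Subject.
    nid = root.find("saml:Subject/saml:NameID", NS)
    if nid is not None and nid.get("Format") == PERSISTENT and nid.text:
        return f"{issuer}!{nid.text.strip()}"
    # 2. R3: an ePTID attribute, whose value is itself a NameID element.
    if EPTID_OID in attrs:
        inner = attrs[EPTID_OID].find("saml:NameID", NS)
        if inner is not None and inner.text:
            return f"{issuer}!{inner.text.strip()}"
    # 3. R2 + R3: ePPN only if this IdP guarantees it is never re-assigned.
    if EPPN_OID in attrs and not eppn_reassignable and attrs[EPPN_OID].text:
        return f"{issuer}!{attrs[EPPN_OID].text.strip()}"
    raise ValueError("no stable identifier: refuse to key user data on a re-assignable value")


# Constructed sample: transient Subject NameID, plus ePPN and ePTID attributes.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_t9</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"><saml:AttributeValue>jdoe@example.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"><saml:AttributeValue><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">3f0a9c</saml:NameID></saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(primary_key(SAMPLE, eppn_reassignable=True))  # ePTID wins over the re-assignable ePPN
```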
R4. It must accept SP requests for authentication contexts via the standard SAML2 Authentication Request Protocol.
...