For the SAML persistent “Name ID Format”, I noticed that Keycloak generates a client-specific value for the user and then stores it as a user attribute named saml.persistent.name.id.for.. As I understand it, SAML SPs use this name id to map IdP users to local user accounts in their system.
I know that certain types of UUIDs are random and thus hard to guess. However, it seems like an invitation for a bad actor to attempt to cycle through their own user-supplied values until they find one that works for a given client.
It would seem better for this value to be read-only, or generated and stored elsewhere, since user attributes can be updated by end-users.
Can somebody explain how my thinking might be wrong about this?