
Azure ACS - Should I encrypt ClaimTypes.NameIdentifier information?


I am currently working on a project that implements Azure ACS. I got the basics working and I notice that Azure ACS sends me SAML information which includes identityProvider and NameIdentifier. Using the 2 I can establish uniqueness for all users.

Currently these 2 pieces of data are stored in a central database in plain text format. For identityProvider it's no big deal, but NameIdentifier is different, I think. Should I encrypt NameIdentifier in the database / logs for security reasons, or is that overkill? Can a hacker use NameIdentifier information to impersonate a legit user?


Solution

  • No, NameIdentifier alone isn't enough to impersonate a user; the attacker would also need to forge a digital signature using the identity provider's private key.

    NameIdentifier does sometimes constitute private personally identifiable information, meaning an attacker may be able to trace the NameIdentifier to identify the specific user. This is why some (but not all) identity providers hash NameIdentifier on a per-RP basis. But I don't think you would need to encrypt it unless you had an extremely rigid privacy policy. That is, if you're going to encrypt other private info such as name and email for privacy reasons, then you would also encrypt NameIdentifier.
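As an added illustration of the per-RP hashing the answer mentions (example code, not from the question, the answer, or Azure ACS): a relying party can store and log a keyed hash of the (identityProvider, NameIdentifier) pair instead of the raw value, which keeps a stable unique key per user without writing the raw NameIdentifier to disk or linking the user across RPs. The claim names, sample values and RP_SECRET below are constructed for this example.

```python
import base64
import hashlib
import hmac

# Constructed sample claims in the shape the question describes: the two
# values that together identify a user for this relying party (RP).
SAMPLE_CLAIMS = {"identityProvider": "Google", "nameIdentifier": "109876543210"}

# Hypothetical per-RP secret; in practice load it from a key store, not source.
RP_SECRET = b"example-rp-secret-do-not-use-in-production"


def user_key(claims):
    """The (identityProvider, NameIdentifier) pair that makes a user unique."""
    return (claims["identityProvider"], claims["nameIdentifier"])


def pseudonymize(claims, rp_secret):
    """Per-RP keyed hash (HMAC-SHA256) of the user key.

    Deterministic for one RP, so it works as a database key, but without
    the RP's secret it cannot be reversed to the raw NameIdentifier or
    matched against the same user's record at another RP.  Both fields are
    length-prefixed so that ("ab", "c") and ("a", "bc") cannot collide.
    """
    idp, nid = user_key(claims)
    parts = (idp.encode("utf-8"), nid.encode("utf-8"))
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    digest = hmac.new(rp_secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def log_line(event, claims, rp_secret):
    """Audit-log entry that carries the pseudonym instead of the raw identifier."""
    return f"{event} idp={claims['identityProvider']} user={pseudonymize(claims, rp_secret)}"


if __name__ == "__main__":
    print(log_line("login", SAMPLE_CLAIMS, RP_SECRET))
```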