diff --git a/identifier-guidance.adoc b/identifier-guidance.adoc new file mode 100644 index 0000000..73a104c --- /dev/null +++ b/identifier-guidance.adoc 
@@ -0,0 +1,38 @@ +=== Draft Identifier Guidance + +==== I. Unique, persistent, non-reassignable identifiers + +In this document, terminology on identifiers follows section 1.2 of _eduPerson 2020-01_, https://wiki.refeds.org/display/STAN/eduPerson+2020-01#eduPerson202001-IdentifierConcepts. + +*IAM's own internal id*: generated by IAM system, for internal IAM system use only. Every person known to the IAM system gets one. + Example id name: iid, example id structure: UUID. Not name based, + +*public IAM id*: generated by IAM system, can be asserted to other systems. Every person known to the IAM system gets one. + Example id name: subject-id. It is strongly recommended that adopters follow section 3.3.1 of _SAML V2.0 Subject Identifier Attributes Profile Version 1.0_, https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/cs01/saml-subject-id-attr-v1.0-cs01.html, and be structured as 'uniqueId' + '@' + 'scope' where uniqueId is 1-127 alphanumeric characters (A-Z,0-9), or "-", or "=". The first character must be alphanumeric. Matches must be _case insensitive_. UniqueId may be name-based or not at the choice of the deployer. Be aware that some applications will display the public IAM id in their UI. + +From SAML Attribute Profile, 3.3.1, "It is RECOMMENDED that the _unique ID be exclusively upper- or lower-case_ when expressed or stored to facilitate ease of comparison. Scope is separated from uniqueId by an "@" character, "It is RECOMMENDED that scopes be expressed in _lower case_, since they are...frequently, though not required to be, in the form of DNS domains" + +==== II. Other identifiers + +*pairwise-id* An identifier that offers some protection against service provider to service provider identity correlation. *pairwise-id* is defined in section 3.4 of _SAML V2.0 Subject Identifier Attributes Profile Version 1.0_. It is defined to be "a unique external key specific to a particular relying party". 
Its syntax is identical to that of the *subject-id* described above. + +*IdP login id*: Identifier entered by a person when prompted to log in with their chosen Identity provider. + Example id names: username, netId; Consider adopting the subject-id syntax rules above to prevent commonly-occurring issues with other id forms. + +*Source-assigned identifiers* Often assigned by a resource provider (local or federated). ID structure: the digital representation must carry both a registered source system identifier (e.g. HR, SIS) and a unique identifier within that system. + +==== III. Identifier Crosswalk Requirement + +The IAM system should support on-request mapping of any identifier it carries to a different identifier it knows for the same person. + +- - - +_2021-04-07 11:45 recent posts on identifiers_ + +Jon Miner: +Certainly not exhaustive, but I have a doc on identifiers here at Madison and how to choose among them: +https://kb.wisc.edu/iam/95753, *Choosing Identifiers for Your Application*. +Higher Education Knowledge Base content management, sharing and collaboration platform. + +Albert Wu: +Did I hear identifiers? *Understanding Federated User Identifiers*. +https://spaces.at.internet2.edu/display/federation/understanding-federated-user-identifiers
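Review bot: The crosswalk requirement in section III ("on-request mapping of any identifier it carries to a different identifier it knows for the same person") needs an authorization qualifier, because as written it would let a relying party that holds a *pairwise-id* request the corresponding *subject-id* or another party's *pairwise-id*, which defeats the service-provider-to-service-provider correlation protection that section II gives as the purpose of *pairwise-id*. Suggest adding to section III that the mapping is restricted to authorized IAM operators and system integrations, and that the pairwise-id to any-other-identifier direction is not exposed to relying parties. Also in this hunk: the *IAM's own internal id* entry ends in a fragment ("Not name based,") that should be completed or the trailing comma dropped; the *public IAM id* sentence "follow section 3.3.1 ... and be structured as" should read "and that it be structured as"; the quotation from SAML Attribute Profile 3.3.1 opens a double quote before "It is RECOMMENDED that the unique ID" that is never closed before the second quoted sentence begins; and the *pairwise-id* and *Source-assigned identifiers* entries lack the trailing colon used by the other entries.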