Network Identity Manager Concepts: Identity Provider

Network Identity Manager relies on plug-ins to provide the majority of its functionality. One of the requirements is that there be at least one plug-in that is registered as an identity provider. The identity provider:

NetIDMgr v2 ships with two identity providers: a Kerberos v5 identity provider and a KeyStore identity provider.

Kerberos v5 Identity Provider

The Kerberos v5 identity provider uses Kerberos principals as identities. It obtains Kerberos v5 ticket granting tickets as the network credential that represents the identity.

The default identity is the principal that corresponds to the default Kerberos v5 credentials cache. Changing the default Kerberos v5 identity in NetIDMgr has the effect of changing the default credentials cache.

Plug-in configuration panel showing Kerberos v5 identity provider


KeyStore Identity Provider

Each KeyStore identity corresponds to a single KeyStore. At the time of this writing, there is only one KeyStore per user. Therefore, on most client installations, there is only one KeyStore identity called "My KeyStore", which, by definition, is the default KeyStore identity.

When you save passwords in the KeyStore, each identity corresponding to the password will become a child of the KeyStore identity. Obtaining new credentials for the KeyStore automatically obtains credentials for these child identities.

See here for more information about the KeyStore provider.