Reputation: 8243
Is it valid to use the format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress when the NameID value is a username that is not in the email format? E.g. "foo", NOT "[email protected]"
Otherwise, in such a scenario, should we use urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified?
Upvotes: 1
Views: 1549
Reputation: 69260
From the SAML2 Core spec, section 8.3.2:
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Indicates that the content of the element is in the form of an email address, specifically "addr-spec" as defined in IETF RFC 2822 [RFC 2822] Section 3.4.1. An addr-spec has the form local-part@domain. Note that an addr-spec has no phrase (such as a common name) before it, has no comment (text surrounded in parentheses) after it, and is not surrounded by "<" and ">".
So no, you cannot use the emailAddress format unless the NameId conforms exactly to the requirements in RFC2822. In plain English it means that if you use emailAddress, then the NameId must be of the form local-part@domain.

I think that unspecified is the right option to use. Then you make no promises of the format, which means that you place no restrictions on what you will be allowed to use as NameId.
Upvotes: 1
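The practical consequence of the answer is that a relying party can check the NameID value against the Format the assertion declares: under emailAddress the value has to be a bare addr-spec, under unspecified anything non-empty is acceptable. The following is an added example (not code from the answer, the SAML spec or any SAML library) showing such a check in Python. The function names is_addr_spec and check_nameid, the sample assertions and the address foo@example.org are all constructed for this example. The addr-spec check is a deliberate simplification (an assumption noted in the code): it accepts only the dot-atom forms of local-part and domain from RFC 2822 and rejects quoted-string local parts and domain literals, which the spec technically allows.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# RFC 2822 "atext" characters; dot-atom is atext *("." atext), so no leading,
# trailing or doubled dots, and no spaces, quotes, parentheses or angle brackets.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_DOT_ATOM = re.compile(rf"^{_ATEXT}(\.{_ATEXT})*$")


def is_addr_spec(value):
    """True if value is a bare RFC 2822 addr-spec: local-part@domain.

    Assumption/simplification: only dot-atom local parts and domains are
    accepted (no quoted-string local part, no domain literal). A display name,
    a trailing (comment) or surrounding "<" ">" always fails, as section 8.3.2
    of the SAML 2.0 Core spec requires.
    """
    if value != value.strip() or value.count("@") != 1:
        return False
    local, domain = value.split("@")
    return bool(_DOT_ATOM.match(local)) and bool(_DOT_ATOM.match(domain))


def check_nameid(assertion_xml):
    """Parse a SAML 2.0 assertion and return (format, value, ok).

    ok is True when the NameID value is consistent with its declared Format.
    Only emailAddress and unspecified are checked; other formats pass through.
    """
    root = ET.fromstring(assertion_xml)
    nameid = root.find(f".//{{{SAML_NS}}}NameID")
    if nameid is None:
        raise ValueError("no NameID element in assertion")
    # Assumption: a NameID with no Format attribute is treated as unspecified.
    fmt = nameid.get("Format") or FMT_UNSPECIFIED
    value = (nameid.text or "").strip()
    if fmt == FMT_EMAIL:
        ok = is_addr_spec(value)
    elif fmt == FMT_UNSPECIFIED:
        ok = value != ""  # no promise about the form, only that a value is present
    else:
        ok = True
    return fmt, value, ok


def _assertion(fmt, value):
    # Constructed sample assertion (not taken from the page); signature omitted
    # because only the Subject/NameID consistency is being demonstrated.
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a1" Version="2.0" '
        f'IssueInstant="2020-01-01T00:00:00Z">'
        f"<saml:Issuer>https://idp.example.org</saml:Issuer>"
        f"<saml:Subject>"
        f'<saml:NameID Format="{fmt}">{value}</saml:NameID>'
        f"</saml:Subject>"
        f"</saml:Assertion>"
    )


# The mismatch asked about: username "foo" declared as emailAddress.
BAD_ASSERTION = _assertion(FMT_EMAIL, "foo")
# The same username declared as unspecified, which makes no promise about form.
OK_UNSPECIFIED_ASSERTION = _assertion(FMT_UNSPECIFIED, "foo")
# A genuine addr-spec declared as emailAddress.
OK_EMAIL_ASSERTION = _assertion(FMT_EMAIL, "foo@example.org")


if __name__ == "__main__":
    for label, xml in [("bad", BAD_ASSERTION),
                       ("unspecified", OK_UNSPECIFIED_ASSERTION),
                       ("email", OK_EMAIL_ASSERTION)]:
        fmt, value, ok = check_nameid(xml)
        print(f"{label}: Format={fmt.rsplit(':', 1)[1]} value={value!r} consistent={ok}")
```

Running the block prints one line per constructed assertion; only the emailAddress-with-"foo" case is reported as inconsistent. In a real SP this check belongs after signature and audience validation, since the NameID is only worth interpreting once the assertion itself is trusted.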