rpmansion

Reputation: 2014

SAML2 email address as NameId is discouraged

I'm starting to work on implementing SAML2 authentication with a federation. One of the requirements is that the federation send us back a persistent value for the NameId, because it serves as one of the keys I use to identify a user when they log in to a web app using SAML2 SSO.

I was about to use `<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>`; however, one of the support staff of the federation we will be consuming to connect to the organization discouraged me from using the email address NameId. I haven't had the chance to ask why. Is there a reason why an email address is not the best choice for the NameIdFormat in SAML2?

Upvotes: 0

Views: 438

Answers (1)

rbrayb

Reputation: 46745

In AD, email can be duplicated across two accounts. There is no constraint for uniqueness.

It depends on the use case. If it's corporate, it will rarely change. If it's public, there's much more churn.

UPN can be a better choice.

Upvotes: 1
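As an added illustration of the answer's point (not code from either poster), the following service-provider side check reads the `NameID` from an assertion and refuses to use it as the account key unless its `Format` is one the SP has decided is stable, so an `emailAddress` NameID can never silently become the lookup key for a local user. The sample assertions are constructed, and the set of accepted formats is an assumed local policy.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Assumed SP policy: only formats that identify one account and do not churn
# may serve as the account key. emailAddress is deliberately not listed.
ACCEPTED_KEY_FORMATS = {PERSISTENT}


def extract_name_id(assertion_xml: str):
    """Return (format, value, issuer) from the Subject/NameID of an Assertion.
    Assumes the XML signature has already been verified upstream."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext(f"{{{SAML_NS}}}Issuer", default="").strip()
    name_id = root.find(f".//{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no Subject/NameID")
    fmt = name_id.get("Format", UNSPECIFIED)  # SAML default when absent
    return fmt, name_id.text.strip(), issuer


def account_key(assertion_xml: str) -> str:
    """Derive the key used to look up the local user, refusing unstable formats."""
    fmt, value, issuer = extract_name_id(assertion_xml)
    if fmt not in ACCEPTED_KEY_FORMATS:
        raise ValueError(f"NameID format {fmt} is not accepted as an account key")
    # Scope by issuer so an opaque value from one IdP cannot collide with another's.
    return f"{issuer}:{value}"


def accepts_as_key(assertion_xml: str) -> bool:
    """True if the assertion's NameID may be used as the account key."""
    try:
        account_key(assertion_xml)
        return True
    except ValueError:
        return False


# Constructed sample assertions (no real IdP, no signature element).
GOOD = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{PERSISTENT}">a1b2c3-opaque-id</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""
BAD = GOOD.replace(PERSISTENT, EMAIL).replace("a1b2c3-opaque-id", "jane.doe@example.org")

if __name__ == "__main__":
    print(account_key(GOOD))
    print("email-format NameID accepted as key:", accepts_as_key(BAD))
```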
