Reputation: 1
First of all, I’m sorry for this novice question! With all the GDPR concerns, I’m wondering if I need to use an email for the SAML authentication or whether there is a way to develop authentication with a username or some other unique ID? The goal is not to deal with emails at all but still use SAML.
Upvotes: 0
Views: 1732
Reputation: 3351
I find email a poor choice of an identifier, because people like them to change occasionally (marriage, divorce, etc.).
SAML does not require the use of any specific thing as the subject; they leave it open. In addition, the protocol offers the concept of pseudonym name identifiers - transient and persistent. You can see those in the SAML Spec between lines 3605 to 3654.
Ultimately, SAML is a protocol that wraps structure around how to pass an identifier that you and your partner mutually agree upon. If you authenticate your users against a directory (they can still use their email as their IdP identifier), then send the partner the user's UUID. As long as they can use that identifier (so, your users have been provisioned into the SP with their UUID from your directory as an identifier), then you can send that in the assertion, and you've passed nothing against the rules and spirit of GDPR.
Upvotes: 1
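As an added illustration of the answer above (example code, not from the question or answer): the IdP puts an opaque directory UUID into the `NameID` with the persistent format, and the SP only accepts subjects it has provisioned by that UUID, refusing the emailAddress format or anything that looks like an address. The NameID format URIs are the real ones from the SAML specs; the function names, the UUID and the provisioning table are constructed for the example, and a real assertion would also be signed, time-bounded and audience-restricted before any of this is trusted.

```python
import xml.etree.ElementTree as ET

# Real namespace and NameID format URIs from the SAML 1.1 / 2.0 specifications.
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


def build_subject(name_id: str, fmt: str) -> str:
    """IdP side (hypothetical helper): a minimal <saml:Assertion> whose
    <Subject>/<NameID> carries the given identifier and format.
    Constructed for illustration; it omits signature, Conditions, etc."""
    ET.register_namespace("saml", SAML_NS)
    assertion = ET.Element(f"{{{SAML_NS}}}Assertion")
    subject = ET.SubElement(assertion, f"{{{SAML_NS}}}Subject")
    nid = ET.SubElement(subject, f"{{{SAML_NS}}}NameID", Format=fmt)
    nid.text = name_id
    return ET.tostring(assertion, encoding="unicode")


def extract_name_id(assertion_xml: str):
    """Return (format, value) of the assertion's NameID. Per SAML 2.0 Core,
    a missing Format attribute means the 'unspecified' format is in effect."""
    root = ET.fromstring(assertion_xml)
    nid = root.find(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    if nid is None:
        return None, None
    return nid.get("Format", FMT_UNSPECIFIED), (nid.text or "").strip()


def resolve_subject(assertion_xml: str, provisioned: dict, allowed=(FMT_PERSISTENT,)):
    """SP side (hypothetical helper): map the NameID to a local account.
    `provisioned` is the SP's table of directory UUIDs -> local accounts, filled
    when the partner provisioned its users (as the answer describes).
    Returns (account, reason); account is None when the subject is refused."""
    fmt, value = extract_name_id(assertion_xml)
    if fmt not in allowed:
        # emailAddress is never in `allowed`; transient IDs cannot be linked to
        # a provisioned account, so they are refused by this policy too.
        return None, f"NameID format not accepted: {fmt}"
    if not value or "@" in value:
        # Defence in depth: an address smuggled into a persistent NameID.
        return None, "NameID is empty or looks like an email address"
    account = provisioned.get(value)
    if account is None:
        return None, "NameID not provisioned at this SP"
    return account, "ok"
```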