Reputation: 35
Recommended NameIdFormat for using User Principle Name (UPN) as NameId in SAML
We have the following name id formats to choose from.
- unspecified
- emailAddress
- X509SubjectName
- WindowsDomainQualifiedName
- kerberos
- entity
- persistent
- transient
If I need the UPN value of an user to be returned by my IDP (say Azure or ADFS, etc) which nameid format should I choose? Should I configure my IDP to send the UPN value with 'unspecified' as the nameid format or should I go choose persistent? Or is there any other recommended nameid format for sending/requesting UPN?
Upvotes: 0
Views: 912
Answers (1)
Reputation: 3351
Understand that as the SP, you generally define the contract that is required to utilize your service. There's rarely a reason to not use unspecified, unless your federation tool supports some automated validation of the attribute against the format definition.
Even if your tool does support that validation, that doesn't absolve of doing your own validation of the data.
As such, I would choose unspecified. It offers the most flexibility.
Upvotes: 2
Related Questions
- nameid-format:emailAddress is used when using email as nameid format.what is the proper nameid format when using username as namid field
- How do I read the NameID element as a claim in a B2C TechnicalProfile for a SAML2 identity provider?
- What are the different NameID format used for?
- What is the NameID in SAML used for?
- How to override the NameID value in SAMLAuthenticationProvider?
- Is urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress a valid NameID format?
- In SAML, is there a difference between usernames and a principal's NameID?
- Authenticating with samAccountName in UPN format
- SAML 2.0 Multiple md:NameIDFormat tag in service provider metadata
- SAML NameId Policy