Closed
Labels
:Security/Authentication (Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc)), >non-issue, v8.0.0-alpha1
Description
We set NameIDPolicy to urn:oasis:names:tc:SAML:2.0:nameid-format:transient by default in our SAML Authentication Requests. Since NameIDPolicy is optional, we probably should not be making this explicit choice on behalf of the users and default to not setting it at all. What's more, we do tend to use nameid-persistent to map to attributes.principal in our config examples and this is a configuration that should not work by default.
The documentation around NameIDs should be enhanced so that the relationship between the requested NameID (nameid_format) and the possibly parsed value in a configuration like attributes.principal: nameid-persistent will be clarified.
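The mismatch this issue describes, as an added example that is not part of the original issue or of the Elasticsearch code base: a small check that compares the NameIDPolicy format pinned in an AuthnRequest with the NameID format a principal mapping expects. The function names and the XML samples are constructed for illustration, and the sample Subject assumes an IdP that honours the requested policy.

```python
import xml.etree.ElementTree as ET  # inputs below are constructed; use a hardened parser for untrusted XML

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample: an AuthnRequest that pins the transient format (the default
# described in the issue).
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" ID="_constructed1" Version="2.0">
  <samlp:NameIDPolicy Format="{TRANSIENT}" AllowCreate="false"/>
</samlp:AuthnRequest>"""

# Constructed sample: the same request with the optional NameIDPolicy left out.
AUTHN_REQUEST_NO_POLICY = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" ID="_constructed2" Version="2.0"/>"""

# Constructed sample: the Subject an IdP honouring the transient policy would return.
SUBJECT = f"""<saml:Subject xmlns:saml="{NS['saml']}">
  <saml:NameID Format="{TRANSIENT}">_constructed-opaque-handle</saml:NameID>
</saml:Subject>"""

def requested_format(authn_request_xml):
    """Return the Format in NameIDPolicy, or None when the element is omitted."""
    policy = ET.fromstring(authn_request_xml).find("samlp:NameIDPolicy", NS)
    return None if policy is None else policy.get("Format")

def principal_from_nameid(subject_xml, expected_format):
    """Return the NameID value only if its Format is the one the mapping expects."""
    name_id = ET.fromstring(subject_xml).find("saml:NameID", NS)
    if name_id is None or name_id.get("Format") != expected_format:
        return None
    return name_id.text

def check(authn_request_xml, subject_xml, expected_format):
    """Classify whether a principal mapped from NameID can resolve."""
    if principal_from_nameid(subject_xml, expected_format) is not None:
        return "ok"
    asked = requested_format(authn_request_xml)
    if asked is not None and asked != expected_format:
        return "mismatch"  # request pins a different format than the mapping reads
    return "missing"       # no NameID in the expected format, and no policy conflict

if __name__ == "__main__":
    # Request pins transient, mapping reads persistent: the principal cannot resolve.
    print(check(AUTHN_REQUEST, SUBJECT, PERSISTENT))
```
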