I was looking at some SAML 2.0 service provider metadata examples and came across a metadata file that had multiple NameIDFormat tags. Now, most other examples I saw had just one, so does this snippet indicate that the SP would accept a NameID in SAML 1.1 as well as SAML 2.0 formats, and can accept transient as well as persistent NameIDs in the case of SAML 2.0 responses?
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
The SAML metadata file contains information about the various SAML Authorities that can be used in SAML 2.0 protocol message exchanges. This metadata identifies Identity Provider endpoints and the certificates to secure SAML 2.0 message exchanges.
SAML metadata is configuration data required to automatically negotiate agreements between system entities, comprising identifiers, binding support and endpoints, certificates, keys, cryptographic capabilities and security and privacy policies.
Metadata configuration: SAML metadata is an XML document that contains the information necessary for interacting with SAML-enabled identity or service providers. The document contains, for example, the URLs of endpoints, information about supported bindings, identifiers and public keys.
Name ID Format: defines the name identifier formats supported by the identity provider. Name identifiers are a way for providers to communicate with each other regarding a user. Single sign-on interactions support the following types of identifiers: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
Just so that others who are looking for an answer to this question know: I was able to confirm that my understanding is correct. The SP can advertise support for multiple NameID formats that it can support using multiple tags in the SP metadata. However, it's up to the IdP to honor this and send the NameID in one of the supported formats, or to completely ignore it and send it in a format not supported by the SP. In that case, however, the SP will not be able to parse the NameID value and will fail.
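The check the self-answer describes, as an added example that is not part of the question or answer: read the NameIDFormat values an SP advertises and compare them against the Format of the NameID an IdP actually sent. The metadata wraps the five elements from the question in a constructed SPSSODescriptor; the entityID, issuer URL and assertions are placeholders, and the assertions are unsigned stubs, so signature and audience validation (which a real SP does first) are out of scope here.

```python
import xml.etree.ElementTree as ET  # for untrusted XML in production, prefer defusedxml

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# SAML 2.0 Core 2.2.2: a NameID with no Format attribute is treated as this value.
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed SP metadata (placeholder entityID); the NameIDFormat elements are the ones from the question.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def advertised_nameid_formats(metadata_xml):
    """Return every NameIDFormat URI the SP metadata advertises, in document order."""
    root = ET.fromstring(metadata_xml)
    return [el.text.strip() for el in root.iter(f"{{{MD_NS}}}NameIDFormat") if el.text]


def constructed_assertion(name_id_value, fmt=None):
    """Build a minimal, unsigned SAML 2.0 Assertion for the demo (constructed input, not real IdP output)."""
    fmt_attr = f' Format="{fmt}"' if fmt else ""
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed" Version="2.0" '
            'IssueInstant="2024-01-01T00:00:00Z">'
            '<saml:Issuer>https://idp.example.test</saml:Issuer>'
            f'<saml:Subject><saml:NameID{fmt_attr}>{name_id_value}</saml:NameID></saml:Subject>'
            '</saml:Assertion>')


def nameid_format_of(assertion_xml):
    """Return the Format of the assertion's Subject/NameID, applying the spec default when absent."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    if name_id is None:
        raise ValueError("assertion has no Subject/NameID")
    return name_id.get("Format", UNSPECIFIED)


def nameid_format_is_supported(assertion_xml, metadata_xml):
    """True only if the IdP used one of the formats the SP advertised; otherwise the SP should reject."""
    return nameid_format_of(assertion_xml) in set(advertised_nameid_formats(metadata_xml))


if __name__ == "__main__":
    persistent = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
    print(nameid_format_is_supported(constructed_assertion("user-0001", persistent), SP_METADATA))
```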