
I'm in the process of implementing SAML 2.0 based SSO capability for a web application. So far, I've managed to successfully use/test Okta and Ping (which are at the moment the main target IdPs; however, the goal is of course to be compatible with any SAML 2.0 compliant IdP) to authenticate users. The next step would be to enable account linking/binding between my application and the IdP. Since accounts on my web app are based on email addresses, I'm leaning towards a solution where email would be used for account linking/binding.

First of all, I'm interested in whether this is considered good practice (using email to link accounts), e.g. is there a possibility that there could be an IdP where it's not possible to get user's email or where it would be considered insecure (in case users can change their email addresses).

Next, I would appreciate any pointers on what would be the most preferred and most widely supported mechanism for achieving account linking. Based on what I've read so far I see these options:

  1. Instruct my users to configure their IdP to send the user's email as an attribute. For example, when configuring Okta, there's an "Attribute Statements (optional)" section where one can define an attribute with name "email" and value "user:email".
  2. Include saml2p:NameIDPolicy in my SAML requests and set its Format to "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
  3. Instruct my users to configure their IdP to send the email in the assertion's subject statement. For example, when configuring Okta, there's an option to specify "Name ID format" where EmailAddress is one of the choices, and there's "Application username" where Email is again one of the choices.

Based on initial tests so far, these are my conclusions. Option 1 works both with Okta and Ping; however, this feels a bit custom, i.e. less standard. Could there be IdPs that don't support sending attributes or providing emails in the attribute section? Option 2 feels standard, but Okta seems to ignore the NameIDPolicy element, so it basically won't work with Okta. Ping, on the other hand, honors NameIDPolicy but only supports the emailAddress and unspecified formats. Could there be IdPs that don't support the emailAddress format? Option 3 seems like the least reliable solution. In Okta, the subject's value is the same no matter what I specify as the "Name ID format" and "Application username", while Ping doesn't even provide a way to configure this. On the other hand, by default (next, next, finish style of configuring an IdP) both Okta and Ping are sending email addresses in the assertion's subject.

Finally, in case the use of an email address is discouraged for this purpose, I guess any kind of persistent identifier could be used instead of an email. However, users would then have to go through some kind of binding/linking process (for example by generating linking tokens and sending links containing these tokens to users via email).

Which of the 3 options I mentioned would be most likely to work in the real world, i.e. which is the best supported/enabled by different IdP providers? Am I perhaps completely off base and this should be handled differently? Any pointers and best practices on this subject would be appreciated.

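As an added example that is not part of the question above and not code from Okta, Ping or any SAML library, the following Python shows the service-provider side of the three options: it builds an AuthnRequest carrying the NameIDPolicy from option 2, and on the response side it takes an email from the Subject NameID only when that NameID is explicitly in the emailAddress format (options 2 and 3), falling back to a named attribute (option 1), before looking up the local account. It assumes the assertion has already been signature-checked and its audience and validity window verified before any identifier in it is trusted; the attribute names "email"/"mail", the three sample assertions, the user table and the case-folding normalization are constructed assumptions, not something any particular IdP guarantees.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces for SAML 2.0 protocol and assertion elements.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ET.register_namespace("samlp", NS["samlp"])
ET.register_namespace("saml", NS["saml"])

EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, nameid_format=EMAIL_FORMAT):
    """Option 2: an AuthnRequest whose NameIDPolicy asks the IdP for an
    emailAddress-format NameID. Returns the (unsigned) XML as a string."""
    root = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(root, f"{{{NS['saml']}}}Issuer").text = sp_entity_id
    ET.SubElement(root, f"{{{NS['samlp']}}}NameIDPolicy",
                  {"Format": nameid_format, "AllowCreate": "true"})
    return ET.tostring(root, encoding="unicode")


def extract_email(assertion_xml, attribute_names=("email", "mail")):
    """Return (email, source) from an ALREADY VALIDATED assertion, else (None, None).

    The Subject NameID is used only when its Format is emailAddress; otherwise a
    named attribute is used. An unspecified-format NameID is deliberately not
    treated as an email even if it looks like one: nothing in the assertion says
    it is one, so the IdP has made no such claim.
    """
    root = ET.fromstring(assertion_xml)
    assertion = root if root.tag == f"{{{NS['saml']}}}Assertion" else root.find("saml:Assertion", NS)
    if assertion is None:
        return None, None
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is not None and nameid.get("Format") == EMAIL_FORMAT and nameid.text:
        return nameid.text.strip(), "nameid"
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") in attribute_names:
            value = attr.find("saml:AttributeValue", NS)
            if value is not None and value.text and value.text.strip():
                return value.text.strip(), "attribute"
    return None, None


def normalize_email(email):
    """Assumed linking rule: compare the whole address case-insensitively."""
    return email.strip().casefold()


def find_linked_user(users_by_email, assertion_xml):
    """Map a validated assertion to a local account; None if no email or no match."""
    email, _source = extract_email(assertion_xml)
    if email is None:
        return None
    return users_by_email.get(normalize_email(email))


# Constructed sample assertions (signatures omitted; validation is assumed done).
_HEAD = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
         'ID="_c1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
         '<saml:Issuer>https://idp.example.com</saml:Issuer>')
ASSERTION_NAMEID_EMAIL = _HEAD + (
    f'<saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">Alice.Smith@Example.com'
    '</saml:NameID></saml:Subject></saml:Assertion>')
ASSERTION_ATTRIBUTE_EMAIL = _HEAD + (
    f'<saml:Subject><saml:NameID Format="{UNSPECIFIED_FORMAT}">alice</saml:NameID></saml:Subject>'
    '<saml:AttributeStatement><saml:Attribute Name="email">'
    '<saml:AttributeValue>alice.smith@example.com</saml:AttributeValue>'
    '</saml:Attribute></saml:AttributeStatement></saml:Assertion>')
ASSERTION_UNSPECIFIED_ONLY = _HEAD + (
    f'<saml:Subject><saml:NameID Format="{UNSPECIFIED_FORMAT}">alice.smith@example.com'
    '</saml:NameID></saml:Subject></saml:Assertion>')

# Constructed local user table keyed by normalized email.
USERS = {"alice.smith@example.com": {"id": 42, "name": "Alice"}}

if __name__ == "__main__":
    print(build_authn_request("https://sp.example.com/metadata",
                              "https://sp.example.com/acs",
                              "https://idp.example.com/sso"))
    for sample in (ASSERTION_NAMEID_EMAIL, ASSERTION_ATTRIBUTE_EMAIL, ASSERTION_UNSPECIFIED_ONLY):
        print(extract_email(sample), find_linked_user(USERS, sample))
```

The third sample is the "next, next, finish" case described in the question: the subject carries something that looks like an email but is labelled unspecified, and the lookup returns nothing. Whether to accept that case is a policy decision per IdP; keeping it strict by default means a misconfigured or differently-configured IdP fails closed instead of silently linking to whichever account the NameID happens to resemble.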