
We have the following NameID formats to choose from.

  • unspecified
  • emailAddress
  • X509SubjectName
  • WindowsDomainQualifiedName
  • kerberos
  • entity
  • persistent
  • transient

If I need the UPN value of a user to be returned by my IdP (say Azure or ADFS, etc.), which NameID format should I choose? Should I configure my IdP to send the UPN value with 'unspecified' as the NameID format, or should I choose persistent? Or is there any other recommended NameID format for sending/requesting UPN?

Jebin Matthew
  • You must not use `transient` as it would violate the SAML spec when you populate it with a non-opaque value. However most SP implementations do not perform data validation for the value of the NameId (potentially because it's not specified in the processing rules) – Bernhard Thalmayr Jan 05 '21 at 09:35

1 Answer


Understand that as the SP, you generally define the contract that is required to utilize your service. There's rarely a reason to not use unspecified, unless your federation tool supports some automated validation of the attribute against the format definition.

Even if your tool does support that validation, that doesn't absolve you of doing your own validation of the data.

As such, I would choose unspecified. It offers the most flexibility.

Andrew K.