Hi John,
Yes, we have tried all the possible NameID policies. They are honored by the IdP, but none
of them result in a predictable NameID.
Moreover, identifying users by NameID is against Kantara recommendations, and we even have
an issue in JIRA for that; please see my recent reply for the details.
Regards,
Dmitry
On Thu, 2019-04-25 at 09:26 -0400, John Dennis wrote:
> On 4/18/19 7:18 PM, Dmitry Telegin wrote:
> > Currently, it is hardcoded [1] that FederatedIdentity's userId and
> > userName should be taken verbatim from the SAML assertion's NameID value
> > (via intermediary BrokeredIdentityContext). The problem is that most
> > SAML IdPs provide meaningless NameIDs, like hashes or purely random
> > strings. In general, SAML NameID is not predictable.
> Predictable NameIDs are possible with SAML, but to get them you must
> specify the desired NameIDPolicy in the request and the IdP must be
> capable of honoring that request. Have you determined the IdPs being
> utilized are incapable of honoring a NameIDPolicy of your choice?