Learn how an unspecified name identifier is processed in a SAML 2.0 federation.
When a SAML 2.0 identity provider receives a single sign-on request, the request typically contains a name identifier policy whose Format attribute is set by the service provider. The service provider uses this attribute to indicate the name identifier format it wants to receive in the subject of the assertion issued by the identity provider. If the service provider sets the attribute to the value urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, the identity provider must decide which name identifier format to use. The DefaultNameIDFormat configuration parameter of a federation or partner is used for this purpose.
The value of the default name identifier format of the identity provider, if present, is obtained from the DefaultNameIDFormat parameter belonging to its corresponding partner configuration properties. Otherwise, it proceeds to retrieve the same parameter from the federation configuration properties. I
With this parameter, the NameID included in the assertion is treated as a string literal; no alias service lookup is performed.
The DefaultNameIDFormat parameter can be configured to use one of the following permitted values:
Each name identifier format works differently in processing single sign-on requests. For example, the persistent name identifier causes the server to use the alias service to look up or create an alias for the user of the federation and partner. The email address name identifier, however, causes the name identifier element to be populated with the user name of the currently authenticated user.
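The following added example (not code from the original page or from any product it describes) shows the processing sequence described above end to end: reading the Format attribute of the NameIDPolicy from a service provider's AuthnRequest, resolving an unspecified format through the partner-level and then federation-level DefaultNameIDFormat parameter, and populating the NameID element differently for the persistent format (alias service lookup or creation) and the email address format (user name of the authenticated user). The AuthnRequest XML, the configuration dictionaries, and the in-memory AliasService are constructed for this example; the function names are hypothetical and not a product API.

```python
import secrets
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ET.register_namespace("saml", NS["saml"])

# Standard SAML name identifier format URIs.
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample AuthnRequest: the SP asks for the unspecified format.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-request-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.test/saml</saml:Issuer>
  <samlp:NameIDPolicy
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
      AllowCreate="true"/>
</samlp:AuthnRequest>"""


def requested_format(authn_request_xml: str) -> str:
    """Return the Format the SP asked for in NameIDPolicy.

    An absent NameIDPolicy or Format attribute is treated as unspecified,
    which is what the SAML 2.0 core specification prescribes.
    """
    root = ET.fromstring(authn_request_xml)
    policy = root.find("samlp:NameIDPolicy", NS)
    if policy is None or not policy.get("Format"):
        return UNSPECIFIED
    return policy.get("Format")


def effective_format(requested: str, partner_cfg: dict, federation_cfg: dict) -> str:
    """Resolve the format actually used in the assertion subject.

    A concrete request is honoured as-is. For unspecified, the partner's
    DefaultNameIDFormat wins over the federation's; if neither is configured
    the format stays unspecified and the NameID is a plain string literal.
    """
    if requested != UNSPECIFIED:
        return requested
    return (partner_cfg.get("DefaultNameIDFormat")
            or federation_cfg.get("DefaultNameIDFormat")
            or UNSPECIFIED)


class AliasService:
    """Constructed stand-in for the alias service used by the persistent format.

    It keeps one opaque alias per (federation, partner, user) so the same user
    always receives the same persistent identifier for a given partner.
    """

    def __init__(self) -> None:
        self._aliases: dict[tuple[str, str, str], str] = {}

    def lookup_or_create(self, federation: str, partner: str, user: str) -> str:
        key = (federation, partner, user)
        if key not in self._aliases:
            # Random, non-reversible alias: reveals nothing about the user name.
            self._aliases[key] = secrets.token_hex(16)
        return self._aliases[key]


def build_name_id(fmt: str, user: str, federation: str, partner: str,
                  alias_service: AliasService) -> ET.Element:
    """Populate the <saml:NameID> element according to the resolved format."""
    name_id = ET.Element(f"{{{NS['saml']}}}NameID")
    if fmt == PERSISTENT:
        name_id.set("Format", PERSISTENT)
        name_id.text = alias_service.lookup_or_create(federation, partner, user)
    elif fmt == EMAIL:
        name_id.set("Format", EMAIL)
        name_id.text = user  # user name of the authenticated user
    else:
        # Unspecified: literal value, no alias service lookup.
        name_id.set("Format", UNSPECIFIED)
        name_id.text = user
    return name_id


def process_sso_request(authn_request_xml: str, user: str, federation: str,
                        partner: str, partner_cfg: dict, federation_cfg: dict,
                        alias_service: AliasService) -> ET.Element:
    """Full sequence: read the policy, resolve the format, build the NameID."""
    fmt = effective_format(requested_format(authn_request_xml), partner_cfg, federation_cfg)
    return build_name_id(fmt, user, federation, partner, alias_service)


if __name__ == "__main__":
    svc = AliasService()
    # Hypothetical configuration: partner overrides the federation default.
    partner_cfg = {"DefaultNameIDFormat": PERSISTENT}
    federation_cfg = {"DefaultNameIDFormat": EMAIL}
    element = process_sso_request(SAMPLE_AUTHN_REQUEST, "alice", "fed-example",
                                  "sp.example.test", partner_cfg, federation_cfg, svc)
    print(ET.tostring(element, encoding="unicode"))
```

Running the block prints a persistent NameID with an opaque hex value, because the partner-level setting takes precedence over the federation-level one; clearing the partner setting makes the same request produce an emailAddress NameID carrying the user name instead.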