Azure AD SAML2 SSO wrong NameID format

Question

I am trying to integrate a SaaS application with an autonomous (not federated with anything) Azure Active Directory for SSO purposes. The SaaS application (the Service Provider) is SAML2 compliant (SP-initiated), so this should work. However, inside the SAMLRequest, the SP specifies

<samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />

And when AAD answers, the NameID is formatted with urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.

It is weird: the documentation at MSDN, paragraph "NameIDPolicy Element in AuthnRequest" lists 'unspecified' as a possible request format...

As the SaaS application expects 'unspecified' instead of 'persistent', it fails.

Would anyone know of a method to get 'unspecified' format instead with Azure AD?

score 4 · Accepted Answer · answered Sep 09 '15 at 15:13

4

In this doc they have a warning:

Azure AD currently supports the following NameID Format URI for SAML 2.0:urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.

This is vague but I assume it means that is ALL that they support.

answered Sep 09 '15 at 15:13

HTTP500

4,827
4
22
31

1

Marking this as the answer, even if not a definitive answer. We were eventually able to change this at the SP level. – Marcanpilami Sep 13 '15 at 08:23

score 0 · Answer 2 · answered Jun 21 '18 at 09:28

0

We just did some investigations and learned that if you do some string manipulation on the NameID then AAD changes the format to 'unspecified'.

answered Jun 21 '18 at 09:28

Peter Persson

1

Azure AD SAML2 SSO wrong NameID format

2 Answers2