SAML: persistent NameID is empty when using "unspecified" format on SP side
Concerned version
Version: 2.0.11
Summary
- Configure LLNG as SAML IDP
- Configure a SP to use "unspecified" NameID format in SAML requests
- Configure LLNG to send "persistent" NameID format
Logs
Resulting assertion:
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
Possible fixes
This issue is caused by handling missing/unspecified NameID formats in the SAML request too late.
We must set the format in the request's NameIDPolicy before calling validateRequestMsg, because the persistent NameID is generated in the validate_request_msg lasso function.
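To illustrate the ordering described above, here is an added example (not LLNG's own code) of a helper that rewrites the NameIDPolicy before validation. It assumes Lasso's Perl binding as LLNG uses it: a Lasso::Login object on which process_authn_request_msg() has already run, $login->request->NameIDPolicy->Format as accessor/setter, Lasso::Samlp2NameIDPolicy->new(), and the Lasso::Constants::SAML2_NAME_IDENTIFIER_FORMAT_* constants. The function name fix_name_id_policy and the variables $login, $idp_format, $auth and $consent are hypothetical names chosen for the example.

```perl
#!/usr/bin/perl
# Added example, not LLNG code. Assumes the Lasso Perl binding (Lasso::init()
# already called, $login built from Lasso::Login->new($server) and fed the
# AuthnRequest via process_authn_request_msg()).
use strict;
use warnings;
use Lasso;

# Apply the IdP-side configured NameID format ($idp_format, an URN such as
# Lasso::Constants::SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT) when the SP did
# not ask for a specific one. Must run BEFORE validate_request_msg(), which is
# where lasso generates the persistent NameID from the policy's Format.
sub fix_name_id_policy {
    my ( $login, $idp_format ) = @_;

    my $unspecified = Lasso::Constants::SAML2_NAME_IDENTIFIER_FORMAT_UNSPECIFIED;
    my $policy      = $login->request->NameIDPolicy;

    # Case 1: the AuthnRequest carries no <samlp:NameIDPolicy> at all.
    if ( !$policy ) {
        $policy = Lasso::Samlp2NameIDPolicy->new();
        $login->request->NameIDPolicy($policy);
    }

    # Case 2: NameIDPolicy present but Format absent or "unspecified":
    # the SP leaves the choice to the IdP, so use the configured format.
    my $requested = $policy->Format;
    if ( !$requested or $requested eq $unspecified ) {
        $policy->Format($idp_format);
    }

    # Case 3: the SP asked for a concrete format; leave it untouched.
    return $policy->Format;
}

# Order that reproduces the empty <saml:NameID Format="...persistent"/>:
#   $login->validate_request_msg( $auth, $consent );   # NameID generated here
#   fix_name_id_policy( $login, $idp_format );         # too late
#
# Order that yields a populated persistent NameID:
#   fix_name_id_policy( $login, $idp_format );
#   $login->validate_request_msg( $auth, $consent );
```

The two trailing comment blocks show the 2.0.11 ordering next to the corrected one; the only difference is whether the NameIDPolicy Format is fixed before or after validate_request_msg(), which is the whole cause of the empty NameID in the assertion above.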