We set NameIDPolicy to urn:oasis:names:tc:SAML:2.0:nameid-format:transient by default in our SAML Authentication Requests. Since NameIDPolicy is optional, we probably should not be making this explicit choice on behalf of the users and should default to not setting it at all. What's more, we do tend to use nameid-persistent to map to attributes.principal in our config examples, and this is a configuration that should not work by default.
The documentation around NameIDs should be enhanced so that the relationship between the requested NameID (nameid_format) and the possibly parsed value in a configuration like attributes.principal: nameid-persistent is clarified.
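As an added example (not code from this issue or from the project it describes), the Python below builds an AuthnRequest with NameIDPolicy either omitted or set to the transient format, and resolves the principal the way a mapping such as attributes.principal: nameid-persistent implies, so the mismatch described above is caught before the IdP is even consulted. The function names and the sample assertion are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def build_authn_request(request_id, issuer, nameid_format=None):
    """Minimal AuthnRequest. NameIDPolicy is emitted only when the SP has an
    explicit nameid_format; None leaves the choice of format to the IdP."""
    ET.register_namespace("samlp", NS_SAMLP)
    ET.register_namespace("saml", NS_SAML)
    req = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest", {"ID": request_id, "Version": "2.0"})
    ET.SubElement(req, f"{{{NS_SAML}}}Issuer").text = issuer
    if nameid_format is not None:
        ET.SubElement(req, f"{{{NS_SAMLP}}}NameIDPolicy",
                      {"Format": nameid_format, "AllowCreate": "true"})
    return ET.tostring(req, encoding="unicode")


def sample_assertion(nameid_format, nameid_value):
    """Constructed (unsigned) assertion carrying one NameID and one attribute."""
    return (f'<saml:Assertion xmlns:saml="{NS_SAML}" ID="_a1" Version="2.0">'
            f'<saml:Subject><saml:NameID Format="{nameid_format}">{nameid_value}'
            '</saml:NameID></saml:Subject><saml:AttributeStatement>'
            '<saml:Attribute Name="urn:example:uid"><saml:AttributeValue>alice'
            '</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>'
            '</saml:Assertion>')


def resolve_principal(assertion_xml, principal_attr, requested_format=None):
    """Return (principal, reason). 'nameid-persistent' only accepts a NameID
    whose Format is persistent, and is rejected up front when the SP's own
    nameid_format asked the IdP for some other format."""
    root = ET.fromstring(assertion_xml)
    if principal_attr == "nameid-persistent":
        if requested_format not in (None, FMT_PERSISTENT):
            return None, f"config mismatch: nameid_format={requested_format}"
        nameid = root.find(f".//{{{NS_SAML}}}Subject/{{{NS_SAML}}}NameID")
        if nameid is None or nameid.get("Format") != FMT_PERSISTENT:
            return None, "no persistent NameID in assertion"
        return nameid.text, "ok"
    value = root.find(f".//{{{NS_SAML}}}Attribute[@Name='{principal_attr}']"
                      f"/{{{NS_SAML}}}AttributeValue")
    if value is None or not value.text:
        return None, f"attribute {principal_attr} missing"
    return value.text, "ok"
```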