Sources SAML: 405 error when Transient NameID length is more than 150. #18177

Description

@ikob

Describe the bug

While authentik's default username max length is 150 characters, some SAML IdPs issue longer NameIDs, especially when using transient NameID format. When such a NameID is mapped to the username, the subsequent flow fails due to user handling.

How to reproduce

The attached SAML response will cause this error:

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 Destination="https://sp.example.org:9443/source/saml/shibboleth-post/acs/"
                 ID="_104cda877da1bec647c641c6f71d8300"
                 InResponseTo="_c3c3e56a205e40bb986b4d9239a30a60"
                 IssueInstant="2025-11-16T14:10:59.511Z"
                 Version="2.0"
                 >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.org/idp/shibboleth</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#_104cda877da1bec647c641c6f71d8300">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <ds:DigestValue>0gMrwSiozyPB3dYyYIWApMAdaHJFqE7XHfr8zOTOM78=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>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</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>MIIEJzCCAo+gAwIBAgIULkt8KW/m8IwdQ23HBongLnbONBUwDQYJKoZIhvcNAQELBQAwGjEYMBYG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</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </saml2p:Status>
    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                     ID="_666893b8d0b9b5364e1f15766c22c1ca"
                     IssueInstant="2025-11-16T14:10:59.511Z"
                     Version="2.0"
                     >
        <saml2:Issuer>https://idp.example.org/idp/shibboleth</saml2:Issuer>
        <saml2:Subject>
            <saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                          Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                          NameQualifier="https://idp.example.org/idp/shibboleth"
                          SPNameQualifier="https://sp.example.org/source/saml/shibboleth-post/metadata"
                          >AAdzZWNyZXQxyuWpkBTI98U7F1U/a/u70oYJZCPrDwttzRa6VUgGkwBim+dHAHKMR7KYWk2bDmSlhb7rHXn6FDxxr4PzNPs9/+lIjwwa8RRvwvRakF/7lOSPxRvP6JxQ6y2OpoYsERaJ5KfvzRTfGmrqnl4FEG92KFRluj3I27OGVtd+e+MgvFB4</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData Address="172.67.74.168"
                                               InResponseTo="_c3c3e56a205e40bb986b4d9239a30a60"
                                               NotOnOrAfter="2025-11-16T14:15:59.531Z"
                                               Recipient="https://sp.example.org:9443/source/saml/shibboleth-post/acs/"
                                               />
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2025-11-16T14:10:59.511Z"
                          NotOnOrAfter="2025-11-16T14:15:59.511Z"
                          >
            <saml2:AudienceRestriction>
                <saml2:Audience>https://sp.example.org/source/saml/shibboleth-post/metadata</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2025-11-16T14:10:59.358Z"
                              SessionIndex="_13f4b816e2e4204c38ea31f2d93df473"
                              >
            <saml2:SubjectLocality Address="172.67.74.168" />
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
        <saml2:AttributeStatement>
            <saml2:Attribute FriendlyName="uid"
                             Name="urn:oid:0.9.2342.19200300.100.1.1"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             >
                <saml2:AttributeValue>test001</saml2:AttributeValue>
                <saml2:AttributeValue>test001</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute FriendlyName="mail"
                             Name="urn:oid:0.9.2342.19200300.100.1.3"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             >
                <saml2:AttributeValue>test001@example.org</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute FriendlyName="eduPersonPrincipalName"
                             Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             >
                <saml2:AttributeValue>test001@example.org</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute FriendlyName="schacHomeOrganization"
                             Name="urn:oid:1.3.6.1.4.1.25178.1.2.9"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             >
                <saml2:AttributeValue>example.org</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>

Expected behavior

authentik should correctly handle SAML NameIDs longer than 150 characters.
The system should not fail when an IdP issues a long transient NameID.
Some safe truncation mechanism should be applied before handling it as a username.

Screenshots

No response

Additional context

No response

Deployment Method

Docker

Version

2025.10.0

Relevant log output

postgresql-1  | 2025-11-17 01:22:13.747 UTC [136] ERROR:  value too long for type character varying(150)
postgresql-1  | 2025-11-17 01:22:13.747 UTC [136] STATEMENT:  INSERT INTO "authentik_core_user" ("password", "last_login", "username", "first_name", "last_name", "email", "is_active", "date_joined", "attributes", "uuid", "name", "path", "type", "password_change_date", "last_updated") VALUES ('', NULL, 'AAdzZWNyZXQxpJJb/ptHJVtjYwOS7OoqFXq2l8QDSlIUIbYCbjARhio5ReEhYH0hWGpdGq5w7g7U1RUwFeSVMVUQsWeG/qj5UaqkygQweJlvZ92xMvCy4cn3kbItJZObkDi7SHhyYpn6swpqTRZO64S7p7hvoTDk3W0aJRrzJ3vKgQ8QpyUzsdM=', '', '', '', true, '2025-11-17 01:22:13.746917+00:00'::timestamptz, '{"goauthentik.io/user/generated": true, "goauthentik.io/user/sources": ["shibboleth-POST"], "goauthentik.io/user/delete-on-logout": true, "goauthentik.io/user/expires": 1763428933.0}'::jsonb, 'ecc923f260404293b4a10e22a885bd04'::uuid, '', 'goauthentik.io/sources/shibboleth-post', 'internal', '2025-11-17 01:22:13.747345+00:00'::timestamptz, '2025-11-17 01:22:13.747348+00:00'::timestamptz) RETURNING "authentik_core_user"."id"
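The report asks for a safe truncation step between the NameID and the 150-character username column. The following is an added example, not authentik's code: it pulls the Subject NameID out of a (constructed, trimmed) copy of the response above and maps it to a username that always fits the column, keeping short values verbatim and replacing the tail of long ones with a SHA-256 suffix so distinct NameIDs stay distinct. The prefix-plus-digest scheme and the `username_from_name_id` name are my choices, not the project's.

```python
"""Bound a SAML NameID to a username column of limited length (added example)."""
import hashlib
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input

USERNAME_MAX_LEN = 150  # authentik's username column: character varying(150)
NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed, trimmed copy of the issue's response: signature, conditions and
# attributes omitted; the NameID value is the one from the report. A real SP
# must verify the signature before trusting anything in here.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r" Version="2.0">
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a" Version="2.0">
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
AAdzZWNyZXQxyuWpkBTI98U7F1U/a/u70oYJZCPrDwttzRa6VUgGkwBim+dHAHKMR7KYWk2bDmSlhb7rHXn6FDxxr4PzNPs9/+lIjwwa8RRvwvRakF/7lOSPxRvP6JxQ6y2OpoYsERaJ5KfvzRTfGmrqnl4FEG92KFRluj3I27OGVtd+e+MgvFB4
      </saml2:NameID>
    </saml2:Subject>
  </saml2:Assertion>
</saml2p:Response>"""


def extract_name_id(response_xml: str) -> tuple:
    """Return (value, format) of the assertion's Subject NameID."""
    root = ET.fromstring(response_xml)
    name_id = root.find("./saml2:Assertion/saml2:Subject/saml2:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("SAML response carries no Subject NameID")
    fmt = name_id.get("Format", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
    return name_id.text.strip(), fmt


def username_from_name_id(value: str, max_len: int = USERNAME_MAX_LEN) -> str:
    """Map a NameID to a username that fits the column.

    Values within the limit pass through unchanged. Longer values keep a
    prefix and get a SHA-256 digest of the full value appended, so two long
    NameIDs sharing a prefix do not collapse onto the same user row.
    """
    if len(value) <= max_len:
        return value
    digest = hashlib.sha256(value.encode("utf-8")).hexdigest()[:32]
    prefix = value[: max_len - len(digest) - 1]
    return f"{prefix}-{digest}"
```

For a transient NameID the mapping is only needed to satisfy the column; the value changes per session anyway, so a stable attribute such as `eduPersonPrincipalName` is the better username source where the IdP releases it.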

Status

Done