
Custom IdP SSO sends Unspecified for nameID, need it to send something else


Article ID: 175506




CASB Security Standard, CASB Security Premium, CASB Security Advanced


When setting up a custom IdP for SSO, 'unspecified' is sent as the nameID format, but the IdP expects emailAddress (or some other nameID format).

More specifically, this <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/> needs to be <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/> in the SAML


By design, we send 'unspecified' as the default nameID policy format; it indicates that CloudSOC will accept any format specified by the IdP. Changing the nameID format to emailAddress would cause a regression for other configured IdPs, because it would restrict them to defining their nameID as emailAddress. Please check the documentation for your IdP on how to take advantage of this.
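
To confirm which NameIDPolicy format a request actually carries while troubleshooting the IdP side, the following added example (not CloudSOC or IdP vendor code) decodes a SAMLRequest value and reports the requested format. It assumes the value has already been URL-decoded; the sample request, the size cap and all function names are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
MAX_XML_BYTES = 64 * 1024  # assumed cap; guards against decompression bombs

# Constructed sample AuthnRequest (not captured from CloudSOC).
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="%s" ID="_constructed" Version="2.0">'
    '<samlp:NameIDPolicy Format="%s"/></samlp:AuthnRequest>' % (SAMLP, UNSPECIFIED)
)
_c = zlib.compressobj(9, zlib.DEFLATED, -15)
SAMPLE_REDIRECT = base64.b64encode(_c.compress(SAMPLE_XML.encode()) + _c.flush()).decode()
SAMPLE_POST = base64.b64encode(SAMPLE_XML.encode()).decode()


def decode_saml_request(b64_value):
    """Base64-decode a SAMLRequest; inflate it if HTTP-Redirect was used."""
    raw = base64.b64decode(b64_value)
    if not raw.lstrip().startswith(b"<"):  # HTTP-POST is plain XML already
        d = zlib.decompressobj(-15)  # raw DEFLATE, no zlib header
        raw = d.decompress(raw, MAX_XML_BYTES)
        if d.unconsumed_tail:
            raise ValueError("SAMLRequest inflates beyond MAX_XML_BYTES")
    return raw.decode("utf-8")


def requested_nameid_format(xml_text):
    """Return the NameIDPolicy Format the SP asked for, or None if absent."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD found in SAML message; refusing to parse")
    policy = ET.fromstring(xml_text).find("{%s}NameIDPolicy" % SAMLP)
    return None if policy is None else policy.get("Format")


def idp_may_choose_format(fmt):
    """Absent or 'unspecified' leaves the NameID format to the IdP."""
    return fmt is None or fmt == UNSPECIFIED


if __name__ == "__main__":
    fmt = requested_nameid_format(decode_saml_request(SAMPLE_REDIRECT))
    print(fmt, "-> IdP chooses format:", idp_may_choose_format(fmt))
```

When the reported format is 'unspecified', the nameID format is whatever the IdP is configured to release, so the change belongs in the IdP's own nameID settings.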