Custom IdP SSO sends Unspecified for nameID, need it to send something else
search cancel

Custom IdP SSO sends Unspecified for nameID, need it to send something else

book

Article ID: 175506

calendar_today

Updated On:

Products

CASB Security Standard CASB Security Premium CASB Security Advanced CASB Advanced Threat Protection CASB Audit CASB Gateway CASB Gateway Advanced CASB Security Advanced IAAS CASB Security Premium IAAS CASB Securlet IAAS CASB Securlet SAAS

Issue/Introduction

When setting up custom IdP for SSO, 'unspecified' is being sent but IdP is expecting emailAddress (or some other format for nameID)

More specifically, this <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified”/> needs to be <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress”/> in the SAML 

Resolution

For nameID policy format we send 'unspecified' as default by design, it shows that CloudSOC will accept any format that is specified by the IdP. Making the change for emailAddress format nameID will have regression for other configured IdPs... It will restrict other IdPs to define their nameID as emailAddress. Please check the documentation for your IdP on how to take advantage of this.

 

Powered by Wolken Software