Custom IdP SSO sends 'unspecified' for nameID, need it to send something else

search cancel

Custom IdP SSO sends 'unspecified' for nameID, need it to send something else

book

Article ID: 175506

calendar_today

Updated On: 11-27-2024

Products

CASB Security Standard CASB Security Premium CASB Security Advanced CASB Advanced Threat Protection CASB Audit CASB Gateway CASB Gateway Advanced CASB Security Advanced IAAS CASB Security Premium IAAS CASB Securlet IAAS CASB Securlet SAAS

Issue/Introduction

When setting up custom IdP for SSO, 'unspecified' is being sent but IdP is expecting emailAddress (or some other format for nameID)

More specifically, this <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified”/> needs to be <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress”/> in the SAML

Resolution

For nameID policy format we send 'unspecified' as default by design, it shows that CloudSOC will accept any format that is specified by the IdP.

Making the change for emailAddress format nameID will have regression for other configured IdPs.

It will restrict other IdPs to define their nameID as emailAddress. Please check the documentation for your IdP on how to take advantage of this.

Feedback

Was this article helpful?

thumb_up Yes

thumb_down No