Hi,
I was not able to find the number of characters generated by Azure AD when using the transient nameID.
Any clues?
Thank you.
Hi team,
Need some advice here. How do I configure the name identifier format in Azure AD for SAML?
I'm looking specifically at the Transient NameID. As per the Reference1 doc it says it's supported, but how do I configure it?
As per Reference2: https://learn.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol#nameidpolicy
It still shows urn:oasis:names:tc:SAML:2.0:nameid-format:transient: Azure Active Directory issues the NameID claim as a randomly generated value that is unique to the current SSO operation. This means that the value is temporary and cannot be used to identify the authenticating user.
How to generate this specific NameID ?
I have not tested, but my understanding, based on theory and logic, is that it should not fail and Azure AD should issue a random value.
As mentioned, there is no configuration possible on the AAD side. All you need to do is let your SP request the nameid format as transient in the SAML request.
What Azure AD is doing is expected.
As per the OASIS transient name identifier section - the relying party should generate a temporary value:
8.3.8 Transient Identifier
URI: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
Indicates that the content of the element is an identifier with transient semantics and SHOULD be treated
as an opaque and temporary value by the relying party. Transient identifier values MUST be generated in
accordance with the rules for SAML identifiers (see Section 1.3.4), and MUST NOT exceed a length of
256 characters.
There may be use cases for using a transient name id, especially where you do not want the identity of your user to be exposed to the application. For example, you federate with a library; all you want is a token signed by your IdP that does not mention who from your side is trying to access it. In such a case the value of NameID should be different each time. So what is your case? Why is your SAML request asking for the transient nameid format?
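As an added illustration (not code from any of the posts above, nor from Microsoft), here is the SP side of what the answer describes: an AuthnRequest whose NameIDPolicy asks for the transient format, plus the checks an SP should run on the NameID it gets back (Format attribute, non-empty, within the 256-character limit quoted from SAML Core 8.3.8). The entity IDs and URLs are hypothetical, the sample Response is constructed for the example, and the identifier generator follows the SAML Core 1.3.4 guidance the spec text references (128 bits of randomness, xs:ID-safe leading underscore); Azure AD's actual value length is not documented on this page, so the code only enforces the spec maximum.

```python
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import List, Optional, Tuple

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
MAX_TRANSIENT_LEN = 256  # SAML Core 8.3.8: transient values MUST NOT exceed 256 chars

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def new_saml_id() -> str:
    """Random identifier per SAML Core 1.3.4: 128 bits of entropy, and a
    leading underscore so it is always a valid xs:ID (never starts with a digit)."""
    return "_" + secrets.token_hex(16)


def build_authn_request(sp_entity_id: str, acs_url: str, destination: str) -> str:
    """SP side: an AuthnRequest whose NameIDPolicy asks the IdP for a transient NameID.
    This is the only 'configuration' needed; the IdP picks the random value."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": new_saml_id(),
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy",
                  {"Format": TRANSIENT, "AllowCreate": "true"})
    return ET.tostring(req, encoding="unicode")


def requested_name_id_format(authn_request_xml: str) -> Optional[str]:
    """Read back the Format the request asks for (handy for testing/logging)."""
    policy = ET.fromstring(authn_request_xml).find("samlp:NameIDPolicy", NS)
    return None if policy is None else policy.get("Format")


def extract_name_id(response_xml: str) -> Tuple[Optional[str], str]:
    """Pull (Format, value) out of the first Assertion's Subject."""
    root = ET.fromstring(response_xml)
    name_id = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None:
        raise ValueError("Response carries no NameID")
    return name_id.get("Format"), (name_id.text or "").strip()


def check_transient_name_id(fmt: Optional[str], value: str) -> List[str]:
    """SP-side checks before accepting a transient NameID. Empty list means OK.
    The value is opaque: bind it to this login session only, never store it
    as a user key, because the next SSO will carry a different one."""
    problems = []
    if fmt != TRANSIENT:
        problems.append(f"expected transient format, got {fmt!r}")
    if not value:
        problems.append("NameID is empty")
    if len(value) > MAX_TRANSIENT_LEN:
        problems.append(f"NameID is {len(value)} chars, over the 256-char limit")
    return problems


# Constructed sample Response (not a real Azure AD token); signature omitted
# because only the NameID handling is demonstrated here.
SAMPLE_TRANSIENT_VALUE = "_" + "ab" * 16
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{TRANSIENT}">{SAMPLE_TRANSIENT_VALUE}</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    req = build_authn_request("https://sp.example.test/metadata",
                              "https://sp.example.test/acs",
                              "https://login.example.test/saml2")
    print("requested format:", requested_name_id_format(req))
    fmt, value = extract_name_id(SAMPLE_RESPONSE)
    print("received:", fmt, value, "problems:", check_transient_name_id(fmt, value))
```

The point the answer makes is visible in `check_transient_name_id`: the SP validates format and length but never interprets the value, so a NameID that changes on every login is correct behaviour, not an error.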