Customize Name Identifier format

Rahul-7230 asked:

Hi team,

I need some advice here. How do I configure the name identifier format in Azure AD for SAML?

I'm looking specifically at the transient NameID. As per the Reference1 doc it says it's supported, but how do I configure it?

Reference1: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization#nameid-format


As per Reference2: https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol#nameidpolicy

It still shows: urn:oasis:names:tc:SAML:2.0:nameid-format:transient: Azure Active Directory issues the NameID claim as a randomly generated value that is unique to the current SSO operation. This means that the value is temporary and cannot be used to identify the authenticating user.

How do I generate this specific NameID?


Has anyone previously done or set up a transient NameID in Azure AD SAML?

JaiVerma-7010 answered:

What Azure AD is doing is expected.

As per the OASIS transient name identifier, the relying party should generate a temporary value:

8.3.8 Transient Identifier
URI: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
Indicates that the content of the element is an identifier with transient semantics and SHOULD be treated
as an opaque and temporary value by the relying party. Transient identifier values MUST be generated in
accordance with the rules for SAML identifiers (see Section 1.3.4), and MUST NOT exceed a length of
256 characters.

There may be use cases for using a transient NameID, especially where you do not want the identity of your user to be exposed to the application. For example, you federate with a library; all you want is a token signed by your IdP that does not mention who from your side is trying to access it. In such a case the value of the NameID should be different. So what is your case? Why is your SAML request asking for the transient NameID format?




@JaiVerma-7010 : The application requires a name identifier of TRANSIENT type.

I want to know how to configure or set up the NameID as TRANSIENT, as the MS docs say it's supported by Azure AD.

How do we configure it in Azure AD if it's supported?

You must have read the doc on how to customise the NameID in SAML SSO from the drop-down in Azure AD. In the drop-down it's not showing a TRANSIENT option. How do we configure it? What should the NameID be if the application needs the Name Identifier as TRANSIENT?

Any guidance on it?


If the relying party is sending the temporary value, then what should the setting be on the Azure AD end?

What should the configuration be on the Azure AD side?


And what is the number of characters when using a transient NameID? Not yet clear.

JaiVerma-7010 answered:

As mentioned, there is no configuration possible on the AAD side. All you need to do is let your SP request the NameID format as transient in the SAML request.

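To make both halves of this concrete, here is an added example that is not code from the thread, from Azure AD or from any SP product: an SP-side AuthnRequest that asks for the transient format through NameIDPolicy, and the checks an SP should apply to the transient NameID it receives (opaque, non-empty, at most 256 characters, per OASIS 8.3.8 quoted above). All URLs and the sample assertion are constructed, and signature validation of the assertion is assumed to happen elsewhere.

```python
# Added example, not from the thread or Azure AD: the SP asks for a transient NameID
# via NameIDPolicy, then validates the opaque value it gets back (OASIS 8.3.8 rules).
import secrets
import xml.etree.ElementTree as ET
NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
ET.register_namespace("samlp", NS_SAMLP)
ET.register_namespace("saml", NS_SAML)

def new_saml_id() -> str:
    """xs:ID per SAML core 1.3.4: no leading digit, 128 bits of randomness ("_" + 32 hex)."""
    return "_" + secrets.token_hex(16)

def build_authn_request(issuer: str, acs_url: str, destination: str, instant: str) -> str:
    """SP-side AuthnRequest; NameIDPolicy/@Format is where the transient format is requested."""
    req = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest", {
        "ID": new_saml_id(), "Version": "2.0", "IssueInstant": instant,
        "Destination": destination, "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
    ET.SubElement(req, f"{{{NS_SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{NS_SAMLP}}}NameIDPolicy", {"Format": TRANSIENT, "AllowCreate": "true"})
    return ET.tostring(req, encoding="unicode")

def requested_nameid_format(authn_request_xml: str):
    """What the IdP reads out of the request; None when the SP sent no NameIDPolicy."""
    policy = ET.fromstring(authn_request_xml).find(f"{{{NS_SAMLP}}}NameIDPolicy")
    return policy.get("Format") if policy is not None else None

def check_transient_nameid(assertion_xml: str):
    """Problems with the NameID of an already signature-verified assertion. The value is
    opaque and per-session: use it for this login only, never as a durable key for the user."""
    problems = []
    name_id = ET.fromstring(assertion_xml).find(f"{{{NS_SAML}}}Subject/{{{NS_SAML}}}NameID")
    if name_id is None:
        return ["assertion has no Subject/NameID"]
    if name_id.get("Format") != TRANSIENT:
        problems.append(f"unexpected NameID Format {name_id.get('Format')!r}")
    value = (name_id.text or "").strip()
    if not value:
        problems.append("NameID value is empty")
    elif len(value) > 256:  # OASIS 8.3.8: transient values MUST NOT exceed 256 characters
        problems.append(f"transient NameID is {len(value)} characters, limit is 256")
    return problems

SAMPLE_ASSERTION = (  # constructed sample (not captured from Azure AD) with a transient value
    f'<saml:Assertion xmlns:saml="{NS_SAML}" ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
    "<saml:Issuer>https://idp.example.test</saml:Issuer>"
    f'<saml:Subject><saml:NameID Format="{TRANSIENT}">{new_saml_id()}</saml:NameID></saml:Subject>'
    "</saml:Assertion>")
```

The checks in `check_transient_nameid` are the SP's concern regardless of which IdP issued the value; on the Azure AD side there is nothing to switch on, which matches the answer above.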

@JaiVerma-7010 : OK, what needs to be configured in the Azure AD SAML SSO configuration for the Name ID value?

I can't delete or remove the claim; it's a required field (Name ID). If this mismatches it might cause an error.

[attachment: 8598-saml-configuration-2.png]

[attachment: 8529-saml-configuration.png]

What do I configure here in Azure AD? This is a mandatory field while configuring SAML SSO.


If the SP is requesting a TRANSIENT NameID, and Azure AD uses the Email NameID or the default NameID value (it doesn't allow an empty or null field to be configured on the Azure AD side), what happens then?

Will it be ignored, or the other way round, will the mismatch in NameID cause an error?

@JaiVerma-7010 : Can you comment here?



You need to ask your SP, or ask them for a sample request they are going to send. NameID is optional in the Authn request and it works absolutely fine if the SP does not send anything in the request; it still should not fail.

JaiVerma-7010 answered:

I have not tested it, but my understanding, based on theory and logic, is that it should not fail and Azure AD should issue a random value.


AlexPereira-5811 answered:

Hi,
I was not able to find the number of characters generated by Azure AD when using the transient nameID.

Any clues?

Thank you.
