Azure AD SAML2 SSO wrong NameID format

Tags: azure-active-directory, saas, single-sign-on

I am trying to integrate a SaaS application with an autonomous (not federated with anything) Azure Active Directory for SSO purposes. The SaaS application (the Service Provider) is SAML2 compliant (SP-initiated), so this should work. However, inside the SAMLRequest, the SP specifies

<samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />

And when AAD answers, the NameID is formatted with urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.

It is weird: the documentation at MSDN, paragraph "NameIDPolicy Element in AuthnRequest" lists 'unspecified' as a possible request format…

As the SaaS application expects 'unspecified' instead of 'persistent', it fails.

Would anyone know of a method to get 'unspecified' format instead with Azure AD?

Best Answer

In this doc they have a warning:

Azure AD currently supports the following NameID Format URI for SAML 2.0: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.

This is vague but I assume it means that is ALL that they support.
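As an added illustration (not code from the question, the answer, Azure AD or the SP), a Python check an SP could run on the returned assertion: it records the NameID Format the IdP actually sent and decides whether it satisfies the requested NameIDPolicy. Per SAML 2.0 Core section 3.4.1.1, requesting the 1.1 "unspecified" format (or omitting Format) leaves the IdP free to return any identifier, so a persistent NameID is a valid answer to the request in the question; the sample response and identifier value are constructed, and the namespace constants are the standard SAML 2.0 ones.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed, minimal response in the shape the question describes (signature omitted;
# a real SP verifies the signature before reading anything out of the assertion).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">abc123</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def returned_nameid(response_xml):
    """Return (format, value) of the first assertion's NameID; a missing Format means 'unspecified'."""
    # For untrusted input use defusedxml.ElementTree instead of the stdlib parser.
    root = ET.fromstring(response_xml)
    nameid = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if nameid is None:
        raise ValueError("no NameID in response")
    return nameid.get("Format", UNSPECIFIED), (nameid.text or "").strip()


def nameid_acceptable(requested_format, returned_format):
    """Requesting 'unspecified' (or no Format) lets the IdP choose; any other request must match exactly."""
    if requested_format in (None, UNSPECIFIED):
        return True
    return requested_format == returned_format


def check_response(requested_format, response_xml):
    """Summarise what came back and whether it satisfies the SP's NameIDPolicy."""
    fmt, value = returned_nameid(response_xml)
    return {"format": fmt, "value": value, "accepted": nameid_acceptable(requested_format, fmt)}


if __name__ == "__main__":
    print(check_response(UNSPECIFIED, SAMPLE_RESPONSE))
```

An SP that instead requires the returned Format to equal the requested "unspecified" URI literally is stricter than the specification, which is the mismatch the question runs into.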