Customize Name Identifier format

Rahul 236 Reputation points
2020-05-22T15:38:02.453+00:00

Hi team,

Need some advice here. How do I configure the name identifier format in Azure AD for SAML?

I'm looking specifically at Transient NameID. As per the Reference1 doc it says it's supported, but how do I configure it?

Reference1: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization#nameid-format

As per Reference2: https://learn.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol#nameidpolicy

It still shows urn:oasis:names:tc:SAML:2.0:nameid-format:transient: Azure Active Directory issues the NameID claim as a randomly generated value that is unique to the current SSO operation. This means that the value is temporary and cannot be used to identify the authenticating user.

How to generate this specific NameID ?

Microsoft Entra ID

4 answers

  1. Jai Verma 461 Reputation points
    2020-05-22T17:58:05.363+00:00

    What Azure AD is doing is expected.

    As per the OASIS transient name identifier, the relying party should generate a temporary value:

    8.3.8 Transient Identifier
    URI: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
    Indicates that the content of the element is an identifier with transient semantics and SHOULD be treated
    as an opaque and temporary value by the relying party. Transient identifier values MUST be generated in
    accordance with the rules for SAML identifiers (see Section 1.3.4), and MUST NOT exceed a length of
    256 characters.

    There may be use cases for using a transient name ID, especially where you do not want the identity of your user to be exposed to the application. For example, you federate with a library; all you want is a token signed by your IdP that does not mention who from your organization is trying to access it. In such a case the value of NameID should be different each time. So what is your case? Why is your SAML request asking for the transient NameID format?


  2. Jai Verma 461 Reputation points
    2020-05-23T01:36:01.177+00:00

    As mentioned, there is no configuration possible on the AAD side. All you need to do is let your SP request the NameID format as transient in the SAML request.


  3. Jai Verma 461 Reputation points
    2020-05-23T10:34:10.123+00:00

    I have not tested it, but my understanding, based on theory and logic, is that it should not fail and Azure AD should issue a random value.


  4. Alex Pereira 1 Reputation point
    2020-06-05T19:52:09.15+00:00

    Hi,
    I was not able to find the number of characters generated by Azure AD when using the transient NameID.

    Any clues?

    Thank you.
