Name ID format value by default showing as Persistent

2023-11-15T16:29:44.0666667+00:00

Hi,
When I'm creating a SAML application using the Graph API, by default the Name ID format value shows as persistent in SAML Tracer, but it shows as email address in the Azure portal.
Because of this Name ID format value of Persistent, I'm getting an error from the SAML IdP while authenticating.

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Graph

1 answer

  1. Sedat SALMAN (MVP)
    2023-11-16T07:50:56.8733333+00:00

    When creating a SAML Application using the Azure Graph API, the Name ID format may default to "persistent" if not explicitly specified. Azure Active Directory (Azure AD) honors the Name ID format that is requested in the NameIDPolicy element of the SAML request. If this element is not included in the request, Azure AD will use the format specified in the application configuration on Azure AD. If no format is specified, it defaults to the format associated with the claim source selected.

    To resolve your issue, ensure that your application's SAML request either specifies the desired Name ID format (such as "emailAddress") or does not include the NameIDPolicy element, allowing Azure AD to use the format configured in the application settings.

    In your specific case, since the application is sending the SAML request with the Name ID element as persistent, it overrides what is configured in the Azure AD service principal setting. If you want Azure AD to honor the Name ID format you've configured, modify your application to either specify the "emailAddress" format in the NameIDPolicy or not to send this element as part of the SAML request.

    For more details, you can refer to the following Microsoft documentation:

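To make the precedence in the answer concrete, here is an added example (not code from the question, the answer, or Microsoft) that builds a minimal SAML 2.0 AuthnRequest with or without a NameIDPolicy element, encodes and decodes it the way the HTTP-Redirect binding does (raw DEFLATE plus base64, which is what SAML Tracer shows as the SAMLRequest parameter), and resolves the effective Name ID format using the rule the answer describes: the request's NameIDPolicy wins, then the application's configured format, then the claim-source default. The issuer, ACS URL, request ID and the "app configured format" argument are constructed assumptions for illustration; the format URIs are the standard SAML ones.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Standard SAML NameID format URIs (note emailAddress/unspecified are 1.1 URIs, persistent is 2.0).
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(issuer, acs_url, request_id, nameid_format=None):
    """Build a minimal AuthnRequest.

    NameIDPolicy is emitted only when nameid_format is given, so the caller can
    choose between "ask for a specific format" and "let the IdP decide".
    """
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": "2023-11-15T16:29:44Z",  # constructed timestamp
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    if nameid_format is not None:
        ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy",
                      {"Format": nameid_format, "AllowCreate": "true"})
    return ET.tostring(req, encoding="unicode")


def encode_redirect(xml_text):
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header) then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_redirect(saml_request_param):
    """Reverse of encode_redirect; use this on a SAMLRequest= value copied from a trace."""
    raw = base64.b64decode(saml_request_param)
    return zlib.decompress(raw, -15).decode("utf-8")


def requested_nameid_format(xml_text):
    """Return the Format attribute of NameIDPolicy, or None when the element is absent."""
    root = ET.fromstring(xml_text)
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    if policy is None:
        return None
    return policy.get("Format")


def effective_nameid_format(request_xml, app_configured_format=None,
                            claim_source_default=FMT_UNSPECIFIED):
    """Resolve the format the IdP will use, following the precedence in the answer:
    request NameIDPolicy > application configuration > claim-source default.
    The app_configured_format argument stands in for the portal/Graph setting (assumption).
    """
    requested = requested_nameid_format(request_xml)
    if requested is not None:
        return requested  # the SP's request overrides what the app is configured for
    if app_configured_format is not None:
        return app_configured_format
    return claim_source_default


if __name__ == "__main__":
    sp = ("https://sp.example.test/metadata", "https://sp.example.test/acs", "_req1")
    bad = build_authn_request(*sp, nameid_format=FMT_PERSISTENT)
    good = build_authn_request(*sp, nameid_format=None)
    # Even with the app configured for emailAddress, the first request yields persistent.
    print("persistent request ->", effective_nameid_format(bad, FMT_EMAIL))
    print("no NameIDPolicy    ->", effective_nameid_format(good, FMT_EMAIL))
    print("decoded from trace ->", requested_nameid_format(decode_redirect(encode_redirect(bad))))
```

When diagnosing the situation in the question, paste the SAMLRequest value from SAML Tracer into decode_redirect and inspect the NameIDPolicy with requested_nameid_format: if it reports the persistent URI, the service provider is requesting that format itself, and changing the format in the portal will not take effect until the SP either asks for emailAddress or omits NameIDPolicy.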
