Hi @Pa_D ,
We do not recommend use of Transient NameID.
As per the doc: https://learn.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol#nameidpolicy
- urn:oasis:names:tc:SAML:2.0:nameid-format:transient: Azure Active Directory issues the NameID claim as a randomly generated value that is unique to the current SSO operation. This means that the value is temporary and cannot be used to identify the authenticating user.
Hence my suggestion: omit that claim for NameID being sent as Transient; in its place you can send the NameID as either Unspecified or as email address.
- urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress: Azure Active Directory issues the NameID claim in e-mail address format.
- urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified: This value permits Azure Active Directory to select the claim format. Azure Active Directory issues the NameID as a pairwise identifier.
The only supported types for the NameID format are listed here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization#nameid-format
I hope this helps! Please let me know if you have any further questions.
Best,
James
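The service-provider-side handling the answer above implies, as an added example that is not part of the original post or of any Microsoft code: it builds the NameIDPolicy element an SP would place in its AuthnRequest to ask Azure AD for a particular format, extracts the NameID format and value from an assertion, and flags an assertion whose NameID is transient as unusable as a stored user key. The sample assertions, the tenant issuer URL and the user values are constructed for illustration; the namespace and format URIs are the standard SAML ones quoted in the thread.

```python
"""Check which NameID format an IdP (e.g. Azure AD) put in a SAML assertion.

Added example, not from the original post. The assertions below are
constructed by hand; a real SP would parse the signed assertion it
received from the IdP after verifying the signature.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Formats whose value is stable across logins and can key a user record.
# Transient is deliberately excluded: its value is unique per SSO operation.
STABLE_FORMATS = {EMAIL, UNSPECIFIED, PERSISTENT}


def name_id_policy_xml(fmt: str) -> str:
    """NameIDPolicy element an SP puts in its AuthnRequest to ask the IdP for `fmt`."""
    return (
        f'<samlp:NameIDPolicy xmlns:samlp="{NS["samlp"]}" '
        f'Format="{fmt}" AllowCreate="true"/>'
    )


def extract_name_id(assertion_xml: str):
    """Return (format, value) from <saml:Subject>/<saml:NameID>.

    A missing Format attribute means 'unspecified' per the SAML 2.0 core spec.
    Raises ValueError if the assertion carries no NameID at all.
    """
    # NOTE: for untrusted SAML input use defusedxml (or equivalent) so entity
    # expansion / XXE cannot be abused; stdlib ElementTree is used here only so
    # the example runs stand-alone.
    root = ET.fromstring(assertion_xml)
    name_id = root.find("./saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.text is None or not name_id.text.strip():
        raise ValueError("assertion has no Subject/NameID")
    return name_id.get("Format", UNSPECIFIED), name_id.text.strip()


def usable_as_user_key(assertion_xml: str) -> bool:
    """True if the NameID may be stored and used to recognise the user next time."""
    fmt, _ = extract_name_id(assertion_xml)
    return fmt in STABLE_FORMATS


def _assertion(fmt, value: str) -> str:
    # Constructed sample: minimal unsigned assertion with only Issuer and Subject.
    fmt_attr = f' Format="{fmt}"' if fmt else ""
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_id1" Version="2.0" '
        f'IssueInstant="2024-01-01T00:00:00Z">'
        f"<saml:Issuer>https://sts.windows.net/example-tenant/</saml:Issuer>"
        f"<saml:Subject><saml:NameID{fmt_attr}>{value}</saml:NameID></saml:Subject>"
        f"</saml:Assertion>"
    )


# Constructed samples (hypothetical users and a hypothetical random transient ID).
SAMPLE_TRANSIENT = _assertion(TRANSIENT, "_7d2e4c9a5b1f4e8d9c3a")
SAMPLE_EMAIL = _assertion(EMAIL, "alice@contoso.example")
SAMPLE_NO_FORMAT = _assertion(None, "bob@contoso.example")


if __name__ == "__main__":
    print("Request to send to IdP:", name_id_policy_xml(EMAIL))
    for label, xml in [("transient", SAMPLE_TRANSIENT),
                       ("email", SAMPLE_EMAIL),
                       ("no Format attr", SAMPLE_NO_FORMAT)]:
        fmt, value = extract_name_id(xml)
        print(f"{label:15} format={fmt.rsplit(':', 1)[-1]:12} value={value!r} "
              f"stable={usable_as_user_key(xml)}")
```

Running it shows the transient sample rejected as a user key while the email and format-less (unspecified) samples pass; the NameIDPolicy string is what an SP would embed in its AuthnRequest to request the email format the answer recommends.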