Expected Behavior
In other SP metadata providers (Okta, for example), we can generate SP metadata that contains all of the following:
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
which is a list of NameIDFormat elements for the relying party's SPSSODescriptor.
Current Behavior
Current behaviour is that only one of the above can be specified:
val relyingPartyRegistration = RelyingPartyRegistration.withRegistrationId(id)
    .entityId(spId)
    .assertionConsumerServiceLocation(ssoLoc)
    .nameIdFormat("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")
    .........
(default is unspecified if omitted)
Context
As part of our third-party-to-in-house SAML SP implementation, we are aiming for feature parity, and we believe this feature to be necessary in order to allow a seamless migration. It would also provide a clearer hint to the IDP of what type(s) the SP supports.
Comment From: jzheaux
> It would also provide a clearer hint to the IDP of what type(s) the SP supports.
The nameIdFormat property in RelyingPartyRegistration is only used to produce AuthnRequests. There is no feature in Spring Security that uses the nameIdFormat property to interpret IdP payloads. Since AuthnRequests only support a single NameIDPolicy element, I think we should wait on changing this until such time that specifying multiple formats can affect behavior in Spring Security.
Note that if you really need to communicate multiple formats to the IdP, you can configure the OpenSamlMetadataResolver to do so:
OpenSamlMetadataResolver metadata = new OpenSamlMetadataResolver();
metadata.setEntityDescriptorCustomizer((parameters) -> {
    // getNameIDFormats() is a List<NameIDFormat>, so build an OpenSAML element rather than adding a String
    NameIDFormat format = (NameIDFormat) XMLObjectSupport.buildXMLObject(NameIDFormat.DEFAULT_ELEMENT_NAME);
    format.setURI("desired:format");
    parameters.getEntityDescriptor().getSPSSODescriptor(SAMLConstants.SAML20P_NS).getNameIDFormats().add(format);
});
I'm closing this as resolved, but please let me know if it appears I've misunderstood.
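An added example, not code from this thread or from Spring Security itself, that applies the customizer pattern described above to the four formats listed in the issue. It assumes Spring Security 5.7+'s `OpenSamlMetadataResolver.setEntityDescriptorCustomizer` (whose parameter exposes `getEntityDescriptor()`), OpenSAML 4 (`NameIDFormat.setURI`), and a hypothetical class name `MultiNameIdFormatMetadata`:

```java
import java.util.List;

import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.saml2.metadata.NameIDFormat;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.springframework.security.saml2.provider.service.metadata.OpenSamlMetadataResolver;

public class MultiNameIdFormatMetadata {

    // The four NameIDFormat URIs from the issue description.
    private static final List<String> FORMATS = List.of(
        "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
        "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
        "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");

    // Returns a resolver whose generated SP metadata advertises every URI in FORMATS.
    // Only the metadata changes: the AuthnRequest's NameIDPolicy still carries the
    // single value configured via RelyingPartyRegistration.nameIdFormat(...).
    public static OpenSamlMetadataResolver metadataResolver() {
        OpenSamlMetadataResolver resolver = new OpenSamlMetadataResolver();
        resolver.setEntityDescriptorCustomizer((parameters) -> {
            SPSSODescriptor sp = parameters.getEntityDescriptor()
                .getSPSSODescriptor(SAMLConstants.SAML20P_NS);
            for (String uri : FORMATS) {
                // Skip a URI that is already present, e.g. the one Spring Security
                // emits from the registration's own nameIdFormat.
                if (alreadyListed(sp, uri)) {
                    continue;
                }
                NameIDFormat format = (NameIDFormat) XMLObjectSupport
                    .buildXMLObject(NameIDFormat.DEFAULT_ELEMENT_NAME);
                format.setURI(uri);
                sp.getNameIDFormats().add(format);
            }
        });
        return resolver;
    }

    // True when the descriptor already carries a <md:NameIDFormat> with this URI.
    private static boolean alreadyListed(SPSSODescriptor sp, String uri) {
        return sp.getNameIDFormats().stream()
            .anyMatch((format) -> uri.equals(format.getURI()));
    }
}
```

Wire the returned resolver into the metadata endpoint (`Saml2MetadataFilter`) in place of a plain `new OpenSamlMetadataResolver()`; fetching the SP metadata and checking the `<md:NameIDFormat>` list is the quickest way to confirm the IdP will see all four entries.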
Comment From: domnicksharkey
@jzheaux Thank you for the detailed explanation. I will look into using the metadata resolver pattern!