https://github.com/spring-projects/spring-security/blob/515e8216b18a6b7757f69a949014ede74c9676aa/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider.java#L649
As per the implementation, Subject and the NameId in the Subject are considered mandatory, and the library does not provide any means to override it.
But according to the SAML2 spec, Subject and NameId are optional. Can we update the validation to treat them as optional?
Comment From: jzheaux
Thanks for bringing this up, @AkashB23. I believe we are already underway in https://github.com/spring-projects/spring-security/issues/12136, so I'll mark this as a duplicate. Please feel free to contribute to the conversation over there.