mirror of
https://github.com/zitadel/zitadel.git
synced 2025-08-12 08:47:32 +00:00
fix(saml): use transient mapping attribute when nameID is missing in saml response (#10353)
# Which Problems Are Solved

In the SAML responses from some IDPs (e.g. ADFS and Shibboleth), the `<NameID>` part could be missing in `<Subject>`, and in some cases, the `<Subject>` part might be missing as well. This causes Zitadel to fail the SAML login with the following error message:

```
ID=SAML-EFG32 Message=Errors.Intent.ResponseInvalid
```

# How the Problems Are Solved

This is solved by adding a workaround to accept a transient mapping attribute when the `NameID` or the `Subject` is missing in the SAML response. This requires setting the custom transient mapping attribute in the SAML IDP config in Zitadel, and it should be present in the SAML response as well.

<img width="639" height="173" alt="image" src="https://github.com/user-attachments/assets/cbb792f1-aa6c-4b16-ad31-bd126d164eae" />

# Additional Changes

N/A

# Additional Context

- Closes #10251
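The fallback described in the commit message, sketched as an added example; this is not code from the Zitadel commit, whose diff is not shown on this page. The helper `resolveUserID`, the attribute name `urn:example:transient-id` and the sample assertion are assumptions made for illustration.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"strings"
)

// assertion maps only the parts of a SAML assertion this example reads.
type assertion struct {
	NameID     string `xml:"Subject>NameID"`
	Attributes []struct {
		Name   string   `xml:"Name,attr"`
		Values []string `xml:"AttributeValue"`
	} `xml:"AttributeStatement>Attribute"`
}
var errNoUserID = errors.New("no NameID and no usable transient mapping attribute")

// resolveUserID (hypothetical helper) assumes the response signature and
// conditions were already validated. mappingAttr is the configured attribute name.
func resolveUserID(assertionXML []byte, mappingAttr string) (string, error) {
	var a assertion
	if err := xml.Unmarshal(assertionXML, &a); err != nil {
		return "", err
	}
	if id := strings.TrimSpace(a.NameID); id != "" {
		return id, nil // normal case: <Subject><NameID> is present
	}
	for _, attr := range a.Attributes {
		if mappingAttr == "" || attr.Name != mappingAttr {
			continue // fallback only for the explicitly configured attribute
		}
		for _, v := range attr.Values {
			if v = strings.TrimSpace(v); v != "" {
				return v, nil
			}
		}
	}
	return "", errNoUserID // fail closed: never log in without an identifier
}

// Constructed sample: an assertion with no <Subject>, only the mapping attribute.
const sampleNoSubject = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:AttributeStatement><saml:Attribute Name="urn:example:transient-id">
<saml:AttributeValue> _7f3a-constructed </saml:AttributeValue>
</saml:Attribute></saml:AttributeStatement></saml:Assertion>`

func main() { fmt.Println(resolveUserID([]byte(sampleNoSubject), "urn:example:transient-id")) }
```

With no mapping attribute configured, or with one that the response does not carry, the helper returns an error instead of an empty identifier.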
File diff suppressed because one or more lines are too long