From 6136812dd85c152eebced4caad61b840a8d4331a Mon Sep 17 00:00:00 2001
From: Livio Spring
Date: Wed, 10 Apr 2024 12:05:07 +0200
Subject: [PATCH] fix(idp): use persistent nameid-format in saml request (#7745)

(cherry picked from commit 3711130d422bb716cbad8328f77b2e9bf058d74a)
---
 internal/idp/providers/saml/saml.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/internal/idp/providers/saml/saml.go b/internal/idp/providers/saml/saml.go
index b37eb0ac1d..fc08f6e808 100644
--- a/internal/idp/providers/saml/saml.go
+++ b/internal/idp/providers/saml/saml.go
@@ -156,6 +156,10 @@ func (p *Provider) GetSP() (*samlsp.Middleware, error) {
 	if err != nil {
 		return nil, zerrors.ThrowInternal(err, "SAML-qee09ffuq5", "Errors.Intent.IDPInvalid")
 	}
+	// the library uses transient as default, which we currently can't handle (https://github.com/zitadel/zitadel/discussions/7421)
+	// for the moment we'll use persistent (for those who actually use it from the saml request) and add an option
+	// later on to specify on the provider: https://github.com/zitadel/zitadel/issues/7743
+	sp.ServiceProvider.AuthnNameIDFormat = saml.PersistentNameIDFormat
 	if p.requestTracker != nil {
 		sp.RequestTracker = p.requestTracker
 	}
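Review bot: `sp.ServiceProvider.AuthnNameIDFormat = saml.PersistentNameIDFormat` only sets the NameIDPolicy the SP asks for in the AuthnRequest; an IdP is free to ignore that hint and still return a transient, unspecified or e-mail NameID, so the unsupported-format case the comment describes remains reachable on the response path. The added comment explains the choice of persistent well but should say this explicitly, e.g. `// NOTE: this is only a request-side hint; the IdP may still answer with another NameID format, which the assertion handling must check before using the NameID as a stable subject identifier`. Whether the response-side code performs that check is not visible from this hunk and is worth confirming, since a persistent NameID is presumably what gets used for account linking. GetSP's body continues outside the hunk.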