mirror of
https://github.com/zitadel/zitadel.git
synced 2025-08-11 20:07:32 +00:00

# Which Problems Are Solved

In the SAML responses from some IDPs (e.g. ADFS and Shibboleth), the `<NameID>` part could be missing in `<Subject>`, and in some cases, the `<Subject>` part might be missing as well. This causes Zitadel to fail the SAML login with the following error message:

```
ID=SAML-EFG32 Message=Errors.Intent.ResponseInvalid
```

# How the Problems Are Solved

This is solved by adding a workaround to accept a transient mapping attribute when the `NameID` or the `Subject` is missing in the SAML response. This requires setting the custom transient mapping attribute in the SAML IDP config in Zitadel, and it should be present in the SAML response as well.

# Additional Changes

N/A

# Additional Context

- Closes #10251
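
The fallback described in the commit message above, as an added Go example; it is not Zitadel's code. `resolveUserID`, the `uid` attribute name and the sample response are assumptions constructed here, and the example assumes the response signature and conditions were already validated before the identifier is read.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample: an assertion with no <Subject>, only an attribute statement.
const sampleNoSubject = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Assertion><saml:AttributeStatement>
<saml:Attribute Name="uid"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion></samlp:Response>`

// samlResponse is a minimal view of the response; elements match by local name.
type samlResponse struct {
	NameID string `xml:"Assertion>Subject>NameID"`
	Attrs  []struct {
		Name   string   `xml:"Name,attr"`
		Values []string `xml:"AttributeValue"`
	} `xml:"Assertion>AttributeStatement>Attribute"`
}

var errNoUserID = errors.New("no NameID and no usable transient mapping attribute")

// resolveUserID (hypothetical helper) prefers NameID and otherwise falls back to
// the configured mapping attribute. Fallback is off when mappingAttr is empty.
func resolveUserID(raw []byte, mappingAttr string) (string, error) {
	var r samlResponse
	if err := xml.Unmarshal(raw, &r); err != nil {
		return "", err
	}
	if id := strings.TrimSpace(r.NameID); id != "" {
		return id, nil
	}
	for _, a := range r.Attrs {
		if mappingAttr == "" || a.Name != mappingAttr {
			continue
		}
		if v := strings.TrimSpace(strings.Join(a.Values, "")); len(a.Values) == 1 && v != "" {
			return v, nil
		}
		break // empty or multi-valued attribute is ambiguous: fail closed
	}
	return "", errNoUserID
}

func main() {
	fmt.Println(resolveUserID([]byte(sampleNoSubject), "uid"))
}
```

Rejecting empty and multi-valued attributes is a choice made in this example so that a missing `NameID` never resolves to an ambiguous identifier.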