The NameID Format in the AuthnRequest NameIDPolicy is now respected,
and support has been added for the following NameID Formats:
- urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
- urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- urn:oasis:names:tc:SAML:2.0:nameid-format:transient
The persistent NameID format was previously used in all responses
and mapped to the principal's username. Now, unspecified is mapped
to the principal's username and used by default if no NameIDPolicy
is specified by the SP.
The persistent format requires generating a pseudo-random identifier
that must be generated by the IdP on first login and stored in the
user's profile. Persistent NameID Format is not yet implemented.
The certificate is now added to the signature to enable support for
integration with Service Providers where only the IdP's certificate
fingerprint is configured (e.g. Zendesk).
