Why FusionAuth Doesn’t Support the SAML ‘Transient’ NameIDPolicy
-
Our intention is to utilize FusionAuth as a SAML Identity Provider (IdP) for Omni.
Our efforts to accomplish this were unsuccessful due to FusionAuth's lack of support for the "transient" NameIDPolicy (urn:oasis:names:tc:SAML:2.0:nameid-format:transient). This is detailed in the documentation at: https://fusionauth.io/docs/lifecycle/authenticate-users/saml#limitations.
Omni is working on supporting one of the other NameIDPolicies, but it will take them some time. Their pull request was integrated: https://github.com/siderolabs/omni/pull/1292. However, they still need to implement additional modifications concerning their Go library that implements SAML and Omni's infrastructure.
Is there a way to get FusionAuth to support the "transient" NameIDPolicy on your end? This would enable Omni to work with FusionAuth, as well as other Service Providers (SPs) that do not support FusionAuth's list of NameIDPolicy values.
-
The transient policy is not something FusionAuth will support for the SAML NameID policy. From the SAML standards doc, a transient NameID is supposed to be a temporary value, which is not a good basis to build a link between two identity systems on. That is the main reason FusionAuth does not support this policy, as it would likely lead to issues later down the line with the Identity Provider. Apologies for the inconvenience, but having the User ID/UUID shift or change would cause problems, as FA relies on a consistent User ID/UUID (NameID) to make a SAML link work.
-
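As an added illustration of the reasoning in the reply above (example code written for this page, not FusionAuth's or Omni's implementation): a minimal AuthnRequest carrying a NameIDPolicy, a toy IdP that issues either a persistent or a transient NameID from a stable user UUID, and a toy SP that keys its account links on the NameID value it receives. The entity ID, the user UUID, the timestamp and the in-memory link table are constructed for the example. The hypothetical IdP answers a format it does not issue with the InvalidNameIDPolicy second-level status code that SAML 2.0 core defines for that case.

```python
"""Added example: why a transient NameID cannot anchor an SP<->IdP account link.

Constructed for illustration; not FusionAuth or Omni code. The ToyIdP, ToySP
and in-memory link table are simplifications of what a real deployment does.
"""
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_INVALID_NAMEID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

SP_ENTITY_ID = "https://sp.example/metadata"            # constructed sample
USER_UUID = "6ab4b3f0-0000-4000-8000-000000000001"      # constructed sample


def build_authn_request(sp_entity_id: str, nameid_format: str) -> str:
    """Serialise a minimal AuthnRequest whose NameIDPolicy asks for nameid_format."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": "2024-01-01T00:00:00Z",  # fixed timestamp: constructed sample
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy",
                  {"Format": nameid_format, "AllowCreate": "true"})
    return ET.tostring(req, encoding="unicode")


def requested_nameid_format(authn_request_xml: str):
    """Return the Format the SP asked for, or None when no NameIDPolicy is present."""
    policy = ET.fromstring(authn_request_xml).find(f"{{{SAMLP}}}NameIDPolicy")
    return policy.get("Format") if policy is not None else None


class ToyIdP:
    """Hypothetical IdP whose users are identified by a stable UUID."""

    def __init__(self, supported_formats):
        self.supported_formats = set(supported_formats)

    def respond(self, user_uuid: str, authn_request_xml: str) -> dict:
        fmt = requested_nameid_format(authn_request_xml)
        if fmt not in self.supported_formats:
            # SAML 2.0 core defines this second-level status for exactly this case.
            return {"status": STATUS_RESPONDER, "substatus": STATUS_INVALID_NAMEID_POLICY}
        if fmt == NAMEID_PERSISTENT:
            value = user_uuid                 # same value on every login
        else:
            value = "_" + uuid.uuid4().hex    # transient: fresh opaque handle per response
        return {"status": STATUS_SUCCESS, "nameid_format": fmt, "nameid_value": value}


class ToySP:
    """Hypothetical SP that links a local account to the first NameID it sees."""

    def __init__(self):
        self.links = {}   # (format, value) -> local account id

    def login(self, response: dict) -> str:
        key = (response["nameid_format"], response["nameid_value"])
        if key not in self.links:
            self.links[key] = f"local-{len(self.links) + 1}"   # unknown NameID: new account
        return self.links[key]


def local_accounts_after(n_logins: int, nameid_format: str) -> int:
    """Log one IdP user in n times and count the local accounts the SP ends up with."""
    idp = ToyIdP({NAMEID_PERSISTENT, NAMEID_TRANSIENT})
    sp = ToySP()
    for _ in range(n_logins):
        sp.login(idp.respond(USER_UUID, build_authn_request(SP_ENTITY_ID, nameid_format)))
    return len(sp.links)


def response_from_persistent_only_idp(nameid_format: str) -> dict:
    """What an IdP that only issues persistent NameIDs returns for a given request."""
    idp = ToyIdP({NAMEID_PERSISTENT})
    return idp.respond(USER_UUID, build_authn_request(SP_ENTITY_ID, nameid_format))


if __name__ == "__main__":
    print("persistent, 3 logins:", local_accounts_after(3, NAMEID_PERSISTENT), "local account(s)")
    print("transient,  3 logins:", local_accounts_after(3, NAMEID_TRANSIENT), "local account(s)")
    print("transient from persistent-only IdP:", response_from_persistent_only_idp(NAMEID_TRANSIENT))
```

With a persistent NameID the three logins resolve to one local account; with a transient NameID every response carries a new value, so an SP that keys links on it ends up with three accounts for the same person, which is the failure mode the reply describes. A persistent-only IdP declines the transient request with Responder/InvalidNameIDPolicy rather than silently issuing a different format.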