diff --git a/object/application.go b/object/application.go
index 11caf725..a75fc987 100644
--- a/object/application.go
+++ b/object/application.go
@@ -78,6 +78,7 @@ type Application struct {
EnableSamlCompress bool `json:"enableSamlCompress"`
EnableSamlC14n10 bool `json:"enableSamlC14n10"`
EnableSamlPostBinding bool `json:"enableSamlPostBinding"`
+ UseEmailAsSamlNameId bool `json:"useEmailAsSamlNameId"`
EnableWebAuthn bool `json:"enableWebAuthn"`
EnableLinkWithEmail bool `json:"enableLinkWithEmail"`
OrgChoiceMode string `json:"orgChoiceMode"`
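Review bot: The new field `UseEmailAsSamlNameId` is a security-relevant switch — it changes which user attribute relying parties receive as the SAML subject identifier — yet, like its neighbours, it carries no comment, so a reader of this struct cannot tell what it toggles without finding the saml_idp.go branches. A trailing line comment would suffice: `// when set, SAML NameID/NameIdentifier carries user.Email instead of user.Name`. The Application struct begins before and ends after this hunk.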
diff --git a/object/saml_idp.go b/object/saml_idp.go
index 3856e816..53252407 100644
--- a/object/saml_idp.go
+++ b/object/saml_idp.go
@@ -65,7 +65,11 @@ func NewSamlResponse(application *Application, user *User, host string, certific
assertion.CreateAttr("IssueInstant", now)
assertion.CreateElement("saml:Issuer").SetText(host)
subject := assertion.CreateElement("saml:Subject")
- subject.CreateElement("saml:NameID").SetText(user.Name)
+ nameIDValue := user.Name
+ if application.UseEmailAsSamlNameId {
+ nameIDValue = user.Email
+ }
+ subject.CreateElement("saml:NameID").SetText(nameIDValue)
subjectConfirmation := subject.CreateElement("saml:SubjectConfirmation")
subjectConfirmation.CreateAttr("Method", "urn:oasis:names:tc:SAML:2.0:cm:bearer")
subjectConfirmationData := subjectConfirmation.CreateElement("saml:SubjectConfirmationData")
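Review bot: The new branch `nameIDValue = user.Email` copies user.Email into saml:NameID without checking that it is non-empty, so an account with no email address would be issued an assertion whose NameID is the empty string, which a relying party may reject or, worse, may map onto a single shared principal; the same unguarded pattern is repeated in NewSamlResponse11 at `nameIdentifier.SetText(user.Email)` and `nameIdentifierInAttribute.SetText(user.Email)`. Guard the switch, e.g. `if application.UseEmailAsSamlNameId && user.Email != "" {`, or return an error from the response builder when the selected identifier is empty. Because a relying party keying on NameID will trust whatever email is placed here, it is also worth confirming outside this hunk that only a verified email can be selected — I cannot tell from these lines whether Email is verified. When the email is used, the NameID element should additionally carry a `Format` attribute of `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress` (the commented-out line in NewSamlResponse11 hints at this), and nothing in the change sets it; NewSamlResponse begins and ends outside this hunk.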
@@ -386,7 +390,7 @@ func GetSamlResponse(application *Application, user *User, samlRequest string, h
}
// NewSamlResponse11 return a saml1.1 response(not 2.0)
-func NewSamlResponse11(user *User, requestID string, host string) (*etree.Element, error) {
+func NewSamlResponse11(application *Application, user *User, requestID string, host string) (*etree.Element, error) {
samlResponse := &etree.Element{
Space: "samlp",
Tag: "Response",
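Review bot: The doc comment above the changed signature still reads `// NewSamlResponse11 return a saml1.1 response(not 2.0)` and says nothing about the new application parameter, which now decides what goes into NameIdentifier and is dereferenced without a nil check further down. Update it to something like `// NewSamlResponse11 returns a SAML 1.1 response (not 2.0); application.UseEmailAsSamlNameId selects whether NameIdentifier carries user.Email or user.Name, and application must not be nil.` The function body continues beyond this hunk.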
@@ -430,7 +434,11 @@ func NewSamlResponse11(user *User, requestID string, host string) (*etree.Elemen
// nameIdentifier inside subject
nameIdentifier := subject.CreateElement("saml:NameIdentifier")
// nameIdentifier.CreateAttr("Format", "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")
- nameIdentifier.SetText(user.Name)
+ if application.UseEmailAsSamlNameId {
+ nameIdentifier.SetText(user.Email)
+ } else {
+ nameIdentifier.SetText(user.Name)
+ }
// subjectConfirmation inside subject
subjectConfirmation := subject.CreateElement("saml:SubjectConfirmation")
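Review bot: The if/else choosing between user.Email and user.Name is now written out three times in this commit — here, again at `nameIdentifierInAttribute.SetText(...)` in the next hunk, and as nameIDValue in NewSamlResponse — so any later refinement of the rule (an empty-email fallback, a verified-email requirement, a Format attribute) has to be applied in three places and can drift between the 1.1 and 2.0 paths. Extract the selection once into a small helper and call it from all three sites, e.g. `nameIdentifier.SetText(getSamlNameID(application, user))`; the helper then becomes the single place to add any guard. NewSamlResponse11 begins before and ends after this hunk.
```go
// getSamlNameID returns the value used as the SAML subject identifier for user:
// user.Email when the application opts in via UseEmailAsSamlNameId, else user.Name.
// application must not be nil.
func getSamlNameID(application *Application, user *User) string {
	if application.UseEmailAsSamlNameId {
		return user.Email
	}
	return user.Name
}

// … unchanged: NewSamlResponse11 body up to the NameIdentifier element …
nameIdentifier := subject.CreateElement("saml:NameIdentifier")
nameIdentifier.SetText(getSamlNameID(application, user))
// … unchanged: subjectConfirmation and the rest of the assertion …
```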
@@ -439,7 +447,11 @@ func NewSamlResponse11(user *User, requestID string, host string) (*etree.Elemen
attributeStatement := assertion.CreateElement("saml:AttributeStatement")
subjectInAttribute := attributeStatement.CreateElement("saml:Subject")
nameIdentifierInAttribute := subjectInAttribute.CreateElement("saml:NameIdentifier")
- nameIdentifierInAttribute.SetText(user.Name)
+ if application.UseEmailAsSamlNameId {
+ nameIdentifierInAttribute.SetText(user.Email)
+ } else {
+ nameIdentifierInAttribute.SetText(user.Name)
+ }
subjectConfirmationInAttribute := subjectInAttribute.CreateElement("saml:SubjectConfirmation")
subjectConfirmationInAttribute.CreateElement("saml:ConfirmationMethod").SetText("urn:oasis:names:tc:SAML:1.0:cm:artifact")
diff --git a/object/token_cas.go b/object/token_cas.go
index 3cd4de5c..2334e371 100644
--- a/object/token_cas.go
+++ b/object/token_cas.go
@@ -281,7 +281,7 @@ func GetValidationBySaml(samlRequest string, host string) (string, string, error
return "", "", fmt.Errorf("the application for user %s is not found", userId)
}
- samlResponse, err := NewSamlResponse11(user, request.RequestID, host)
+ samlResponse, err := NewSamlResponse11(application, user, request.RequestID, host)
if err != nil {
return "", "", err
}
diff --git a/web/src/ApplicationEditPage.js b/web/src/ApplicationEditPage.js
index 8bba3d37..4a510338 100644
--- a/web/src/ApplicationEditPage.js
+++ b/web/src/ApplicationEditPage.js
@@ -703,6 +703,16 @@ class ApplicationEditPage extends React.Component {
}} />
+
+
+ {Setting.getLabel(i18next.t("application:Use Email as NameID"), i18next.t("application:Use Email as NameID - Tooltip"))} :
+
+
+ {
+ this.updateApplicationField("useEmailAsSamlNameId", checked);
+ }} />
+
+
{Setting.getLabel(i18next.t("application:Enable SAML POST binding"), i18next.t("application:Enable SAML POST binding - Tooltip"))} :