Make NameID emailAddress value assertion optional

[jbreton]

We just updated from v4 to v6 and some authentication failed. After digging around we found that the value of the Subject NameID isn't a valid email address in some cases. This isn't something we can ask the IdP to change.

From what we can see from other SAML2 libraries, it seems to be a common practice to be able to disable some assertions like this one.

saml2/src/XML/saml/NameID.php

Lines 55 to 58 in 85b0530

	Assert::email(
	$value->getValue(),
	"The content %s of the NameID was not in the format specified by the Format attribute",
	);

[tvdijen]

This isn't something we can ask the IdP to change

Why not? You can, and you should!

They should be using format urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified instead.

[jbreton]

They should be using format urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified instead.

That would be ideal but sadly it's not possible.

What bothers me is that v4 didn't have that assertion. While it's an improvement to verify the contents, it would also be a good idea to have a more granular control over some validations.

[tvdijen]

It's what I'm working on in the open pull request, but I doubt it will become that granular..

Can you elaborate a bit on why it's not possible for to IdP to fix the format on their end? It sounds a bit weird to me tbh.

[jbreton]

I'll keep it at "it's complicated" 🤷🏻‍♂️

As of now, I applied a patch disabling the assertion until either there's a way to do it cleanly or we get the IdP to fix it.

It's good to know the library is actively worked on, keep on the good work 👍🏻