Allow AuthnRequest with no NameID Format

[alexstuart]

saml2/authn_request.py generates an AuthnRequest which always contains a Format attribute, although saml2int does not require this attribute. saml2int says:

The saml2p:AuthnRequest message SHOULD contain a saml2p:NameIDPolicy element with an AllowCreate attribute of "true". Its Format attribute, if present, SHOULD be set to one of the following values:
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
urn:oasis:names:tc:SAML:2.0:nameid-format:transient

Is it possible for the library to be flexible enough that it doesn't have to request a particular Format? This would be useful where one can't be sure that the IdPs can produce persistent NameIDs

[pitbulk]

Why not use urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified ?

[pitbulk]

@alexstuart as default we set nameIDFormat as unspecified if not provided. We try to follow saml2int.

Let us know if you have an IdP that is not able to process an AuthnRequest with nameIDFormat set as unspecified, but I think it should.

[alexstuart]

We had a couple of calls about this on the UK federation helpdesk. I didn't get a complete understanding of the problem, but in both cases it was with Shibboleth IdPs (not sure of the version) which had CAS configured. When the SP operator changed the configuration to request a SAML 2 transient NameID, access was regained. Since I'm not familiar with CAS, I can't recreate the system to test it myself, and I didn't follow this any further.

saml2int does not say that the unspecified format is a default, and it says that you SHOULD include a Format, not MUST. So it would be good if your library doesn't generate the Format attribute unless the SP operator explicitly sets one for an application-specific reason.

[pitbulk]

Ok I will make NameIDPolicy Optional, so if you don't define it in the settings, it will be consider None, so not generating it, instead of be using the "unspecified" value as default.