The default NameID format causes problems #65

Closed
biofractal opened this issue Nov 16, 2014 · 1 comment

@biofractal

The nameid-format currently defaults to:

urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

This can cause problems for those IdPs that do not support this specific format, e.g. TestShib.

I believe that the SAML specs indicate the default should be:

urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

I understand that the default can be overridden easily using the identifierFormat; however, I think it would be better if the default was set to the least restrictive option.

Thanks for maintaining a great bit of kit.

@ploer
Contributor

ploer commented Nov 18, 2014

Hmm... I don't think the SAML specs really have any bearing on what the default behavior of the library is. They do specify that all IDPs have to support unspecified, and that if the request omits the nameid it defaults to unspecified, but that's all I'm aware of.

I could see unspecified being an appropriate default, but changing it would be a breaking change for users that currently rely on emailAddress as the default, and it's easy enough to set the identifierFormat option if you want something specific. So I'm inclined to leave it as-is for now, and maybe reconsider if there's a breaking change happening here for other reasons in the future.

If you'd like to submit a PR to update the documentation to cover this as a gotcha, that would be welcome!
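
A pre-flight check for the gotcha discussed in this thread, as an added example that is not part of the original issue or of the library's code: it reads the `NameIDFormat` entries an IdP advertises in its SAML metadata and reports whether the format you intend to pass as `identifierFormat` is among them. The function names and the sample metadata are hypothetical and constructed for illustration; it assumes the IdP publishes `NameIDFormat` elements in its metadata.

```javascript
// Added example: hypothetical pre-flight check, not code from the library in this issue.
// Default format as quoted in the issue; pass your own identifierFormat to override.
const DEFAULT_FORMAT = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress';

// Constructed sample IdP metadata (entityID and formats are made up for the demo).
const SAMPLE_METADATA = `
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://idp.example.test/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>
      urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
    </md:NameIDFormat>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>`;

// Collect the NameIDFormat values the IdP advertises, with or without a namespace prefix.
// A regex is adequate for this read-only check; it is not a substitute for real XML parsing.
function advertisedNameIdFormats(metadataXml) {
  const re = /<(?:[\w.-]+:)?NameIDFormat\b[^>]*>\s*([^<\s]+)\s*<\/(?:[\w.-]+:)?NameIDFormat\s*>/g;
  const formats = new Set();
  for (const match of metadataXml.matchAll(re)) formats.add(match[1]);
  return [...formats];
}

// ok === true  : the requested format is advertised by the IdP
// ok === false : the IdP lists formats and the requested one is not among them
// ok === null  : the metadata lists no NameIDFormat, so nothing can be concluded
function checkIdentifierFormat(metadataXml, identifierFormat = DEFAULT_FORMAT) {
  const advertised = advertisedNameIdFormats(metadataXml);
  const ok = advertised.length === 0 ? null : advertised.includes(identifierFormat);
  return { ok, requested: identifierFormat, advertised };
}

// With the sample metadata, the emailAddress default is reported as not advertised.
console.log(checkIdentifierFormat(SAMPLE_METADATA));
```
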
