Hi all,
We’ve started to use SATOSA to handle some… peculiar… vendors (mostly SaaS) and we’re
liking it a lot so far!
One issue that we found I haven’t been able to figure out, so I thought I’d try the list to
see if we’re doing something wrong or we actually found a bug.
The flow/setup that we’re using is:
SaaS SP <-> SATOSA frontend <-> SATOSA backend <-> Shibboleth IDP.
In the AuthnRequest the SaaS SP asks to NameIDPolicy AllowCreate="true"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified".
The backend then sends an AuthnRequest to our IDP without any NameIDPolicy (which is fine)
and by default our IDP chooses to use urn:oasis:names:tc:SAML:2.0:nameid-format:transient
via Subject>NameID which is fine.
But then the frontend answers the SaaS SP with a
urn:oasis:names:tc:SAML:2.0:nameid-format:transient via Subject>NameID which I think is
weird and wrong. I mean the SaaS SP requested unspecified, shouldn’t that be what SATOSA
answers with?
A workaround that I have tried is setting
config.sp_config.service.sp.name_id_policy_format:
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified AND making the Shibboleth IDP
prefer unspecified.
This makes the response from frontend to SaaS SP use unspecified like SaaS SP requested.
I don’t think this should be necessary. Am I wrong?
BR,
- Simon
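The check below is an added example, not code from the post or from SATOSA: it parses a constructed AuthnRequest and Response shaped like the ones described above and reports the NameIDPolicy Format the SP requested next to the NameID Format the frontend returned, so the two ends of the chain can be compared from captured messages. The XML samples are constructed and trimmed to the relevant elements; only the Python standard library is used.

```python
"""Added example (not from the original post or SATOSA): compare the NameID
Format an SP asked for in its AuthnRequest with the Format it received.
Both XML documents are constructed samples trimmed to the relevant elements."""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# SAML Core 2.2.2: a NameID with no Format attribute is "unspecified".
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed AuthnRequest as the SaaS SP would send it to the SATOSA frontend.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://saas.example.com/sp</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</samlp:AuthnRequest>"""

# Constructed Response as the SATOSA frontend would return it to the SP.
RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2024-01-01T00:00:01Z" InResponseTo="_req1">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:01Z">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_9f3c</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def requested_format(authn_request_xml):
    """Format from NameIDPolicy; None when the request carries no policy at all."""
    policy = ET.fromstring(authn_request_xml).find("samlp:NameIDPolicy", NS)
    return None if policy is None else policy.get("Format", UNSPECIFIED)


def returned_formats(response_xml):
    """Format of every NameID under Assertion/Subject in the response."""
    root = ET.fromstring(response_xml)
    path = "saml:Assertion/saml:Subject/saml:NameID"
    return [n.get("Format", UNSPECIFIED) for n in root.findall(path, NS)]


def check_name_id_format(authn_request_xml, response_xml):
    """Return (requested, returned, same) for a correlated request/response pair."""
    req_id = ET.fromstring(authn_request_xml).get("ID")
    if ET.fromstring(response_xml).get("InResponseTo") != req_id:
        raise ValueError("Response does not answer this AuthnRequest")
    req = requested_format(authn_request_xml)
    ret = returned_formats(response_xml)
    return req, ret, all(f == req for f in ret)
```

Run `check_name_id_format(AUTHN_REQUEST, RESPONSE)` on the samples to see the requested and returned formats side by side; point it at the SP-side and IdP-side captures to see at which hop the Format changes.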