SAML logout request NameID case sensitivity

Feature: Support case sensitivity of NameID in SAML logout request

Description: We have a customer complaint that their SAML SLO (processed by Auth0’s SAML2 WEB APP Add-On) doesn’t work because they send the content of the NameID field in lowercase letters while the corresponding Auth0 user attribute is in uppercase letters. Would it be possible to support case insensitivity on the Auth0 side, or is there any other workaround or solution for this problem? I found this post in the community forum: https://community.auth0.com/t/auth0-saml-logout-nameid-changed-to-lowercase-in-saml-logout-request/31590/2 which describes exactly this problem.

Hi @elster

I have moved your topic from the Product Feedback page to the Get Help one for the following reasons:

  • According to the SAML Core Specification, the NameID is an opaque identifier. The Service Provider must store it exactly as received in the SAML Assertion and return that exact same string in the <LogoutRequest>. By lowercasing the identifier, the SP is technically violating the specification.
  • When Auth0 receives a LogoutRequest, it looks up the active session using the exact NameID string provided. If the user’s Auth0 ID is auth0|User123 but the SP sends auth0|user123, Auth0 cannot safely assume they are the same user (as identifiers in some systems are case-sensitive) and aborts the logout.
  • The ideal solution is to inform the customer/Service Provider that their SAML implementation is altering the NameID payload. They need to update their system to store and transmit the NameID preserving its original exact casing.
  • If the SP cannot or will not fix their implementation, you can intercept the SAML login process on the Auth0 side and force the NameID to be lowercase before it is sent to the SP. If you choose this option, ensure that your underlying user base does not rely on case-sensitivity for uniqueness. For example, if your database treats UserA and usera as two completely separate accounts, lowercasing the NameID could technically cause ID collisions in the SAML assertion, though this is exceedingly rare in modern identity systems (Auth0 standard database connections are case-insensitive for emails, and generated IDs are unique).

If you have more questions on the matter, let me know!

Kind Regards,
Nik

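The two lookup behaviours Nik describes, and the uniqueness check he recommends before lowercasing the NameID at login, as an added Node.js example (not code from this thread or from Auth0). The LogoutRequest, the session table, the user IDs and all function names below are constructed for the demo and are not Auth0 internals; the XML extraction is deliberately minimal and skips the signature verification a real IdP performs first.

```javascript
// Added example, not code from the thread or from Auth0: what an IdP-side
// <LogoutRequest> handler sees when the SP lowercases the NameID, why an
// exact-match lookup aborts, and the uniqueness check to run before adopting
// the "lowercase the NameID at login" workaround. Node.js, no dependencies.
// The LogoutRequest, session table and user IDs below are all constructed.

// Constructed LogoutRequest: the IdP issued NameID "auth0|User123" in the
// assertion, but the SP stored and now returns it as "auth0|user123".
const SAMPLE_LOGOUT_REQUEST = `<samlp:LogoutRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.com/metadata</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">auth0|user123</saml:NameID>
  <samlp:SessionIndex>_sess1</samlp:SessionIndex>
</samlp:LogoutRequest>`;

// Constructed session table keyed by the exact NameID string the IdP issued.
// It deliberately contains two IDs that differ only in case.
const SESSIONS = new Map([
  ['auth0|User123', { user: 'alice', sessionIndex: '_sess1' }],
  ['auth0|UserA',   { user: 'bob',   sessionIndex: '_sess2' }],
  ['auth0|usera',   { user: 'carol', sessionIndex: '_sess3' }],
]);

// Demo-only extraction. A real IdP parses the XML properly and verifies the
// request signature before trusting the NameID.
function extractNameId(xml) {
  const m = xml.match(/<saml:NameID\b[^>]*>([^<]*)<\/saml:NameID>/);
  return m ? m[1].trim() : null;
}

// Spec-conformant lookup: the NameID is opaque, so only a byte-for-byte match
// counts. Returns the session or null (null means the logout is aborted).
function findSessionStrict(sessions, nameId) {
  return sessions.get(nameId) || null;
}

// Relaxed lookup that tolerates case changes by the SP. It must refuse to
// pick a session when more than one stored NameID folds to the same string,
// otherwise a LogoutRequest for one user could end another user's session.
function findSessionCaseInsensitive(sessions, nameId) {
  const wanted = nameId.toLowerCase();
  const hits = [];
  for (const [key, session] of sessions) {
    if (key.toLowerCase() === wanted) hits.push(session);
  }
  if (hits.length === 0) return { status: 'not_found', session: null };
  if (hits.length > 1) return { status: 'ambiguous', session: null };
  return { status: 'found', session: hits[0] };
}

// Pre-check for the workaround: which user IDs would collide if the NameID
// sent to the SP were lowercased? Returns groups of colliding IDs.
function findLowercaseCollisions(userIds) {
  const groups = new Map();
  for (const id of userIds) {
    const key = id.toLowerCase();
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(id);
  }
  return [...groups.values()].filter((g) => g.length > 1);
}

// End-to-end: returns 'logged_out' (and removes the session) or 'aborted'.
function handleLogoutRequest(xml, sessions, { caseInsensitive = false } = {}) {
  const nameId = extractNameId(xml);
  if (!nameId) return 'aborted';
  let session = null;
  if (caseInsensitive) {
    const r = findSessionCaseInsensitive(sessions, nameId);
    session = r.status === 'found' ? r.session : null;
  } else {
    session = findSessionStrict(sessions, nameId);
  }
  if (!session) return 'aborted';
  for (const [key, s] of sessions) {
    if (s === session) sessions.delete(key);
  }
  return 'logged_out';
}

// Demo run on copies of the table so the original stays intact.
console.log('strict lookup:', handleLogoutRequest(SAMPLE_LOGOUT_REQUEST, new Map(SESSIONS)));
console.log('case-insensitive lookup:',
  handleLogoutRequest(SAMPLE_LOGOUT_REQUEST, new Map(SESSIONS), { caseInsensitive: true }));
console.log('IDs that would collide if lowercased:', findLowercaseCollisions([...SESSIONS.keys()]));
```

The strict path is the behaviour Nik attributes to Auth0: the lowercased NameID matches no session, so the logout is aborted. The relaxed path shows why tolerating case is only safe when the user base has no IDs that differ solely by case; `findLowercaseCollisions` is the check to run over the user IDs before choosing the "lowercase the NameID at login" workaround, since in this constructed table `auth0|UserA` and `auth0|usera` would fold to the same NameID.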

I see Nik has answered and provided a solution, but out of curiosity, is this the customer’s service provider/platform/software that is changing it to lower case, or is it just stored incorrectly to start with on that system?