Hi @elster
I have moved your topic from the Product Feedback page to the Get Help one for the following reasons:
- According to the SAML Core Specification, the `NameID` is an opaque identifier. The Service Provider must store it exactly as received in the SAML Assertion and return that exact same string in the `<LogoutRequest>`. By lowercasing the identifier, the SP is technically violating the specification.
- When Auth0 receives a `LogoutRequest`, it looks up the active session using the exact `NameID` string provided. If the user’s Auth0 ID is `auth0|User123` but the SP sends `auth0|user123`, Auth0 cannot safely assume they are the same user (as identifiers in some systems are case-sensitive) and aborts the logout.
- The ideal solution is to inform the customer/Service Provider that their SAML implementation is altering the `NameID` payload. They need to update their system to store and transmit the `NameID` preserving its original exact casing.
- If the SP cannot or will not fix their implementation, you can intercept the SAML login process on the Auth0 side and force the `NameID` to be lowercase before it is sent to the SP. If you choose this option, ensure that your underlying user base does not rely on case-sensitivity for uniqueness. For example, if your database treats `UserA` and `usera` as two completely separate accounts, lowercasing the `NameID` could technically cause ID collisions in the SAML assertion, though this is exceedingly rare in modern identity systems (Auth0 standard database connections are case-insensitive for emails, and generated IDs are unique).
If you have more questions on the matter, let me know!
Kind Regards,
Nik
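Added example (not code from the post above or from Auth0): an SP-side session lookup that matches the `NameID` from a `<LogoutRequest>` exactly, as the reply describes, but reports case-only mismatches so the operator can see why SLO is failing, plus the collision check worth running over your user IDs before choosing the "force lowercase on the Auth0 side" option. The session store, the LogoutRequest and the user IDs are constructed samples.

```javascript
// Hypothetical SP session store: NameID exactly as issued in the assertion -> session id.
const sessions = new Map([
  ['auth0|User123', 'sess-1'],
  ['auth0|abc', 'sess-2'],
]);

// Pull the NameID out of a LogoutRequest. A regex is enough for this constructed
// sample; a real SP must use a namespace-aware XML parser and verify the signature first.
function extractNameId(logoutRequestXml) {
  const m = /<(?:saml:)?NameID[^>]*>([^<]*)<\/(?:saml:)?NameID>/.exec(logoutRequestXml);
  return m ? m[1].trim() : null;
}

// Exact-match lookup (what the spec requires). On a miss, list store entries that
// differ from the request only by case, so the log explains the rejected logout.
function lookupSession(store, nameId) {
  if (store.has(nameId)) return { status: 'ok', session: store.get(nameId), candidates: [] };
  const caseOnly = [...store.keys()].filter(
    k => k !== nameId && k.toLowerCase() === nameId.toLowerCase(),
  );
  return { status: caseOnly.length ? 'case-mismatch' : 'unknown', session: null, candidates: caseOnly };
}

// Group identifiers that would become identical after lowercasing; a non-empty
// result means forcing a lowercase NameID would merge distinct accounts.
function findCaseCollisions(ids) {
  const groups = new Map();
  for (const id of ids) {
    const key = id.toLowerCase();
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(id);
  }
  return [...groups.values()].filter(g => g.length > 1);
}

// Constructed sample: the SP lowercased the NameID before sending it back.
const sampleLogoutRequest =
  '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ' +
  'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0" ' +
  'IssueInstant="2024-01-01T00:00:00Z">' +
  '<saml:Issuer>https://sp.example.com</saml:Issuer>' +
  '<saml:NameID>auth0|user123</saml:NameID>' +
  '</samlp:LogoutRequest>';

// Example run: status 'case-mismatch', candidates ['auth0|User123'].
console.log(lookupSession(sessions, extractNameId(sampleLogoutRequest)));
// Example run: [['UserA', 'usera']] -> lowercasing would collide these two IDs.
console.log(findCaseCollisions(['UserA', 'usera', 'bob']));
```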