IdentityPython / djangosaml2

Django SAML2 Service Provider based on pySAML2
Apache License 2.0

[Question] Can I verify the user input email and SAML response email in ACS? #372

Open oakmegaeddie opened 1 year ago

oakmegaeddie commented 1 year ago

Hi, I am looking to implement SSO login using djangosaml2.

The login process is as follows:

  1. The user first inputs their email on our website, and then calls the SP server API.
  2. The SP server API then instructs the browser to redirect to the IdP.
  3. The user logs in on the IdP.
  4. The IdP POSTs ACS with email attributes in the SAML response.
  5. In the ACS, I have implemented a class called ModifiedSaml2Backend which inherits from Saml2Backend.
  6. Login is successful.

I need to verify whether the email that the user inputted (in step 1) is the same as the email in the SAML response (in step 4). Is it possible to include the email in the SAML request (in step 2) and retrieve it in the ACS (in step 5)?

peppelinux commented 1 year ago

You can just have the email attribute in your SP metadata as isRequired=True; then your ACS will receive this.

Otherwise the subject NameID, instead of transient or persistent, could be set to email, but I suggest the first solution because it is more flexible with different IdP configurations, since not all IdPs support email as the subject ID.
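One way to implement the check the question asks for in the ACS backend (step 5), together with the required-attribute SP metadata setting peppelinux suggests. This is an added example, not code from the thread or from djangosaml2; it assumes the email typed in step 1 was saved server-side (e.g. in the Django session) and that the attribute's friendly name is "mail".

```python
import hmac
from typing import Mapping, Optional, Sequence

# pySAML2 SP config fragment that marks the email attribute as required in the
# SP metadata (the first option suggested in the thread); the rest of
# SAML_CONFIG is omitted. Using "mail" as the friendly name is an assumption.
SAML_CONFIG_SP_FRAGMENT = {
    "service": {"sp": {"required_attributes": ["mail"]}},
}

# Constructed sample of the attribute dict ("ava") that pySAML2 hands to the
# backend in the ACS; SAML attribute values always arrive as lists.
SAMPLE_ASSERTION_ATTRIBUTES = {"mail": ["Alice@Example.com"], "uid": ["alice"]}


def normalize_email(value: str) -> str:
    """Trim whitespace and lower-case the address. Treating the local part
    case-insensitively is an assumption matching how most IdPs behave; the
    step-1 form value and the assertion must be normalized the same way."""
    return value.strip().lower()


def email_from_assertion(attributes: Mapping[str, Sequence[str]],
                         attr_name: str = "mail") -> Optional[str]:
    """Return the single asserted email, or None if it is missing or ambiguous."""
    values = [v for v in attributes.get(attr_name, []) if v and v.strip()]
    if len(values) != 1:
        return None  # absent or multi-valued: never guess which address the IdP meant
    return normalize_email(values[0])


def email_matches(entered_email: Optional[str],
                  attributes: Mapping[str, Sequence[str]],
                  attr_name: str = "mail") -> bool:
    """True only if the email typed in step 1 equals the email the IdP asserted
    in step 4. Every missing value fails closed, so the login is refused rather
    than silently mapped to a different account."""
    if not entered_email:
        return False
    asserted = email_from_assertion(attributes, attr_name)
    if asserted is None:
        return False
    # Constant-time compare: cheap, and avoids leaking how much of the address
    # matched should this check ever be reachable by an unauthenticated caller.
    return hmac.compare_digest(normalize_email(entered_email).encode("utf-8"),
                               asserted.encode("utf-8"))
```

In the ModifiedSaml2Backend from step 5, run email_matches() against session_info["ava"] and the saved step-1 email before deferring to the parent Saml2Backend.authenticate(), returning None on a mismatch; the AuthnRequest itself then does not need to carry the address.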