catalyst / moodle-auth_saml2

SAML done 100% in Moodle, fast, simple, secure
https://moodle.org/plugins/auth_saml2

Reinstate supported NameId formats #778

Closed jwalits closed 8 months ago

jwalits commented 8 months ago

As part of a recent change, https://github.com/catalyst/moodle-auth_saml2/commit/39a7a1fb25719b51802d94a89fb99e057b54caaf, some NameID formats were removed. However, according to the official SAML 2.0 specs, they are still supported (https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf, Section 8.3, page 78). Also, the documentation included with the SimpleSAMLphp library (https://github.com/catalyst/moodle-auth_saml2/blob/MOODLE_39_STABLE/.extlib/simplesamlphp/docs/simplesamlphp-reference-idp-hosted.md) says the following:

NameIDFormat : The format(s) of the NameID supported by this IdP, as either an array or a string. If an array is given, the first value is used as the default if the incoming request does not specify a preference. Defaults to the transient format if unspecified.

This parameter can be configured in multiple places, and the actual value used is fetched from metadata with the following priority:

1. SP Remote Metadata
2. IdP Hosted Metadata

The three most commonly used values are:

1. urn:oasis:names:tc:SAML:2.0:nameid-format:transient
2. urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
3. urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

We should reinstate those removed values as a minimum. Testing on one of the staging sites that was affected, removing the emailAddress NameID format caused the SAML auth to break.
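The following is an added example, not code from the issue, from moodle-auth_saml2 or from SimpleSAMLphp. It models the resolution rules quoted from the SimpleSAMLphp documentation above (SP remote metadata beats IdP hosted metadata, the first array entry is the default, transient is the fallback) and the failure mode the reporter describes: an SP whose AuthnRequest asks for emailAddress against an IdP whose NameIDFormat list no longer contains it. The function names, the exception class, the metadata dicts and the AuthnRequest XML are all constructed for this example; the set of format URNs is the one defined in SAML 2.0 Core section 8.3.

```python
"""Resolve which NameID format an IdP will issue, following the documented
priority: SP remote metadata, then IdP hosted metadata, then transient.
Hypothetical model of the documented rules, not SimpleSAMLphp's own code."""
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# NameID formats defined in SAML 2.0 Core, section 8.3 (8.3.1 through 8.3.8).
SPEC_NAMEID_FORMATS = frozenset({
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
})
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


class UnsupportedNameIDFormat(Exception):
    """Raised when the SP asks for a format the IdP configuration does not offer."""


def as_list(value):
    """NameIDFormat may be configured as a string or an array; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def requested_format(authn_request_xml):
    """Return NameIDPolicy/@Format from an AuthnRequest, or None if absent."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find(f"{{{SAMLP_NS}}}NameIDPolicy")
    return None if policy is None else policy.get("Format")


def supported_formats(sp_remote, idp_hosted):
    """Effective list: SP remote metadata wins, then IdP hosted, then transient."""
    for meta in (sp_remote, idp_hosted):
        formats = as_list(meta.get("NameIDFormat"))
        if formats:
            return formats
    return [TRANSIENT]


def resolve_nameid_format(authn_request_xml, sp_remote, idp_hosted):
    """Pick the format to issue: the SP's preference if offered, else the default."""
    formats = supported_formats(sp_remote, idp_hosted)
    for fmt in formats:
        if fmt not in SPEC_NAMEID_FORMATS:
            raise ValueError(f"not a SAML 2.0 section 8.3 format: {fmt}")
    wanted = requested_format(authn_request_xml)
    if wanted is None:
        return formats[0]  # first configured entry is the default
    if wanted not in formats:
        raise UnsupportedNameIDFormat(f"SP requested {wanted}; IdP offers {formats}")
    return wanted


# Constructed sample AuthnRequests (not captured from a real SP).
AUTHN_REQUEST_EMAIL = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}"
    ID="_c0ffee" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <samlp:NameIDPolicy Format="{EMAIL}" AllowCreate="true"/>
</samlp:AuthnRequest>"""
AUTHN_REQUEST_NO_POLICY = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}"
    ID="_decaf" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"/>"""

# Constructed metadata in the shape of saml20-idp-hosted / saml20-sp-remote entries.
IDP_HOSTED_FULL = {"NameIDFormat": [TRANSIENT, PERSISTENT, EMAIL]}
IDP_HOSTED_TRIMMED = {"NameIDFormat": [TRANSIENT]}   # emailAddress removed
SP_REMOTE_NO_PREF = {}                                 # SP metadata silent on format
SP_REMOTE_PERSISTENT = {"NameIDFormat": PERSISTENT}    # string form overrides IdP hosted

if __name__ == "__main__":
    print(resolve_nameid_format(AUTHN_REQUEST_EMAIL, SP_REMOTE_NO_PREF, IDP_HOSTED_FULL))
    try:
        resolve_nameid_format(AUTHN_REQUEST_EMAIL, SP_REMOTE_NO_PREF, IDP_HOSTED_TRIMMED)
    except UnsupportedNameIDFormat as exc:
        print("login fails:", exc)
```

Running the block shows the two outcomes side by side: with the full list the IdP honours the SP's emailAddress request, while with the trimmed list the same request is refused, which is the break observed on the staging site. Keeping the removed formats in the IdP hosted list (or pinning a format per SP in its remote metadata, which takes priority) avoids that refusal.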