goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

All NameIDFormats are added to Service Provider metadata, when setting up SAML Source #11613

Open nicolas-semaphor opened 1 month ago

nicolas-semaphor commented 1 month ago

Describe the bug
When setting up a SAML service provider for user federation, the user is given a choice of nameIDFormat, which will be included in the service provider metadata in the <md:NameIDFormat> element. Only the chosen format should be added to the metadata, but currently all formats are appended. This will cause errors for some SAML IdPs and is not the correct way of handling this element.

How the metadata appears, when choosing the "persistent" nameID format:

[...]
<md:NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
</md:NameIDFormat>
<md:NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
</md:NameIDFormat>
<md:NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName
</md:NameIDFormat>
<md:NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName
</md:NameIDFormat>
<md:NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
</md:NameIDFormat>
[...]

How it should be:

[...]
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
[...]

To Reproduce
Steps to reproduce the behavior:

  1. Create a SAML Source for user federation.
  2. Inspect metadata of said SAML source.

Version and Deployment (please complete the following information):

Aside from SAML experience, I'm also using the Danish government's SAML Metadata validator. This specific validator checks that metadata is compliant with the Danish OIO-SAML profile, but this specific issue should be relevant for standard SAML2 as well.
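A small check for the behaviour described above, added here as an illustration and not code from the authentik project: it parses SP metadata, lists the NameIDFormat elements under SPSSODescriptor, flags anything beyond the chosen format, and shows the rewrite that leaves only the chosen format (the "how it should be" shape). The sample metadata and its entityID are constructed to mirror the snippet in the report.

```python
"""Added check for the SP-metadata NameIDFormat issue in this report (not authentik code)."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
ET.register_namespace("md", MD_NS)  # keep the md: prefix when serialising

# Constructed sample mirroring the metadata quoted in the report; the entityID is a placeholder.
BUGGY_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://sp.example.invalid/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>
      urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    </md:NameIDFormat>
    <md:NameIDFormat>{PERSISTENT}</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def name_id_formats(metadata_xml: str) -> list[str]:
    """NameIDFormat values under the SPSSODescriptor, whitespace-stripped (the quoted output wraps them)."""
    root = ET.fromstring(metadata_xml)
    sp = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    if sp is None:
        return []
    return [(el.text or "").strip() for el in sp.findall(f"{{{MD_NS}}}NameIDFormat")]


def check_name_id_format(metadata_xml: str, chosen: str) -> list[str]:
    """Findings for one metadata document; an empty list means exactly the chosen format is advertised."""
    formats = name_id_formats(metadata_xml)
    findings = []
    if chosen not in formats:
        findings.append(f"chosen format {chosen} is not advertised")
    extra = [f for f in formats if f != chosen]
    if extra:
        findings.append(f"{len(extra)} NameIDFormat element(s) beyond the chosen one: {', '.join(extra)}")
    return findings


def keep_only_name_id_format(metadata_xml: str, chosen: str) -> str:
    """Rewrite the metadata so each SPSSODescriptor advertises only the chosen NameIDFormat."""
    root = ET.fromstring(metadata_xml)
    for sp in root.findall(f"{{{MD_NS}}}SPSSODescriptor"):
        for el in sp.findall(f"{{{MD_NS}}}NameIDFormat"):
            if (el.text or "").strip() != chosen:
                sp.remove(el)
    return ET.tostring(root, encoding="unicode")
```

Running `check_name_id_format` over metadata fetched from a SAML Source gives a quick regression test for this issue once a fix lands.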

nicolas-semaphor commented 1 month ago

I've attempted a fix.