subspacecommunity / subspace

A fork of the simple WireGuard VPN server GUI community maintained
MIT License

Set the SAML name ID format to email address #95

Closed rpadovani closed 4 years ago

rpadovani commented 4 years ago

cc: @subspacecommunity/subspace-maintainers resolves: #94

Background

The saml library requires, by default, a transient (urn:oasis:names:tc:SAML:2.0:nameid-format:transient) name-id.

The transient name id is temporary per session, making it impossible to create users with it, since it would be different for every request. While some Identity Providers (e.g., JumpCloud, Google) allow overriding such a request to return an email address, Azure and Office 365 will honor the request:

If the SAML request contains the element NameIDPolicy with a specific format, then Azure AD will honor the format in the request. If the SAML request doesn't contain an element for NameIDPolicy, then Azure AD will issue the NameID with the format you specify. If no format is specified Azure AD will use the default source format associated with the claim source selected.

Source: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization#editing-nameid

Thus, subspace cannot work with Azure and Office 365.

Changes

With this change, subspace will explicitly request an email (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress) as nameid, to be able to properly manage users also with Azure and Office 365.
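The NameIDPolicy element this PR changes, and the matching check on the response side, as an added example that is not code from subspace or from the saml library it uses. It builds a minimal AuthnRequest carrying the requested format, and refuses to use a NameID as a user key unless the IdP actually returned the emailAddress format (a transient NameID changes per session, so a user record keyed on it would never match again). The entity IDs, URLs and assertion snippets are constructed sample values.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def build_authn_request(sp_entity_id, acs_url, name_id_format=EMAIL):
    """Build a minimal AuthnRequest whose NameIDPolicy asks the IdP for name_id_format."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_constructed-request-id",  # constructed; real code uses a random unique ID
        "Version": "2.0",
        "IssueInstant": "2020-01-01T00:00:00Z",
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    # This is the element the PR switches from transient to emailAddress.
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy",
                  {"Format": name_id_format, "AllowCreate": "true"})
    return ET.tostring(req, encoding="unicode")


def requested_name_id_format(authn_request_xml):
    """Read back the Format attribute of NameIDPolicy, or None if the request has none."""
    policy = ET.fromstring(authn_request_xml).find(f"{{{SAMLP}}}NameIDPolicy")
    return policy.get("Format") if policy is not None else None


def stable_subject(assertion_xml):
    """Return the NameID usable as a user key, or None when the IdP ignored the
    requested format and returned something (e.g. transient) that is not stable."""
    name_id = ET.fromstring(assertion_xml).find(f".//{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id is None or name_id.get("Format") != EMAIL:
        return None
    return name_id.text


# Constructed sample assertions: one honoring the emailAddress request, one transient.
EMAIL_ASSERTION = (f'<saml:Assertion xmlns:saml="{SAML}"><saml:Subject>'
                   f'<saml:NameID Format="{EMAIL}">alice@example.com</saml:NameID>'
                   '</saml:Subject></saml:Assertion>')
TRANSIENT_ASSERTION = (f'<saml:Assertion xmlns:saml="{SAML}"><saml:Subject>'
                       f'<saml:NameID Format="{TRANSIENT}">_8f2c1d</saml:NameID>'
                       '</saml:Subject></saml:Assertion>')
```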

jack1902 commented 4 years ago

@rpadovani firstly, thank you for this pull request. The detail in your description really makes this one a lot easier to review!

I'm just spinning this up now to check it and then will approve if it continues to work with the SAML provider I have access to.

Also trying https://samltest.id/upload.php

rpadovani commented 4 years ago

Thanks for merging, keep up the good work with subspace :heart: