
We have a multi-client (internally identified as "corporates"), web-based software, in which we have implemented SSO via SAML 2.0. Each client is a Corporate, and each Corporate has its own users.

At the moment, the users are identified by the NameId property of the SAML response (matching the Username field in our application), and the value of the Issuer field allows us to know which Corporate the user is from.

Now, one of our big clients has white-labelled the solution, and is using it in-house, with a single Identity Provider for all of its own clients. This means there is a unique Issuer value for all SAML messages, and we can no longer rely on that to identify the user's Corporate. Fortunately, their SAML message gives all the information we need, formatted this way:

  • The NameId value is formatted as "corporate:username"
  • There is a specific "companyId" Attribute, with value "corporate"
  • There is a specific "operatorId" Attribute, with value "username"

I guess that identifying the Corporate is then straightforward: we need to check the value of the custom "companyId" Attribute and compare that with the Corporate name. Easy.

But what about the username? Is it safe, or does it follow best practices, to check the "operatorId" Attribute instead of the NameID property? Or should we in all cases always rely on NameId, and therefore put custom parsing logic in place to extract the corporate and username from the NameId?

How would you do that? I'm not able to find a similar case.

Thanks!

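One way to handle the mapping described in the question, as an added example that is not code from the question or the answer: the assertion is assumed to have already passed signature, audience and time-window validation upstream, the issuer URL and tenant names are constructed placeholders, and the white-label issuer is handled as a per-issuer rule rather than a global change. The NameID is still the primary identifier, and the companyId/operatorId attributes are cross-checked against it so an inconsistent assertion is rejected.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (placeholder issuer and names), assumed already
# signature-validated before it reaches this code.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.whitelabel.example/saml</saml:Issuer>
  <saml:Subject><saml:NameID>acme:jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="companyId"><saml:AttributeValue>acme</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="operatorId"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Only these issuers use the composite "corporate:username" NameID (hypothetical config).
COMPOSITE_NAMEID_ISSUERS = {"https://idp.whitelabel.example/saml"}


def _single_attr(root, name):
    """Return the one value of attribute `name`; reject missing or multi-valued attributes."""
    values = [(v.text or "").strip()
              for a in root.findall("./saml:AttributeStatement/saml:Attribute", NS)
              if a.get("Name") == name
              for v in a.findall("saml:AttributeValue", NS)]
    if len(values) != 1:
        raise ValueError(f"expected exactly one {name} attribute, got {len(values)}")
    return values[0]


def resolve_identity(assertion_xml):
    """Return (corporate, username) for a validated assertion, or raise ValueError."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("./saml:Issuer", default="", namespaces=NS).strip()
    name_id = root.findtext("./saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not issuer or not name_id:
        raise ValueError("assertion lacks Issuer or NameID")
    if issuer not in COMPOSITE_NAMEID_ISSUERS:
        # Regular tenants: Issuer identifies the corporate (caller maps it), NameID is the username.
        return issuer, name_id
    # White-label IdP: NameID is "corporate:username"; split on the first colon only.
    corporate, sep, username = name_id.partition(":")
    if not sep or not corporate or not username:
        raise ValueError("NameID is not of the form corporate:username")
    # Cross-check the custom attributes against NameID; a mismatch is rejected, not trusted.
    if _single_attr(root, "companyId") != corporate or _single_attr(root, "operatorId") != username:
        raise ValueError("NameID and companyId/operatorId attributes disagree")
    return corporate, username
```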

1 Answer


It doesn't seem to follow your company's best practices :), but as soon as you have validated the request, it is all up to you and what you agree with your customer. It will be harder to maintain, though, because it is an exception.