Choose NameID format of the request on GitLab.com.
Proposal
Currently our SAML documentation recommends the persistent format for the NameID. Yet the request GitLab sends has the format set to unspecified, see below.
<saml:Issuer>https://gitlab.com/groups/<groupName></saml:Issuer>
<samlp:NameIDPolicy AllowCreate="true"
    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
In some cases, as reported in zd-228571 (internal), this causes the IdP to set the NameID to transient, a temporary value that changes between logins and causes problems when linking user accounts.
The proposal is to add an option on the group SAML configuration page, https://gitlab.com/groups/<namespace>/-/saml, to select one of the NameID formats that GitLab.com may request, similar to how name_identifier_format can be specified on a self-managed (SM) instance.
Some options are:
- persistent
- emailAddress
- encrypted
- X.509
- WindowsDomainQualifiedName
- kerberos
- entity
- unspecified (default)
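As an added example (not GitLab's own code), a small Python check of the behaviour described above: it renders the NameIDPolicy for a format chosen from the list and inspects the NameID an IdP returns, flagging a transient value, which cannot serve as a stable account-link key. The sample Response and the helper names are constructed for this illustration.

```python
# Added example: does the NameID an IdP returns give GitLab a stable link key?
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
# Short names from the proposal mapped to the URNs defined by the SAML specs.
NAMEID_FORMATS = {
    "unspecified": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "emailAddress": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "X.509": "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "WindowsDomainQualifiedName":
        "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
    "kerberos": "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
    "entity": "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
    "persistent": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "transient": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "encrypted": "urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted",
}
TRANSIENT = NAMEID_FORMATS["transient"]

# Constructed Response fragment of the kind the support case describes.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion><saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_a1b2c3</saml:NameID>
</saml:Subject></saml:Assertion></samlp:Response>"""

def nameid_policy(format_name):
    """Render the NameIDPolicy element GitLab would send for a chosen format."""
    return '<samlp:NameIDPolicy AllowCreate="true" Format="%s"/>' % NAMEID_FORMATS[format_name]

def asserted_nameid(response_xml):
    """Return (format, value) of the Response's NameID; a missing Format
    attribute means 'unspecified' per the SAML 2.0 core spec."""
    nid = ET.fromstring(response_xml).find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if nid is None:
        raise ValueError("Response carries no NameID")
    return nid.get("Format", NAMEID_FORMATS["unspecified"]), (nid.text or "").strip()

def linkable(response_xml, requested):
    """Decide whether the NameID can serve as a stable account-link key: a
    transient value changes per login, and a format other than the one requested
    (unless the request was 'unspecified') means the IdP ignored the policy."""
    fmt, value = asserted_nameid(response_xml)
    reasons = []
    if fmt == TRANSIENT:
        reasons.append("transient NameID changes between logins")
    if requested != "unspecified" and fmt != NAMEID_FORMATS[requested]:
        reasons.append("IdP returned %s, policy asked for %s" % (fmt, requested))
    return {"format": fmt, "value": value, "linkable": not reasons, "reasons": reasons}
```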