New claim for user ID in SAML SSO
We now support the custom userId claim for situations where you can’t configure the NameID claim to contain a persistent identifier like a user ID.
When using SSO with SAML, it’s important to make sure that the NameID claim contains a persistent identifier such as a user ID or employee ID, and not an email address. This is because the email address may change over time, and a NameID change would make it impossible to match the user in DMARCwise upon login.
If you’re unable to change the configuration of the NameID claim, you can now create a custom claim with type userId: if the NameID format is not declared as persistent and the userId is present, the userId will be used in place of the NameID.
Learn more in the SSO documentation.