Even if NameID is required per spec, ADFS / EntraID might not return one unless explicitly configured (see also implementation) This adds extra effort for customers as they will not have access to their customers SAML IdP.

Other providers simply fallback to custom configurations and ZITADEL could easily do so as well.

Acceptance criteria

• Fallback to Custom Mapping Attribute Name in case NameID is not set
• Error if both are not set or configured