Mine is more of a curiosity, but given that SAML2 forbids the use of AllowCreate together with Format transient in NameIDPolicy, is there a reason why SPID allows it? Some SAML libraries implement a check to avoid having AllowCreate with Format transient in NameIDPolicy.
Below I quote the excerpt from the errata for version 2.0 of SAML; the last paragraph is the part of interest. It is available here: http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.html
New at [SAMLCore] Section 3.4.1.1, line 2130 (just after the above changes):
The AllowCreate attribute may be used by some deployments to influence the creation of state maintained by the identity provider pertaining to the use of a name identifier (or any other persistent, uniquely identifying attributes) by a particular relying party, for purposes such as dynamic identifier or attribute creation, tracking of consent, subsequent use of the Name Identifier Management protocol (see Section 3.6), or other related purposes.
When “false”, the requester tries to constrain the identity provider to issue an assertion only if such state has already been established or is not deemed applicable by the identity provider to the use of an identifier. Thus, this does not prevent the identity provider from assuming such information exists outside the context of this specific request (for example, establishing it in advance for a large number of principals).
A value of “true” permits the identity provider to take any related actions it wishes to fulfill the request, subject to any other constraints imposed by the request and policy (the IsPassive attribute, for example).
Generally, requesters cannot assume specific behavior from identity providers regarding the initial creation or association of identifiers on their behalf, as these are details left to implementations or deployments. Absent specific profiles governing the use of this attribute, it might be used as a hint to identity providers about the requester’s intention to store the identifier or link it to a local value.
A value of “false” might be used to indicate that the requester is not prepared or able to do so and save the identity provider wasted effort.
Requesters that do not make specific use of this attribute SHOULD generally set it to “true” to maximize interoperability.
The use of the AllowCreate attribute MUST NOT be used and SHOULD be ignored in conjunction with requests for or assertions issued with name identifiers with a Format of urn:oasis:names:tc:SAML:2.0:nameid-format:transient (they preclude any such state in and of themselves).