providers/saml: configuration for default NameID Policy

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2025-06-18 11:39:28 +02:00
15 changed files with 200 additions and 27 deletions
--- a/authentik/providers/saml/api/providers.py
+++ b/authentik/providers/saml/api/providers.py
@ -190,6 +190,7 @@ class SAMLProviderSerializer(ProviderSerializer):
            "sign_response",
            "sp_binding",
            "default_relay_state",
+            "default_name_id_policy",
            "url_download_metadata",
            "url_sso_post",
            "url_sso_redirect",
--- a/authentik/providers/saml/migrations/0019_samlprovider_default_name_id_policy.py
+++ b/authentik/providers/saml/migrations/0019_samlprovider_default_name_id_policy.py
@ -0,0 +1,31 @@
+# Generated by Django 5.1.11 on 2025-06-18 09:27
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_providers_saml", "0018_alter_samlprovider_acs_url"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="samlprovider",
+            name="default_name_id_policy",
+            field=models.TextField(
+                choices=[
+                    ("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "Email"),
+                    ("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", "Persistent"),
+                    ("urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName", "X509"),
+                    (
+                        "urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName",
+                        "Windows",
+                    ),
+                    ("urn:oasis:names:tc:SAML:2.0:nameid-format:transient", "Transient"),
+                    ("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", "Unspecified"),
+                ],
+                default="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
+            ),
+        ),
+    ]
--- a/authentik/providers/saml/models.py
+++ b/authentik/providers/saml/models.py
@ -12,6 +12,7 @@ from authentik.core.models import PropertyMapping, Provider
 from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.models import DomainlessURLValidator
 from authentik.lib.utils.time import timedelta_string_validator
+from authentik.sources.saml.models import SAMLNameIDPolicy
 from authentik.sources.saml.processors.constants import (
    DSA_SHA1,
    ECDSA_SHA1,
@ -179,6 +180,9 @@ class SAMLProvider(Provider):
    default_relay_state = models.TextField(
        default="", blank=True, help_text=_("Default relay_state value for IDP-initiated logins")
    )
+    default_name_id_policy = models.TextField(
+        choices=SAMLNameIDPolicy.choices, default=SAMLNameIDPolicy.UNSPECIFIED
+    )

    sign_assertion = models.BooleanField(default=True)
    sign_response = models.BooleanField(default=False)
--- a/authentik/providers/saml/processors/assertion.py
+++ b/authentik/providers/saml/processors/assertion.py
@ -205,6 +205,13 @@ class AssertionProcessor:
    def get_name_id(self) -> Element:
        """Get NameID Element"""
        name_id = Element(f"{{{NS_SAML_ASSERTION}}}NameID")
+        # For requests that don't specify a NameIDPolicy, check if we
+        # can fall back to the provider default
+        if (
+            self.auth_n_request.name_id_policy == SAML_NAME_ID_FORMAT_UNSPECIFIED
+            and self.provider.default_name_id_policy != SAML_NAME_ID_FORMAT_UNSPECIFIED
+        ):
+            self.auth_n_request.name_id_policy = self.provider.default_name_id_policy
        name_id.attrib["Format"] = self.auth_n_request.name_id_policy
        # persistent is used as a fallback, so always generate it
        persistent = self.http_request.user.uid
--- a/authentik/providers/saml/processors/authn_request_parser.py
+++ b/authentik/providers/saml/processors/authn_request_parser.py
@ -13,6 +13,7 @@ from authentik.lib.xml import lxml_from_string
 from authentik.providers.saml.exceptions import CannotHandleAssertion
 from authentik.providers.saml.models import SAMLProvider
 from authentik.providers.saml.utils.encoding import decode_base64_and_inflate
+from authentik.sources.saml.models import SAMLNameIDPolicy
 from authentik.sources.saml.processors.constants import (
    DSA_SHA1,
    NS_MAP,
@ -175,7 +176,9 @@ class AuthNRequestParser:

    def idp_initiated(self) -> AuthNRequest:
        """Create IdP Initiated AuthNRequest"""
-        relay_state = None
+        request = AuthNRequest(relay_state=None)
        if self.provider.default_relay_state != "":
-            relay_state = self.provider.default_relay_state
-        return AuthNRequest(relay_state=relay_state)
+            request.relay_state = self.provider.default_relay_state
+        if self.provider.default_name_id_policy != SAMLNameIDPolicy.UNSPECIFIED:
+            request.name_id_policy = self.provider.default_name_id_policy
+        return request
--- a/authentik/providers/saml/processors/metadata_parser.py
+++ b/authentik/providers/saml/processors/metadata_parser.py
@ -13,6 +13,7 @@ from authentik.crypto.models import CertificateKeyPair
 from authentik.flows.models import Flow
 from authentik.providers.saml.models import SAMLBindings, SAMLPropertyMapping, SAMLProvider
 from authentik.providers.saml.utils.encoding import PEM_FOOTER, PEM_HEADER
+from authentik.sources.saml.models import SAMLNameIDPolicy
 from authentik.sources.saml.processors.constants import (
    NS_MAP,
    NS_SAML_METADATA,
@ -46,6 +47,7 @@ class ServiceProviderMetadata:

    auth_n_request_signed: bool
    assertion_signed: bool
+    name_id_policy: SAMLNameIDPolicy

    signing_keypair: CertificateKeyPair | None = None

@ -60,6 +62,7 @@ class ServiceProviderMetadata:
        provider.issuer = self.entity_id
        provider.sp_binding = self.acs_binding
        provider.acs_url = self.acs_location
+        provider.default_name_id_policy = self.name_id_policy
        if self.signing_keypair and self.auth_n_request_signed:
            self.signing_keypair.name = f"Provider {name} - SAML Signing Certificate"
            self.signing_keypair.save()
@ -148,6 +151,11 @@ class ServiceProviderMetadataParser:
        if signing_keypair:
            self.check_signature(root, signing_keypair)

+        name_id_format = descriptor.findall(f"{{{NS_SAML_METADATA}}}NameIDFormat")
+        name_id_policy = SAMLNameIDPolicy.UNSPECIFIED
+        if len(name_id_format) > 0:
+            name_id_policy = SAMLNameIDPolicy(name_id_format[0].text)
+
        return ServiceProviderMetadata(
            entity_id=entity_id,
            acs_binding=acs_binding,
@ -155,4 +163,5 @@ class ServiceProviderMetadataParser:
            auth_n_request_signed=auth_n_request_signed,
            assertion_signed=assertion_signed,
            signing_keypair=signing_keypair,
+            name_id_policy=name_id_policy,
        )
--- a/authentik/providers/saml/tests/fixtures/simple.xml
+++ b/authentik/providers/saml/tests/fixtures/simple.xml
@ -4,7 +4,7 @@
                     cacheDuration="PT604800S"
                     entityID="http://localhost:8080/saml/metadata">
    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
-        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
+        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                     Location="http://localhost:8080/saml/acs"
                                     index="1" />
--- a/authentik/providers/saml/tests/test_metadata.py
+++ b/authentik/providers/saml/tests/test_metadata.py
@ -14,6 +14,7 @@ from authentik.lib.xml import lxml_from_string
 from authentik.providers.saml.models import SAMLBindings, SAMLPropertyMapping, SAMLProvider
 from authentik.providers.saml.processors.metadata import MetadataProcessor
 from authentik.providers.saml.processors.metadata_parser import ServiceProviderMetadataParser
+from authentik.sources.saml.models import SAMLNameIDPolicy
 from authentik.sources.saml.processors.constants import ECDSA_SHA256, NS_MAP, NS_SAML_METADATA


@ -86,6 +87,7 @@ class TestServiceProviderMetadataParser(TestCase):
        self.assertEqual(provider.acs_url, "http://localhost:8080/saml/acs")
        self.assertEqual(provider.issuer, "http://localhost:8080/saml/metadata")
        self.assertEqual(provider.sp_binding, SAMLBindings.POST)
+        self.assertEqual(provider.default_name_id_policy, SAMLNameIDPolicy.EMAIL)
        self.assertEqual(
            len(provider.property_mappings.all()),
            len(SAMLPropertyMapping.objects.exclude(managed__isnull=True)),
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@ -166,6 +166,7 @@ SPECTACULAR_SETTINGS = {
        "UserVerificationEnum": "authentik.stages.authenticator_webauthn.models.UserVerification",
        "UserTypeEnum": "authentik.core.models.UserTypes",
        "OutgoingSyncDeleteAction": "authentik.lib.sync.outgoing.models.OutgoingSyncDeleteAction",
+        "SAMLNameIDPolicyEnum": "authentik.sources.saml.models.SAMLNameIDPolicy",
    },
    "ENUM_ADD_EXPLICIT_BLANK_NULL_CHOICE": False,
    "ENUM_GENERATE_CHOICE_DESCRIPTION": False,
--- a/authentik/sources/saml/migrations/0020_alter_samlsource_name_id_policy.py
+++ b/authentik/sources/saml/migrations/0020_alter_samlsource_name_id_policy.py
@ -0,0 +1,32 @@
+# Generated by Django 5.1.11 on 2025-06-18 09:27
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_sources_saml", "0019_migrate_usersamlsourceconnection_identifier"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="samlsource",
+            name="name_id_policy",
+            field=models.TextField(
+                choices=[
+                    ("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "Email"),
+                    ("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", "Persistent"),
+                    ("urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName", "X509"),
+                    (
+                        "urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName",
+                        "Windows",
+                    ),
+                    ("urn:oasis:names:tc:SAML:2.0:nameid-format:transient", "Transient"),
+                    ("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", "Unspecified"),
+                ],
+                default="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
+                help_text="NameID Policy sent to the IdP. Can be unset, in which case no Policy is sent.",
+            ),
+        ),
+    ]
--- a/authentik/sources/saml/models.py
+++ b/authentik/sources/saml/models.py
@ -39,6 +39,7 @@ from authentik.sources.saml.processors.constants import (
    SAML_NAME_ID_FORMAT_EMAIL,
    SAML_NAME_ID_FORMAT_PERSISTENT,
    SAML_NAME_ID_FORMAT_TRANSIENT,
+    SAML_NAME_ID_FORMAT_UNSPECIFIED,
    SAML_NAME_ID_FORMAT_WINDOWS,
    SAML_NAME_ID_FORMAT_X509,
    SHA1,
@ -73,6 +74,7 @@ class SAMLNameIDPolicy(models.TextChoices):
    X509 = SAML_NAME_ID_FORMAT_X509
    WINDOWS = SAML_NAME_ID_FORMAT_WINDOWS
    TRANSIENT = SAML_NAME_ID_FORMAT_TRANSIENT
+    UNSPECIFIED = SAML_NAME_ID_FORMAT_UNSPECIFIED


 class SAMLSource(Source):
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
@ -9233,6 +9233,18 @@
                    "type": "string",
                    "title": "Default relay state",
                    "description": "Default relay_state value for IDP-initiated logins"
+                },
+                "default_name_id_policy": {
+                    "type": "string",
+                    "enum": [
+                        "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+                        "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
+                        "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
+                        "urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName",
+                        "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
+                        "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+                    ],
+                    "title": "Default name id policy"
                }
            },
            "required": []
@ -11655,7 +11667,8 @@
                        "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
                        "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
                        "urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName",
-                        "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
+                        "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
+                        "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                    ],
                    "title": "Name id policy",
                    "description": "NameID Policy sent to the IdP. Can be unset, in which case no Policy is sent."
--- a/schema.yml
+++ b/schema.yml
@ -22454,6 +22454,17 @@ paths:
        schema:
          type: string
          format: uuid
+      - in: query
+        name: default_name_id_policy
+        schema:
+          type: string
+          enum:
+          - urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
+          - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+          - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+          - urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName
+          - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
+          - urn:oasis:names:tc:SAML:2.0:nameid-format:transient
      - in: query
        name: default_relay_state
        schema:
@ -29670,6 +29681,7 @@ paths:
          enum:
          - urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
          - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+          - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
          - urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName
          - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
          - urn:oasis:names:tc:SAML:2.0:nameid-format:transient
@ -48745,14 +48757,6 @@ components:
      - mode
      - name
      - user_attribute
-    NameIdPolicyEnum:
-      enum:
-      - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
-      - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
-      - urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
-      - urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName
-      - urn:oasis:names:tc:SAML:2.0:nameid-format:transient
-      type: string
    NetworkBindingEnum:
      enum:
      - no_binding
@ -54501,6 +54505,8 @@ components:
        default_relay_state:
          type: string
          description: Default relay_state value for IDP-initiated logins
+        default_name_id_policy:
+          $ref: '#/components/schemas/SAMLNameIDPolicyEnum'
    PatchedSAMLSourcePropertyMappingRequest:
      type: object
      description: SAMLSourcePropertyMapping Serializer
@ -54594,7 +54600,7 @@ components:
            be a security risk, as no validation of the request ID is done.
        name_id_policy:
          allOf:
-          - $ref: '#/components/schemas/NameIdPolicyEnum'
+          - $ref: '#/components/schemas/SAMLNameIDPolicyEnum'
          description: NameID Policy sent to the IdP. Can be unset, in which case
            no Policy is sent.
        binding_type:
@ -57305,6 +57311,15 @@ components:
      required:
      - download_url
      - metadata
+    SAMLNameIDPolicyEnum:
+      enum:
+      - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+      - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
+      - urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
+      - urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName
+      - urn:oasis:names:tc:SAML:2.0:nameid-format:transient
+      - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+      type: string
    SAMLPropertyMapping:
      type: object
      description: SAMLPropertyMapping Serializer
@ -57522,6 +57537,8 @@ components:
        default_relay_state:
          type: string
          description: Default relay_state value for IDP-initiated logins
+        default_name_id_policy:
+          $ref: '#/components/schemas/SAMLNameIDPolicyEnum'
        url_download_metadata:
          type: string
          description: Get metadata download URL
@ -57694,6 +57711,8 @@ components:
        default_relay_state:
          type: string
          description: Default relay_state value for IDP-initiated logins
+        default_name_id_policy:
+          $ref: '#/components/schemas/SAMLNameIDPolicyEnum'
      required:
      - acs_url
      - authorization_flow
@ -57802,7 +57821,7 @@ components:
            be a security risk, as no validation of the request ID is done.
        name_id_policy:
          allOf:
-          - $ref: '#/components/schemas/NameIdPolicyEnum'
+          - $ref: '#/components/schemas/SAMLNameIDPolicyEnum'
          description: NameID Policy sent to the IdP. Can be unset, in which case
            no Policy is sent.
        binding_type:
@ -57992,7 +58011,7 @@ components:
            be a security risk, as no validation of the request ID is done.
        name_id_policy:
          allOf:
-          - $ref: '#/components/schemas/NameIdPolicyEnum'
+          - $ref: '#/components/schemas/SAMLNameIDPolicyEnum'
          description: NameID Policy sent to the IdP. Can be unset, in which case
            no Policy is sent.
        binding_type:
--- a/web/src/admin/providers/saml/SAMLProviderFormForm.ts
+++ b/web/src/admin/providers/saml/SAMLProviderFormForm.ts
@ -16,6 +16,7 @@ import {
    FlowsInstancesListDesignationEnum,
    PropertymappingsApi,
    PropertymappingsProviderSamlListRequest,
+    SAMLNameIDPolicyEnum,
    SAMLPropertyMapping,
    SAMLProvider,
    SpBindingEnum,
@ -316,6 +317,54 @@ export function renderForm(
                        "When using IDP-initiated logins, the relay state will be set to this value.",
                    )}
                ></ak-text-input>
+                <ak-form-element-horizontal
+                    label=${msg("Default NameID Policy")}
+                    required
+                    name="defaultNameIdPolicy"
+                >
+                    <select class="pf-c-form-control">
+                        <option
+                            value=${SAMLNameIDPolicyEnum.UrnOasisNamesTcSaml20NameidFormatPersistent}
+                            ?selected=${provider?.defaultNameIdPolicy ===
+                            SAMLNameIDPolicyEnum.UrnOasisNamesTcSaml20NameidFormatPersistent}
+                        >
+                            ${msg("Persistent")}
+                        </option>
+                        <option
+                            value=${SAMLNameIDPolicyEnum.UrnOasisNamesTcSaml11NameidFormatEmailAddress}
+                            ?selected=${provider?.defaultNameIdPolicy ===
+                            SAMLNameIDPolicyEnum.UrnOasisNamesTcSaml11NameidFormatEmailAddress}
+                        >
+                            ${msg("Email address")}
+                        </option>
+                        <option
+                            value=${SAMLNameIDPolicyEnum.UrnOasisNamesTcSaml20NameidFormatWindowsDomainQualifiedName}
+                            ?selected=${provider?.defaultNameIdPolicy ===
+                            SAMLNameIDPolicyEnum.UrnOasisNamesTcSaml20NameidFormatWindowsDomainQualifiedName}
+                        >
+                            ${msg("Windows")}
+                        </option>
+                        <option
+                            value=${SAMLNameIDPolicyEnum.UrnOasisNamesTcSaml11NameidFormatX509SubjectName}
+                            ?selected=${provider?.defaultNameIdPolicy ===
+                            SAMLNameIDPolicyEnum.UrnOasisNamesTcSaml11NameidFormatX509SubjectName}
+                        >
+                            ${msg("X509 Subject")}
+                        </option>
+                        <option
+                            value=${SAMLNameIDPolicyEnum.UrnOasisNamesTcSaml20NameidFormatTransient}
+                            ?selected=${provider?.defaultNameIdPolicy ===
+                            SAMLNameIDPolicyEnum.UrnOasisNamesTcSaml20NameidFormatTransient}
+                        >
+                            ${msg("Transient")}
+                        </option>
+                    </select>
+                    <p class="pf-c-form__helper-text">
+                        ${msg(
+                            "Configure the default NameID Policy used by IDP-initiated logins and when an incoming assertion doesn't specify a NameID Policy (also applies when using a custom NameID Mapping).",
+                        )}
+                    </p>
+                </ak-form-element-horizontal>

                <ak-radio-input
                    name="digestAlgorithm"
--- a/web/src/admin/sources/saml/SAMLSourceForm.ts
+++ b/web/src/admin/sources/saml/SAMLSourceForm.ts
@ -26,7 +26,7 @@ import {
    DigestAlgorithmEnum,
    FlowsInstancesListDesignationEnum,
    GroupMatchingModeEnum,
-    NameIdPolicyEnum,
+    SAMLNameIDPolicyEnum,
    SAMLSource,
    SignatureAlgorithmEnum,
    SourcesApi,
@ -353,37 +353,37 @@ export class SAMLSourceForm extends WithCapabilitiesConfig(BaseSourceForm<SAMLSo
                    >
                        <select class="pf-c-form-control">
                            <option
-                                value=${NameIdPolicyEnum.UrnOasisNamesTcSaml20NameidFormatPersistent}
+                                value=${SAMLNameIDPolicyEnum.UrnOasisNamesTcSaml20NameidFormatPersistent}
                                ?selected=${this.instance?.nameIdPolicy ===
-                                NameIdPolicyEnum.UrnOasisNamesTcSaml20NameidFormatPersistent}
+                                SAMLNameIDPolicyEnum.UrnOasisNamesTcSaml20NameidFormatPersistent}
                            >
                                ${msg("Persistent")}
                            </option>
                            <option
-                                value=${NameIdPolicyEnum.UrnOasisNamesTcSaml11NameidFormatEmailAddress}
+                                value=${SAMLNameIDPolicyEnum.UrnOasisNamesTcSaml11NameidFormatEmailAddress}
                                ?selected=${this.instance?.nameIdPolicy ===
-                                NameIdPolicyEnum.UrnOasisNamesTcSaml11NameidFormatEmailAddress}
+                                SAMLNameIDPolicyEnum.UrnOasisNamesTcSaml11NameidFormatEmailAddress}
                            >
                                ${msg("Email address")}
                            </option>
                            <option
-                                value=${NameIdPolicyEnum.UrnOasisNamesTcSaml20NameidFormatWindowsDomainQualifiedName}
+                                value=${SAMLNameIDPolicyEnum.UrnOasisNamesTcSaml20NameidFormatWindowsDomainQualifiedName}
                                ?selected=${this.instance?.nameIdPolicy ===
-                                NameIdPolicyEnum.UrnOasisNamesTcSaml20NameidFormatWindowsDomainQualifiedName}
+                                SAMLNameIDPolicyEnum.UrnOasisNamesTcSaml20NameidFormatWindowsDomainQualifiedName}
                            >
                                ${msg("Windows")}
                            </option>
                            <option
-                                value=${NameIdPolicyEnum.UrnOasisNamesTcSaml11NameidFormatX509SubjectName}
+                                value=${SAMLNameIDPolicyEnum.UrnOasisNamesTcSaml11NameidFormatX509SubjectName}
                                ?selected=${this.instance?.nameIdPolicy ===
-                                NameIdPolicyEnum.UrnOasisNamesTcSaml11NameidFormatX509SubjectName}
+                                SAMLNameIDPolicyEnum.UrnOasisNamesTcSaml11NameidFormatX509SubjectName}
                            >
                                ${msg("X509 Subject")}
                            </option>
                            <option
-                                value=${NameIdPolicyEnum.UrnOasisNamesTcSaml20NameidFormatTransient}
+                                value=${SAMLNameIDPolicyEnum.UrnOasisNamesTcSaml20NameidFormatTransient}
                                ?selected=${this.instance?.nameIdPolicy ===
-                                NameIdPolicyEnum.UrnOasisNamesTcSaml20NameidFormatTransient}
+                                SAMLNameIDPolicyEnum.UrnOasisNamesTcSaml20NameidFormatTransient}
                            >
                                ${msg("Transient")}
                            </option>