
Richard Davies

Joined 2022-10-31 · Last activity 2022-11-02

Following: 0 · Followers: 0 · Total activity: 4 · Votes: 0 · Subscriptions: 2

Activity overview

Latest activity by Richard Davies

Richard Davies created a post,

Post: Feedback - Ticketing system (Support)

Feature Request Summary: 

As an identity consumer, Zendesk should be flexible enough to accept whatever type of unique identifier that an identity provider (IdP) chooses to use.

Description/Use Cases: 

As https://support.zendesk.com/hc/en-us/articles/4408887505690?page=1#topic_eqz_shy_1fb points out, Zendesk currently requires the SAML subject's NameID identifier to be an email address. This value is the unique identifier that is used by the IdP to uniquely identify its users.

Zendesk's requirement is bad practice because as an identity consumer, it's not Zendesk's role to determine the type or format of the user identifier. This decision actually belongs to the identity provider and Zendesk should be flexible enough to accept/use whatever type of unique identifier the IdP chooses to use, whether it's an email address, a GUID, or something else.

Business impact of limitation or missing feature:

SAML integration with Zendesk can be frustrating and challenging if the IdP does not use email addresses as its default unique identifier. (See various comments on https://support.zendesk.com/hc/en-us/articles/4408887505690)

An IdP may prefer to use some other type of unique identifier such as a GUID so that a user's account can persist if they ever change email addresses. Under your current requirements a user must unnecessarily create a new account if they ever change email addresses.

Other necessary information or resources:

A better approach would be if Zendesk requires that an email address be provided as one of the user properties/attributes, but it shouldn't expect that the email address will be used as the IdP's unique identifier.

Posted 2022-11-02 · Richard Davies

0 followers · 2 votes · 0 comments


Richard Davies commented,

Comment: Single sign-on

As others have already discovered and commented here, Zendesk's requirement that the identity provider use an email address to uniquely identify its users in the SAML subject's NameID element is problematic and a source of much frustration.

This requirement is bad practice because as an identity consumer, it's not Zendesk's role to determine the type or format of the user identifier. This decision actually belongs to the identity provider and Zendesk should be flexible enough to accept/use whatever type of unique identifier the IdP chooses to use. (For example, they may prefer to use some other type of unique identifier such as a GUID so that a user's account can persist if they ever change email addresses. Under your requirements a user must unnecessarily create a new account if they change email addresses.)

A better approach would be if Zendesk requires that an email address be provided as one of the user properties, but it shouldn't expect that the email address will be used as the IdP's unique identifier.

Posted 2022-10-31 · Richard Davies

0 followers · 0 votes · 0 comments
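
The approach argued for in the post and the comment above, sketched as an added example (not part of the original posts and not Zendesk's code): a service provider keys accounts on the issuer plus an opaque NameID and treats email as an updatable attribute. The `email` attribute name, the `AccountStore` class, the sample identifiers and the IdP URL are assumptions, and the assertion is taken to have already passed signature and condition validation.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

def make_assertion(name_id, email):
    """Constructed, unsigned assertion fragment used as sample input."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:Issuer>https://idp.example.test</saml:Issuer>"
        f'<saml:Subject><saml:NameID Format="{PERSISTENT}">{name_id}</saml:NameID></saml:Subject>'
        '<saml:AttributeStatement><saml:Attribute Name="email">'
        f"<saml:AttributeValue>{email}</saml:AttributeValue>"
        "</saml:Attribute></saml:AttributeStatement></saml:Assertion>"
    )

def extract_identity(assertion_xml):
    """Return (issuer, name_id, email). Assumes the signature, audience and
    validity window were already checked by a vetted SAML library."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    email = root.findtext(
        "saml:AttributeStatement/saml:Attribute[@Name='email']/saml:AttributeValue",
        namespaces=NS)
    if not (issuer and name_id and email):
        raise ValueError("assertion lacks Issuer, NameID or email attribute")
    return issuer.strip(), name_id.strip(), email.strip().lower()

class AccountStore:
    """Hypothetical account table keyed on (issuer, NameID), never on email."""
    def __init__(self):
        self.by_subject = {}

    def login(self, assertion_xml):
        issuer, name_id, email = extract_identity(assertion_xml)
        key = (issuer, name_id)
        # Email is a mutable attribute, so it must not merge two subjects.
        owner = next((k for k, a in self.by_subject.items() if a["email"] == email), None)
        if owner not in (None, key):
            raise PermissionError("email already bound to a different subject")
        account = self.by_subject.get(key)
        if account is None:  # first login for this subject: provision
            account = {"id": len(self.by_subject) + 1, "email": email}
            self.by_subject[key] = account
        else:                # known subject: same account, refreshed email
            account["email"] = email
        return account
```

Logging in twice with the same NameID and a changed email returns the same account with the new address, while a different NameID presenting that address is rejected instead of being merged.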