Implement the ability to disable the NameID check

[EgorBratuhin]

The protocol states that the Subject is optional.

<element name="Assertion" type="saml:AssertionType"/>
<complexType name="AssertionType">
  <sequence>
    <element ref="saml:Issuer"/>
    <element ref="ds:Signature" minOccurs="0"/>
    <element ref="saml:Subject" minOccurs="0"/>

But there is always a check for the existence of a NameID !hasName(firstAssertion) and I get the error if there is no Subject.
org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider#process
org.springframework.security.saml2.core.Saml2ErrorCodes#SUBJECT_NOT_FOUND
Is it possible to implement disabling the check for the presence of a NameID?

[jzheaux]

Thanks for the suggestion, @EgorBratuhin. Without a subject, I'm not sure what would be used for the principal.

If Subject weren't required, how would you expect the resulting Saml2AuthenticatedPrincipal to look?

[EgorBratuhin]

We get the username from adfs in the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn attribute and had to find a workaround to do it.

[jzheaux]

Makes sense. As a temporary workaround, are you able to have adfs map the identity claim to the Subject element?

Would you like to submit a PR that moves the subject check from the process method to the default response authentication converter? I think this change makes sense because the default response authentication converter is what needs the non-null subject.

Then, in your application you can supply a custom response authentication converter.

[jzheaux]

If you do want to do a PR, let's base it off of the 5.8.x branch.