From 6574d083fe504f43d150a74358270da844bf08c6 Mon Sep 17 00:00:00 2001
From: Chad Scharf <3904944+cscharf@users.noreply.github.com>
Date: Tue, 8 Sep 2020 10:43:07 -0400
Subject: [PATCH] SAML NameID Policy AllowCreate should be null (#918)

* SAML NameID Policy AllowCreate should be null
* Determine if transient, then null, otherwise true
---
 .../Sso/Utilities/DynamicAuthenticationSchemeProvider.cs | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs b/bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs
index 58b3990fa4..219057f2d9 100644
--- a/bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs
+++ b/bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs
@@ -331,11 +331,16 @@ namespace Bit.Core.Business.Sso
 var spEntityId = new Sustainsys.Saml2.Metadata.EntityId(
 config.BuildSaml2ModulePath(_globalSettings.BaseServiceUri.Sso));
+ bool? allowCreate = null;
+ if (config.SpNameIdFormat != Saml2NameIdFormat.Transient)
+ {
+ allowCreate = true;
+ }
 var spOptions = new SPOptions
 {
 EntityId = spEntityId,
 ModulePath = config.BuildSaml2ModulePath(),
- NameIdPolicy = new Saml2NameIdPolicy(true, GetNameIdFormat(config.SpNameIdFormat)),
+ NameIdPolicy = new Saml2NameIdPolicy(allowCreate, GetNameIdFormat(config.SpNameIdFormat)),
 WantAssertionsSigned = config.SpWantAssertionsSigned,
 AuthenticateRequestSigningBehavior = GetSigningBehavior(config.SpSigningBehavior),
 ValidateCertificates = config.SpValidateCertificates,
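Review bot: The null-for-transient rule introduced on the added `bool? allowCreate` lines has no explanation in the code, so the only record of why transient NameIDs get no AllowCreate value is the commit title (#918); the five-line if block can also collapse to one conditional. I would replace it with `// #918: do not send AllowCreate for transient NameIDs; request it for every other format.` followed by `bool? allowCreate = config.SpNameIdFormat == Saml2NameIdFormat.Transient ? (bool?)null : true;`. Whether a null here makes Sustainsys omit the AllowCreate attribute from the AuthnRequest NameIDPolicy rather than emit it as false is not visible in the hunk and should be confirmed against the library before relying on it. The enclosing method starts and ends outside the hunk.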