While generating the SamlRequest XML, what should the Issuer element be specified with?
In the SAML docs (https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf), Issuer was not mentioned anywhere under the AuthnRequest section.
But if you look at the sample AuthnRequest on OneLogin's website (https://developers.onelogin.com/saml/examples/authnrequest), you'll notice the Issuer is specified as http://sp.example.com/demo1/metadata.php.
However, for both OneLogin and ADFS, from my tests, I don't think it matters what you specify for the Issuer in AuthnRequests; they seem to work fine even with an empty value.
For Azure AD, I came to learn that we necessarily have to specify the Issuer with the App ID URI (https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-single-sign-on-protocol-reference).
My questions:
1. Is it okay to not specify anything for the Issuer in AuthnRequests (except for Azure AD)?
2. A question unrelated to the subject: in our web application we allow users to configure the authentication providers, and details like the Issuer and Certificate are stored. We already verify the signatures in the SamlResponse with the stored certificate; does it make sense to check the Issuer too, i.e. verify that the Issuer in the SamlResponse and the Issuer we stored in our application are the same? My concern is that if the Issuer in the response is variable (i.e. keeps changing frequently), then it might not make sense to verify the Issuer too.
Thank you.
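
The Issuer comparison raised in the second question, as an added example that is not part of the original post: once the signature has been verified against the stored certificate, every Issuer in the response is compared exactly with the Issuer stored for that provider. The entity ID `https://idp.example.com/metadata`, the function names and the sample XML are constructed for illustration, and the assertion is assumed to be unencrypted.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def build_sample(response_issuer, assertion_issuer):
    """Constructed, unsigned SamlResponse skeleton used only as sample input."""
    resp = ET.Element("{%s}Response" % NS["samlp"], {"ID": "_r1", "Version": "2.0"})
    if response_issuer is not None:
        ET.SubElement(resp, "{%s}Issuer" % NS["saml"]).text = response_issuer
    assertion = ET.SubElement(resp, "{%s}Assertion" % NS["saml"], {"ID": "_a1", "Version": "2.0"})
    if assertion_issuer is not None:
        ET.SubElement(assertion, "{%s}Issuer" % NS["saml"]).text = assertion_issuer
    return ET.tostring(resp, encoding="unicode")


def issuer_matches(response_xml, stored_issuer):
    """Run after signature verification, on the same XML that was verified.

    True only if every Assertion carries exactly one Issuer equal to the stored
    value, and the Response-level Issuer (optional in SAML core) agrees when present.
    """
    try:
        root = ET.fromstring(response_xml)  # production code should use a hardened XML parser
    except ET.ParseError:
        return False
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False
    assertions = root.findall("saml:Assertion", NS)
    if not stored_issuer or not assertions:
        return False  # nothing configured to compare with, or no readable assertion
    issuers = root.findall("saml:Issuer", NS)  # Response level, may be absent
    for assertion in assertions:
        found = assertion.findall("saml:Issuer", NS)
        if len(found) != 1:  # Issuer is a required child of Assertion
            return False
        issuers += found
    # Exact, case-sensitive string comparison; no URL normalisation.
    return all((el.text or "").strip() == stored_issuer for el in issuers)


if __name__ == "__main__":
    stored = "https://idp.example.com/metadata"  # constructed value for the stored Issuer
    print(issuer_matches(build_sample(stored, stored), stored))
    print(issuer_matches(build_sample(stored, "https://other.example.org/metadata"), stored))
```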