From 06160d35e9c7a2a1e47f48b2442e728abf8790d8 Mon Sep 17 00:00:00 2001
From: Dante Catalfamo <43040593+dantecatalfamo@users.noreply.github.com>
Date: Wed, 16 Jul 2025 13:48:38 -0400
Subject: [PATCH] Explicitly request email NameID from MDM SSO providers (#30886)

#30785
---
 ee/server/service/mdm.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ee/server/service/mdm.go b/ee/server/service/mdm.go
index df90777ec9..5fa06297af 100644
--- a/ee/server/service/mdm.go
+++ b/ee/server/service/mdm.go
@@ -15,6 +15,7 @@ import (
 	"sort"
 	"strings"
 
+	"github.com/crewjam/saml"
 	"github.com/fleetdm/fleet/v4/pkg/file"
 	"github.com/fleetdm/fleet/v4/pkg/optjson"
 	"github.com/fleetdm/fleet/v4/server/authz"
@@ -720,6 +721,8 @@ func (svc *Service) InitiateMDMAppleSSO(ctx context.Context, initiator string) (
 	if err != nil {
 		return "", 0, "", ctxerr.Wrap(ctx, err, "failed to create provider from metadata")
 	}
+	// Request the NameID as an email address instead of an unknown type
+	samlProvider.AuthnNameIDFormat = saml.EmailAddressNameIDFormat
 	// originalURL is unused in the Setup Experience initiated MDM flow
 	// however because we need slightly different behavior for account driven