...
Supporting a new name identifier within the identity provider is a three step processincludes:
- configure Configuring the IdP to produce the name identifierconfigure
- Configuring the IdP to accept the name identifier
- express support for the name identifier within the IdP's metadata
...
- (optional)
The second step
...
is occasionally important, but not necessarily mandatory, depending on the requirements of the relying parties you need to support. Specifically, the ability to reverse the identifier back into a user's identity is essential for supporting back-channel queries, among other features, but is not strictly needed for a one-way communication path such as is used by default with SAML 2.0 SPs. Most of the time, if you're just doing this to accomodate a vendor with a lousy SAML implementation, you can ignore that step.
Producing the Name Identifier
...