Skip to content

Commit 76cee4a

Browse files
tvdijenmonkeyiq
tvdijen
and
monkeyiq
authored
Bugfix/nameid policy (#2603)
* Bugfix: don't set illegal combination of AllowCreate/Format * Force allowCreate to false if format is TRANSIENT I also kept a reference to the errata 05 page/line here in a comment * allowCreate is true by default and contained for TRANSIENT As the default was true for this before it is now that way again. If the format is NAMEID_TRANSIENT it will be set to respect the Errata 05. * The persistent default is back to having allowCreate=true --------- Co-authored-by: Ben Martin <monkeyiq@users.sourceforge.net>
1 parent 0e45381 commit 76cee4a

4 files changed

Lines changed: 16 additions & 5 deletions

File tree

modules/saml/src/Auth/Source/SP.php

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -593,8 +593,11 @@ private function startSSO2(Configuration $idpMetadata, array $state): void
593593

594594
if (!empty($state['saml:NameIDPolicy'])) {
595595
$ar->setNameIdPolicy($state['saml:NameIDPolicy']);
596+
} else {
597+
$ar->setNameIdPolicy($this->metadata->getOptionalArray('NameIDPolicy', []));
596598
}
597599

600+
598601
$requesterID = [];
599602

600603
/* Only check for real info for Scoping element if we are going to send Scoping element */

src/SimpleSAML/Utils/Config/Metadata.php

Lines changed: 11 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -248,7 +248,7 @@ public static function parseNameIdPolicy(?array $nameIdPolicy = null): array
248248
{
249249
if ($nameIdPolicy === null) {
250250
// when NameIDPolicy is unset or set to null, default to transient
251-
return ['Format' => Constants::NAMEID_TRANSIENT, 'AllowCreate' => true];
251+
return ['Format' => Constants::NAMEID_TRANSIENT, 'AllowCreate' => false];
252252
}
253253

254254
if ($nameIdPolicy === []) {
@@ -258,9 +258,17 @@ public static function parseNameIdPolicy(?array $nameIdPolicy = null): array
258258

259259
// handle configurations specifying an array in the NameIDPolicy config option
260260
$nameIdPolicy_cf = Configuration::loadFromArray($nameIdPolicy);
261+
$format = $nameIdPolicy_cf->getOptionalString('Format', Constants::NAMEID_TRANSIENT);
262+
$allowCreate = $nameIdPolicy_cf->getOptionalBoolean('AllowCreate', true);
263+
// SAML Version 2.0 Errata 05 lines 252-255 (pg 12)
264+
if ($format === Constants::NAMEID_TRANSIENT) {
265+
if ($allowCreate) {
266+
$allowCreate = false;
267+
}
268+
}
261269
$policy = [
262-
'Format' => $nameIdPolicy_cf->getOptionalString('Format', Constants::NAMEID_TRANSIENT),
263-
'AllowCreate' => $nameIdPolicy_cf->getOptionalBoolean('AllowCreate', true),
270+
'Format' => $format,
271+
'AllowCreate' => $allowCreate,
264272
];
265273
$spNameQualifier = $nameIdPolicy_cf->getOptionalString('SPNameQualifier', null);
266274
if ($spNameQualifier !== null) {

tests/modules/saml/src/Auth/Source/SPTest.php

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -164,7 +164,7 @@ private function createLogoutRequest(array $state = []): LogoutRequest
164164
*/
165165
public function testAuthnRequest(): void
166166
{
167-
$ar = $this->createAuthnRequest();
167+
$ar = $this->createAuthnRequest(['NameIDPolicy' => ['AllowCreate' => false]]);
168168

169169
$xml = $ar->toSignedXML();
170170

tests/src/SimpleSAML/Utils/Config/MetadataTest.php

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -257,7 +257,7 @@ public function testParseNameIdPolicyDefaults(): void
257257
$nameIdPolicy = null;
258258
$this->assertEquals([
259259
'Format' => Constants::NAMEID_TRANSIENT,
260-
'AllowCreate' => true,
260+
'AllowCreate' => false,
261261
], Metadata::parseNameIdPolicy($nameIdPolicy));
262262

263263
$nameIdPolicy = [

0 commit comments

Comments
 (0)