From 412fde9517d3bc961193412b13c11ce86138fdcc Mon Sep 17 00:00:00 2001
From: Jaime Perez Crespo <jaime.perez@uninett.no>
Date: Tue, 29 Mar 2016 22:37:48 +0200
Subject: [PATCH] This is related to #346, and closes #347. It enables richer NameIDPolicy configuration, allowing to set not only the format, but also the value for "AllowCreate".
---
modules/saml/lib/Message.php | 29 ++++++++++++++++++++---------
1 file changed, 20 insertions(+), 9 deletions(-)
diff --git a/modules/saml/lib/Message.php b/modules/saml/lib/Message.php
index 04318e917..685be4f63 100644
--- a/modules/saml/lib/Message.php
+++ b/modules/saml/lib/Message.php
@@ -403,18 +403,29 @@ class sspmod_saml_Message {
 $ar = new SAML2_AuthnRequest();
-if ($spMetadata->hasValue('NameIDPolicy')) {
-$nameIdPolicy = $spMetadata->getString('NameIDPolicy', NULL);
-} else {
-$nameIdPolicy = $spMetadata->getString('NameIDFormat', SAML2_Const::NAMEID_TRANSIENT);
+// get the NameIDPolicy to apply. IdP metadata has precedence.
+$nameIdPolicy = array();
+if ($idpMetadata->hasValue('NameIDPolicy')) {
+$nameIdPolicy = $idpMetadata->getValue('NameIDPolicy');
+} elseif ($spMetadata->hasValue('NameIDPolicy')) {
+$nameIdPolicy = $spMetadata->getValue('NameIDPolicy');
+}
+
+if (!is_array($nameIdPolicy)) {
+// handle old configurations where 'NameIDPolicy' was used to specify just the format
+$nameIdPolicy = array('Format' => $nameIdPolicy);
 }
-if ($nameIdPolicy !== NULL) {
-$ar->setNameIdPolicy(array(
-'Format' => $nameIdPolicy,
-'AllowCreate' => TRUE,
-));
+$nameIdPolicy_cf = SimpleSAML_Configuration::loadFromArray($nameIdPolicy);
+$policy = array(
+'Format' => $nameIdPolicy_cf->getString('Format', SAML2_Const::NAMEID_TRANSIENT),
+'AllowCreate' => $nameIdPolicy_cf->getBoolean('AllowCreate', true),
+);
+$spNameQualifier = $nameIdPolicy_cf->getString('SPNameQualifier', false);
+if ($spNameQualifier !== false) {
+$policy['SPNameQualifier'] = $spNameQualifier;
 }
+$ar->setNameIdPolicy($policy);
 $ar->setForceAuthn($spMetadata->getBoolean('ForceAuthn', FALSE));
 $ar->setIsPassive($spMetadata->getBoolean('IsPassive', FALSE));
-- 
GitLab
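Review bot: The SP-side `NameIDFormat` fallback is dropped: the removed line read `NameIDFormat` from SP metadata whenever no `NameIDPolicy` was configured, but the new `elseif` chain only consults `NameIDPolicy`, so an SP that configured only `NameIDFormat` will now silently request `SAML2_Const::NAMEID_TRANSIENT`, which changes the identifier the IdP returns for that SP and can break existing account linking. Restoring the fallback after the SP `NameIDPolicy` branch is two lines: `} elseif ($spMetadata->hasValue('NameIDFormat')) {` and `$nameIdPolicy = array('Format' => $spMetadata->getString('NameIDFormat'));`. A second, inferred point: the removed `if ($nameIdPolicy !== NULL)` allowed a configuration of `'NameIDPolicy' => null` to omit the element entirely, whereas the new code turns `null` into `array('Format' => null)` and hands it to `getString('Format', ...)`, which presumably rejects a non-string value rather than skipping the policy — if that is the case, guard the policy build and the `setNameIdPolicy` call with `if ($nameIdPolicy !== null)` so the old opt-out keeps working. The enclosing method starts and ends outside the hunk.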