SAML2/IdP: Fix persistent NameID generation.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2349 44740490-163a-0410-bde0-09ae8108e29a

SAML2/IdP: Fix persistent NameID generation.
5b2e7f16 · Olav Morken · cb5b174d · 5b2e7f16 · 5b2e7f16
Commit 5b2e7f16 authored 15 years ago by Olav Morken
--- a/lib/SimpleSAML/Utilities.php
+++ b/lib/SimpleSAML/Utilities.php
@@ -1106,38 +1106,41 @@ class SimpleSAML_Utilities {
 	 * @param $sppset       Allows to select another metadata set. (to support both saml2 or shib13)
 	 * @return A non-reversible unique identifier for the user.
 	 */
-	public static function generateUserIdentifier($idpEntityId, $spEntityId, $attributes, $idpset = 'saml20-idp-hosted', $spset = 'saml20-sp-remote') {
+	public static function generateUserIdentifier($idpEntityId, $spEntityId, array &$state, $idpset = 'saml20-idp-hosted', $spset = 'saml20-sp-remote') {
 	
 		$metadataHandler = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
 		$idpMetadata = $metadataHandler->getMetaData($idpEntityId, $idpset);
 		$spMetadata = $metadataHandler->getMetaData($spEntityId, $spset);

-		if(array_key_exists('userid.attribute', $spMetadata)) {
-			$attributeName = $spMetadata['userid.attribute'];
-		} elseif(array_key_exists('userid.attribute', $idpMetadata)) {
-			$attributeName = $idpMetadata['userid.attribute'];
+		if (isset($state['UserID'])) {
+			$attributeValue = $state['UserID'];
 		} else {
-			$attributeName = 'eduPersonPrincipalName';
-		}
+			if(array_key_exists('userid.attribute', $spMetadata)) {
+				$attributeName = $spMetadata['userid.attribute'];
+			} elseif(array_key_exists('userid.attribute', $idpMetadata)) {
+				$attributeName = $idpMetadata['userid.attribute'];
+			} else {
+				$attributeName = 'eduPersonPrincipalName';
+			}

-		if(!array_key_exists($attributeName, $attributes)) {
-			throw new Exception('Missing attribute "' . $attributeName . '" for user. Cannot' .
-			                    ' generate user id.');
-		}
+			if(!array_key_exists($attributeName, $attributes)) {
+				throw new Exception('Missing attribute "' . $attributeName . '" for user. Cannot' .
+					' generate user id.');
+			}

-		$attributeValue = $attributes[$attributeName];
-		if(count($attributeValue) !== 1) {
-			throw new Exception('Attribute "' . $attributeName . '" for user did not contain exactly' .
-			                    ' one value. Cannot generate user id.');
-		}
+			$attributeValue = $attributes[$attributeName];
+			if(count($attributeValue) !== 1) {
+				throw new Exception('Attribute "' . $attributeName . '" for user did not contain exactly' .
+					' one value. Cannot generate user id.');
+			}

-		$attributeValue = $attributeValue[0];
-		if(empty($attributeValue)) {
-			throw new Exception('Attribute "' . $attributeName . '" for user was empty. Cannot' .
-			                    ' generate user id.');
+			$attributeValue = $attributeValue[0];
+			if(empty($attributeValue)) {
+				throw new Exception('Attribute "' . $attributeName . '" for user was empty. Cannot' .
+					' generate user id.');
+			}
 		}

-
 		$secretSalt = self::getSecretSalt();

 		$uidData = 'uidhashbase' . $secretSalt;

--- a/modules/saml2/lib/Message.php
+++ b/modules/saml2/lib/Message.php
@@ -462,7 +462,7 @@ class sspmod_saml2_Message {
 	 * @return string  The NameID value.
 	 */
 	private static function generateNameIdValue(SimpleSAML_Configuration $srcMetadata,
-		SimpleSAML_Configuration $dstMetadata, array $attributes) {
+		SimpleSAML_Configuration $dstMetadata, array &$state) {

 		$attribute = $dstMetadata->getString('simplesaml.nameidattribute', NULL);
 		if ($attribute === NULL) {
@@ -472,7 +472,7 @@ class sspmod_saml2_Message {
 				try {
 					return SimpleSAML_Utilities::generateUserIdentifier($srcMetadata->getString( 'entityid' ),
 						$dstMetadata->getString( 'entityid' ),
-						$attributes );
+						$state);
 				} catch (Exception $e) {
 					SimpleSAML_Logger::error('Unable to generate NameID: ' . $e->getMessage());
 					return NULL;
@@ -480,6 +480,7 @@ class sspmod_saml2_Message {
 			}
 		}

+		$attributes = $state['Attributes'];
 		if (!array_key_exists($attribute, $attributes)) {
 			SimpleSAML_Logger::error('Unable to add NameID: Missing ' . var_export($attribute, TRUE) .
 				' in the attributes of the user.');
@@ -648,7 +649,7 @@ class sspmod_saml2_Message {
 			} else {
 				/* this code will end up generating either a fixed assigned id (via nameid.attribute)
 				   or random id if not assigned/configured */
-				$nameIdValue = self::generateNameIdValue($srcMetadata, $dstMetadata, $state['Attributes']);
+				$nameIdValue = self::generateNameIdValue($srcMetadata, $dstMetadata, $state);
 				if ($nameIdValue === NULL) {
 					SimpleSAML_Logger::warning('Falling back to transient NameID.');
 					$nameIdFormat = SAML2_Const::NAMEID_TRANSIENT;