diff --git a/lib/SimpleSAML/Utilities.php b/lib/SimpleSAML/Utilities.php
index d5a5affd8c99f94b4a8e6bc6ec8f8f9f2df7c5c0..3a8018aef05f10436bae5cb3e62d52f9e06b0f4b 100644
--- a/lib/SimpleSAML/Utilities.php
+++ b/lib/SimpleSAML/Utilities.php
@@ -1106,38 +1106,41 @@ class SimpleSAML_Utilities {
 * @param $sppset Allows to select another metadata set. (to support both saml2 or shib13)
 * @return A non-reversible unique identifier for the user.
 */
- public static function generateUserIdentifier($idpEntityId, $spEntityId, $attributes, $idpset = 'saml20-idp-hosted', $spset = 'saml20-sp-remote') {
+ public static function generateUserIdentifier($idpEntityId, $spEntityId, array &$state, $idpset = 'saml20-idp-hosted', $spset = 'saml20-sp-remote') {
 $metadataHandler = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
 $idpMetadata = $metadataHandler->getMetaData($idpEntityId, $idpset);
 $spMetadata = $metadataHandler->getMetaData($spEntityId, $spset);
- if(array_key_exists('userid.attribute', $spMetadata)) {
- $attributeName = $spMetadata['userid.attribute'];
- } elseif(array_key_exists('userid.attribute', $idpMetadata)) {
- $attributeName = $idpMetadata['userid.attribute'];
+ if (isset($state['UserID'])) {
+ $attributeValue = $state['UserID'];
 } else {
- $attributeName = 'eduPersonPrincipalName';
- }
+ if(array_key_exists('userid.attribute', $spMetadata)) {
+ $attributeName = $spMetadata['userid.attribute'];
+ } elseif(array_key_exists('userid.attribute', $idpMetadata)) {
+ $attributeName = $idpMetadata['userid.attribute'];
+ } else {
+ $attributeName = 'eduPersonPrincipalName';
+ }
- if(!array_key_exists($attributeName, $attributes)) {
- throw new Exception('Missing attribute "' . $attributeName . '" for user. Cannot' .
- ' generate user id.');
- }
+ if(!array_key_exists($attributeName, $attributes)) {
+ throw new Exception('Missing attribute "' . $attributeName . '" for user. Cannot' .
+ ' generate user id.');
+ }
- $attributeValue = $attributes[$attributeName];
- if(count($attributeValue) !== 1) {
- throw new Exception('Attribute "' . $attributeName . '" for user did not contain exactly' .
- ' one value. 
Cannot generate user id.');
- }
+ $attributeValue = $attributes[$attributeName];
+ if(count($attributeValue) !== 1) {
+ throw new Exception('Attribute "' . $attributeName . '" for user did not contain exactly' .
+ ' one value. Cannot generate user id.');
+ }
- $attributeValue = $attributeValue[0];
- if(empty($attributeValue)) {
- throw new Exception('Attribute "' . $attributeName . '" for user was empty. Cannot' .
- ' generate user id.');
+ $attributeValue = $attributeValue[0];
+ if(empty($attributeValue)) {
+ throw new Exception('Attribute "' . $attributeName . '" for user was empty. Cannot' .
+ ' generate user id.');
+ }
 }
-
 $secretSalt = self::getSecretSalt();
 $uidData = 'uidhashbase' . $secretSalt;
diff --git a/modules/saml2/lib/Message.php b/modules/saml2/lib/Message.php
index b30859947c58c42b82d865b5d94de3f4e74010b5..5b46fcdf51b2606ef60386d2195767e56a11740c 100644
--- a/modules/saml2/lib/Message.php
+++ b/modules/saml2/lib/Message.php
@@ -462,7 +462,7 @@ class sspmod_saml2_Message {
 * @return string The NameID value.
 */
 private static function generateNameIdValue(SimpleSAML_Configuration $srcMetadata,
- SimpleSAML_Configuration $dstMetadata, array $attributes) {
+ SimpleSAML_Configuration $dstMetadata, array &$state) {
 $attribute = $dstMetadata->getString('simplesaml.nameidattribute', NULL);
 if ($attribute === NULL) {
@@ -472,7 +472,7 @@ class sspmod_saml2_Message {
 try {
 return SimpleSAML_Utilities::generateUserIdentifier($srcMetadata->getString( 'entityid' ), $dstMetadata->getString( 'entityid' ),
- $attributes );
+ $state);
 } catch (Exception $e) {
 SimpleSAML_Logger::error('Unable to generate NameID: ' . $e->getMessage());
 return NULL;
@@ -480,6 +480,7 @@ class sspmod_saml2_Message {
 }
 }
+ $attributes = $state['Attributes'];
 if (!array_key_exists($attribute, $attributes)) {
 SimpleSAML_Logger::error('Unable to add NameID: Missing ' . var_export($attribute, TRUE) . ' in the attributes of the user.');
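Review bot: The rewritten else branch still reads `$attributes` in `array_key_exists($attributeName, $attributes)` and `$attributes[$attributeName]`, but the parameter of that name was replaced by `array &$state`, so every request that has no `$state['UserID']` now trips over an undefined variable and no persistent identifier can be derived. The branch needs `$attributes = $state['Attributes'];` before the lookup, mirroring what the Message.php hunk does at its own level. The `UserID` path also bypasses the `empty()` check that the attribute path keeps, so an empty string placed in `$state['UserID']` would be hashed with the salt into a single identifier shared by every such user; moving the emptiness check below the if/else applies it to both sources. Nothing visible writes to `$state`, so the by-reference `&` looks unnecessary; the function body continues past the hunk, and the docblock above it (outside the hunk) presumably still describes an `$attributes` parameter and should be updated.
```php
		if (isset($state['UserID'])) {
			$attributeValue = $state['UserID'];
		} else {
			$attributes = $state['Attributes'];
			// … unchanged: userid.attribute lookup, missing-attribute and single-value checks …
			$attributeValue = $attributeValue[0];
		}
		if (empty($attributeValue)) {
			throw new Exception('User identifier for user was empty. Cannot generate user id.');
		}
```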
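Review bot: In the @@ -480 hunk the new `$attributes = $state['Attributes'];` assumes the key is present; when it is missing PHP raises a notice and the following `array_key_exists($attribute, $attributes)` is handed `null`, so the failure surfaces as a type warning rather than the intended "Missing ... in the attributes" log line. Guarding the read keeps the existing error path meaningful: `$attributes = isset($state['Attributes']) ? $state['Attributes'] : array();`. In the @@ -462 hunk the parameter became `array &$state` although the visible code only reads from it, so a by-value `array $state` would express the contract and avoid letting a helper that derives a NameID silently mutate the caller's authentication state; the same applies to the generateUserIdentifier signature in Utilities.php. The docblock line `@return string The NameID value.` still stands although the method also returns `NULL`, which the caller in the @@ -648 hunk relies on; `@return string|NULL` would match the code. generateNameIdValue's body continues past the hunk.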
@@ -648,7 +649,7 @@ class sspmod_saml2_Message {
 } else {
 /* this code will end up generating either a fixed assigned id (via nameid.attribute) or random id if not assigned/configured */
- $nameIdValue = self::generateNameIdValue($srcMetadata, $dstMetadata, $state['Attributes']);
+ $nameIdValue = self::generateNameIdValue($srcMetadata, $dstMetadata, $state);
 if ($nameIdValue === NULL) {
 SimpleSAML_Logger::warning('Falling back to transient NameID.');
 $nameIdFormat = SAML2_Const::NAMEID_TRANSIENT;
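Review bot: The comment directly above the changed call is now out of date: it says the value comes from `nameid.attribute` or is random, while generateNameIdValue reads the `simplesaml.nameidattribute` option and, after this change, the hashed fallback may also be seeded from `$state['UserID']` rather than an attribute. Since this is the line a maintainer reads to understand where a persistent NameID originates, it is worth stating precisely, e.g. `/* Derive the NameID from the attribute named by 'simplesaml.nameidattribute', or fall back to a salted hash of the user identifier (from $state['UserID'] or the configured userid.attribute); NULL means fall back to a transient NameID. */`. The enclosing method starts and ends outside the hunk.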