From 68fba6031f909e25d5bc70f99ac5e0893531f644 Mon Sep 17 00:00:00 2001 From: Tim van Dijen <tim.dijen@minbzk.nl> Date: Mon, 28 Jun 2021 17:05:26 +0200 Subject: [PATCH] SAML2INT: default attrname-format to uri (#1455) SAML2INT: default attrname-format to uri --- docs/simplesamlphp-changelog.md | 4 ++++ docs/simplesamlphp-reference-idp-hosted.md | 6 ++---- docs/simplesamlphp-reference-sp-remote.md | 6 ++---- lib/SimpleSAML/Metadata/SAMLBuilder.php | 4 ++-- modules/saml/lib/IdP/SAML2.php | 2 +- 5 files changed, 11 insertions(+), 11 deletions(-) diff --git a/docs/simplesamlphp-changelog.md b/docs/simplesamlphp-changelog.md index 3e1f8ec3a..e5e74f655 100644 --- a/docs/simplesamlphp-changelog.md +++ b/docs/simplesamlphp-changelog.md @@ -12,6 +12,10 @@ See the upgrade notes for specific information about upgrading. * Support for SAML 1.1 was removed * Old-style PHP templates were removed * Old-style dictionaries were removed + * The default value for attrname-format was changed to 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri' + to comply with SAML2INT + * core:PairwiseID and core:SubjectID authprocs no longer support the 'scope' config-setting. + Use 'scopeAttribute' instead to identify the attribute holding the scope. ## Version 1.19.1 diff --git a/docs/simplesamlphp-reference-idp-hosted.md b/docs/simplesamlphp-reference-idp-hosted.md index e23eb75dc..a2ab44be0 100644 --- a/docs/simplesamlphp-reference-idp-hosted.md +++ b/docs/simplesamlphp-reference-idp-hosted.md @@ -180,7 +180,7 @@ The following SAML 2.0 options are available: 2. IdP Hosted Metadata : The default value is: - `urn:oasis:names:tc:SAML:2.0:attrname-format:basic` + `urn:oasis:names:tc:SAML:2.0:attrname-format:uri` : Some examples of values specified in the SAML 2.0 Core Specification: 
@@ -188,7 +188,7 @@ The following SAML 2.0 options are available: : - `urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified` - `urn:oasis:names:tc:SAML:2.0:attrname-format:uri` (The default - in Shibboleth 2.0) + in Shibboleth 2.0, mandatory as per SAML2INT) - `urn:oasis:names:tc:SAML:2.0:attrname-format:basic` (The default in Sun Access Manager) @@ -199,8 +199,6 @@ The following SAML 2.0 options are available: any value in the SP-remote metadata overrides the one configured in the IdP metadata. -: (This option was previously named `AttributeNameFormat`.) - `encryption.blacklisted-algorithms` : Blacklisted encryption algorithms. This is an array containing the algorithm identifiers. diff --git a/docs/simplesamlphp-reference-sp-remote.md b/docs/simplesamlphp-reference-sp-remote.md index 5d1f5ecf8..8ef4d52ab 100644 --- a/docs/simplesamlphp-reference-sp-remote.md +++ b/docs/simplesamlphp-reference-sp-remote.md @@ -131,7 +131,7 @@ The following options can be set: 2. IdP Hosted Metadata : The default value is: - `urn:oasis:names:tc:SAML:2.0:attrname-format:basic` + `urn:oasis:names:tc:SAML:2.0:attrname-format:uri` : Some examples of values specified in the SAML 2.0 Core Specification: @@ -139,7 +139,7 @@ The following options can be set: : - `urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified` - `urn:oasis:names:tc:SAML:2.0:attrname-format:uri` (The default - in Shibboleth 2.0) + in Shibboleth 2.0, mandatory as per SAML2INT) - `urn:oasis:names:tc:SAML:2.0:attrname-format:basic` (The default in Sun Access Manager) @@ -150,8 +150,6 @@ The following options can be set: entry in the SP-remote metadata overrides the option in the IdP-hosted metadata. -: (This option was previously named `AttributeNameFormat`.) - `audience` : An array of additional entities to be added to the AudienceRestriction. By default the only audience is the SP's entityID. 
diff --git a/lib/SimpleSAML/Metadata/SAMLBuilder.php b/lib/SimpleSAML/Metadata/SAMLBuilder.php
index 805215f37..47d873405 100644
--- a/lib/SimpleSAML/Metadata/SAMLBuilder.php
+++ b/lib/SimpleSAML/Metadata/SAMLBuilder.php
@@ -205,7 +205,7 @@ class SAMLBuilder
 foreach ($metadata->getArray('EntityAttributes') as $attributeName => $attributeValues) {
 $a = new Attribute();
 $a->setName($attributeName);
- $a->setNameFormat('urn:oasis:names:tc:SAML:2.0:attrname-format:uri');
+ $a->setNameFormat(Constants::NAMEFORMAT_UNSPECIFIED);
 
 // Attribute names that is not URI is prefixed as this: '{nameformat}name'
 if (preg_match('/^\{(.*?)\}(.*)$/', $attributeName, $matches)) {
@@ -443,7 +443,7 @@ class SAMLBuilder
 $attributeconsumer->setServiceName($name);
 $attributeconsumer->setServiceDescription($metadata->getLocalizedString('description', []));
 
- $nameFormat = $metadata->getString('attributes.NameFormat', Constants::NAMEFORMAT_UNSPECIFIED);
+ $nameFormat = $metadata->getString('attributes.NameFormat', Constants::NAMEFORMAT_URI);
 foreach ($attributes as $friendlyName => $attribute) {
 $t = new RequestedAttribute();
 $t->setName($attribute);
diff --git a/modules/saml/lib/IdP/SAML2.php b/modules/saml/lib/IdP/SAML2.php
index 578bce573..ea75cfc42 100644
--- a/modules/saml/lib/IdP/SAML2.php
+++ b/modules/saml/lib/IdP/SAML2.php
@@ -1068,7 +1068,7 @@ class SAML2
 }
 // default
- return Constants::NAMEFORMAT_BASIC;
+ return Constants::NAMEFORMAT_URI;
 }
-- 
GitLab
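Review bot: The replacement line `$a->setNameFormat(Constants::NAMEFORMAT_UNSPECIFIED);` makes 'unspecified' the fallback NameFormat for every EntityAttributes entry whose name carries no `{nameformat}` prefix, which contradicts both the commit subject (default to uri) and the comment two lines below it, which says that only non-URI names are given the prefix; the second hunk in this file defaults `attributes.NameFormat` to `Constants::NAMEFORMAT_URI`, so the two defaults in the same class now disagree. Consumers that match entity attributes on Name and NameFormat together (entity-category checks, presumably) may stop recognising attributes that this IdP previously published as uri-format. If the move to unspecified is deliberate, the comment should say so; otherwise the line should read `$a->setNameFormat(Constants::NAMEFORMAT_URI);`. The foreach body and the prefix handling continue past the end of the hunk.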
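Review bot: The new default in `$nameFormat = $metadata->getString('attributes.NameFormat', Constants::NAMEFORMAT_URI);` is applied to every RequestedAttribute in the AttributeConsumingService, yet nothing in the hunk verifies that the values in `$attributes` are URIs, so an SP configuration that lists short attribute names without setting `attributes.NameFormat` will now publish metadata with a format claim that is false. The bare constant gives no hint why uri was chosen; a comment such as `// SAML2INT default; set 'attributes.NameFormat' explicitly when the configured attribute names are not URIs` would keep the intent next to the code rather than only in the changelog. The enclosing method starts before the hunk and continues after it.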
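Review bot: `return Constants::NAMEFORMAT_URI;` changes what every IdP that never set `attributes.NameFormat` asserts for all released attributes, while the `// default` comment above it says nothing about that; nothing in the hunk checks that the attribute names being asserted are URIs, so deployments releasing short names now advertise a format they do not use, and an SP that honours the NameFormat may (presumably) reject or drop those attributes. Suggest expanding the comment to `// default: SAML2INT mandates the uri name format; override via 'attributes.NameFormat' in IdP-hosted or SP-remote metadata when released attribute names are not URIs`. The method this return belongs to starts outside the hunk, so the SP-remote and IdP-hosted lookups it performs before this fallback cannot be checked here.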