From 68fba6031f909e25d5bc70f99ac5e0893531f644 Mon Sep 17 00:00:00 2001
From: Tim van Dijen <tim.dijen@minbzk.nl>
Date: Mon, 28 Jun 2021 17:05:26 +0200
Subject: [PATCH] SAML2INT:  default attrname-format to uri (#1455)

SAML2INT: default attrname-format to uri
---
 docs/simplesamlphp-changelog.md            | 4 ++++
 docs/simplesamlphp-reference-idp-hosted.md | 6 ++----
 docs/simplesamlphp-reference-sp-remote.md  | 6 ++----
 lib/SimpleSAML/Metadata/SAMLBuilder.php    | 4 ++--
 modules/saml/lib/IdP/SAML2.php             | 2 +-
 5 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/docs/simplesamlphp-changelog.md b/docs/simplesamlphp-changelog.md
index 3e1f8ec3a..e5e74f655 100644
--- a/docs/simplesamlphp-changelog.md
+++ b/docs/simplesamlphp-changelog.md
@@ -12,6 +12,10 @@ See the upgrade notes for specific information about upgrading.
   * Support for SAML 1.1 was removed
   * Old-style PHP templates were removed
   * Old-style dictionaries were removed
+  * The default value for attrname-format was changed to 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'
+    to comply with SAML2INT
+  * core:PairwiseID and core:SubjectID authprocs no longer support the 'scope' config-setting.
+    Use 'scopeAttribute' instead to identify the attribute holding the scope.
 
 ## Version 1.19.1
 
diff --git a/docs/simplesamlphp-reference-idp-hosted.md b/docs/simplesamlphp-reference-idp-hosted.md
index e23eb75dc..a2ab44be0 100644
--- a/docs/simplesamlphp-reference-idp-hosted.md
+++ b/docs/simplesamlphp-reference-idp-hosted.md
@@ -180,7 +180,7 @@ The following SAML 2.0 options are available:
     2.  IdP Hosted Metadata
 
 :   The default value is:
-    `urn:oasis:names:tc:SAML:2.0:attrname-format:basic`
+    `urn:oasis:names:tc:SAML:2.0:attrname-format:uri`
 
 :   Some examples of values specified in the SAML 2.0 Core
     Specification:
@@ -188,7 +188,7 @@ The following SAML 2.0 options are available:
 :   -   `urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified`
 
     -   `urn:oasis:names:tc:SAML:2.0:attrname-format:uri` (The default
-        in Shibboleth 2.0)
+        in Shibboleth 2.0, mandatory as per SAML2INT)
 
     -   `urn:oasis:names:tc:SAML:2.0:attrname-format:basic` (The
         default in Sun Access Manager)
@@ -199,8 +199,6 @@ The following SAML 2.0 options are available:
     any value in the SP-remote metadata overrides the one configured
     in the IdP metadata.
 
-:   (This option was previously named `AttributeNameFormat`.)
-
 `encryption.blacklisted-algorithms`
 :   Blacklisted encryption algorithms. This is an array containing the algorithm identifiers.
 
diff --git a/docs/simplesamlphp-reference-sp-remote.md b/docs/simplesamlphp-reference-sp-remote.md
index 5d1f5ecf8..8ef4d52ab 100644
--- a/docs/simplesamlphp-reference-sp-remote.md
+++ b/docs/simplesamlphp-reference-sp-remote.md
@@ -131,7 +131,7 @@ The following options can be set:
     2.  IdP Hosted Metadata
 
 :   The default value is:
-    `urn:oasis:names:tc:SAML:2.0:attrname-format:basic`
+    `urn:oasis:names:tc:SAML:2.0:attrname-format:uri`
 
 :   Some examples of values specified in the SAML 2.0 Core
     Specification:
@@ -139,7 +139,7 @@ The following options can be set:
 :   -   `urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified`
 
     -   `urn:oasis:names:tc:SAML:2.0:attrname-format:uri` (The default
-        in Shibboleth 2.0)
+        in Shibboleth 2.0, mandatory as per SAML2INT)
 
     -   `urn:oasis:names:tc:SAML:2.0:attrname-format:basic` (The
         default in Sun Access Manager)
@@ -150,8 +150,6 @@ The following options can be set:
     entry in the SP-remote metadata overrides the option in the
     IdP-hosted metadata.
 
-:   (This option was previously named `AttributeNameFormat`.)
-
 `audience`
 :   An array of additional entities to be added to the AudienceRestriction. By default the only audience is the SP's entityID. 
 
diff --git a/lib/SimpleSAML/Metadata/SAMLBuilder.php b/lib/SimpleSAML/Metadata/SAMLBuilder.php
index 805215f37..47d873405 100644
--- a/lib/SimpleSAML/Metadata/SAMLBuilder.php
+++ b/lib/SimpleSAML/Metadata/SAMLBuilder.php
@@ -205,7 +205,7 @@ class SAMLBuilder
             foreach ($metadata->getArray('EntityAttributes') as $attributeName => $attributeValues) {
                 $a = new Attribute();
                 $a->setName($attributeName);
-                $a->setNameFormat('urn:oasis:names:tc:SAML:2.0:attrname-format:uri');
+                $a->setNameFormat(Constants::NAMEFORMAT_UNSPECIFIED);
 
                 // Attribute names that is not URI is prefixed as this: '{nameformat}name'
                 if (preg_match('/^\{(.*?)\}(.*)$/', $attributeName, $matches)) {
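Review bot: The replacement on the setNameFormat line changes the value, not just its spelling: the removed literal was the uri format, the added constant is NAMEFORMAT_UNSPECIFIED, so EntityAttributes whose name carries no `{nameformat}` prefix now go out as unspecified while the commit title, the changelog entry and the other two code hunks move the default to uri. If uri is intended here as well, the line should read `$a->setNameFormat(Constants::NAMEFORMAT_URI);`; if entity attributes are deliberately exempt from the new default, a comment above the line saying so, e.g. `// EntityAttributes default to unspecified; a {nameformat} prefix on the name overrides this`, would stop the next reader from "correcting" it. The enclosing method starts and ends outside this hunk, so I cannot see whether the prefix branch below treats the unspecified value specially.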
@@ -443,7 +443,7 @@ class SAMLBuilder
         $attributeconsumer->setServiceName($name);
         $attributeconsumer->setServiceDescription($metadata->getLocalizedString('description', []));
 
-        $nameFormat = $metadata->getString('attributes.NameFormat', Constants::NAMEFORMAT_UNSPECIFIED);
+        $nameFormat = $metadata->getString('attributes.NameFormat', Constants::NAMEFORMAT_URI);
         foreach ($attributes as $friendlyName => $attribute) {
             $t = new RequestedAttribute();
             $t->setName($attribute);
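Review bot: Changing the fallback of `attributes.NameFormat` alters the NameFormat that every generated RequestedAttribute advertises for deployments that never set the option, and none of the five files in the diffstat is the SP (authsource) reference where that option is described — only the idp-hosted and sp-remote pages are updated. This is inferred from the key name rather than from visible code, but the names passed to `setName` come from the configured `$attributes` array and may be friendly names rather than URIs, in which case declaring them with the uri format is inaccurate. A one-line comment on the changed line, `// SAML2INT default; set attributes.NameFormat when the attribute names are not URIs`, plus a matching note in the SP documentation, would make the new default discoverable. The enclosing method starts and ends outside this hunk.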
diff --git a/modules/saml/lib/IdP/SAML2.php b/modules/saml/lib/IdP/SAML2.php
index 578bce573..ea75cfc42 100644
--- a/modules/saml/lib/IdP/SAML2.php
+++ b/modules/saml/lib/IdP/SAML2.php
@@ -1068,7 +1068,7 @@ class SAML2
         }
 
         // default
-        return Constants::NAMEFORMAT_BASIC;
+        return Constants::NAMEFORMAT_URI;
     }
 
 
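Review bot: The `// default` comment above the changed return does not say why the default is now uri, and that reason is the whole point of the commit; `// default: SAML2INT mandates the uri name-format when neither SP-remote nor IdP-hosted metadata sets attributes.NameFormat` would record it (the lookup order is taken from the idp-hosted docs in this patch, not from code visible here). A service provider that compares NameFormat strictly may drop attributes delivered in a format it did not expect, so the switch from basic to uri is an interoperability change for existing relying parties; the changelog entry in this patch states the new value, and pointing readers of the code to that entry would help. The enclosing method starts outside this hunk.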
-- 
GitLab