saml: Add saml:NameIDAttribute filter.

This filter can create an attribute from the NameID we receive in
the authentication response.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2548 44740490-163a-0410-bde0-09ae8108e29a

docs/simplesamlphp-authproc.txt

@@ -143,6 +143,7 @@ The following filters are included in the simpleSAMLphp distribution:
 - [`core:WarnShortSSOInterval`](./core:authproc_warnshortssointerval): Give a warning if the user logs into the same SP twice within a few seconds.
 - [`preprodwarning:Warning`](./preprodwarning:warning): Warn the user about accessing a test IdP.
 - [`saml:AttributeNameID`](./saml:nameid): Generate custom NameID with the value of an attribute.
+- [`saml:NameIDAttribute`](./saml:nameidattribute): Create an attribute based on the NameID we receive from the IdP.
 - [`saml:PersistentNameID`](./saml:nameid): Generate persistent NameID from an attribute.
 - [`saml:TransientNameID`](./saml:nameid): Generate transient NameID.
 

modules/saml/docs/nameidattribute.txt

+`saml:NameIDAttribute`
+======================
+
+Filter that extracts the NameID we received in the authentication response and adds it as an attribute.
+
+Parameters
+----------
+
+`attribute`
+:   The name of the attribute we should create.
+    The default is `nameid`.
+
+`format`
+:   The format string for the attribute.
+    The default is `%I!%S!%V`.
+
+:   The format string accepts the following replacements:
+
+    * `%I`: The IdP that issued the NameID.
+            This will be the `NameQualifier` element of the NameID if it is present, or the entity ID of the IdP we received the response from if not.
+    * `%S`: The SP the NameID was issued to.
+            This will be the `SPNameQualifier` element of the NameID if it is present, or the entity ID of this SP otherwise.
+    * `%V`: The value of the NameID.
+    * `%F`: The format of the NameID.
+    * `%%`: Will be replaced with a single `%`.
+
+Examples
+--------
+
+Minimal configuration:
+
+    'default-sp' => array(
+        'saml:SP',
+        'authproc' => array(
+            20 => 'saml:NameIDAttribute',
+        ),
+    ),
+
+Custom attribute name:
+
+    'default-sp' => array(
+        'saml:SP',
+        'authproc' => array(
+            20 => array(
+                'class' => 'saml:NameIDAttribute',
+                'attribute' => 'someattributename',
+            ),
+        ),
+    ),
+
+Only extract the value of the NameID.
+
+    'default-sp' => array(
+        'saml:SP',
+        'authproc' => array(
+            20 => array(
+                'class' => 'saml:NameIDAttribute',
+                'format' => '%V',
+            ),
+        ),
+    ),
+
+See also
+--------
+
+ * [The description of the `saml:SP` authentication source.](./saml:sp)
+ * [How to generate various NameIDs on the IdP.](./saml:nameid)

modules/saml/lib/Auth/Process/NameIDAttribute.php

+<?php
+
+/**
+ * Authproc filter to create an attribute from a NameID.
+ *
+ * @package simpleSAMLphp
+ * @version $Id$
+ */
+class sspmod_saml_Auth_Process_NameIDAttribute extends SimpleSAML_Auth_ProcessingFilter {
+
+	/**
+	 * The attribute we should save the NameID in.
+	 *
+	 * @var string
+	 */
+	private $attribute;
+
+
+	/**
+	 * The format of the NameID in the attribute.
+	 *
+	 * @var array
+	 */
+	private $format;
+
+
+	/**
+	 * Initialize this filter, parse configuration.
+	 *
+	 * @param array $config  Configuration information about this filter.
+	 * @param mixed $reserved  For future use.
+	 */
+	public function __construct($config, $reserved) {
+		parent::__construct($config, $reserved);
+		assert('is_array($config)');
+
+		if (isset($config['attribute'])) {
+			$this->attribute = (string)$config['attribute'];
+		} else {
+			$this->attribute = 'nameid';
+		}
+
+		if (isset($config['format'])) {
+			$format = (string)$config['format'];
+		} else {
+			$format = '%I!%S!%V';
+		}
+
+		$this->format = self::parseFormat($format);
+	}
+
+
+	/**
+	 * Parse a NameID format string into an array.
+	 *
+	 * @param string $format  The format string.
+	 * @return array  The format string broken into its individual components.
+	 */
+	private static function parseFormat($format) {
+		assert('is_string($format)');
+
+		$ret = array();
+		$pos = 0;
+		while ( ($next = strpos($format, '%', $pos)) !== FALSE) {
+			$ret[] = substr($format, $pos, $next - $pos);
+
+			$replacement = $format[$next + 1];
+			switch ($replacement) {
+			case 'F':
+				$ret[] = 'Format';
+				break;
+			case 'I':
+				$ret[] = 'NameQualifier';
+				break;
+			case 'S':
+				$ret[] = 'SPNameQualifier';
+				break;
+			case 'V':
+				$ret[] = 'Value';
+				break;
+			case '%':
+				$ret[] = '%';
+				break;
+			default:
+				throw new SimpleSAML_Error_Exception('NameIDAttribute: Invalid replacement: "%' . $replacement . '"');
+			}
+
+			$pos = $next + 2;
+		}
+		$ret[] = substr($format, $pos);
+
+		return $ret;
+	}
+
+
+	/**
+	 * Convert NameID to attribute.
+	 *
+	 * @param array &$state  The request state.
+	 */
+	public function process(&$state) {
+		assert('is_array($state)');
+		assert('isset($state["Source"]["entityid"])');
+		assert('isset($state["Destination"]["entityid"])');
+
+		if (!isset($state['saml:sp:State']['LogoutState']['saml:logout:NameID'])) {
+			return;
+		}
+
+		$rep = $state['saml:sp:State']['LogoutState']['saml:logout:NameID'];
+		assert('isset($rep["Value"])');
+
+		$rep['%'] = '%';
+		if (!isset($rep['Format'])) {
+			$rep['Format'] = SAML2_Const::NAMEID_UNSPECIFIED;
+		}
+		if (!isset($rep['NameQualifier'])) {
+			$rep['NameQualifier'] = $state['Source']['entityid'];
+		}
+		if (!isset($rep['SPNameQualifier'])) {
+			$rep['SPNameQualifier'] = $state['Destination']['entityid'];
+		}
+
+		$value = '';
+		$isString = TRUE;
+		foreach ($this->format as $element) {
+			if ($isString) {
+				$value .= $element;
+			} else {
+				$value .= $rep[$element];
+			}
+			$isString = !$isString;
+		}
+
+		$state['Attributes'][$this->attribute] = array($value);
+	}
+
+}