SAML2: Fix transient NameId for logout.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@787 44740490-163a-0410-bde0-09ae8108e29a

SAML2: Fix transient NameId for logout.
81b52aff · Olav Morken · f46e8edc · 81b52aff · 81b52aff · 81b52aff
Commit 81b52aff authored 17 years ago by Olav Morken
--- a/lib/SimpleSAML/Session.php
+++ b/lib/SimpleSAML/Session.php
@@ -68,6 +68,14 @@ class SimpleSAML_Session {
 	private $dataStore = null;
+	/**
+	 * Current NameIDs for sessions.
+	 *
+	 * Stored as a two-level associative array: $sessionNameId[<entityType>][<entityId>]
+	 */
+	private $sessionNameId;
 	/**
 	 * private constructor restricts instantiaton to getInstance()
 	 */
@@ -291,6 +299,57 @@ class SimpleSAML_Session {
 	}
+	/**
+	 * Set the NameID of the users session to the specified entity.
+	 *
+	 * @param string $entityType  The type of the entity (saml20-sp-remote, shib13-sp-remote, ...).
+	 * @param string $entityId  The entity id.
+	 * @param array $nameId  The name identifier.
+	 */
+	public function setSessionNameId($entityType, $entityId, $nameId) {
+		assert('is_string($entityType)');
+		assert('is_string($entityId)');
+		assert('is_array($nameId)');
+		if(!is_array($this->sessionNameId)) {
+			$this->sessionNameId = array();
+		}
+		if(!array_key_exists($entityType, $this->sessionNameId)) {
+			$this->sessionNameId[$entityType] = array();
+		}
+		$this->sessionNameId[$entityType][$entityId] = $nameId;
+	}
+	/**
+	 * Get the NameID of the users session to the specified entity.
+	 *
+	 * @param string $entityType  The type of the entity (saml20-sp-remote, shib13-sp-remote, ...).
+	 * @param string $entityId  The entity id.
+	 * @return array  The name identifier, or NULL if no name identifier is associated with this session.
+	 */
+	public function getSessionNameId($entityType, $entityId) {
+		assert('is_string($entityType)');
+		assert('is_string($entityId)');
+		if(!is_array($this->sessionNameId)) {
+			return NULL;
+		}
+		if(!array_key_exists($entityType, $this->sessionNameId)) {
+			return NULL;
+		}
+		if(!array_key_exists($entityId, $this->sessionNameId[$entityType])) {
+			return NULL;
+		}
+		return $this->sessionNameId[$entityType][$entityId];
+	}
 	/**
 	 * Marks the user as logged in with the specified authority.
 	 *

--- a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
@@ -647,12 +647,14 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 		/**
 		 * Handling NameID
 		 */
-		$nameid = null;
 		if ($nameidformat == self::EMAIL) {
-			$nameid = $this->generateNameID($nameidformat, $attributes[$spmd['simplesaml.nameidattribute']][0], $spnamequalifier);
+			$nameIdValue = $attributes[$spmd['simplesaml.nameidattribute']][0];
 		} else {
-			$nameid = $this->generateNameID($nameidformat, SimpleSAML_Utilities::generateID(), $spnamequalifier);
+			$nameIdValue = SimpleSAML_Utilities::generateID();
 		}
+		$nameIdData = array('Format' => $nameidformat, 'value' => $nameIdValue);
+		$session->setSessionNameId('saml20-sp-remote', $spentityid, $nameIdData);
+		$nameid = $this->generateNameID($nameidformat, $nameIdValue, $spnamequalifier);
 		$assertion = "";
 		if ($status === 'Success') {

--- a/www/saml2/idp/SingleLogoutService.php
+++ b/www/saml2/idp/SingleLogoutService.php
@@ -248,7 +248,11 @@ if ($spentityid) {
 		$lr = new SimpleSAML_XML_SAML20_LogoutRequest($config, $metadata);
 		// ($issuer, $receiver, $nameid, $nameidformat, $sessionindex, $mode) {
-		$req = $lr->generate($idpentityid, $spentityid, $session->getNameID(), $session->getSessionIndex(), 'IdP');
+		$nameId = $session->getSessionNameId('saml20-sp-remote', $spentityid);
+		if($nameId === NULL) {
+			$nameId = $session->getNameID();
+		}
+		$req = $lr->generate($idpentityid, $spentityid, $nameId, $session->getSessionIndex(), 'IdP');
 		/* Save the $logoutInfo until we return from the SP. */
 		saveLogoutInfo($lr->getGeneratedID());