diff --git a/lib/SimpleSAML/Session.php b/lib/SimpleSAML/Session.php index 73a1beb775114f6a0b88218c18b736c9d668584b..0249884eeffb4834eb9ecfa305a2e0ed85a9d7b1 100644 --- a/lib/SimpleSAML/Session.php +++ b/lib/SimpleSAML/Session.php @@ -68,6 +68,14 @@ class SimpleSAML_Session { private $dataStore = null; + /** + * Current NameIDs for sessions. + * + * Stored as a two-level associative array: $sessionNameId[<entityType>][<entityId>] + */ + private $sessionNameId; + + /** * private constructor restricts instantiaton to getInstance() */ 
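Review bot: `private $sessionNameId;` is declared without a default, so it holds NULL until the first setSessionNameId() call and both accessors added in the next hunk have to guard with `is_array($this->sessionNameId)`; declaring it as `private $sessionNameId = array();` would make the invariant stated in the docblock ("two-level associative array") hold from construction on. If the NULL state is deliberate, for instance to cover session objects that were serialized before this property existed, that deserves a line in the docblock, e.g. `* NULL for sessions stored before this property was introduced.`, because a reader otherwise cannot tell why the guards exist. The remainder of the class is outside the hunk.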
@@ -291,6 +299,57 @@ class SimpleSAML_Session { } + /** + * Set the NameID of the users session to the specified entity. + * + * @param string $entityType The type of the entity (saml20-sp-remote, shib13-sp-remote, ...). + * @param string $entityId The entity id. + * @param array $nameId The name identifier. + */ + public function setSessionNameId($entityType, $entityId, $nameId) { + assert('is_string($entityType)'); + assert('is_string($entityId)'); + assert('is_array($nameId)'); + + if(!is_array($this->sessionNameId)) { + $this->sessionNameId = array(); + } + + if(!array_key_exists($entityType, $this->sessionNameId)) { + $this->sessionNameId[$entityType] = array(); + } + + $this->sessionNameId[$entityType][$entityId] = $nameId; + } + + + /** + * Get the NameID of the users session to the specified entity. + * + * @param string $entityType The type of the entity (saml20-sp-remote, shib13-sp-remote, ...). + * @param string $entityId The entity id. + * @return array The name identifier, or NULL if no name identifier is associated with this session. + */ + public function getSessionNameId($entityType, $entityId) { + assert('is_string($entityType)'); + assert('is_string($entityId)'); + + if(!is_array($this->sessionNameId)) { + return NULL; + } + + if(!array_key_exists($entityType, $this->sessionNameId)) { + return NULL; + } + + if(!array_key_exists($entityId, $this->sessionNameId[$entityType])) { + return NULL; + } + + return $this->sessionNameId[$entityType][$entityId]; + } + + /** * Marks the user as logged in with the specified authority. * diff --git a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php index e624160948f1e76ef5e0a18d3aa00680703d93ad..5ec634aebe8e736d7e6ff2b10aafde72dc48b9f7 100644 --- a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php +++ b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php 
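Review bot: The docblock of getSessionNameId() declares `@return array` although the method returns NULL from three branches; it should read `@return array|NULL The name identifier, or NULL if no name identifier is associated with this session.`. setSessionNameId() likewise accepts any array for `$nameId` without stating the shape callers must store, yet the AuthnResponse hunk stores `array('Format' => ..., 'value' => ...)` and SingleLogoutService hands the stored value straight to LogoutRequest::generate(), so the `@param` should pin that shape (`@param array $nameId The name identifier, as array('Format' => <format>, 'value' => <value>).`) or the setter should check for both keys. As a point of style, the three array_key_exists() checks in the getter collapse to `return isset($this->sessionNameId[$entityType][$entityId]) ? $this->sessionNameId[$entityType][$entityId] : NULL;`, which is equivalent because only non-null arrays are ever stored. Nothing in this change removes an entry, so a NameID recorded for an SP presumably remains in the session after that SP has been logged out; whether that matters depends on code outside the hunk.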
@@ -647,12 +647,14 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse { /** * Handling NameID */ - $nameid = null; if ($nameidformat == self::EMAIL) { - $nameid = $this->generateNameID($nameidformat, $attributes[$spmd['simplesaml.nameidattribute']][0], $spnamequalifier); + $nameIdValue = $attributes[$spmd['simplesaml.nameidattribute']][0]; } else { - $nameid = $this->generateNameID($nameidformat, SimpleSAML_Utilities::generateID(), $spnamequalifier); + $nameIdValue = SimpleSAML_Utilities::generateID(); } + $nameIdData = array('Format' => $nameidformat, 'value' => $nameIdValue); + $session->setSessionNameId('saml20-sp-remote', $spentityid, $nameIdData); + $nameid = $this->generateNameID($nameidformat, $nameIdValue, $spnamequalifier); $assertion = ""; if ($status === 'Success') { diff --git a/www/saml2/idp/SingleLogoutService.php b/www/saml2/idp/SingleLogoutService.php index 451d5dd11fbef50ad509566738f0741a72c835b8..b60ce02994e590c80ff89c205ca382093f84a07e 100644 --- a/www/saml2/idp/SingleLogoutService.php +++ b/www/saml2/idp/SingleLogoutService.php @@ -248,7 +248,11 @@ if ($spentityid) { $lr = new SimpleSAML_XML_SAML20_LogoutRequest($config, $metadata); // ($issuer, $receiver, $nameid, $nameidformat, $sessionindex, $mode) { - $req = $lr->generate($idpentityid, $spentityid, $session->getNameID(), $session->getSessionIndex(), 'IdP'); + $nameId = $session->getSessionNameId('saml20-sp-remote', $spentityid); + if($nameId === NULL) { + $nameId = $session->getNameID(); + } + $req = $lr->generate($idpentityid, $spentityid, $nameId, $session->getSessionIndex(), 'IdP'); /* Save the $logoutInfo until we return from the SP. */ saveLogoutInfo($lr->getGeneratedID());
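Review bot: `$session->setSessionNameId('saml20-sp-remote', $spentityid, $nameIdData);` runs before the `if ($status === 'Success')` check that follows it, so a NameID is recorded on the session for this SP even when the response being built is a failure and, as far as the hunk shows, no assertion carrying that NameID is issued; a later IdP-initiated logout would then address this SP with a NameID it never received. Moving the setSessionNameId() call inside the success branch, or guarding it with `if ($status === 'Success') {`, keeps the session record in step with what was actually sent. The added `$nameIdValue = $attributes[$spmd['simplesaml.nameidattribute']][0];` still indexes the attribute without checking that it exists, a gap the commit carries over from the removed line; a missing attribute produces a NULL NameID value rather than an explicit error. Where `$session` and `$status` are defined is outside the hunk.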
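Review bot: The fallback `if($nameId === NULL) { $nameId = $session->getNameID(); }` silently substitutes the session-wide NameID when no per-SP one was recorded; since AuthnResponse now issues a freshly generated value for every non-email NameID, the session-wide value will in general not be the one this SP holds, and the SP can be expected to reject the resulting LogoutRequest. The fallback is reasonable for sessions created before this change, but the branch should log at debug level, naming `$spentityid`, so that rejected logout requests can be traced to it. The literal `'saml20-sp-remote'` is now repeated here and in AuthnResponse; a class constant on SimpleSAML_Session would keep the two call sites from drifting. The enclosing `if ($spentityid)` block extends beyond the hunk.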