diff --git a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
index d0e8ccaecc80849427c7e4ea4500aed481cde480..8da4453c59c1f69d0de04da27af625882f1f40bf 100644
--- a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
@@ -492,6 +492,7 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 */
 $base64 = isset($spmd['base64attributes']) ? $spmd['base64attributes'] : false;
 $nameidformat = isset($spmd['NameIDFormat']) ? $spmd['NameIDFormat'] : 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient';
+ $spnamequalifier = isset($spmd['SPNameQualifier']) ? $spmd['SPNameQualifier'] : $spmd['entityid'];
 $encodedattributes = '';
 foreach ($attributes AS $name => $values) {
@@ -510,9 +511,9 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 */
 $nameid = null;
 if ($nameidformat == self::EMAIL) {
- $nameid = $this->generateNameID($nameidformat, $attributes[$spmd['simplesaml.nameidattribute']][0]);
+ $nameid = $this->generateNameID($nameidformat, $attributes[$spmd['simplesaml.nameidattribute']][0], $spnamequalifier);
 } else {
- $nameid = $this->generateNameID($nameidformat, self::generateID());
+ $nameid = $this->generateNameID($nameidformat, self::generateID(), $spnamequalifier);
 }
 /**
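Review bot: The `isset($spmd['SPNameQualifier']) ? $spmd['SPNameQualifier'] : $spmd['entityid']` selection added in the first hunk is repeated twice more in the LogoutRequest.php hunk (once against receiver metadata, once against issuer metadata), so the override rule now lives in three places that can drift. A single shared helper, e.g. `function getSPNameQualifier($md) { return isset($md['SPNameQualifier']) ? $md['SPNameQualifier'] : $md['entityid']; }`, would keep the rule in one spot for both files. The new `SPNameQualifier` metadata option also needs an entry in the SP metadata documentation stating that it replaces the entity ID as the SPNameQualifier of issued NameIDs. The enclosing method starts and ends outside both hunks.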
@@ -562,13 +563,20 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 private function generateNameID($type = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
- $value = 'anonymous') {
-
+ $value = 'anonymous', $spnamequalifier = null) {
+
+ $spnamequalifiertext = '';
+ if (!empty($spnamequalifier)) {
+ $spnamequalifiertext = ' SPNameQualifier="' . htmlspecialchars($spnamequalifier) . '"';
+ }
+
 if ($type == self::EMAIL) {
- return '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">' . htmlspecialchars($value) . '</saml:NameID>';
+ return '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"' .
+ $spnamequalifiertext . '>' . htmlspecialchars($value) . '</saml:NameID>';
 } else {
- return '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">' . htmlspecialchars($value). '</saml:NameID>';
+ return '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"' .
+ $spnamequalifiertext. '>' . htmlspecialchars($value). '</saml:NameID>';
 }
 }
diff --git a/lib/SimpleSAML/XML/SAML20/LogoutRequest.php b/lib/SimpleSAML/XML/SAML20/LogoutRequest.php
index 974ce533ba5621d6cddd3bbe78583b6a26a8c5c1..9b38ac286bbebf8b16fcac52b3939bef3de098d0 100644
--- a/lib/SimpleSAML/XML/SAML20/LogoutRequest.php
+++ b/lib/SimpleSAML/XML/SAML20/LogoutRequest.php
@@ -121,6 +121,12 @@ class SimpleSAML_XML_SAML20_LogoutRequest {
 $issuermd = $this->metadata->getMetaData($issuer, $issuerset);
 $receivermd = $this->metadata->getMetaData($receiver, $receiverset);
+ if ($mode == 'IdP') {
+ $spnamequalifier = isset($receivermd['SPNameQualifier']) ? $receivermd['SPNameQualifier'] : $receivermd['entityid'];
+ } else {
+ $spnamequalifier = isset($issuermd['SPNameQualifier']) ? $issuermd['SPNameQualifier'] : $issuermd['entityid'];
+ }
+
 $id = self::generateID();
 $issueInstant = self::generateIssueInstant();
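Review bot: The new guard `if (!empty($spnamequalifier))` in generateNameID is a truthiness test, so a qualifier of `'0'` would be silently dropped along with `null` and `''`; the intent is "was one supplied", which is `if ($spnamequalifier !== null && $spnamequalifier !== '') {`. The new `$spnamequalifier` parameter is undocumented: the method's docblock, if one exists above the hunk, should state that it is the optional SPNameQualifier attribute value and that `null` omits the attribute entirely. The escaping is adequate for the double-quoted attribute, since `htmlspecialchars()` escapes `"` with its default flags, so nothing in the SP's metadata value can break out of the attribute.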
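Review bot: The `if ($mode == 'IdP')` branch added after `$receivermd` in LogoutRequest.php reads as if it picked different parties, but both arms presumably resolve the SP's metadata (the receiver when this side acts as IdP, the issuer when it acts as SP), and nothing in the hunk says so; a comment such as `// SPNameQualifier always names the SP: the receiver when we are the IdP, the issuer when we are the SP` would make the asymmetry deliberate. `$mode` is assigned outside the hunk and the enclosing method starts and ends outside it, so where its values are validated is not visible; if it can hold anything other than `'IdP'` and `'SP'`, the `else` arm silently treats that as SP.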
@@ -133,7 +139,7 @@ class SimpleSAML_XML_SAML20_LogoutRequest {
 Destination="' . htmlspecialchars($destination) . '"
 IssueInstant="' . $issueInstant . '">
 <saml:Issuer >' . htmlspecialchars($issuer) . '</saml:Issuer>
- <saml:NameID Format="' . htmlspecialchars($nameid['Format']) . '">' . htmlspecialchars($nameid['value']) . '</saml:NameID>
+ <saml:NameID Format="' . htmlspecialchars($nameid['Format']) . '" SPNameQualifier="' . htmlspecialchars($spnamequalifier) . '">' . htmlspecialchars($nameid['value']) . '</saml:NameID>
 <samlp:SessionIndex>' . htmlspecialchars($sessionindex) . '</samlp:SessionIndex>
 </samlp:LogoutRequest>
 ';
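Review bot: The rebuilt `<saml:NameID>` line unconditionally emits `SPNameQualifier` derived from metadata, but a LogoutRequest must carry the NameID exactly as it was issued, and a session whose NameID was issued without a qualifier, or with a different one (for instance by a remote IdP that does not set it), will no longer be matched by the receiver, so logout silently fails to end that session. Safer is to keep the qualifier next to `Format` and `value` when the NameID is parsed and emit it only when present, e.g. `' . (isset($nameid['SPNameQualifier']) ? ' SPNameQualifier="' . htmlspecialchars($nameid['SPNameQualifier']) . '"' : '') . '`; the key name is a proposal, since whether the parsed `$nameid` array already carries it is not visible here. The enclosing method starts outside the hunk.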