From a890b60438d4c8bcdcfd770361aedbbe64ad4c74 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20Pe=CC=81rez?= <jaime.perez@uninett.no>
Date: Mon, 12 Dec 2016 12:21:31 +0100
Subject: [PATCH] bugfix: Make sure a persistent NameID is not generated by
 default when the UserID is missing in the state array.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This allowed misconfigured IdPs (i.e. those with no PersistentNameID authproc filter, no “userid.attribute” configuration option, and no “eduPersonPrincipalName” attribute available after running all the authentication processing filters) to generate a persistent NameID based on “null”, effectively giving all users the same identifier.
---
 modules/saml/lib/IdP/SAML2.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/saml/lib/IdP/SAML2.php b/modules/saml/lib/IdP/SAML2.php
index 92e5363a0..e8521efd6 100644
--- a/modules/saml/lib/IdP/SAML2.php
+++ b/modules/saml/lib/IdP/SAML2.php
@@ -680,6 +680,7 @@ class sspmod_saml_IdP_SAML2
             if ($attribute === null) {
                 if (!isset($state['UserID'])) {
                     SimpleSAML\Logger::error('Unable to generate NameID. Check the userid.attribute option.');
+                    return null;
                 }
                 $attributeValue = $state['UserID'];
                 $idpEntityId = $idpMetadata->getString('entityid');
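Review bot: The added `return null;` makes a missing `$state['UserID']` a null result of this method, and the hunk shows neither the method's signature nor its callers, so confirm the docblock's `@return` admits null and that every caller treats null as "emit no NameID" rather than feeding it further into NameID construction (the enclosing method starts and ends outside the hunk). The adjacent error message only points at `userid.attribute`, while the commit description names three distinct causes; a log line that states what was actually missing makes the misconfiguration easier to diagnose from the IdP log, e.g. `SimpleSAML\Logger::error('Unable to generate NameID: no UserID in the state array. Check the userid.attribute option and the authproc filters.');`. A one-line comment on the new return, such as `// Never derive a persistent identifier from a null UserID: all users would share it.`, would record the reason this guard must not be removed.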
-- 
GitLab