bugfix: Make sure a persistent NameID is not generated by default when the...

bugfix: Make sure a persistent NameID is not generated by default when the UserID is missing in the state array. This allowed misconfigured IdPs (i.e. those without both a PersistenNameID authproc filter, a “userid.attribute” configuration option and no “eduPersonPrincipalName” attribute available after running all the authentication processing filters) to generate a persistent NameID based on “null”, effectively giving all users the same identifier.

bugfix: Make sure a persistent NameID is not generated by default when the...
bugfix: Make sure a persistent NameID is not generated by default when the UserID is missing in the state array. This allowed misconfigured IdPs (i.e. those without both a PersistenNameID authproc filter, a “userid.attribute” configuration option and no “eduPersonPrincipalName” attribute available after running all the authentication processing filters) to generate a persistent NameID based on “null”, effectively giving all users the same identifier.
a890b604 · Jaime Pérez · baba857a · a890b604
Commit a890b604 authored 8 years ago by Jaime Pérez
--- a/modules/saml/lib/IdP/SAML2.php
+++ b/modules/saml/lib/IdP/SAML2.php
@@ -680,6 +680,7 @@ class sspmod_saml_IdP_SAML2
            if ($attribute === null) {
                if (!isset($state['UserID'])) {
                    SimpleSAML\Logger::error('Unable to generate NameID. Check the userid.attribute option.');
+                    return null;
                }
                $attributeValue = $state['UserID'];
                $idpEntityId = $idpMetadata->getString('entityid');