Removed references to SPNameIdentifier, and added support for at SP to define...

Removed references to SPNameIdentifier, and added support for at SP to define ForceAuthn = true in metadata. git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@216 44740490-163a-0410-bde0-09ae8108e29a

Removed references to SPNameIdentifier, and added support for at SP to define...
b8285828 · Andreas Åkre Solberg · 503ff3fa · b8285828 · b8285828 · b8285828
Commit b8285828 authored 17 years ago by Andreas Åkre Solberg
--- a/lib/SimpleSAML/XML/SAML20/AuthnRequest.php
+++ b/lib/SimpleSAML/XML/SAML20/AuthnRequest.php
@@ -115,10 +115,10 @@ class SimpleSAML_XML_SAML20_AuthnRequest {
 		//$assertionConsumerServiceURL = $md['AssertionConsumerService'];
 		$assertionConsumerServiceURL = $this->metadata->getGenerated('AssertionConsumerService', 'saml20-sp-hosted');
-		$spNameQualifier = $md['spNameQualifier'];
 		$nameidformat = isset($md['NameIDFormat']) ? $md['NameIDFormat'] : 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient';
+		$forceauthn = isset($md['ForceAuthn']) ? $md['ForceAuthn'] : 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient';
 		// TODO: Make an option in the metadata to allow adding a RequestedAuthnContext
 		$requestauthncontext = '<samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
@@ -127,7 +127,7 @@ class SimpleSAML_XML_SAML20_AuthnRequest {
 		$authnRequest = '<samlp:AuthnRequest 
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="' . $id . '" Version="2.0"
-    IssueInstant="' . $issueInstant . '" 
+    IssueInstant="' . $issueInstant . '" ForceAuthn="' . $forceauthn . '"
    Destination="' . htmlspecialchars($destination) . '"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="' . htmlspecialchars($assertionConsumerServiceURL) . '">

--- a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
@@ -308,8 +308,8 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 			if ($node = $nodelist->item(0)) {
 				$nameID["NameID"] = $node->nodeValue;
-				$nameID["NameQualifier"] = $node->getAttribute('NameQualifier');
+				//$nameID["NameQualifier"] = $node->getAttribute('NameQualifier');
-				$nameID["SPNameQualifier"] = $node->getAttribute('SPNameQualifier');
+				//$nameID["SPNameQualifier"] = $node->getAttribute('SPNameQualifier');
 				$nameID["Format"] = $node->getAttribute('Format');
 			}
 		}
@@ -367,7 +367,6 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 		$issuer = $idpentityid;
 		$assertionConsumerServiceURL = $spmd['AssertionConsumerService'];
-		$spNameQualifier = $spmd['spNameQualifier'];
 		$destination = $spmd['AssertionConsumerService'];
@@ -386,7 +385,7 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 		if ($spmd['NameIDFormat'] == self::EMAIL) {
 			$nameid = $this->generateNameID($spmd['NameIDFormat'], $attributes[$spmd['simplesaml.nameidattribute']][0]);
 		} else {
-			$nameid = $this->generateNameID($spmd['NameIDFormat'], self::generateID(), $issuer, $spNameQualifier);
+			$nameid = $this->generateNameID($spmd['NameIDFormat'], self::generateID());
 		}
 		$authnResponse = '<samlp:Response 
@@ -438,15 +437,13 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 	private function generateNameID($type = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient', 
-			$value = 'anonymous', $namequalifier = null, $spnamequalifier = null) {
+			$value = 'anonymous') {
 		if ($type == self::EMAIL) {
 			return '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">' . htmlspecialchars($value) . '</saml:NameID>';
 		} else {
-			return '<saml:NameID NameQualifier="' . htmlspecialchars($namequalifier) . '" SPNameQualifier="'. htmlspecialchars($spnamequalifier). '"
+			return '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">' . htmlspecialchars($value). '</saml:NameID>';
-                Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
-                >' . htmlspecialchars($value). '</saml:NameID>';
 		}
 	}

--- a/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
@@ -299,7 +299,6 @@ class SimpleSAML_XML_Shib13_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 		$shire = $spmd['shire'];
 		$audience = $spmd['audience'];
-		$spnamequalifier = $spmd['spnamequalifier'];
 		$base64 = $idpmd['base64'];
 		$encodedattributes = '';
@@ -308,8 +307,7 @@ class SimpleSAML_XML_Shib13_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 			$encodedattributes .= '<AttributeStatement>
 				<Subject>
-					<NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier" NameQualifier="' . htmlspecialchars($spnamequalifier) . '"
+					<NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier">' . htmlspecialchars($nameid) . '</NameIdentifier>
-						>' . htmlspecialchars($nameid) . '</NameIdentifier>
 				</Subject>';
 			foreach ($attributes AS $name => $value) {
@@ -348,8 +346,7 @@ class SimpleSAML_XML_Shib13_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
        <AuthenticationStatement AuthenticationInstant="' . $issueInstant. '"
            AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
            <Subject>
-                <NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier" NameQualifier="' . htmlspecialchars($spnamequalifier) . '"
+                <NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier">' . htmlspecialchars($nameid) . '</NameIdentifier>
-                    >' . htmlspecialchars($nameid) . '</NameIdentifier>
                <SubjectConfirmation>
                    <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod>
                </SubjectConfirmation>

--- a/metadata-templates/saml20-sp-remote.php
+++ b/metadata-templates/saml20-sp-remote.php
@@ -25,7 +25,6 @@ $metadata = array(
 	'saml2sp.example.org' => array(
 		'AssertionConsumerService'		=>	'https://saml2sp.example.org/simplesaml/saml2/sp/AssertionConsumerService.php', 
 		'SingleLogoutService'			=>	'https://saml2sp.example.org/simplesaml/saml2/sp/SingleLogoutService.php',
-		'spNameQualifier' 				=>	'dev.andreas.feide.no',
 		'ForceAuthn'					=>	'false',
 		'NameIDFormat'					=>	'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
@@ -52,7 +51,6 @@ $metadata = array(
 	'google.com' => array(
 		'AssertionConsumerService'		=>	'https://www.google.com/a/g.feide.no/acs', 
 		'SingleLogoutService'			=> 	'',
-		'spNameQualifier' 				=>	'google.com',
 		'ForceAuthn'					=>	'false',
 		'NameIDFormat'					=>	'urn:oasis:names:tc:SAML:2.0:nameid-format:email',

--- a/metadata-templates/shib13-sp-remote.php
+++ b/metadata-templates/shib13-sp-remote.php
@@ -12,22 +12,18 @@ $metadata = array(
 	'https://sp.shiblab.feide.no'	=> array(
 		'AssertionConsumerService'				=>	'http://sp.shiblab.feide.no/Shibboleth.sso/SAML/POST',
-		'spnamequalifier'	=>	'urn:feide.no',
 		'audience'			=>	'urn:mace:feide:shiblab'
 	),
 	'urn:geant:edugain:component:be:switchaai-test:central' => array(
 		'AssertionConsumerService'				=>	'https://edugain-login.switch.ch/ShiBE-R/WebSSOResponseListener',
-		'spnamequalifier'	=>	'urn:geant:edugain:component:be:rediris:rediris.es',
 		'audience'			=>	'urn:geant:edugain:component:be:switchaai-test:central'
 	),
 	'urn:geant:edugain:component:be:rediris:rediris.es' => array(
 		'AssertionConsumerService'				=>	'http://serrano.rediris.es:8080/PAPIWebSSOResponseListener/request',
-		'spnamequalifier'	=>	'urn:geant:edugain:component:be:rediris:rediris.es',
 		'audience'			=>	'urn:geant:edugain:component:be:rediris:rediris.es'
 	),
 	'https://skjak.uninett.no/shibboleth/target' => array(
 		'AssertionConsumerService'				=>	'https://skjak.uninett.no/Shibboleth.shire',
-		'spnamequalifier'	=>	'https://skjak.uninett.no/shibboleth/target',
 		'audience'			=>	'https://skjak.uninett.no/shibboleth/target'
 	)

--- a/www/admin/metadata.php
+++ b/www/admin/metadata.php
@@ -66,7 +66,7 @@ try {
 		$metalist = $metadata->getList('saml20-sp-remote');
 		foreach ($metalist AS $entityid => $mentry) {
 			$results[$entityid] = SimpleSAML_Utilities::checkAssocArrayRules($mentry,
-				array('entityid', 'spNameQualifier', 'AssertionConsumerService', 'SingleLogoutService', 'NameIDFormat'),
+				array('entityid', 'AssertionConsumerService', 'SingleLogoutService', 'NameIDFormat'),
 				array('base64attributes', 'attributemap', 'simplesaml.attributes', 'attributes', 'name', 'description','request.signing','certificate')
 			);
 		}
@@ -116,7 +116,7 @@ try {
 		$metalist = $metadata->getList('shib13-sp-remote');
 		foreach ($metalist AS $entityid => $mentry) {
 			$results[$entityid] = SimpleSAML_Utilities::checkAssocArrayRules($mentry,
-				array('entityid', 'spNameQualifier', 'AssertionConsumerService', 'audience', 'NameIDFormat'),
+				array('entityid', 'AssertionConsumerService', 'audience', 'NameIDFormat'),
 				array('base64attributes', 'attributemap', 'simplesaml.attributes', 'attributes', 'name', 'description')
 			);
 		}