Handle string, array and false values in NameIDPolicy in the Message class.

This allows us to both specify the details of the policy, and also to avoid skipping sending one by setting the configuration option to false.

modules/saml/lib/Message.php

@@ -435,28 +435,37 @@ class sspmod_saml_Message
         $ar = new \SAML2\AuthnRequest();
 
         // get the NameIDPolicy to apply. IdP metadata has precedence.
-        $nameIdPolicy = array();
+        $nameIdPolicy = null;
         if ($idpMetadata->hasValue('NameIDPolicy')) {
             $nameIdPolicy = $idpMetadata->getValue('NameIDPolicy');
         } elseif ($spMetadata->hasValue('NameIDPolicy')) {
             $nameIdPolicy = $spMetadata->getValue('NameIDPolicy');
         }
 
-        if (!is_array($nameIdPolicy)) {
+        $policy = null;
+        if (is_string($nameIdPolicy)) {
             // handle old configurations where 'NameIDPolicy' was used to specify just the format
-            $nameIdPolicy = array('Format' => $nameIdPolicy);
+            $policy = array('Format' => $nameIdPolicy);
+        } elseif (is_array($nameIdPolicy)) {
+            // handle current configurations specifying an array in the NameIDPolicy config option
+            $nameIdPolicy_cf = SimpleSAML_Configuration::loadFromArray($nameIdPolicy);
+            $policy = array(
+                'Format'      => $nameIdPolicy_cf->getString('Format', \SAML2\Constants::NAMEID_TRANSIENT),
+                'AllowCreate' => $nameIdPolicy_cf->getBoolean('AllowCreate', true),
+            );
+            $spNameQualifier = $nameIdPolicy_cf->getString('SPNameQualifier', false);
+            if ($spNameQualifier !== false) {
+                $policy['SPNameQualifier'] = $spNameQualifier;
+            }
+        } elseif ($nameIdPolicy === null) {
+            // when NameIDPolicy is unset or set to null, default to transient as before
+            $policy = array('Format' => \SAML2\Constants::NAMEID_TRANSIENT);
         }
 
-        $nameIdPolicy_cf = SimpleSAML_Configuration::loadFromArray($nameIdPolicy);
-        $policy = array(
-            'Format'      => $nameIdPolicy_cf->getString('Format', \SAML2\Constants::NAMEID_TRANSIENT),
-            'AllowCreate' => $nameIdPolicy_cf->getBoolean('AllowCreate', true),
-        );
-        $spNameQualifier = $nameIdPolicy_cf->getString('SPNameQualifier', false);
-        if ($spNameQualifier !== false) {
-            $policy['SPNameQualifier'] = $spNameQualifier;
+        if ($policy !== null) {
+            // either we have a policy set, or we used the transient default
+            $ar->setNameIdPolicy($policy);
         }
-        $ar->setNameIdPolicy($policy);
 
         $ar->setForceAuthn($spMetadata->getBoolean('ForceAuthn', false));
         $ar->setIsPassive($spMetadata->getBoolean('IsPassive', false));