Unverified commit d4f28726 authored by Tim van Dijen, committed by GitHub
Merge pull request #1657 from simplesamlphp/NameIDFormat

Fix NameID generation
parents 9ae22119 b2db2503
Tags: v14.0.1
...@@ -154,13 +154,19 @@ In the `saml20-sp-remote.php` file we will configure an entry for Google Workspa ...@@ -154,13 +154,19 @@ In the `saml20-sp-remote.php` file we will configure an entry for Google Workspa
* This example shows an example config that works with Google Workspace (G Suite / Google Apps) for education. * This example shows an example config that works with Google Workspace (G Suite / Google Apps) for education.
* What is important is that you have an attribute in your IdP that maps to the local part of the email address * What is important is that you have an attribute in your IdP that maps to the local part of the email address
* at Google Workspace. E.g. if your google account is foo.com, and you have a user with email john@foo.com, then you * at Google Workspace. E.g. if your google account is foo.com, and you have a user with email john@foo.com, then you
* must set the simplesaml.nameidattribute to be the name of an attribute that for this user has the value of 'john'. * must properly configure the saml:AttributeNameID authproc-filter with the name of an attribute that for this user has the value of 'john'.
*/ */
$metadata['https://www.google.com/a/g.feide.no'] => [ $metadata['https://www.google.com/a/g.feide.no'] => [
'AssertionConsumerService' => 'https://www.google.com/a/g.feide.no/acs', 'AssertionConsumerService' => 'https://www.google.com/a/g.feide.no/acs',
'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress', 'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
'simplesaml.nameidattribute' => 'uid', 'simplesaml.attributes' => false,
'simplesaml.attributes' => false 'authproc' => [
1 => [
'saml:AttributeNameID',
'attribute' => 'uid',
'format' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
],
],
]; ];
You must also map some attributes received from the authentication module into email field sent to Google Workspace. In this example, the `uid` attribute is set. When you later configure the IdP to connect to a LDAP directory or some other authentication source, make sure that the `uid` attribute is set properly, or you can configure another attribute to use here. The `uid` attribute contains the local part of the user name. You must also map some attributes received from the authentication module into email field sent to Google Workspace. In this example, the `uid` attribute is set. When you later configure the IdP to connect to a LDAP directory or some other authentication source, make sure that the `uid` attribute is set properly, or you can configure another attribute to use here. The `uid` attribute contains the local part of the user name.
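Review bot: the `format` given to the new `saml:AttributeNameID` filter and the SP's `NameIDFormat` must carry the same value (`urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress` here); in the `SAML2` class change in this same PR the stored NameID is fetched as `$state['saml:NameID'][$nameIdFormat]`, so a mismatch means the filter's result is never picked up. Worth a sentence saying so. The phrase "must properly configure the saml:AttributeNameID authproc-filter" should also link to that filter's documentation, since this page no longer describes the option itself, and the following paragraph still says "In this example, the `uid` attribute is set" without saying where; point it at the `attribute` key of the filter.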
...@@ -238,19 +238,6 @@ The following options can be set: ...@@ -238,19 +238,6 @@ The following options can be set:
: Note that this option also exists in the IdP-hosted metadata. : Note that this option also exists in the IdP-hosted metadata.
The value in the SP-remote metadata overrides the value in the IdP-hosted metadata. The value in the SP-remote metadata overrides the value in the IdP-hosted metadata.
`simplesaml.nameidattribute`
: When the value of the `NameIDFormat`-option is set to either
`email` or `persistent`, this is the name of the attribute which
should be used as the value of the `NameID`. The attribute must
be in the set of attributes exported to the SP (that is, be in
the `attributes` array). For more advanced control over `NameID`,
including the ability to specify any attribute regardless of
the set sent to the SP, see the [NameID processing filters](./saml:nameid).
Note that the value of the attribute is collected **after** authproc-filters have run.
: Typical values can be `mail` for when using the `email` format,
and `eduPersonTargetedID` when using the `persistent` format.
`simplesaml.attributes` `simplesaml.attributes`
: Whether the SP should receive any attributes from the IdP. The : Whether the SP should receive any attributes from the IdP. The
default value is `TRUE`. default value is `TRUE`.
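Review bot: deleting the `simplesaml.nameidattribute` entry also deletes this page's only pointer to the `[NameID processing filters](./saml:nameid)` document and the hint about which attributes are conventional (`mail` for the `email` format, `eduPersonTargetedID` for `persistent`). Suggest keeping a short note under `NameIDFormat`, e.g. "To choose the attribute that becomes the NameID, use the `saml:AttributeNameID` filter; see the NameID processing filters.", so an administrator migrating from the removed option can find the replacement from here.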
...@@ -43,6 +43,7 @@ The date formatting when specifying a custom logging string has been changed fro ...@@ -43,6 +43,7 @@ The date formatting when specifying a custom logging string has been changed fro
deprecated `strftime()` format to PHP's `date()` format. deprecated `strftime()` format to PHP's `date()` format.
Configuration options that have been removed: Configuration options that have been removed:
- simplesaml.nameidattribute. Use the appropriate authproc-filters instead
- languages[priorities] - languages[priorities]
- attributes.extradictionaries. Add an attributes.po to your configured theme instead. - attributes.extradictionaries. Add an attributes.po to your configured theme instead.
- admin.protectindexpage. Replaced by the admin module which always requires login. - admin.protectindexpage. Replaced by the admin module which always requires login.
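Review bot: "Use the appropriate authproc-filters instead" is too vague for an upgrade note; name the filter (`saml:AttributeNameID`, as the updated examples in this PR do) and state the behavioural change that comes with it: the removed code logged "Falling back to transient NameID." and used a random transient id when the attribute was missing, and that fallback is gone in the `SAML2` hunk of this PR. A deployment that upgrades without adding the filter will therefore not get that silent degradation any more. Suggest something like "- simplesaml.nameidattribute. Configure the saml:AttributeNameID authproc-filter (or another NameID filter) instead; there is no fallback to a transient NameID."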
...@@ -18,13 +18,19 @@ $metadata['https://saml2sp.example.org'] = [ ...@@ -18,13 +18,19 @@ $metadata['https://saml2sp.example.org'] = [
* This example shows an example config that works with Google Workspace (G Suite / Google Apps) for education. * This example shows an example config that works with Google Workspace (G Suite / Google Apps) for education.
* What is important is that you have an attribute in your IdP that maps to the local part of the email address at * What is important is that you have an attribute in your IdP that maps to the local part of the email address at
* Google Workspace. In example, if your Google account is foo.com, and you have a user that has an email john@foo.com, * Google Workspace. In example, if your Google account is foo.com, and you have a user that has an email john@foo.com,
* then you must set the simplesaml.nameidattribute to be the name of an attribute that for this user has the * then you must properly configure the saml:AttributeNameID authproc-filter with the name of an attribute that for
* value of 'john'. * this user has the value of 'john'.
*/ */
$metadata['google.com'] = [ $metadata['google.com'] = [
'AssertionConsumerService' => 'https://www.google.com/a/g.feide.no/acs', 'AssertionConsumerService' => 'https://www.google.com/a/g.feide.no/acs',
'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress', 'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
'simplesaml.nameidattribute' => 'uid', 'authproc' => [
1 => [
'saml:AttributeNameID',
'attribute' => 'uid',
'format' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
],
],
'simplesaml.attributes' => false, 'simplesaml.attributes' => false,
]; ];
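Review bot: the comment block above this entry should say that, unlike the removed `simplesaml.nameidattribute`, the filter does not need `uid` to be among the attributes released to the SP (the removed option's documentation in this PR required the attribute to be in the exported set, while the NameID filters can use any attribute), which is why `'simplesaml.attributes' => false` still works here. Also, the `authproc` block is placed before `simplesaml.attributes` in this template but after it in the docs example in the same PR; pick one ordering so the two copies stay diffable.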
...@@ -954,40 +954,6 @@ class SAML2 ...@@ -954,40 +954,6 @@ class SAML2
} }
/**
* Calculate the NameID value that should be used.
*
* @param \SimpleSAML\Configuration $idpMetadata The metadata of the IdP.
* @param \SimpleSAML\Configuration $spMetadata The metadata of the SP.
* @param array &$state The authentication state of the user.
*
* @return string|null The NameID value.
*/
private static function generateNameIdValue(
Configuration $idpMetadata,
Configuration $spMetadata,
array &$state
): ?string {
$attribute = $spMetadata->getOptionalString('simplesaml.nameidattribute', null);
if ($attribute === null) {
$attribute = $idpMetadata->getOptionalString('simplesaml.nameidattribute', null);
if ($attribute === null) {
Logger::error('Unable to generate NameID. Check the simplesaml.nameidattribute option.');
return null;
}
}
$attributes = $state['Attributes'];
if (!array_key_exists($attribute, $attributes)) {
Logger::error('Unable to add NameID: Missing ' . var_export($attribute, true) .
' in the attributes of the user.');
return null;
}
return $attributes[$attribute][0];
}
/** /**
* Helper function for encoding attributes. * Helper function for encoding attributes.
* *
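Review bot: the removed `generateNameIdValue()` read `simplesaml.nameidattribute` first from the SP-remote metadata and then from the IdP-hosted metadata (`$idpMetadata->getOptionalString('simplesaml.nameidattribute', null)`), so the IdP-hosted variant of the option is removed as well. The upgrade note in this PR lists the option once without saying it applied to both metadata files, and no change to the `saml20-idp-hosted` documentation appears in this diff; check that file for a matching entry and mention both places in the upgrade note.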
...@@ -1267,25 +1233,15 @@ class SAML2 ...@@ -1267,25 +1233,15 @@ class SAML2
if (isset($state['saml:NameID'][$nameIdFormat])) { if (isset($state['saml:NameID'][$nameIdFormat])) {
$nameId = $state['saml:NameID'][$nameIdFormat]; $nameId = $state['saml:NameID'][$nameIdFormat];
$nameId->setFormat($nameIdFormat);
} else { } else {
$spNameQualifier = $spMetadata->getOptionalString('SPNameQualifier', null);
if ($spNameQualifier === null) {
$spNameQualifier = $spMetadata->getString('entityid');
}
if ($nameIdFormat === Constants::NAMEID_TRANSIENT) { if ($nameIdFormat === Constants::NAMEID_TRANSIENT) {
// generate a random id // generate a random id
$nameIdValue = $randomUtils->generateID(); $nameIdValue = $randomUtils->generateID();
} else { }
/* this code will end up generating either a fixed assigned id (via nameid.attribute)
or random id if not assigned/configured */ $spNameQualifier = $spMetadata->getOptionalString('SPNameQualifier', null);
$nameIdValue = self::generateNameIdValue($idpMetadata, $spMetadata, $state); if ($spNameQualifier === null) {
if ($nameIdValue === null) { $spNameQualifier = $spMetadata->getString('entityid');
Logger::warning('Falling back to transient NameID.');
$nameIdFormat = Constants::NAMEID_TRANSIENT;
$nameIdValue = $randomUtils->generateID();
}
} }
$nameId = new NameID(); $nameId = new NameID();
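Review bot: in the `else` branch `$nameIdValue` is now only assigned when `$nameIdFormat === Constants::NAMEID_TRANSIENT`; for `persistent` or `emailAddress` with no filter-produced `$state['saml:NameID'][$nameIdFormat]`, the visible lines reach `$nameId = new NameID();` with `$nameIdValue` undefined. The old code logged "Falling back to transient NameID." and switched to a random transient id in that case. Either keep an explicit fallback (with the warning) or fail the request with a clear error telling the administrator to configure a NameID filter; an undefined value ending up in the NameID is worse than either. The dropped `$nameId->setFormat($nameIdFormat)` in the `isset` branch means the stored NameID object's own format is trusted now, which is fine since the lookup is keyed by that format, but a one-line comment saying so would help the next reader.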