diff --git a/docs/simplesamlphp-googleapps.md b/docs/simplesamlphp-googleapps.md
index e0ac5fc4f119f3307a8274280002f97053f9e7c4..b83a3b01773b1298692a028d6d698efad2f2589d 100644
--- a/docs/simplesamlphp-googleapps.md
+++ b/docs/simplesamlphp-googleapps.md
@@ -154,13 +154,19 @@ In the `saml20-sp-remote.php` file we will configure an entry for Google Workspa
* This example shows an example config that works with Google Workspace (G Suite / Google Apps) for education.
* What is important is that you have an attribute in your IdP that maps to the local part of the email address
* at Google Workspace. E.g. if your google account is foo.com, and you have a user with email john@foo.com, then you
- * must set the simplesaml.nameidattribute to be the name of an attribute that for this user has the value of 'john'.
+ * must properly configure the saml:AttributeNameID authproc-filter with the name of an attribute that for this user has the value of 'john'.
*/
$metadata['https://www.google.com/a/g.feide.no'] => [
'AssertionConsumerService' => 'https://www.google.com/a/g.feide.no/acs',
'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
- 'simplesaml.nameidattribute' => 'uid',
- 'simplesaml.attributes' => false
+ 'simplesaml.attributes' => false,
+ 'authproc' => [
+ 1 => [
+ 'saml:AttributeNameID',
+ 'attribute' => 'uid',
+ 'format' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
+ ],
+ ],
];
You must also map some attributes received from the authentication module into email field sent to Google Workspace. In this example, the `uid` attribute is set. When you later configure the IdP to connect to a LDAP directory or some other authentication source, make sure that the `uid` attribute is set properly, or you can configure another attribute to use here. The `uid` attribute contains the local part of the user name.
diff --git a/docs/simplesamlphp-reference-sp-remote.md b/docs/simplesamlphp-reference-sp-remote.md
index 3fd3db80814b0d14e170843f584c081285bb3704..0cdf090d2967de3b57fc5195cd280836753065e8 100644
--- a/docs/simplesamlphp-reference-sp-remote.md
+++ b/docs/simplesamlphp-reference-sp-remote.md
@@ -238,19 +238,6 @@ The following options can be set:
: Note that this option also exists in the IdP-hosted metadata.
The value in the SP-remote metadata overrides the value in the IdP-hosted metadata.
-`simplesaml.nameidattribute`
-: When the value of the `NameIDFormat`-option is set to either
- `email` or `persistent`, this is the name of the attribute which
- should be used as the value of the `NameID`. The attribute must
- be in the set of attributes exported to the SP (that is, be in
- the `attributes` array). For more advanced control over `NameID`,
- including the ability to specify any attribute regardless of
- the set sent to the SP, see the [NameID processing filters](./saml:nameid).
- Note that the value of the attribute is collected **after** authproc-filters have run.
-
-: Typical values can be `mail` for when using the `email` format,
- and `eduPersonTargetedID` when using the `persistent` format.
-
`simplesaml.attributes`
: Whether the SP should receive any attributes from the IdP. The
default value is `TRUE`.
diff --git a/docs/simplesamlphp-upgrade-notes-2.0.md b/docs/simplesamlphp-upgrade-notes-2.0.md
index 80d554f61debfa0fcaa2708f9cb129f5b2ea6fa0..0950aafc4fee5e96fdc36925f199e67e8d7288e1 100644
--- a/docs/simplesamlphp-upgrade-notes-2.0.md
+++ b/docs/simplesamlphp-upgrade-notes-2.0.md
@@ -43,6 +43,7 @@ The date formatting when specifying a custom logging string has been changed fro
deprecated `strftime()` format to PHP's `date()` format.
Configuration options that have been removed:
+ - simplesaml.nameidattribute. Use the appropriate authproc-filters instead
- languages[priorities]
- attributes.extradictionaries. Add an attributes.po to your configured theme instead.
- admin.protectindexpage. Replaced by the admin module which always requires login.
diff --git a/metadata-templates/saml20-sp-remote.php b/metadata-templates/saml20-sp-remote.php
index 7ed135bbfe453dff88eb83cdfeef20320f50168f..0343d311facdc6f7d946f6e0b7aef4715b7bb589 100644
--- a/metadata-templates/saml20-sp-remote.php
+++ b/metadata-templates/saml20-sp-remote.php
@@ -18,13 +18,19 @@ $metadata['https://saml2sp.example.org'] = [
* This example shows an example config that works with Google Workspace (G Suite / Google Apps) for education.
* What is important is that you have an attribute in your IdP that maps to the local part of the email address at
* Google Workspace. In example, if your Google account is foo.com, and you have a user that has an email john@foo.com,
- * then you must set the simplesaml.nameidattribute to be the name of an attribute that for this user has the
- * value of 'john'.
+ * then you must properly configure the saml:AttributeNameID authproc-filter with the name of an attribute that for
+ * this user has the value of 'john'.
*/
$metadata['google.com'] = [
'AssertionConsumerService' => 'https://www.google.com/a/g.feide.no/acs',
'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
- 'simplesaml.nameidattribute' => 'uid',
+ 'authproc' => [
+ 1 => [
+ 'saml:AttributeNameID',
+ 'attribute' => 'uid',
+ 'format' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
+ ],
+ ],
'simplesaml.attributes' => false,
];
diff --git a/modules/saml/src/IdP/SAML2.php b/modules/saml/src/IdP/SAML2.php
index 3ed49b320c29dc5a55d67b82ff81fbcab093dc17..25eb69909d720df7fc7a59f4c6dd43ae54022d57 100644
--- a/modules/saml/src/IdP/SAML2.php
+++ b/modules/saml/src/IdP/SAML2.php
@@ -954,40 +954,6 @@ class SAML2
}
- /**
- * Calculate the NameID value that should be used.
- *
- * @param \SimpleSAML\Configuration $idpMetadata The metadata of the IdP.
- * @param \SimpleSAML\Configuration $spMetadata The metadata of the SP.
- * @param array &$state The authentication state of the user.
- *
- * @return string|null The NameID value.
- */
- private static function generateNameIdValue(
- Configuration $idpMetadata,
- Configuration $spMetadata,
- array &$state
- ): ?string {
- $attribute = $spMetadata->getOptionalString('simplesaml.nameidattribute', null);
- if ($attribute === null) {
- $attribute = $idpMetadata->getOptionalString('simplesaml.nameidattribute', null);
- if ($attribute === null) {
- Logger::error('Unable to generate NameID. Check the simplesaml.nameidattribute option.');
- return null;
- }
- }
-
- $attributes = $state['Attributes'];
- if (!array_key_exists($attribute, $attributes)) {
- Logger::error('Unable to add NameID: Missing ' . var_export($attribute, true) .
- ' in the attributes of the user.');
- return null;
- }
-
- return $attributes[$attribute][0];
- }
-
-
/**
* Helper function for encoding attributes.
*
@@ -1267,25 +1233,15 @@ class SAML2
if (isset($state['saml:NameID'][$nameIdFormat])) {
$nameId = $state['saml:NameID'][$nameIdFormat];
- $nameId->setFormat($nameIdFormat);
} else {
- $spNameQualifier = $spMetadata->getOptionalString('SPNameQualifier', null);
- if ($spNameQualifier === null) {
- $spNameQualifier = $spMetadata->getString('entityid');
- }
-
if ($nameIdFormat === Constants::NAMEID_TRANSIENT) {
// generate a random id
$nameIdValue = $randomUtils->generateID();
- } else {
- /* this code will end up generating either a fixed assigned id (via nameid.attribute)
- or random id if not assigned/configured */
- $nameIdValue = self::generateNameIdValue($idpMetadata, $spMetadata, $state);
- if ($nameIdValue === null) {
- Logger::warning('Falling back to transient NameID.');
- $nameIdFormat = Constants::NAMEID_TRANSIENT;
- $nameIdValue = $randomUtils->generateID();
- }
+ }
+
+ $spNameQualifier = $spMetadata->getOptionalString('SPNameQualifier', null);
+ if ($spNameQualifier === null) {
+ $spNameQualifier = $spMetadata->getString('entityid');
}
$nameId = new NameID();