Merge pull request #1657 from simplesamlphp/NameIDFormat

Fix NameID generation

docs/simplesamlphp-googleapps.md

@@ -154,13 +154,19 @@ In the `saml20-sp-remote.php` file we will configure an entry for Google Workspa
        * This example shows an example config that works with Google Workspace (G Suite / Google Apps) for education.
        * What is important is that you have an attribute in your IdP that maps to the local part of the email address
        * at Google Workspace. E.g. if your google account is foo.com, and you have a user with email john@foo.com, then you
-       * must set the simplesaml.nameidattribute to be the name of an attribute that for this user has the value of 'john'.
+       * must properly configure the saml:AttributeNameID authproc-filter with the name of an attribute that for this user has the value of 'john'.
        */
       $metadata['https://www.google.com/a/g.feide.no'] => [
         'AssertionConsumerService'   => 'https://www.google.com/a/g.feide.no/acs', 
         'NameIDFormat'               => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
-        'simplesaml.nameidattribute' => 'uid',
-        'simplesaml.attributes'      => false
+        'simplesaml.attributes'      => false,
+        'authproc'                   => [
+          1 => [
+            'saml:AttributeNameID',
+            'attribute' => 'uid',
+            'format' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
+          ],
+        ],
       ];
 
 You must also map some attributes received from the authentication module into email field sent to Google Workspace. In this example, the  `uid` attribute is set.  When you later configure the IdP to connect to a LDAP directory or some other authentication source, make sure that the `uid` attribute is set properly, or you can configure another attribute to use here. The `uid` attribute contains the local part of the user name.

docs/simplesamlphp-reference-sp-remote.md

@@ -238,19 +238,6 @@ The following options can be set:
 :   Note that this option also exists in the IdP-hosted metadata.
     The value in the SP-remote metadata overrides the value in the IdP-hosted metadata.
 
-`simplesaml.nameidattribute`
-:   When the value of the `NameIDFormat`-option is set to either
-    `email` or `persistent`, this is the name of the attribute which
-    should be used as the value of the `NameID`. The attribute must
-    be in the set of attributes exported to the SP (that is, be in
-    the `attributes` array). For more advanced control over `NameID`,
-    including the ability to specify any attribute regardless of
-    the set sent to the SP, see the [NameID processing filters](./saml:nameid).
-    Note that the value of the attribute is collected **after** authproc-filters have run.
-
-:   Typical values can be `mail` for when using the `email` format,
-    and `eduPersonTargetedID` when using the `persistent` format.
-
 `simplesaml.attributes`
 :   Whether the SP should receive any attributes from the IdP. The
     default value is `TRUE`.

docs/simplesamlphp-upgrade-notes-2.0.md

@@ -43,6 +43,7 @@ The date formatting when specifying a custom logging string has been changed fro
 deprecated `strftime()` format to PHP's `date()` format.
 
 Configuration options that have been removed:
+ - simplesaml.nameidattribute. Use the appropriate authproc-filters instead
  - languages[priorities]
  - attributes.extradictionaries. Add an attributes.po to your configured theme instead.
  - admin.protectindexpage. Replaced by the admin module which always requires login.

metadata-templates/saml20-sp-remote.php

@@ -18,13 +18,19 @@ $metadata['https://saml2sp.example.org'] = [
  * This example shows an example config that works with Google Workspace (G Suite / Google Apps) for education.
  * What is important is that you have an attribute in your IdP that maps to the local part of the email address at
  * Google Workspace. In example, if your Google account is foo.com, and you have a user that has an email john@foo.com,
- * then you must set the simplesaml.nameidattribute to be the name of an attribute that for this user has the
- * value of 'john'.
+ * then you must properly configure the saml:AttributeNameID authproc-filter with the name of an attribute that for
+ * this user has the value of 'john'.
  */
 $metadata['google.com'] = [
     'AssertionConsumerService' => 'https://www.google.com/a/g.feide.no/acs',
     'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
-    'simplesaml.nameidattribute' => 'uid',
+    'authproc' => [
+      1 => [
+        'saml:AttributeNameID',
+        'attribute' => 'uid',
+        'format' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
+      ],
+    ],
     'simplesaml.attributes' => false,
 ];
 

modules/saml/src/IdP/SAML2.php

@@ -954,40 +954,6 @@ class SAML2
     }
 
 
-    /**
-     * Calculate the NameID value that should be used.
-     *
-     * @param \SimpleSAML\Configuration $idpMetadata The metadata of the IdP.
-     * @param \SimpleSAML\Configuration $spMetadata The metadata of the SP.
-     * @param array                     &$state The authentication state of the user.
-     *
-     * @return string|null The NameID value.
-     */
-    private static function generateNameIdValue(
-        Configuration $idpMetadata,
-        Configuration $spMetadata,
-        array &$state
-    ): ?string {
-        $attribute = $spMetadata->getOptionalString('simplesaml.nameidattribute', null);
-        if ($attribute === null) {
-            $attribute = $idpMetadata->getOptionalString('simplesaml.nameidattribute', null);
-            if ($attribute === null) {
-                Logger::error('Unable to generate NameID. Check the simplesaml.nameidattribute option.');
-                return null;
-            }
-        }
-
-        $attributes = $state['Attributes'];
-        if (!array_key_exists($attribute, $attributes)) {
-            Logger::error('Unable to add NameID: Missing ' . var_export($attribute, true) .
-                ' in the attributes of the user.');
-            return null;
-        }
-
-        return $attributes[$attribute][0];
-    }
-
-
     /**
      * Helper function for encoding attributes.
      *
@@ -1267,25 +1233,15 @@ class SAML2
 
         if (isset($state['saml:NameID'][$nameIdFormat])) {
             $nameId = $state['saml:NameID'][$nameIdFormat];
-            $nameId->setFormat($nameIdFormat);
         } else {
-            $spNameQualifier = $spMetadata->getOptionalString('SPNameQualifier', null);
-            if ($spNameQualifier === null) {
-                $spNameQualifier = $spMetadata->getString('entityid');
-            }
-
             if ($nameIdFormat === Constants::NAMEID_TRANSIENT) {
                 // generate a random id
                 $nameIdValue = $randomUtils->generateID();
-            } else {
-                /* this code will end up generating either a fixed assigned id (via nameid.attribute)
-                   or random id if not assigned/configured */
-                $nameIdValue = self::generateNameIdValue($idpMetadata, $spMetadata, $state);
-                if ($nameIdValue === null) {
-                    Logger::warning('Falling back to transient NameID.');
-                    $nameIdFormat = Constants::NAMEID_TRANSIENT;
-                    $nameIdValue = $randomUtils->generateID();
-                }
+            }
+
+            $spNameQualifier = $spMetadata->getOptionalString('SPNameQualifier', null);
+            if ($spNameQualifier === null) {
+                $spNameQualifier = $spMetadata->getString('entityid');
             }
 
             $nameId = new NameID();