diff --git a/modules/core/docs/authproc_php.md b/modules/core/docs/authproc_php.md index 66968eda1a7b9853c2a3b9eafacb784cd7e0d79b..b913d8fe6d242d613b82afe2d1728ac409c5b174 100644 --- a/modules/core/docs/authproc_php.md +++ b/modules/core/docs/authproc_php.md @@ -1,7 +1,7 @@ `core:PHP` ========== -This is a filter which makes it possible to run arbitrary PHP code to modify the attributes of an user. +This is a filter which makes it possible to run arbitrary PHP code to modify the attributes or state of an user. Parameters ---------- @@ -11,8 +11,14 @@ Parameters It must be `'core:PHP'`. `code` -: The PHP code that should be run. This code will have only one variable available: `$attributes`. +: The PHP code that should be run. This code will have two variables available: + +* `$attributes`. This is an associative array of attributes, and can be modified to add or remove attributes. + +* `$state`. + This is an associative array of request state. It can be modified to adjust data related to the authentication + such as desired NameId, requested Attributes, authnContextRef and many more. Examples -------- @@ -43,3 +49,10 @@ Create a random number variable: ); ', ), + +Force a specific NameIdFormat. Useful if an SP misbehaves and requests (or publishes) an incorrect NameId + + 90 => array( + 'class' => 'core:PHP', + 'code' => '$state["saml:NameIDFormat"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient";' + ), \ No newline at end of file diff --git a/modules/core/lib/Auth/Process/PHP.php b/modules/core/lib/Auth/Process/PHP.php index f3c9a293eefecbdca16227ea71724cbfcf827f92..064f86bc45977e6273d80b9cdf9d2853e1ec5a22 100644 --- a/modules/core/lib/Auth/Process/PHP.php +++ b/modules/core/lib/Auth/Process/PHP.php 
@@ -49,9 +49,9 @@ class PHP extends \SimpleSAML\Auth\ProcessingFilter assert(is_array($request)); assert(array_key_exists('Attributes', $request)); - $function = function (/** @scrutinizer ignore-unused */ &$attributes) { + $function = function (/** @scrutinizer ignore-unused */ &$attributes, &$state) { eval($this->code); }; - $function($request['Attributes']); + $function($request['Attributes'], $request); } } diff --git a/tests/modules/core/lib/Auth/Process/PHPTest.php b/tests/modules/core/lib/Auth/Process/PHPTest.php index c7331397389ddb73748e6a2b78bab8e243ad6f03..e4af7e57c399e376a5c7f24366f7d32985c47945 100644 --- a/tests/modules/core/lib/Auth/Process/PHPTest.php +++ b/tests/modules/core/lib/Auth/Process/PHPTest.php @@ -111,4 +111,42 @@ class Test_Core_Auth_Process_PHP extends TestCase ); $this->processFilter($config, $request); } + + /** + * Check that the entire state can be adjusted. + */ + public function testStateCanBeModified() + { + + $config = array( + 'code' => ' + $attributes["orig2"] = array("value0"); + $state["newKey"] = ["newValue"]; + $state["Destination"]["attributes"][] = "givenName"; + ', + ); + $request = array( + 'Attributes' => array( + 'orig1' => array('value1', 'value2'), + 'orig2' => array('value3'), + 'orig3' => array('value4') + ), + 'Destination' => [ + 'attributes' => ['eduPersonPrincipalName'] + ], + ); + $expected = array( + 'Attributes' => array( + 'orig1' => array('value1', 'value2'), + 'orig2' => array('value0'), + 'orig3' => array('value4') + ), + 'Destination' => [ + 'attributes' => ['eduPersonPrincipalName', 'givenName'] + ], + 'newKey' => ['newValue'] + ); + + $this->assertEquals($expected, $this->processFilter($config, $request)); + } }
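Review bot: `$state` and `$attributes` alias the same data once the new call `$function($request['Attributes'], $request);` passes the whole request by reference as `$state` and its `Attributes` element by reference as `$attributes`, and the hunk neither documents nor tests what happens when a snippet writes to both `$state['Attributes']` and `$attributes` (an `unset($state['Attributes'])` would presumably also detach the two). I would add a comment above the closure: `// $state is the whole request by reference; $state['Attributes'] and $attributes point at the same element, so write attributes through one of them only.` The `/** @scrutinizer ignore-unused */` annotation is kept on `&$attributes` alone, while the added `&$state` is likewise only referenced from inside eval() and presumably needs the same annotation. Because `$state` now hands the snippet write access to every key of the authentication state (for example `Destination`), the existing caveat that `code` is trusted administrator configuration and that eval() must never see user-controlled input belongs in a comment here too, even though eval() already gave the snippet unrestricted access before this change. The enclosing method starts above the hunk.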
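Review bot: testStateCanBeModified never exercises the overlap between `$state['Attributes']` and `$attributes`: its snippet writes `$attributes["orig2"]` plus two non-attribute keys of `$state`, so it passes whether or not a write to `$state["Attributes"]` is reflected in the returned request, and says nothing about which wins when both are set. I would add a second case whose code is `$state["Attributes"]["fromState"] = ["x"]; $attributes["fromAttr"] = ["y"];` and assert that both keys are present in the result's `Attributes`, since that is the behaviour the new `$state` parameter makes possible and the documentation hunk now advertises. The blank line directly after the opening `{` of the method and the mix of `array()` and `[]` inside the fixture are minor style points against the surrounding file. The hunk opens inside the previous test method.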