From d66c342dd4ea92d5d03ee256c77630cfe4eef838 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Tue, 1 Jun 2010 12:34:25 +0000
Subject: [PATCH] saml: Obey the NameIDFormat from the AuthnRequest.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2338 44740490-163a-0410-bde0-09ae8108e29a
---
 modules/saml/lib/IdP/SAML2.php | 14 ++++++++++++++
 modules/saml2/lib/Message.php  | 11 ++++++++++-
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/modules/saml/lib/IdP/SAML2.php b/modules/saml/lib/IdP/SAML2.php
index 23696bf28..d3ae2037a 100644
--- a/modules/saml/lib/IdP/SAML2.php
+++ b/modules/saml/lib/IdP/SAML2.php
@@ -180,6 +180,13 @@ class sspmod_saml_IdP_SAML2 {
 			} else {
 				$protocolBinding = NULL;
 			}
+
+			if (isset($_REQUEST['NameIDFormat'])) {
+				$nameIDFormat = (string)$_REQUEST['NameIDFormat'];
+			} else {
+				$nameIDFormat = NULL;
+			}
+
 			$requestId = NULL;
 			$IDPList = array();
 			$forceAuthn = FALSE;
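Review bot: The added `$_REQUEST['NameIDFormat']` read takes the value from any GET, POST or cookie parameter and forwards it unchecked; the only thing that stops an arbitrary string from being used is the later fallback in sspmod_saml2_Message, which quietly substitutes the metadata default. If the other unsolicited-request parameters in this branch are read from a narrower superglobal (not visible in the hunk), this one should match, and the intent should be written down next to it, e.g. `/* Optional hint for the unsolicited request; formats the IdP cannot issue fall back to the configured default. */`. The enclosing method starts and ends outside this hunk.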
@@ -253,6 +260,12 @@ class sspmod_saml_IdP_SAML2 {
 			$consumerURL = $request->getAssertionConsumerServiceURL();
 			$protocolBinding = $request->getProtocolBinding();
 
+			$nameIdPolicy = $request->getNameIdPolicy();
+			if (isset($nameIdPolicy['Format'])) {
+				$nameIDFormat = $nameIdPolicy['Format'];
+			} else {
+				$nameIDFormat = NULL;
+			}
 			SimpleSAML_Logger::info('SAML2.0 - IdP.SSOService: Incomming Authentication request: '. var_export($spEntityId, TRUE));
 		}
 
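Review bot: `$nameIdPolicy['Format']` is copied verbatim, but SAML 2.0 Core defines `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified` as "the IdP may choose", so treating it as a literal key only works because the consumer later fails to find it and falls back. Mapping that value to NULL here makes the intent explicit: `if (isset($nameIdPolicy['Format']) && $nameIdPolicy['Format'] !== 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified') {`. The enclosing method starts and ends outside this hunk.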
@@ -324,6 +337,7 @@ class sspmod_saml_IdP_SAML2 {
 			'isPassive' => $isPassive,
 			'saml:ConsumerURL' => $consumerURL,
 			'saml:Binding' => $protocolBinding,
+			'saml:NameIDFormat' => $nameIDFormat,
 		);
 
 		$idp->handleAuthenticationRequest($state);
diff --git a/modules/saml2/lib/Message.php b/modules/saml2/lib/Message.php
index ea29b2316..a5b1b349a 100644
--- a/modules/saml2/lib/Message.php
+++ b/modules/saml2/lib/Message.php
@@ -617,7 +617,16 @@ class sspmod_saml2_Message {
 
 		/* Generate the NameID for the assertion. */
 
-		$nameIdFormat = $dstMetadata->getString('NameIDFormat', 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient');
+		if (isset($state['saml:NameIDFormat'])) {
+			$nameIdFormat = $state['saml:NameIDFormat'];
+		} else {
+			$nameIdFormat = NULL;
+		}
+
+		if ($nameIdFormat === NULL || !isset($state['saml:NameID'][$nameIdFormat])) {
+			/* Either not set in request, or not set to a format we supply. Fall back to old generation method. */
+			$nameIdFormat = $dstMetadata->getString('NameIDFormat', 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient');
+		}
 
 		if (isset($state['saml:NameID'][$nameIdFormat])) {
 			$nameId = $state['saml:NameID'][$nameIdFormat];
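Review bot: The fallback on the `$nameIdFormat === NULL || !isset(...)` branch silently replaces a requested format the IdP cannot supply, whereas SAML 2.0 Core's NameIDPolicy processing rules say the IdP should answer with a Responder status and the second-level code `urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy`. If the silent fallback is the intended behaviour for now, it should at least be observable: `SimpleSAML_Logger::warning('Requested NameIDFormat ' . var_export($nameIdFormat, TRUE) . ' not available, falling back to configured default.');` inside that branch, and the comment should name the consequence rather than "old generation method", e.g. `/* Requested format absent or not one we can issue; use the format from SP metadata (default transient). */`. The enclosing method starts and ends outside this hunk.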
-- 
GitLab