diff --git a/modules/core/lib/Auth/Process/TargetedID.php b/modules/core/lib/Auth/Process/TargetedID.php
index 3852d63dd30060ddd9592ea747cb8045be0d0869..af1f99a574345672b131275f13beeba8da711bfe 100644
--- a/modules/core/lib/Auth/Process/TargetedID.php
+++ b/modules/core/lib/Auth/Process/TargetedID.php
@@ -39,6 +39,14 @@ class sspmod_core_Auth_Process_TargetedID extends SimpleSAML_Auth_ProcessingFilt
 	private $attribute = NULL;
+	/**
+	 * Whether the attribute should be generated as a NameID value, or as a simple string.
+	 *
+	 * @var boolean
+	 */
+	private $generateNameId = FALSE;
+
+
 	/**
 	 * Initialize this filter.
 	 *
@@ -56,6 +64,13 @@ class sspmod_core_Auth_Process_TargetedID extends SimpleSAML_Auth_ProcessingFilt
 				throw new Exception('Invalid attribute name given to core:TargetedID filter.');
 			}
 		}
+
+		if (array_key_exists('nameId', $config)) {
+			$this->generateNameId = $config['nameId'];
+			if (!is_bool($this->generateNameId)) {
+				throw new Exception('Invalid value of \'nameId\'-option to core:TargetedID filter.');
+			}
+		}
 	}
@@ -106,7 +121,31 @@ class sspmod_core_Auth_Process_TargetedID extends SimpleSAML_Auth_ProcessingFilt
 		$uidData .= strlen($userID) . ':' . $userID;
 		$uidData .= $secretSalt;
-		$state['Attributes']['eduPersonTargetedID'] = array(hash('sha1', $uidData));
+		$uid = hash('sha1', $uidData);
+
+		if ($this->generateNameId) {
+			/* Convert the targeted ID to a SAML 2.0 name identifier element. */
+			$nameId = array(
+				'Format' => SAML2_Const::NAMEID_PERSISTENT,
+				'Value' => $uid,
+			);
+
+			if (isset($state['Source']['entityid'])) {
+				$nameId['NameQualifier'] = $state['Source']['entityid'];
+			}
+			if (isset($state['Destination']['entityid'])) {
+				$nameId['SPNameQualifier'] = $state['Source']['entityid'];
+			}
+
+			$doc = new DOMDocument();
+			$root = $doc->createElement('root');
+			$doc->appendChild($root);
+
+			SAML2_Utils::addNameId($root, $nameId);
+			$uid = $root->childNodes;
+		}
+
+		$state['Attributes']['eduPersonTargetedID'] = array($uid);
 	}
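Review bot: In the second hunk the `nameId` option is stored on `$this->generateNameId` before it is validated, so the is_bool check runs on the property rather than on the input and a caller that catches the exception is left with a filter whose property is no longer a boolean. Checking the configuration value first keeps the property's documented type intact: `if (!is_bool($config['nameId'])) { throw new Exception('Invalid value of \'nameId\'-option to core:TargetedID filter.'); }` followed by `$this->generateNameId = $config['nameId'];`. The constructor this code belongs to begins before the hunk.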
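Review bot: In the third hunk, `$nameId['SPNameQualifier'] = $state['Source']['entityid'];` sits inside the `isset($state['Destination']['entityid'])` branch but copies the source entity ID, so the emitted persistent NameID carries the IdP's entityID in both qualifiers and never names the SP the identifier was generated for; the line should read `$nameId['SPNameQualifier'] = $state['Destination']['entityid'];`. An SP that checks SPNameQualifier against its own entityID will reject or mis-scope the identifier, which defeats the targeting the filter is meant to provide. `$uid = $root->childNodes;` also places a DOMNodeList rather than a string into the attribute array; presumably the attribute encoder accepts DOM nodes, but a short comment such as `/* DOMNodeList: serialised as XML by the attribute encoder */` would make that dependency explicit. The enclosing process() method starts before the hunk.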