diff --git a/docs/source/simplesamlphp-idp.xml b/docs/source/simplesamlphp-idp.xml
index 53c800442d1c0e5528ec9eb989ab521ad01ac6dd..34bff2640a95c1f620af508570f99cbdc9dbc0bc 100644
--- a/docs/source/simplesamlphp-idp.xml
+++ b/docs/source/simplesamlphp-idp.xml
@@ -378,26 +378,75 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt <glossdef> <para>The attribute name of an attribute which uniquely identifies the user. This attribute is used if simpleSAMLphp - needs to generate a persistent unique identifier for the - user. This option can be set in both the IdP-hosted and the - SP-remote metadata. The value in the sp-remote metadata has the - highest priority. The default value is + needs to generate a persistent unique identifier for the user. + This option can be set in both the IdP-hosted and the SP-remote + metadata. The value in the sp-remote metadata has the highest + priority. The default value is <literal>eduPersonPrincipalName</literal>.</para> </glossdef> </glossentry> + <glossentry> + <glossterm>AttributeNameFormat</glossterm> + + <glossdef> + <para>What value will be set in the Format field of attribute + statements. This parameter can be configured multiple places, + and the actual value used is fetched from metadata by the + following priority:</para> + + <orderedlist> + <listitem> + <para>SP Remote Metadata</para> + </listitem> + + <listitem> + <para>IdP Hosted Metadata</para> + </listitem> + + <listitem> + <para>Default value: + <literal>urn:oasis:names:tc:SAML:2.0:attrname-format:basic</literal></para> + </listitem> + </orderedlist> + + <para>Some examples of values specified in the SAML 2.0 Core + Specification:</para> + + <itemizedlist> + <listitem> + <para><literal>urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified</literal></para> + </listitem> + + <listitem> + <para><literal>urn:oasis:names:tc:SAML:2.0:attrname-format:uri</literal> + (Used as default in Shibboleth 2.0)</para> + </listitem> + + <listitem> + <para><literal>urn:oasis:names:tc:SAML:2.0:attrname-format:basic</literal> + (Used as default in Sun Access Manager)</para> + </listitem> + + <listitem> + <para>You can define your own value.</para> + </listitem> + </itemizedlist> + </glossdef> + </glossentry> + 
<glossentry> <glossterm>SingleSignOnService</glossterm> <glossdef> - <para>Override the default URL for the SingleSignOnService - for this IdP. This is an absolute URL. The default value is + <para>Override the default URL for the SingleSignOnService for + this IdP. This is an absolute URL. The default value is <literal><simpleSAMLphp-root>/saml2/idp/SSOService.php</literal></para> <para>Note that this only changes the values in the generated metadata and in the messages sent to others. You must also - configure your webserver to deliver this URL to the correct - PHP page.</para> + configure your webserver to deliver this URL to the correct PHP + page.</para> </glossdef> </glossentry>
@@ -405,14 +454,14 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt <glossterm>SingleLogoutService</glossterm> <glossdef> - <para>Override the default URL for the SingleLogoutService - for this IdP. This is an absolute URL. The default value is + <para>Override the default URL for the SingleLogoutService for + this IdP. This is an absolute URL. The default value is <literal><simpleSAMLphp-root>/saml2/idp/SingleLogoutService.php</literal></para> <para>Note that this only changes the values in the generated metadata and in the messages sent to others. You must also - configure your webserver to deliver this URL to the correct - PHP page.</para> + configure your webserver to deliver this URL to the correct PHP + page.</para> </glossdef> </glossentry> </glosslist>
@@ -521,6 +570,55 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt </glossdef> </glossentry> + <glossentry> + <glossterm>AttributeNameFormat</glossterm> + + <glossdef> + <para>What value will be set in the Format field of attribute + statements. This parameter can be configured multiple places, + and the actual value used is fetched from metadata by the + following priority:</para> + + <orderedlist> + <listitem> + <para>SP Remote Metadata</para> + </listitem> + + <listitem> + <para>IdP Hosted Metadata</para> + </listitem> + + <listitem> + <para>Default value: + <literal>urn:oasis:names:tc:SAML:2.0:attrname-format:basic</literal></para> + </listitem> + </orderedlist> + + <para>Some examples of values specified in the SAML 2.0 Core + Specification:</para> + + <itemizedlist> + <listitem> + <para><literal>urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified</literal></para> + </listitem> + + <listitem> + <para><literal>urn:oasis:names:tc:SAML:2.0:attrname-format:uri</literal> + (Used as default in Shibboleth 2.0)</para> + </listitem> + + <listitem> + <para><literal>urn:oasis:names:tc:SAML:2.0:attrname-format:basic</literal> + (Used as default in Sun Access Manager)</para> + </listitem> + + <listitem> + <para>You can define your own value.</para> + </listitem> + </itemizedlist> + </glossdef> + </glossentry> + <glossentry> <glossterm>base64attributes</glossterm> 
@@ -656,10 +754,10 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt <glossdef> <para>The attribute name of an attribute which uniquely identifies the user. This attribute is used if simpleSAMLphp - needs to generate a persistent unique identifier for the - user. This option can be set in both the IdP-hosted and the - SP-remote metadata. The value in the sp-remote metadata has the - highest priority. The default value is + needs to generate a persistent unique identifier for the user. + This option can be set in both the IdP-hosted and the SP-remote + metadata. The value in the sp-remote metadata has the highest + priority. The default value is <literal>eduPersonPrincipalName</literal>.</para> </glossdef> </glossentry>
diff --git a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
index 5bc4e0520af401e5454f183e82a5db33c41e320f..94818d51be6d68c0a45d637f3614cd71fd04e6fe 100644
--- a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
@@ -599,9 +599,17 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 $nameidformat = isset($spmd['NameIDFormat']) ? $spmd['NameIDFormat'] : 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient';
 $spnamequalifier = isset($spmd['SPNameQualifier']) ? $spmd['SPNameQualifier'] : $spmd['entityid'];
+ // Attribute Name Format handling. Priority is 1) SP metadata 2) IdP metadata 3) default setting
+ $attributeNameFormat = 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic';
+ if (isset($spmd['AttributeNameFormat']))
+ $attributeNameFormat = $spmd['AttributeNameFormat'];
+ elseif (isset($idpmd['AttributeNameFormat']))
+ $attributeNameFormat = $idpmd['AttributeNameFormat'];
+
+
 $encodedattributes = '';
 foreach ($attributes AS $name => $values) {
- $encodedattributes .= self::enc_attribute($name, $values, $base64);
+ $encodedattributes .= self::enc_attribute($name, $values, $base64, $attributeNameFormat);
 }
 $attributestatement = '<saml:AttributeStatement>' . $encodedattributes . '</saml:AttributeStatement>';
@@ -611,6 +619,7 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 $attributestatement = '';
+
 /**
 * Handling NameID
 */
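Review bot: The `if`/`elseif` chain that selects `$attributeNameFormat` has no braces, so any statement later added under either branch silently falls outside the conditional; the `$xsiType` check in the second hunk of this file has the same shape. The priority order reads more clearly as one expression in the style of the `$nameidformat` line just above it: `$attributeNameFormat = isset($spmd['AttributeNameFormat']) ? $spmd['AttributeNameFormat'] : (isset($idpmd['AttributeNameFormat']) ? $idpmd['AttributeNameFormat'] : 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic');`. `$idpmd` is not assigned anywhere in this hunk, so its presence is assumed from the enclosing method, which begins before the hunk. The two consecutive blank lines added after the chain are also one more than the surrounding code uses.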
@@ -702,14 +711,16 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 * @param $name Name of this attribute.
 * @param $values Array with the values of this attribute.
 * @param $base64 Enable base64 encoding of attribute values.
+ * @param $attributeNameFormat Which attribute name format to use. (See SAML 2.0 Spec for details)
 *
 * @return String containing the encoded saml:attribute value for this
 * attribute.
 */
- private static function enc_attribute($name, $values, $base64 = false) {
+ private static function enc_attribute($name, $values, $base64 = false, $attributeNameFormat) {
 assert(is_array($values));
- $ret = '<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="' . htmlspecialchars($name) . '">';
+ // Default: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
+ $ret = '<saml:Attribute NameFormat="' . htmlspecialchars($attributeNameFormat) . '" Name="' . htmlspecialchars($name) . '">';
 foreach($values as $value) {
 if($base64) {
@@ -717,9 +728,13 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 } else {
 $text = htmlspecialchars($value);
 }
+
+ $xsiType = '';
+ if ($attributeNameFormat == 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic')
+ $xsiType = ' xsi:type="xs:string"';
+
- $ret .= '<saml:AttributeValue xsi:type="xs:string">' .
- $text . '</saml:AttributeValue>';
+ $ret .= '<saml:AttributeValue' . $xsiType . '>' . $text . '</saml:AttributeValue>';
 }
 $ret .= '</saml:Attribute>';
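Review bot: The new `$attributeNameFormat` parameter is declared after `$base64 = false` without a default, so the `= false` default can no longer be used: any caller that still passes three arguments now fails with a missing-argument error, and PHP treats an optional parameter followed by a required one as effectively required (later releases deprecate the form). Giving it the same default the caller starts from keeps old call sites working: `private static function enc_attribute($name, $values, $base64 = false, $attributeNameFormat = 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic') {`. The `// Default: urn:oasis:names:tc:SAML:2.0:attrname-format:basic` comment placed above `$ret =` describes nothing that happens on that line, since no default is applied there; it belongs on the signature (or in the `@param` docblock line) rather than next to the string concatenation. The body of `enc_attribute` continues past this hunk.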
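Review bot: The `xsi:type="xs:string"` declaration is now emitted only when `$attributeNameFormat` equals the basic URI, which couples the value's declared type to the attribute's NameFormat; in SAML 2.0 Core those are independent (NameFormat governs how `Name` is interpreted, `xsi:type` describes the value), so attributes using the `uri` or `unspecified` formats silently lose their type declaration and a relying party may treat the value differently. If the omission is intentional for Shibboleth interoperability, that should be said in a comment on the `$xsiType` assignment. The comparison should also be strict and braced: `if ($attributeNameFormat === 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic') {` followed by `$xsiType = ' xsi:type="xs:string"';` and `}`, since `==` against a string applies loose conversion to whatever the metadata supplied. The check sits inside the `foreach` over `$values` (whose start is outside this hunk) and recomputes the same result per value; it could be hoisted above the loop once.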