From eda9c9369f9b28c115a4bd599809643422d79120 Mon Sep 17 00:00:00 2001
From: Hans Zandbelt <hans.zandbelt@surfnet.nl>
Date: Thu, 30 Oct 2008 10:22:46 +0000
Subject: [PATCH] increase support for persistent name identifiers: for now
 only based on a specified attribute value (like e-mail nameid format)

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@955 44740490-163a-0410-bde0-09ae8108e29a
---
 lib/SimpleSAML/XML/SAML20/AuthnResponse.php | 9 +++++++--
 metadata-templates/saml20-sp-remote.php     | 2 +-
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
index 57b33a27d..48c98a2a4 100644
--- a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
@@ -14,6 +14,7 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 	const PROTOCOL = 'urn:oasis:names:tc:SAML:2.0';
 	
 	const TRANSIENT 	= 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient';
+	const PERSISTENT 	= 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent';
 	const EMAIL 		= 'urn:oasis:names:tc:SAML:2.0:nameid-format:email';
 
 	/* Namespaces used in the XML representation of this object.
@@ -682,7 +683,7 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 		/**
 		 * Handling NameID
 		 */
-		if ($nameidformat == self::EMAIL) {
+		if ( ($nameidformat == self::EMAIL) or ($nameidformat == self::PERSISTENT) ) {
 			$nameIdValue = $attributes[$spmd['simplesaml.nameidattribute']][0];
 		} else {
 			$nameIdValue = SimpleSAML_Utilities::generateID();
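Review bot: The new branch indexes `$attributes[$spmd['simplesaml.nameidattribute']][0]` without first checking that the configured attribute is present, so a missing or empty attribute only raises PHP notices here and the resulting null is not detected until the NameID builder further down throws; the error is easier to diagnose at the point of origin. A guard such as `$nameIdAttr = $spmd['simplesaml.nameidattribute'];` followed by `if (!isset($attributes[$nameIdAttr][0])) { throw new Exception('Attribute configured as simplesaml.nameidattribute (' . $nameIdAttr . ') was not found in the user attributes.'); }` before the assignment would make the failure explicit. The comparison on the new line also uses `==` and `or`; `===` and `||` are the safer forms for string constants. The enclosing method starts and ends outside this hunk.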
@@ -753,13 +754,17 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 		if (!empty($spnamequalifier)) {
 			$spnamequalifiertext = ' SPNameQualifier="' . htmlspecialchars($spnamequalifier) . '"';
 		}
+
+		if ($value == null) {
+			throw new Exception("NameID value is empty probably because of a configuration error (ie. the attribute that was configured as the simplesaml.nameidattribute setting was not found).");
+		}
 		
 		if ($type == self::EMAIL) {
 			return '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"' . 
 				$spnamequalifiertext . '>' . htmlspecialchars($value) . '</saml:NameID>';
 
 		} else {
-			return '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"' . 
+			return '<saml:NameID Format="' . $type . '"' . 
 				$spnamequalifiertext. '>' . htmlspecialchars($value). '</saml:NameID>';
 		}
 		
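Review bot: The added `if ($value == null)` check uses loose comparison, so an attribute value of `'0'` compares equal to null and is rejected as "empty"; `$value === null || $value === ''` expresses the intended check without that false positive. Separately, the rewritten `else` branch now writes `$type` into the `Format` attribute unescaped and accepts any string, whereas the same lines escape `$spnamequalifier` and `$value` and the previous code emitted a fixed transient format; `$type` should be restricted to the formats this class defines (TRANSIENT/PERSISTENT) and passed through `htmlspecialchars` like its neighbours, with an exception for anything else. The enclosing method starts before this hunk.

```php
		if ($value === null || $value === '') {
			throw new Exception("NameID value is empty probably because of a configuration error (ie. the attribute that was configured as the simplesaml.nameidattribute setting was not found).");
		}

		if ($type == self::EMAIL) {
			// … unchanged: emailAddress NameID …
		} elseif ($type == self::TRANSIENT || $type == self::PERSISTENT) {
			return '<saml:NameID Format="' . htmlspecialchars($type) . '"' .
				$spnamequalifiertext . '>' . htmlspecialchars($value) . '</saml:NameID>';
		} else {
			throw new Exception('Unsupported NameID format: ' . $type);
		}
```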
diff --git a/metadata-templates/saml20-sp-remote.php b/metadata-templates/saml20-sp-remote.php
index 76f0039a9..8ff768f10 100644
--- a/metadata-templates/saml20-sp-remote.php
+++ b/metadata-templates/saml20-sp-remote.php
@@ -13,7 +13,7 @@
  *   - simplesaml.attributes (Will you send an attributestatement [true/false])
  *   - NameIDFormat
  *   - ForceAuthn (default: "false")
- *   - simplesaml.nameidattribute (only needed when you are using NameID format email.
+ *   - simplesaml.nameidattribute (only needed when you are using NameID format email or persistent).
  *
  *   - 'base64attributes'	=>	false,
  *   - 'simplesaml.attributes'	=>	true,
-- 
GitLab