From 75a62121c4254fb3e615dba34bbfb11eb6523f11 Mon Sep 17 00:00:00 2001
From: briskt <3172830+briskt@users.noreply.github.com>
Date: Mon, 17 Jun 2024 16:54:39 +0800
Subject: [PATCH] NameIDPolicy must now be an array [skip ci]

---
 .../sp-local/config/authsources-pwmanager.php | 10 ++++++++--
 development/sp-local/config/authsources.php | 12 +++++++++---
 docs/editing_authprocs.md | 7 ++++++-
 modules/sildisco/src/Auth/Process/AddIdp2NameId.php | 5 ++++-
 4 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/development/sp-local/config/authsources-pwmanager.php b/development/sp-local/config/authsources-pwmanager.php
index 80aee9c9..3b0b4b62 100644
--- a/development/sp-local/config/authsources-pwmanager.php
+++ b/development/sp-local/config/authsources-pwmanager.php
@@ -15,7 +15,10 @@
 'entityID' => 'http://pwmanager.local:8084',
 'idp' => 'http://ssp-idp1.local:8085',
 'discoURL' => null,
- 'NameIDPolicy' => "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
+ 'NameIDPolicy' => [
+ 'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
+ 'AllowCreate' => true,
+ ],
 ],
 
 'mfa-idp-no-port' => [
@@ -23,6 +26,9 @@
 'entityID' => 'http://pwmanager.local',
 'idp' => 'http://ssp-idp1.local',
 'discoURL' => null,
- 'NameIDPolicy' => "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
+ 'NameIDPolicy' => [
+ 'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
+ 'AllowCreate' => true,
+ ],
 ],
 ];
diff --git a/development/sp-local/config/authsources.php b/development/sp-local/config/authsources.php
index def226f1..a6d91c06 100644
--- a/development/sp-local/config/authsources.php
+++ b/development/sp-local/config/authsources.php
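Review bot: The added `'AllowCreate' => true` changes what the SP asks of the IdP, not just the shape of the setting: the removed string form only fixed the NameID format, while the new array additionally tells the IdP it may mint a persistent identifier for a subject that has none yet, and neither the commit message nor a comment records that this is intended rather than copied from an example. A one-line comment above the key would make the choice reviewable, e.g. `// AllowCreate lets the IdP issue a new persistent NameID to first-time users; drop it if only pre-existing identifiers must be accepted`. These are presumably development-only authsources, so the exposure is limited, but the same snippet is reproduced in docs/editing_authprocs.md as the recommended setting. The same applies to the second hunk of this file and to both hunks of development/sp-local/config/authsources.php.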
@@ -29,8 +29,11 @@
 'discoURL' => null,
 // Tell the Hub which format to use for the NameID
- 'NameIDPolicy' => "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
-
+ 'NameIDPolicy' => [
+ 'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
+ 'AllowCreate' => true,
+ ],
+
 // Specify what private key to use (such as for decrypting assertions).
 'privatekey' => 'ssp-hub-sp1.pem',
 ],
@@ -51,7 +54,10 @@
 'discoURL' => null,
 // Tell the Hub which format to use for the NameID
- 'NameIDPolicy' => "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
+ 'NameIDPolicy' => [
+ 'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
+ 'AllowCreate' => true,
+ ],
 // Specify what private key to use (such as for decrypting assertions).
 'privatekey' => 'ssp-hub-sp1.pem',
diff --git a/docs/editing_authprocs.md b/docs/editing_authprocs.md
index 42a62368..88013fa8 100644
--- a/docs/editing_authprocs.md
+++ b/docs/editing_authprocs.md
@@ -16,7 +16,12 @@ The IdP's metadata needs to include an `'IDPNamespace'` entry with a string valu
 In order for this to work, the SP needs to include a line in its authsources.php file in the Hub's entry ...
-` 'NameIDPolicy' => "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",`
+```
+ 'NameIDPolicy' => [
+ 'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
+ 'AllowCreate' => true,
+ ],
+```
 In addition, the IDP's sp-remote metadata stanza for the Hub needs to include ...
diff --git a/modules/sildisco/src/Auth/Process/AddIdp2NameId.php b/modules/sildisco/src/Auth/Process/AddIdp2NameId.php
index 3516881d..583a5db5 100644
--- a/modules/sildisco/src/Auth/Process/AddIdp2NameId.php
+++ b/modules/sildisco/src/Auth/Process/AddIdp2NameId.php
@@ -11,7 +11,10 @@
 *
 * Also, for this to work, the SP needs to include a line in its
 * authsources.php file in the IdP's entry ...
- * 'NameIDPolicy' => "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
+ * 'NameIDPolicy' => [
+ * 'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
+ * 'AllowCreate' => true,
+ * ],
 *
 */
 class AddIdp2NameId extends \SimpleSAML\Auth\ProcessingFilter {
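Review bot: The rewritten docblock reproduces the new config snippet but still does not say why the SP-side setting matters to this filter, so a reader cannot tell whether `'AllowCreate' => true` is something the filter depends on or was simply copied along with the `Format` key. The class name and the `IDPNamespace` reference in docs/editing_authprocs.md suggest the filter rewrites a persistent NameID, but its body lies outside the hunk, so that is inferred. Suggest one line after the snippet, e.g. ` * AllowCreate lets the IdP issue a persistent NameID to a subject that has none yet (confirm whether this filter relies on it).` The class AddIdp2NameId opens on the hunk's last line and continues beyond it.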