author | Jaime Pérez <jaime.perez@uninett.no> | 2016-12-12 12:21:31 +0100 |
---|---|---|
committer | Jaime Pérez <jaime.perez@uninett.no> | 2016-12-12 12:21:31 +0100 |
commit | a890b60438d4c8bcdcfd770361aedbbe64ad4c74 (patch) | |
tree | 36bdd97114e6f6aa30b4a8098e3e2f49b043e521 | |
parent | baba857afb874d8d6cac0fd8e976ff2859a6cd60 (diff) | |
bugfix: Make sure a persistent NameID is not generated by default when the UserID is missing in the state array.
This allowed misconfigured IdPs (i.e. those with no PersistentNameID authproc filter, no “userid.attribute” configuration option and no “eduPersonPrincipalName” attribute available after running all the authentication processing filters) to generate a persistent NameID based on “null”, effectively giving all users the same identifier.
-rw-r--r-- | modules/saml/lib/IdP/SAML2.php | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/modules/saml/lib/IdP/SAML2.php b/modules/saml/lib/IdP/SAML2.php
index 92e5363..e8521ef 100644
--- a/modules/saml/lib/IdP/SAML2.php
+++ b/modules/saml/lib/IdP/SAML2.php
@@ -680,6 +680,7 @@ class sspmod_saml_IdP_SAML2
 if ($attribute === null) {
 if (!isset($state['UserID'])) {
 SimpleSAML\Logger::error('Unable to generate NameID. Check the userid.attribute option.');
+ return null;
 }
 $attributeValue = $state['UserID'];
 $idpEntityId = $idpMetadata->getString('entityid'); |
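Review bot: The guard around the new `return null;` relies on `isset($state['UserID'])`, which is still true for an empty string, so an empty UserID would pass it and be hashed into one shared persistent NameID, the same collision this commit closes for null. If an empty value can reach the state array (not visible from this hunk), the condition could be `if (!isset($state['UserID']) || $state['UserID'] === '') {`. The enclosing function starts and ends outside the hunk, so its callers should be checked to confirm they treat a null return as "no NameID" rather than emitting an empty one. A short comment above the return, such as `// never derive a persistent NameID from a missing user ID: every user would share it`, would record why the early exit matters.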