Commit 90dca83
bugfix: Make sure a persistent NameID is not generated by default when the UserID is missing in the state array.
This allowed misconfigured IdPs (i.e. those without both a PersistentNameID authproc filter, a “userid.attribute” configuration option and no “eduPersonPrincipalName” attribute available after running all the authentication processing filters) to generate a persistent NameID based on “null”, effectively giving all users the same identifier.
1 parent 300d8aa commit 90dca83
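As an added illustration of the failure mode the commit message describes, here is a Python model of generateNameIdValue before and after the guard; it is not SimpleSAMLphp's own code (which is PHP), and the hash derivation, entity IDs and state arrays are constructed assumptions.

```python
import hashlib
import logging
from typing import Callable, Dict, List, Optional

# Constructed sample values: the issuing IdP and the SP the NameID is meant for.
IDP_ENTITY_ID = "https://idp.example.org/saml2/idp/metadata.php"
SP_ENTITY_ID = "https://sp.example.com/saml2/sp/metadata"


def derive_persistent_id(idp_entity_id: str, sp_entity_id: str, user_id: str) -> str:
    """Assumed derivation for illustration: a hash over IdP, SP and user identifier."""
    material = f"{idp_entity_id}|{sp_entity_id}|{user_id}".encode()
    return hashlib.sha256(material).hexdigest()


def generate_name_id_value_buggy(state: Dict) -> str:
    """Pre-fix flow: the error is logged, but execution falls through."""
    user_id = state.get("UserID")
    if user_id is None:
        logging.error("Unable to generate NameID. Check the userid.attribute option.")
    # PHP coerces null to "" in string concatenation, so every user without a
    # UserID feeds the same input to the derivation and gets the same NameID.
    return derive_persistent_id(IDP_ENTITY_ID, SP_ENTITY_ID, user_id or "")


def generate_name_id_value_fixed(state: Dict) -> Optional[str]:
    """Post-fix flow: no UserID means no NameID (the added `return NULL`)."""
    user_id = state.get("UserID")
    if user_id is None:
        logging.error("Unable to generate NameID. Check the userid.attribute option.")
        return None
    return derive_persistent_id(IDP_ENTITY_ID, SP_ENTITY_ID, user_id)


def name_ids_collide(generate: Callable[[Dict], Optional[str]], states: List[Dict]) -> bool:
    """True if two different sessions receive the same non-empty NameID."""
    issued = [v for v in (generate(s) for s in states) if v is not None]
    return len(issued) != len(set(issued))


if __name__ == "__main__":
    # Two distinct users whose attributes never produced a UserID (constructed).
    sessions = [{"Attributes": {"uid": ["alice"]}}, {"Attributes": {"uid": ["bob"]}}]
    print("buggy collides:", name_ids_collide(generate_name_id_value_buggy, sessions))
    print("fixed collides:", name_ids_collide(generate_name_id_value_fixed, sessions))
```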

1 file changed (+1, -0 lines)

Diff for: modules/saml/lib/IdP/SAML2.php

@@ -623,6 +623,7 @@ private static function generateNameIdValue(SimpleSAML_Configuration $idpMetadat
623623
if ($attribute === NULL) {
624624
if (!isset($state['UserID'])) {
625625
SimpleSAML_Logger::error('Unable to generate NameID. Check the userid.attribute option.');
626+
return NULL;
626627
}
627628
$attributeValue = $state['UserID'];
628629
$idpEntityId = $idpMetadata->getString('entityid');
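Review bot: the `return NULL;` added after the error log (new line 626) only prevents the shared NameID if every caller of generateNameIdValue() checks for NULL before using the value; the hunk shows no call sites, so confirm each one treats NULL as "no NameID" and fails or falls back rather than passing it on as the NameID value, or consider throwing an exception here instead so an unchecked caller cannot silently continue. The log message still points only at the userid.attribute option, while the commit message also names the PersistentNameID authproc filter and the eduPersonPrincipalName attribute as ways the UserID gets populated; mentioning those would make the misconfiguration easier to diagnose.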
