bugfix: Make sure a persistent NameID is not generated by default when the UserID is missing in the state array.

This allowed misconfigured IdPs (i.e. those without both a PersistentNameID authproc filter, a “userid.attribute” configuration option and no “eduPersonPrincipalName” attribute available after running all the authentication processing filters) to generate a persistent NameID based on “null”, effectively giving all users the same identifier.
jaimeperez committed Dec 12, 2016
1 parent 300d8aa commit 90dca835158495b173808273e7df127303b8b953
Showing with 1 addition and 0 deletions.
  1. +1 −0 modules/saml/lib/IdP/SAML2.php
@@ -623,6 +623,7 @@ private static function generateNameIdValue(SimpleSAML_Configuration $idpMetadat
if ($attribute === NULL) {
if (!isset($state['UserID'])) {
SimpleSAML_Logger::error('Unable to generate NameID. Check the userid.attribute option.');
return NULL;
$attributeValue = $state['UserID'];
$idpEntityId = $idpMetadata->getString('entityid');
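Review bot: The guard `if (!isset($state['UserID']))` in generateNameIdValue() only rejects a missing or null UserID; an empty string still passes isset() and reaches `$attributeValue = $state['UserID'];`, so every user arriving with an empty UserID would again be assigned one shared value. Consider rejecting empty values as well, for example by also checking `$state['UserID'] === ''`, before the value is used. Because the function can now return NULL on this path, its callers need to treat NULL as "no NameID" rather than passing it on, and the doc comment should state that NULL is a possible return value. The commit changes one line in one file with no test; a regression test that runs this function with a state array lacking UserID and asserts that NULL comes back would keep the shared-identifier case from returning. The log message points only at `userid.attribute`, while the commit message lists two other ways to supply the identifier (the PersistentNameID filter and eduPersonPrincipalName), so naming those in the message would shorten diagnosis for an operator.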
