Add possibility to handle nameId NameQualifier attribute in SLO Request

brenard · brenard · commit 292da61d0d84 · 2017-06-16T17:33:06.000+02:00
diff --git a/lib/Saml2/Auth.php b/lib/Saml2/Auth.php
@@ -34,6 +34,14 @@ class OneLogin_Saml2_Auth
      */
     private $_nameidFormat;
 
+
+    /**
+     * NameID NameQualifier
+     *
+     * @var string
+     */
+    private $_nameidNameQualifier;
+
     /**
      * If user is authenticated.
      *
@@ -177,6 +185,7 @@ public function processResponse($requestId = null)
                 $this->_attributes = $response->getAttributes();
                 $this->_nameid = $response->getNameId();
                 $this->_nameidFormat = $response->getNameIdFormat();
+                $this->_nameidNameQualifier = $response->getNameIdNameQualifier();
                 $this->_authenticated = true;
                 $this->_sessionIndex = $response->getSessionIndex();
                 $this->_sessionExpiration = $response->getSessionNotOnOrAfter();
@@ -336,6 +345,16 @@ public function getNameIdFormat()
         return $this->_nameidFormat;
     }
 
+    /**
+     * Returns the nameID NameQualifier
+     *
+     * @return string  The nameID NameQualifier of the assertion
+     */
+    public function getNameIdNameQualifier()
+    {
+        return $this->_nameidNameQualifier;
+    }
+
     /**
      * Returns the SessionIndex
      *
@@ -436,18 +455,19 @@ public function login($returnTo = null, $parameters = array(), $forceAuthn = fal
     /**
      * Initiates the SLO process.
      *
-     * @param string|null $returnTo      The target URL the user should be returned to after logout.
-     * @param array       $parameters    Extra parameters to be added to the GET
-     * @param string|null $nameId        The NameID that will be set in the LogoutRequest.
-     * @param string|null $sessionIndex  The SessionIndex (taken from the SAML Response in the SSO process).
-     * @param bool        $stay          True if we want to stay (returns the url string) False to redirect
-     * @param string|null $nameIdFormat  The NameID Format will be set in the LogoutRequest.
+     * @param string|null $returnTo            The target URL the user should be returned to after logout.
+     * @param array       $parameters          Extra parameters to be added to the GET
+     * @param string|null $nameId              The NameID that will be set in the LogoutRequest.
+     * @param string|null $sessionIndex        The SessionIndex (taken from the SAML Response in the SSO process).
+     * @param bool        $stay                True if we want to stay (returns the url string) False to redirect
+     * @param string|null $nameIdFormat        The NameID Format will be set in the LogoutRequest.
+     * @param string|null $nameIdNameQualifier The NameID NameQualifier will be set in the LogoutRequest.
      *
      * @return If $stay is True, it return a string with the SLO URL + LogoutRequest + parameters
      *
      * @throws OneLogin_Saml2_Error
      */
-    public function logout($returnTo = null, $parameters = array(), $nameId = null, $sessionIndex = null, $stay = false, $nameIdFormat = null)
+    public function logout($returnTo = null, $parameters = array(), $nameId = null, $sessionIndex = null, $stay = false, $nameIdFormat = null, $nameIdNameQualifier = null)
     {
         assert('is_array($parameters)');
 
@@ -466,7 +486,7 @@ public function logout($returnTo = null, $parameters = array(), $nameId = null,
             $nameIdFormat = $this->_nameidFormat;
         }
 
-        $logoutRequest = new OneLogin_Saml2_LogoutRequest($this->_settings, null, $nameId, $sessionIndex, $nameIdFormat);
+        $logoutRequest = new OneLogin_Saml2_LogoutRequest($this->_settings, null, $nameId, $sessionIndex, $nameIdFormat, $nameIdNameQualifier);
 
         $this->_lastRequest = $logoutRequest->getXML();
         $this->_lastRequestID = $logoutRequest->id;
diff --git a/lib/Saml2/LogoutRequest.php b/lib/Saml2/LogoutRequest.php
@@ -38,8 +38,9 @@ class OneLogin_Saml2_LogoutRequest
      * @param string|null             $nameId       The NameID that will be set in the LogoutRequest.
      * @param string|null             $sessionIndex The SessionIndex (taken from the SAML Response in the SSO process).
      * @param string|null             $nameIdFormat The NameID Format will be set in the LogoutRequest.
+     * @param string|null             $nameIdNameQualifier The NameID NameQualifier will be set in the LogoutRequest.
      */
-    public function __construct(OneLogin_Saml2_Settings $settings, $request = null, $nameId = null, $sessionIndex = null, $nameIdFormat = null)
+    public function __construct(OneLogin_Saml2_Settings $settings, $request = null, $nameId = null, $sessionIndex = null, $nameIdFormat = null, $nameIdNameQualifier = null)
     {
         $this->_settings = $settings;
 
@@ -85,7 +86,8 @@ public function __construct(OneLogin_Saml2_Settings $settings, $request = null,
                 $nameId,
                 $spNameQualifier,
                 $nameIdFormat,
-                $cert
+                $cert,
+                $nameIdNameQualifier
             );
 
             $sessionIndexStr = isset($sessionIndex) ? "<samlp:SessionIndex>{$sessionIndex}</samlp:SessionIndex>" : "";
diff --git a/lib/Saml2/Response.php b/lib/Saml2/Response.php
@@ -648,6 +648,21 @@ public function getNameIdFormat()
         return $nameIdFormat;
     }
 
+    /**
+     * Gets the NameID NameQualifier provided by the SAML response from the IdP.
+     *
+     * @return string Name ID NameQualifier
+     */
+    public function getNameIdNameQualifier()
+    {
+        $nameIdNameQualifier = null;
+        $nameIdData = $this->getNameIdData();
+        if (!empty($nameIdData) && isset($nameIdData['NameQualifier'])) {
+            $nameIdNameQualifier = $nameIdData['NameQualifier'];
+        }
+        return $nameIdNameQualifier;
+    }
+
     /**
      * Gets the SessionNotOnOrAfter from the AuthnStatement.
      * Could be used to set the local session expiration
diff --git a/lib/Saml2/Utils.php b/lib/Saml2/Utils.php
@@ -951,10 +951,11 @@ public static function formatFingerPrint($fingerprint)
      * @param string      $spnq   SP Name Qualifier
      * @param string      $format SP Format
      * @param string|null $cert   IdP Public cert to encrypt the nameID
+     * @param string|null $nq     IdP Name Qualifier
      *
      * @return string $nameIDElement DOMElement | XMLSec nameID
      */
-    public static function generateNameId($value, $spnq, $format, $cert = null)
+    public static function generateNameId($value, $spnq, $format, $cert = null, $nq = null)
     {
 
         $doc = new DOMDocument();
@@ -963,6 +964,9 @@ public static function generateNameId($value, $spnq, $format, $cert = null)
         if (isset($spnq)) {
             $nameId->setAttribute('SPNameQualifier', $spnq);
         }
+        if (isset($nq)) {
+            $nameId->setAttribute('NameQualifier', $nq);
+        }
         $nameId->setAttribute('Format', $format);
         $nameId->appendChild($doc->createTextNode($value));
 
