Ensure the NameID is correctly set #1319

Status: Merged (1 commit, merged Sep 4, 2024)
Expand Up @@ -16,6 +16,7 @@
* limitations under the License.
*/

use OpenConext\EngineBlock\Metadata\AttributeReleasePolicy;
use OpenConext\EngineBlock\Metadata\Entity\ServiceProvider;
use Psr\Log\LoggerInterface;
use SAML2\Constants;
Expand Down Expand Up @@ -84,11 +85,6 @@ public function execute()
$isResolved = true;
$this->_response->getAssertion()->setNameId($nameId);
}

// If there's an ARP, but it does not contain the EPTI, we're done now.
if (!$arp->hasAttribute(Constants::EPTI_URN_MACE)) {
return;
}
}

if (!$isResolved || !isset($nameId)){
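Review bot: dropping this early return is the actual fix and the commit message should say so, because the diff reads as a plain code move. With the old placement, whenever an ARP was configured that did not list EPTI, execute() returned from inside this block before reaching the `if (!$isResolved || !isset($nameId))` fallback, so the `setNameId($nameId)` call in that fallback never ran for those SPs. While touching this area, the fallback line also has a style nit: `isset($nameId)){` is missing the space before the opening brace.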
Expand All @@ -105,6 +101,11 @@ public function execute()
$this->_response->getAssertion()->setNameId($nameId);
}

// If there's an ARP, but it does not contain the EPTI, we're done now.
if ($arp instanceof AttributeReleasePolicy && !$arp->hasAttribute(Constants::EPTI_URN_MACE)) {
return;
}

// We arrive here if either:
// 1) the ARP is NULL, this means no ARP = let everything through including EPTI; or
// 2) the ARP is not null and does contain the EPTI attribute.
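Review bot: the `$arp instanceof AttributeReleasePolicy` guard is required now that this check sits after the fallback rather than inside the block that had already established the ARP was non-null; without it `$arp->hasAttribute(...)` would fatal on a null ARP, which the comment below explicitly treats as a valid state (case 1). Two suggestions: reword the comment on the first line of this block to "If there's an ARP and it does not contain the EPTI" so it matches the new guard, and emit a debug-level log entry on this early-return path through the LoggerInterface the class already imports, so an operator can see why EPTI handling was skipped for a given SP.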
@@ -0,0 +1,69 @@
Feature:
To ensure no confusion about the NameID Format
As EngineBlock
I want to be sure after ARP my name id format is presented correctly to the SP

Background:
Given an EngineBlock instance on "vm.openconext.org"
And no registered SPs
And no registered Idps
And an Identity Provider named "SSO-IdP"
And a Service Provider named "SSO-SP"

Scenario: EngineBlock should not update the Unspecified NameIdFormat when no ARP filters are applied
Given SP "SSO-SP" uses the Unspecified NameID format
When I log in at "SSO-SP"
And I pass through EngineBlock
And I pass through the IdP
When I give my consent
And I pass through EngineBlock
And the response should match xpath '/samlp:Response/saml:Assertion/saml:Subject/saml:NameID[@Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]'

Scenario: EngineBlock should not update the Unspecified NameIdFormat when the ARP is applied
Given SP "SSO-SP" uses the Unspecified NameID format
And SP "SSO-SP" allows an attribute named "urn:mace:dir:attribute-def:uid"
When I log in at "SSO-SP"
And I pass through EngineBlock
And I pass through the IdP
When I give my consent
And I pass through EngineBlock
And the response should match xpath '/samlp:Response/saml:Assertion/saml:Subject/saml:NameID[@Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]'

Scenario: EngineBlock should not update the Persistent NameIdFormat when no ARP filters are applied
Given SP "SSO-SP" uses the Persistent NameID format
When I log in at "SSO-SP"
And I pass through EngineBlock
And I pass through the IdP
When I give my consent
And I pass through EngineBlock
And the response should match xpath '/samlp:Response/saml:Assertion/saml:Subject/saml:NameID[@Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"]'

Scenario: EngineBlock should not update the Persistent NameIdFormat when the ARP is applied
Given SP "SSO-SP" uses the Persistent NameID format
And SP "SSO-SP" allows an attribute named "urn:mace:dir:attribute-def:uid"
And SP "SSO-SP" allows an attribute named "urn:mace:terena.org:attribute-def:schacHomeOrganization"
When I log in at "SSO-SP"
And I pass through EngineBlock
And I pass through the IdP
When I give my consent
And I pass through EngineBlock
And the response should match xpath '/samlp:Response/saml:Assertion/saml:Subject/saml:NameID[@Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"]'

Scenario: EngineBlock should not update the Transient NameIdFormat when no ARP filters are applied
Given SP "SSO-SP" uses the Transient NameID format
When I log in at "SSO-SP"
And I pass through EngineBlock
And I pass through the IdP
When I give my consent
And I pass through EngineBlock
And the response should match xpath '/samlp:Response/saml:Assertion/saml:Subject/saml:NameID[@Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"]'

Scenario: EngineBlock should not update the Transient NameIdFormat when the ARP is applied
Given SP "SSO-SP" uses the Transient NameID format
And SP "SSO-SP" allows an attribute named "urn:mace:terena.org:attribute-def:schacHomeOrganization"
When I log in at "SSO-SP"
And I pass through EngineBlock
And I pass through the IdP
When I give my consent
And I pass through EngineBlock
And the response should match xpath '/samlp:Response/saml:Assertion/saml:Subject/saml:NameID[@Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"]'
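Review bot: the six scenarios cover each NameID format with and without an ARP, but every ARP configured here lists only uid and/or schacHomeOrganization, so the branch the code comment calls case 2 (ARP present and containing the EPTI attribute) has no scenario at all; add one per format so the format is also pinned down on that path, since that is the path where the EPTI handling after the early-return check actually runs. Minor Gherkin points: the final `And the response should match xpath ...` step in each scenario is the assertion and should be a `Then`, and the Background step `no registered Idps` should read `IdPs` to match the capitalisation used in the other steps.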