bugfix: Make sure a persistent NameID is not generated by default whe…

…n the UserID is missing in the state array. This allowed misconfigured IdPs (i.e. those without both a PersistenNameID authproc filter, a “userid.attribute” configuration option and no “eduPersonPrincipalName” attribute available after running all the authentication processing filters) to generate a persistent NameID based on “null”, effectively giving all users the same identifier.
simplesamlphp · Dec 12, 2016 · 90dca83 · 90dca83
1 parent 300d8aa
commit 90dca83
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/modules/saml/lib/IdP/SAML2.php b/modules/saml/lib/IdP/SAML2.php
@@ -623,6 +623,7 @@ private static function generateNameIdValue(SimpleSAML_Configuration $idpMetadat
 			if ($attribute === NULL) {
 				if (!isset($state['UserID'])) {
 					SimpleSAML_Logger::error('Unable to generate NameID. Check the userid.attribute option.');
+					return NULL;
 				}
 				$attributeValue = $state['UserID'];
 				$idpEntityId = $idpMetadata->getString('entityid');