From 773bf9570bd6122e754bb7a67a44e4e21e34e682 Mon Sep 17 00:00:00 2001
From: Roland Hedberg
Date: Thu, 11 Feb 2016 14:47:01 +0100
Subject: [PATCH] Persistent ID should not be equal to userid !

According to the spec:
Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username)
---
 src/saml2/ident.py | 4 ++--
 tests/test_33_identifier.py | 15 +++++++++++++--
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/src/saml2/ident.py b/src/saml2/ident.py
index 7b1667a..db8365b 100644
--- a/src/saml2/ident.py
+++ b/src/saml2/ident.py
@@ -163,8 +163,8 @@ class IdentDB(object):
 _id = "%s@%s" % (_id, self.domain)
- if nformat == NAMEID_FORMAT_PERSISTENT:
- _id = userid
+ # if nformat == NAMEID_FORMAT_PERSISTENT:
+ # _id = userid
 nameid = NameID(format=nformat, sp_name_qualifier=sp_name_qualifier,
 name_qualifier=name_qualifier, text=_id)
diff --git a/tests/test_33_identifier.py b/tests/test_33_identifier.py
index 97168b3..86e2003 100644
--- a/tests/test_33_identifier.py
+++ b/tests/test_33_identifier.py
@@ -84,6 +84,17 @@ class TestIdentifier():
 assert id == "foobar"
+ def test_persistent_2(self):
+ userid = 'foobar'
+ nameid1 = self.id.persistent_nameid(userid, sp_name_qualifier="sp1",
+ name_qualifier="name0")
+
+ nameid2 = self.id.persistent_nameid(userid, sp_name_qualifier="sp1",
+ name_qualifier="name0")
+
+ # persistent NameIDs should be _persistent_ :-)
+ assert nameid1 == nameid2
+
 def test_transient_1(self):
 policy = Policy({
 "default": {
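Review bot: The two added lines `+ # if nformat == NAMEID_FORMAT_PERSISTENT:` and `+ # _id = userid` in the src/saml2/ident.py hunk keep the removed behaviour as commented-out code, which a later maintainer can restore without learning why it was dropped; delete them and leave a why-comment in their place, e.g. `# Persistent NameIDs must never carry the userid: the SAML 2.0 Core persistent-identifier rules require a pseudo-random value with no discernible correspondence to the subject's real identifier.` Whether the value now emitted for NAMEID_FORMAT_PERSISTENT actually meets that requirement depends on how `_id` is produced before the hunk, which is not visible here (the method containing this code starts and ends outside the hunk), so that generation path should be confirmed to use a cryptographically strong random source rather than any encoding of the userid. The context line `_id = "%s@%s" % (_id, self.domain)` is unchanged, so the domain suffix is still appended to whatever `_id` holds; that is fine as long as the prefix itself carries no user-derived information.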
@@ -124,8 +135,8 @@ class TestIdentifier():
 'name_qualifier'])
 assert nameid.sp_name_qualifier == 'http://vo.example.org/biomed'
 assert nameid.format == NAMEID_FORMAT_PERSISTENT
- # we want to keep the user identifier in the nameid node
- assert nameid.text == "foobar"
+ # we want to *NOT* keep the user identifier in the nameid node
+ assert nameid.text != "foobar"
 def test_vo_2(self):
 policy = Policy({
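Review bot: The new assertion `assert nameid.text != "foobar"` only rules out the exact userid; a persistent id such as `foobar@<domain>` or any value that embeds the userid would still pass, which is precisely the correspondence the commit message says the spec forbids. Tightening it to `assert "foobar" not in nameid.text` checks the stated property directly, and a second call with the same arguments compared for equality (as test_persistent_2 does) would also pin persistence in this test. The test method this hunk belongs to starts outside the hunk, so the arguments that produced nameid are not visible here.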