Persistent ID should not be equal to userid !

According to the spec: Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username)
2016-02-11 14:47:01 +01:00
parent 454ef61d7c
commit 773bf9570b
2 changed files with 15 additions and 4 deletions
--- a/src/saml2/ident.py
+++ b/src/saml2/ident.py
@@ -163,8 +163,8 @@ class IdentDB(object):
            _id = "%s@%s" % (_id, self.domain)
-        if nformat == NAMEID_FORMAT_PERSISTENT:
+        # if nformat == NAMEID_FORMAT_PERSISTENT:
-            _id = userid
+        #     _id = userid
        nameid = NameID(format=nformat, sp_name_qualifier=sp_name_qualifier,
                        name_qualifier=name_qualifier, text=_id)
--- a/tests/test_33_identifier.py
+++ b/tests/test_33_identifier.py
@@ -84,6 +84,17 @@ class TestIdentifier():
        assert id == "foobar"
    def test_persistent_2(self):
        userid = 'foobar'
        nameid1 = self.id.persistent_nameid(userid, sp_name_qualifier="sp1",
                                            name_qualifier="name0")
        nameid2 = self.id.persistent_nameid(userid, sp_name_qualifier="sp1",
                                            name_qualifier="name0")
        # persistent NameIDs should be _persistent_ :-)
        assert nameid1 == nameid2
    def test_transient_1(self):
        policy = Policy({
            "default": {
@@ -124,8 +135,8 @@ class TestIdentifier():
                                     'name_qualifier'])
        assert nameid.sp_name_qualifier == 'http://vo.example.org/biomed'
        assert nameid.format == NAMEID_FORMAT_PERSISTENT
-        # we want to keep the user identifier in the nameid node
+        # we want to *NOT* keep the user identifier in the nameid node
-        assert nameid.text == "foobar"
+        assert nameid.text != "foobar"
    def test_vo_2(self):
        policy = Policy({