Make SPNameQualifier optional on the generateNameId method. Avoid the use of SPNameQualifier when generating the NameID on the LogoutRequest builder.

Author: pitbulk

src/onelogin/saml2/logout_request.py

@@ -65,13 +65,15 @@ def __init__(self, settings, request=None, name_id=None, session_index=None):
 
             if name_id is not None:
                 nameIdFormat = sp_data['NameIDFormat']
+                spNameQualifier = None
             else:
                 name_id = idp_data['entityId']
                 nameIdFormat = OneLogin_Saml2_Constants.NAMEID_ENTITY
+                spNameQualifier = sp_data['entityId']
 
             name_id_obj = OneLogin_Saml2_Utils.generate_name_id(
                 name_id,
-                sp_data['entityId'],
+                spNameQualifier,
                 nameIdFormat,
                 cert
             )

src/onelogin/saml2/utils.py

@@ -611,7 +611,8 @@ def generate_name_id(value, sp_nq, sp_format, cert=None, debug=False):
         name_id_container.setAttribute("xmlns:saml", OneLogin_Saml2_Constants.NS_SAML)
 
         name_id = doc.createElement('saml:NameID')
-        name_id.setAttribute('SPNameQualifier', sp_nq)
+        if sp_nq is not None:
+            name_id.setAttribute('SPNameQualifier', sp_nq)
         name_id.setAttribute('Format', sp_format)
         name_id.appendChild(doc.createTextNode(value))
         name_id_container.appendChild(name_id)

tests/src/OneLogin/saml2_tests/utils_test.py

@@ -557,9 +557,10 @@ def testQuery(self):
         signature_nodes_5 = OneLogin_Saml2_Utils.query(dom, './/ds:SignatureValue', assertion)
         self.assertEqual(1, len(signature_nodes_5))
 
-    def testGenerateNameId(self):
+    def testGenerateNameIdWithSPNameQualifier(self):
         """
         Tests the generateNameId method of the OneLogin_Saml2_Utils
+        Adding a SPNameQualifier
         """
         name_id_value = 'ONELOGIN_ce998811003f4e60f8b07a311dc641621379cfde'
         entity_id = 'http://stuff.com/endpoints/metadata.php'
@@ -577,6 +578,25 @@ def testGenerateNameId(self):
         expected_name_id_enc = '<saml:EncryptedID><xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/><xenc:CipherData><xenc:CipherValue>'
         self.assertIn(expected_name_id_enc, name_id_enc)
 
+    def testGenerateNameIdWithoutSPNameQualifier(self):
+        """
+        Tests the generateNameId method of the OneLogin_Saml2_Utils
+        """
+        name_id_value = 'ONELOGIN_ce998811003f4e60f8b07a311dc641621379cfde'
+        name_id_format = 'urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified'
+
+        name_id = OneLogin_Saml2_Utils.generate_name_id(name_id_value, None, name_id_format)
+        expected_name_id = '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified">ONELOGIN_ce998811003f4e60f8b07a311dc641621379cfde</saml:NameID>'
+        self.assertEqual(name_id, expected_name_id)
+
+        settings_info = self.loadSettingsJSON()
+        x509cert = settings_info['idp']['x509cert']
+        key = OneLogin_Saml2_Utils.format_cert(x509cert)
+
+        name_id_enc = OneLogin_Saml2_Utils.generate_name_id(name_id_value, None, name_id_format, key)
+        expected_name_id_enc = '<saml:EncryptedID><xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/><xenc:CipherData><xenc:CipherValue>'
+        self.assertIn(expected_name_id_enc, name_id_enc)
+
     def testCalculateX509Fingerprint(self):
         """
         Tests the calculateX509Fingerprint method of the OneLogin_Saml2_Utils