Remove NameId requirement on SAMLResponse

Author: pitbulk

README.md

@@ -327,6 +327,10 @@ In addition to the required settings data (idp, sp), there is extra information
         // this SP to be signed. [Metadata of the SP will offer this info]
         "wantAssertionsSigned": false,
 
+        // Indicates a requirement for the NameID element on the SAMLResponse 
+        // received by this SP to be present.
+        "wantNameId": true,
+
         // Indicates a requirement for the NameID received by
         // this SP to be encrypted.
         "wantNameIdEncrypted": false,

demo-django/saml/advanced_settings.json

@@ -7,6 +7,7 @@
         "signMetadata": false,
         "wantMessagesSigned": false,
         "wantAssertionsSigned": false,
+        "wantNameId" : true,
         "wantNameIdEncrypted": false,
         "signatureAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
     },

demo-flask/saml/advanced_settings.json

@@ -7,6 +7,7 @@
         "signMetadata": false,
         "wantMessagesSigned": false,
         "wantAssertionsSigned": false,
+        "wantNameId" : true,
         "wantNameIdEncrypted": false,
         "signatureAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
     },

src/onelogin/saml2/auth.py

@@ -210,7 +210,7 @@ def get_nameid(self):
         Returns the nameID.
 
         :returns: NameID
-        :rtype: string
+        :rtype: string|None
         """
         return self.__nameid
 
@@ -226,7 +226,7 @@ def get_session_expiration(self):
         """
         Returns the SessionNotOnOrAfter from the AuthnStatement.
         :returns: The SessionNotOnOrAfter of the assertion
-        :rtype: DateTime|null
+        :rtype: DateTime|None
         """
         return self.__session_expiration
 

src/onelogin/saml2/response.py

@@ -273,6 +273,8 @@ def get_nameid_data(self):
         :rtype: dict
         """
         nameid = None
+        nameid_data = {}
+
         encrypted_id_data_nodes = self.__query_assertion('/saml:Subject/saml:EncryptedID/xenc:EncryptedData')
         if encrypted_id_data_nodes:
             encrypted_data = encrypted_id_data_nodes[0]
@@ -283,24 +285,29 @@ def get_nameid_data(self):
             if nameid_nodes:
                 nameid = nameid_nodes[0]
         if nameid is None:
-            raise Exception('Not NameID found in the assertion of the Response')
-
-        nameid_data = {'Value': nameid.text}
-        for attr in ['Format', 'SPNameQualifier', 'NameQualifier']:
-            value = nameid.get(attr, None)
-            if value:
-                nameid_data[attr] = value
+            security = self.__settings.get_security_data()
+            if security.get('wantNameId', True):
+                raise Exception('Not NameID found in the assertion of the Response')
+        else:
+            nameid_data = {'Value': nameid.text}
+            for attr in ['Format', 'SPNameQualifier', 'NameQualifier']:
+                value = nameid.get(attr, None)
+                if value:
+                    nameid_data[attr] = value
         return nameid_data
 
     def get_nameid(self):
         """
         Gets the NameID provided by the SAML Response from the IdP
 
         :returns: NameID (value)
-        :rtype: string
+        :rtype: string|None
         """
+        nameid_value = None
         nameid_data = self.get_nameid_data()
-        return nameid_data['Value']
+        if nameid_data and 'Value' in nameid_data.keys():
+            nameid_value = nameid_data['Value']
+        return nameid_value
 
     def get_session_not_on_or_after(self):
         """

src/onelogin/saml2/settings.py

@@ -302,6 +302,10 @@ def __add_default_values(self):
         if 'wantAssertionsSigned' not in self.__security:
             self.__security['wantAssertionsSigned'] = False
 
+        # NameID element expected
+        if 'wantNameId' not in self.__security.keys():
+            self.__security['wantNameId'] = True
+
         # Encrypt expected
         if 'wantAssertionsEncrypted' not in self.__security:
             self.__security['wantAssertionsEncrypted'] = False

tests/src/OneLogin/saml2_tests/response_test.py

@@ -63,7 +63,8 @@ def testReturnNameId(self):
         """
         Tests the get_nameid method of the OneLogin_Saml2_Response
         """
-        settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
+        json_settings = self.loadSettingsJSON()
+        settings = OneLogin_Saml2_Settings(json_settings)
         xml = self.file_contents(join(self.data_path, 'responses', 'response1.xml.base64'))
         response = OneLogin_Saml2_Response(settings, xml)
         self.assertEqual('support@onelogin.com', response.get_nameid())
@@ -84,11 +85,39 @@ def testReturnNameId(self):
         except Exception as e:
             self.assertIn('Not NameID found in the assertion of the Response', str(e))
 
+        json_settings['security']['wantNameId'] = True
+        settings = OneLogin_Saml2_Settings(json_settings)
+
+        response_5 = OneLogin_Saml2_Response(settings, xml_4)
+        try:
+            response_5.get_nameid()
+            self.assertTrue(False)
+        except Exception as e:
+            self.assertIn('Not NameID found in the assertion of the Response', e.message)
+
+        json_settings['security']['wantNameId'] = False
+        settings = OneLogin_Saml2_Settings(json_settings)
+
+        response_6 = OneLogin_Saml2_Response(settings, xml_4)
+        nameid_6 = response_6.get_nameid()
+        self.assertIsNone(nameid_6)
+
+        del json_settings['security']['wantNameId']
+        settings = OneLogin_Saml2_Settings(json_settings)
+
+        response_7 = OneLogin_Saml2_Response(settings, xml_4)
+        try:
+            response_7.get_nameid()
+            self.assertTrue(False)
+        except Exception as e:
+            self.assertIn('Not NameID found in the assertion of the Response', e.message)
+
     def testGetNameIdData(self):
         """
         Tests the get_nameid_data method of the OneLogin_Saml2_Response
         """
-        settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
+        json_settings = self.loadSettingsJSON()
+        settings = OneLogin_Saml2_Settings(json_settings)
         xml = self.file_contents(join(self.data_path, 'responses', 'response1.xml.base64'))
         response = OneLogin_Saml2_Response(settings, xml)
         expected_nameid_data = {
@@ -126,6 +155,33 @@ def testGetNameIdData(self):
         except Exception as e:
             self.assertIn('Not NameID found in the assertion of the Response', str(e))
 
+        json_settings['security']['wantNameId'] = True
+        settings = OneLogin_Saml2_Settings(json_settings)
+
+        response_5 = OneLogin_Saml2_Response(settings, xml_4)
+        try:
+            response_5.get_nameid_data()
+            self.assertTrue(False)
+        except Exception as e:
+            self.assertIn('Not NameID found in the assertion of the Response', e.message)
+
+        json_settings['security']['wantNameId'] = False
+        settings = OneLogin_Saml2_Settings(json_settings)
+
+        response_6 = OneLogin_Saml2_Response(settings, xml_4)
+        nameid_data_6 = response_6.get_nameid_data()
+        self.assertEqual({}, nameid_data_6)
+
+        del json_settings['security']['wantNameId']
+        settings = OneLogin_Saml2_Settings(json_settings)
+
+        response_7 = OneLogin_Saml2_Response(settings, xml_4)
+        try:
+            response_7.get_nameid_data()
+            self.assertTrue(False)
+        except Exception as e:
+            self.assertIn('Not NameID found in the assertion of the Response', e.message)
+
     def testCheckStatus(self):
         """
         Tests the check_status method of the OneLogin_Saml2_Response

tests/src/OneLogin/saml2_tests/settings_test.py

@@ -590,8 +590,49 @@ def testGetSecurityData(self):
         self.assertIn('signMetadata', security)
         self.assertIn('wantMessagesSigned', security)
         self.assertIn('wantAssertionsSigned', security)
+        self.assertIn('requestedAuthnContext', security)
+        self.assertIn('wantNameId', security)
         self.assertIn('wantNameIdEncrypted', security)
 
+    def testGetDefaultSecurityValues(self):
+        """
+        Tests default values of Security advanced sesettings
+        """
+        settings_json = self.loadSettingsJSON()
+        del settings_json['security']
+        settings = OneLogin_Saml2_Settings(settings_json)
+        security = settings.get_security_data()
+
+        self.assertIn('nameIdEncrypted', security)
+        self.assertFalse(security.get('nameIdEncrypted'))
+
+        self.assertIn('authnRequestsSigned', security)
+        self.assertFalse(security.get('authnRequestsSigned'))
+
+        self.assertIn('logoutRequestSigned', security)
+        self.assertFalse(security.get('logoutRequestSigned'))
+
+        self.assertIn('logoutResponseSigned', security)
+        self.assertFalse(security.get('logoutResponseSigned'))
+
+        self.assertIn('signMetadata', security)
+        self.assertFalse(security.get('signMetadata'))
+
+        self.assertIn('wantMessagesSigned', security)
+        self.assertFalse(security.get('wantMessagesSigned'))
+
+        self.assertIn('wantAssertionsSigned', security)
+        self.assertFalse(security.get('wantAssertionsSigned'))
+
+        self.assertIn('requestedAuthnContext', security)
+        self.assertTrue(security.get('requestedAuthnContext'))
+
+        self.assertIn('wantNameId', security)
+        self.assertTrue(security.get('wantNameId'))
+
+        self.assertIn('wantNameIdEncrypted', security)
+        self.assertFalse(security.get('wantNameIdEncrypted'))
+
     def testGetContacts(self):
         """
         Tests the getContacts method of the OneLogin_Saml2_Settings