Allow AuthnRequest with no NameIDPolicy

Author: pitbulk

README.md

@@ -498,10 +498,11 @@ We can set a 'return_to' url parameter to the login function and that will be co
 target_url = 'https://example.com'
 auth.login(return_to=target_url)
 ```
-The login method can recieve 2 more optional parameters:
+The login method can recieve 3 more optional parameters:
 
-* force_authn  When true the AuthNReuqest will set the ForceAuthn='true'
-* is_passive   When true the AuthNReuqest will set the Ispassive='true'
+* force_authn       When true the AuthNReuqest will set the ForceAuthn='true'
+* is_passive        When true the AuthNReuqest will set the Ispassive='true'
+* set_nameid_policy When true the AuthNReuqest will set a nameIdPolicy element.
 
 #### The SP Endpoints ####
 

src/onelogin/saml2/auth.py

@@ -261,22 +261,26 @@ def get_attribute(self, name):
         assert isinstance(name, compat.str_type)
         return self.__attributes.get(name)
 
-    def login(self, return_to=None, force_authn=False, is_passive=False):
+    def login(self, return_to=None, force_authn=False, is_passive=False, set_nameid_policy=True):
         """
         Initiates the SSO process.
 
         :param return_to: Optional argument. The target URL the user should be redirected to after login.
         :type return_to: string
 
         :param force_authn: Optional argument. When true the AuthNReuqest will set the ForceAuthn='true'.
-        :type force_authn: string
+        :type force_authn: bool
 
         :param is_passive: Optional argument. When true the AuthNReuqest will set the Ispassive='true'.
-        :type is_passive: string
+        :type is_passive: bool
+
+        :param set_nameid_policy: Optional argument. When true the AuthNReuqest will set a nameIdPolicy element.
+        :type set_nameid_policy: bool
 
         :returns: Redirection url
+        :rtype: string
         """
-        authn_request = OneLogin_Saml2_Authn_Request(self.__settings, force_authn, is_passive)
+        authn_request = OneLogin_Saml2_Authn_Request(self.__settings, force_authn, is_passive, set_nameid_policy)
 
         saml_request = authn_request.get_request()
         parameters = {'SAMLRequest': saml_request}

src/onelogin/saml2/authn_request.py

@@ -22,7 +22,7 @@ class OneLogin_Saml2_Authn_Request(object):
 
     """
 
-    def __init__(self, settings, force_authn=False, is_passive=False):
+    def __init__(self, settings, force_authn=False, is_passive=False, set_nameid_policy=True):
         """
         Constructs the AuthnRequest object.
 
@@ -34,6 +34,9 @@ def __init__(self, settings, force_authn=False, is_passive=False):
 
         :param is_passive: Optional argument. When true the AuthNReuqest will set the Ispassive='true'.
         :type is_passive: bool
+
+        :param set_nameid_policy: Optional argument. When true the AuthNReuqest will set a nameIdPolicy element.
+        :type set_nameid_policy: bool
         """
         self.__settings = settings
 
@@ -47,10 +50,6 @@ def __init__(self, settings, force_authn=False, is_passive=False):
 
         destination = idp_data['singleSignOnService']['url']
 
-        name_id_policy_format = sp_data['NameIDFormat']
-        if security['wantNameIdEncrypted']:
-            name_id_policy_format = OneLogin_Saml2_Constants.NAMEID_ENCRYPTED
-
         provider_name_str = ''
         organization_data = settings.get_organization()
         if isinstance(organization_data, dict) and organization_data:
@@ -72,6 +71,17 @@ def __init__(self, settings, force_authn=False, is_passive=False):
         if is_passive is True:
             is_passive_str = 'IsPassive="true"'
 
+        nameid_policy_str = ''
+        if set_nameid_policy:
+            name_id_policy_format = sp_data['NameIDFormat']
+            if security['wantNameIdEncrypted']:
+                name_id_policy_format = OneLogin_Saml2_Constants.NAMEID_ENCRYPTED
+
+            nameid_policy_str = """
+    <samlp:NameIDPolicy
+        Format="%s"
+        AllowCreate="true" />""" % name_id_policy_format
+
         requested_authn_context_str = ''
         if security['requestedAuthnContext'] is not False:
             authn_comparison = 'exact'
@@ -102,7 +112,7 @@ def __init__(self, settings, force_authn=False, is_passive=False):
                 'destination': destination,
                 'assertion_url': sp_data['assertionConsumerService']['url'],
                 'entity_id': sp_data['entityId'],
-                'name_id_policy': name_id_policy_format,
+                'nameid_policy_str': nameid_policy_str,
                 'requested_authn_context_str': requested_authn_context_str,
                 'attr_consuming_service_str': attr_consuming_service_str,
             }

src/onelogin/saml2/xml_templates.py

@@ -32,12 +32,8 @@ class OneLogin_Saml2_Templates(object):
     Destination="%(destination)s"
     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
     AssertionConsumerServiceURL="%(assertion_url)s"%(attr_consuming_service_str)s>
-    <saml:Issuer>%(entity_id)s</saml:Issuer>
-
-    <samlp:NameIDPolicy
-        Format="%(name_id_policy)s"
-        AllowCreate="true" />
-        %(requested_authn_context_str)s
+    <saml:Issuer>%(entity_id)s</saml:Issuer>%(nameid_policy_str)s
+%(requested_authn_context_str)s
 </samlp:AuthnRequest>"""
 
     LOGOUT_REQUEST = """\

tests/src/OneLogin/saml2_tests/auth_test.py

@@ -665,6 +665,40 @@ def testLoginIsPassive(self):
         request_3 = compat.to_string(OneLogin_Saml2_Utils.decode_base64_and_inflate(parsed_query_3['SAMLRequest'][0]))
         self.assertIn('IsPassive="true"', request_3)
 
+    def testLoginSetNameIDPolicy(self):
+        """
+        Tests the login method of the OneLogin_Saml2_Auth class
+        Case Logout with no parameters. A AuthN Request is built with and without NameIDPolicy
+        """
+        settings_info = self.loadSettingsJSON()
+        return_to = u'http://example.com/returnto'
+        settings_info['idp']['singleSignOnService']['url']
+
+        auth = OneLogin_Saml2_Auth(self.get_request(), old_settings=settings_info)
+        target_url = auth.login(return_to)
+        parsed_query = parse_qs(urlparse(target_url)[4])
+        sso_url = settings_info['idp']['singleSignOnService']['url']
+        self.assertIn(sso_url, target_url)
+        self.assertIn('SAMLRequest', parsed_query)
+        request = compat.to_string(OneLogin_Saml2_Utils.decode_base64_and_inflate(parsed_query['SAMLRequest'][0]))
+        self.assertIn('<samlp:NameIDPolicy', request)
+
+        auth_2 = OneLogin_Saml2_Auth(self.get_request(), old_settings=settings_info)
+        target_url_2 = auth_2.login(return_to, False, False, True)
+        parsed_query_2 = parse_qs(urlparse(target_url_2)[4])
+        self.assertIn(sso_url, target_url_2)
+        self.assertIn('SAMLRequest', parsed_query_2)
+        request_2 = compat.to_string(OneLogin_Saml2_Utils.decode_base64_and_inflate(parsed_query_2['SAMLRequest'][0]))
+        self.assertIn('<samlp:NameIDPolicy', request_2)
+
+        auth_3 = OneLogin_Saml2_Auth(self.get_request(), old_settings=settings_info)
+        target_url_3 = auth_3.login(return_to, False, False, False)
+        parsed_query_3 = parse_qs(urlparse(target_url_3)[4])
+        self.assertIn(sso_url, target_url_3)
+        self.assertIn('SAMLRequest', parsed_query_3)
+        request_3 = compat.to_string(OneLogin_Saml2_Utils.decode_base64_and_inflate(parsed_query_3['SAMLRequest'][0]))
+        self.assertNotIn('<samlp:NameIDPolicy', request_3)
+
     def testLogout(self):
         """
         Tests the logout method of the OneLogin_Saml2_Auth class

tests/src/OneLogin/saml2_tests/authn_request_test.py

@@ -195,6 +195,31 @@ def testCreateRequestIsPassive(self):
         self.assertRegexpMatches(inflated_3, '^<samlp:AuthnRequest')
         self.assertIn('IsPassive="true"', inflated_3)
 
+    def testCreateRequestSetNameIDPolicy(self):
+        """
+        Tests the OneLogin_Saml2_Authn_Request Constructor.
+        The creation of a deflated SAML Request with and without NameIDPolicy
+        """
+        saml_settings = self.loadSettingsJSON()
+        settings = OneLogin_Saml2_Settings(saml_settings)
+        authn_request = OneLogin_Saml2_Authn_Request(settings)
+        authn_request_encoded = authn_request.get_request()
+        inflated = compat.to_string(OneLogin_Saml2_Utils.decode_base64_and_inflate(authn_request_encoded))
+        self.assertRegexpMatches(inflated, '^<samlp:AuthnRequest')
+        self.assertIn('<samlp:NameIDPolicy', inflated)
+
+        authn_request_2 = OneLogin_Saml2_Authn_Request(settings, False, False, True)
+        authn_request_encoded_2 = authn_request_2.get_request()
+        inflated_2 = compat.to_string(OneLogin_Saml2_Utils.decode_base64_and_inflate(authn_request_encoded_2))
+        self.assertRegexpMatches(inflated_2, '^<samlp:AuthnRequest')
+        self.assertIn('<samlp:NameIDPolicy', inflated_2)
+
+        authn_request_3 = OneLogin_Saml2_Authn_Request(settings, False, False, False)
+        authn_request_encoded_3 = authn_request_3.get_request()
+        inflated_3 = compat.to_string(OneLogin_Saml2_Utils.decode_base64_and_inflate(authn_request_encoded_3))
+        self.assertRegexpMatches(inflated_3, '^<samlp:AuthnRequest')
+        self.assertNotIn('<samlp:NameIDPolicy', inflated_3)
+
     def testCreateDeflatedSAMLRequestURLParameter(self):
         """
         Tests the OneLogin_Saml2_Authn_Request Constructor.