Respect SP choice for NameID, and create test users separately

adricasti · adricasti · commit 49664373809d · 2025-05-29T16:31:10.000+02:00
diff --git a/.gitignore b/.gitignore
@@ -3,6 +3,7 @@ coverage.html
 vendor/
 **/*.cert
 **/*.key
+example/*.sh
 
 # IDE-specific settings
 .idea
diff --git a/example/idp/go.mod b/example/idp/go.mod
@@ -4,16 +4,14 @@ go 1.23
 
 toolchain go1.24.2
 
-require (
-	github.com/crewjam/saml v0.5.1
-	golang.org/x/crypto v0.33.0
-)
+require github.com/crewjam/saml v0.5.1
 
 require (
 	github.com/beevik/etree v1.5.0 // indirect
 	github.com/jonboulle/clockwork v0.2.2 // indirect
 	github.com/mattermost/xml-roundtrip-validator v0.1.0 // indirect
 	github.com/russellhaering/goxmldsig v1.4.0 // indirect
+	golang.org/x/crypto v0.33.0 // indirect
 )
 
 // Replace the remote saml module with your local version
diff --git a/example/idp/idp.go b/example/idp/idp.go
@@ -8,8 +8,6 @@ import (
 	"net/http"
 	"net/url"
 
-	"golang.org/x/crypto/bcrypt"
-
 	"github.com/crewjam/saml/logger"
 	"github.com/crewjam/saml/samlidp"
 )
@@ -47,31 +45,5 @@ func main() {
 		logr.Fatalf("%s", err)
 	}
 
-	hashedPassword, _ := bcrypt.GenerateFromPassword([]byte("hunter2"), bcrypt.DefaultCost)
-	err = idpServer.Store.Put("/users/alice", samlidp.User{Name: "alice",
-		HashedPassword: hashedPassword,
-		Groups:         []string{"Administrators", "Users"},
-		Email:          "alice@example.com",
-		CommonName:     "Alice Smith",
-		Surname:        "Smith",
-		GivenName:      "Alice",
-	})
-	if err != nil {
-		logr.Fatalf("%s", err)
-	}
-
-	err = idpServer.Store.Put("/users/bob", samlidp.User{
-		Name:           "bob",
-		HashedPassword: hashedPassword,
-		Groups:         []string{"Users"},
-		Email:          "bob@example.com",
-		CommonName:     "Bob Smith",
-		Surname:        "Smith",
-		GivenName:      "Bob",
-	})
-	if err != nil {
-		logr.Fatalf("%s", err)
-	}
-
 	http.ListenAndServe(":8080", idpServer)
 }
diff --git a/identity_provider.go b/identity_provider.go
@@ -802,7 +802,11 @@ func (DefaultAssertionMaker) MakeAssertion(req *IdpAuthnRequest, session *Sessio
 
 	nameIDFormat := "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
 
-	if session.NameIDFormat != "" {
+	// Check if the SP has requested a specific NameID format in the AuthnRequest
+	if req.Request.NameIDPolicy != nil && req.Request.NameIDPolicy.Format != nil {
+		nameIDFormat = *req.Request.NameIDPolicy.Format
+	} else if session.NameIDFormat != "" {
+		// Fall back to session's format if available
 		nameIDFormat = session.NameIDFormat
 	}
 
