* nate <nram...@gmail.com> [2018-06-08 00:30]:
> $as = new \SimpleSAML\Auth\Simple('default-sp');
> $as->requireAuth();
> $nameid = $as->getAuthData('saml:sp:NameID');
That's correct. You simply fail to take into account that a NameID is
a complex data structure (an XML element with XML attributes and
string content on-the-wire; SimpleSAMLphp exposes this as nested PHP
arrays), not a plain string. Therefore your comparison must always fail:
This should be obvious from the dumped value:
[...]
The constituent parts of the NameID are exposed via the API, e.g.:
print "NameID Format: " . $nameid->Format . "\n";
print "NameID NameQualifier: " . $nameid->NameQualifier . "\n";
print "NameID value: " . $nameid->value . "\n";
So the last one ($nameid->value) is what you'd need to compare
against.
BUT you must also take the Format into account, and depending on the
format also some of the qualifiers (NameQualifier as the asserting
party's entityID, and sometimes even SPNameQualifier as the relying
party's entityID, i.e., your own), e.g. the value of a 'persistent'
NameID is *only* unique if you qualify it with $nameid->NameQualifier
at least.
Also note that the example NameID you post is incorrect, as its format
is "transient" but its value is not a transient value, but an email
address. So the IDP sending this is misconfigured.
Transient NameIDs serve no purpose other than possibly coordinating
logout with the IDP; no one should care about their values, as
transient NameIDs do not suitably identify a subject to an
application.
So correct code needs to check $nameid->Format and would only
assume its value to be an email address if the Format says so.
The standard NameID formats are part of SAML Core
(https://wiki.oasis-open.org/security), e.g. the current "merged" version:
http://www.oasis-open.org/committees/download.php/56776/sstc-saml-core-errata-2.0-wd-07.pdf
Section 8.3 has the "Name Identifier Format Identifiers", so email
(8.3.2) is "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress".
So:
* the IDP needs to be fixed to set the correct format
* your code needs to be expanded to check the format
* your code needs to be expanded to only compare the value of a
NameID of the correct/expected format.
If your SP also federates with other IDPs you'll have to have code for
all kinds of NameID formats, of course.
-peter
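Putting the checks from Peter's reply into code, as an added example that is not part of the thread and not SimpleSAMLphp's own API: it assumes, as in the print statements above, that the NameID object exposes Format, NameQualifier, SPNameQualifier and value as properties; the entityIDs, the stored account record and the four sample NameIDs (including one mirroring the misconfigured "transient with an e-mail value" case) are constructed for the example, and the defaults used when a qualifier is omitted are this example's choice, not a claim about what SimpleSAMLphp does.

```php
<?php
declare(strict_types=1);

// Name Identifier Format Identifiers from SAML Core 2.0, section 8.3.
const NAMEID_FORMAT_EMAIL      = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress';
const NAMEID_FORMAT_PERSISTENT = 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent';
const NAMEID_FORMAT_TRANSIENT  = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient';

/**
 * Reduce a NameID to the tuple an application may safely store and compare,
 * or return null when the NameID does not identify a subject for us.
 *
 * Assumptions of this example: $nameid exposes Format, NameQualifier,
 * SPNameQualifier and value as properties (as in the thread above);
 * $idpEntityId is the entityID of the IdP that issued the assertion, taken
 * from the SP's own metadata rather than from the NameID; $spEntityId is ours.
 */
function nameIdKey(object $nameid, string $idpEntityId, string $spEntityId): ?array
{
    $format = $nameid->Format ?? null;
    $value  = (string) ($nameid->value ?? '');
    if ($value === '') {
        return null;
    }

    switch ($format) {
        case NAMEID_FORMAT_EMAIL:
            // Only a NameID of this format may be treated as an e-mail address.
            if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
                return null;
            }
            return ['format' => 'email', 'value' => $value];

        case NAMEID_FORMAT_PERSISTENT:
            // A persistent value is unique only together with the asserting
            // party, so require the qualifiers to name the IdP we trust for
            // this assertion and ourselves (the defaults for omitted qualifiers
            // are this example's choice). The same value from another IdP is
            // therefore never accepted.
            $nq   = $nameid->NameQualifier   ?? $idpEntityId;
            $spnq = $nameid->SPNameQualifier ?? $spEntityId;
            if ($nq !== $idpEntityId || $spnq !== $spEntityId) {
                return null;
            }
            return ['format' => 'persistent', 'issuer' => $nq, 'audience' => $spnq, 'value' => $value];

        case NAMEID_FORMAT_TRANSIENT:
            // Transient NameIDs only serve logout coordination; they never
            // identify a subject, whatever their value happens to look like.
            return null;

        default:
            // Unknown or unexpected format: do not guess what the value means.
            return null;
    }
}

// Constructed samples (not from the thread's dump); example entityIDs.
$idp = 'https://idp.example.org/saml2/idp';
$sp  = 'https://sp.example.net/saml2/sp';

$samples = [
    'email format'            => (object) ['Format' => NAMEID_FORMAT_EMAIL,      'NameQualifier' => $idp, 'SPNameQualifier' => null, 'value' => 'alice@example.org'],
    'transient with e-mail'   => (object) ['Format' => NAMEID_FORMAT_TRANSIENT,  'NameQualifier' => $idp, 'SPNameQualifier' => $sp,  'value' => 'alice@example.org'],
    'persistent'              => (object) ['Format' => NAMEID_FORMAT_PERSISTENT, 'NameQualifier' => $idp, 'SPNameQualifier' => $sp,  'value' => 'f3a9c2e1d0b4'],
    'persistent, foreign IdP' => (object) ['Format' => NAMEID_FORMAT_PERSISTENT, 'NameQualifier' => 'https://other-idp.example.com/idp', 'SPNameQualifier' => $sp, 'value' => 'f3a9c2e1d0b4'],
];

// What the application stored for the account at provisioning time.
$stored = ['format' => 'email', 'value' => 'alice@example.org'];

foreach ($samples as $label => $nameid) {
    $key = nameIdKey($nameid, $idp, $sp);
    printf("%-24s => %s\n", $label, $key === null ? 'not an identity' : json_encode($key));
    // Compare the derived key, never $nameid or $nameid->value on its own.
    if ($key === $stored) {
        printf("%-24s    matches stored account\n", '');
    }
}
```

Run with `php` on the command line: only the first sample produces a key that matches the stored account, the transient sample carrying an e-mail address is rejected regardless of its value, and the persistent sample is accepted only when its NameQualifier is the IdP the SP expected for that assertion.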