
Re: custom NameID formats



I think I found part of the problem.  I'm trying to force in the *fn* CGI
variable with the class name, and it kept making an AuthnRequest with
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.

I did some quick grepping of the code, and the zxid_saml2_map_nid_fmt()
function in zxidsso.c only checks the first character in a switch
statement.  It just so happens that the class name starts with *urn:*, which
falls into the condition of 'unspfd'.

I patched that function up to use a full strcmp(), which unfortunately adds
70 nanoseconds of CPU time to the check.  :-P   Appears to work with my
custom NameID format now.  Would you like to review this below and maybe
commit it to the next release?

Thanks,

--Cal

--- zxidsso.c.orig      2011-02-08 17:10:39.000000000 -0600
+++ zxidsso.c   2011-02-08 17:16:07.000000000 -0600
@@ -61,18 +61,31 @@
 /* Called by:  zxid_map_identity_token, zxid_mk_authn_req,
zxid_nidmap_identity_token */
 const char* zxid_saml2_map_nid_fmt(const char* f)
 {
-  switch (f[0]) {
-  case 'n' /*'none'*/:   return "";
-  case 'p' /*'prstnt'*/: return SAML2_PERSISTENT_NID_FMT;
-  case 't' /*'trnsnt'*/: return SAML2_TRANSIENT_NID_FMT;
-  case 'u' /*'unspfd'*/: return SAML2_UNSPECIFIED_NID_FMT;
-  case 'e' /*'emladr'*/: return SAML2_EMAILADDR_NID_FMT;
-  case 'x' /*'x509sn'*/: return SAML2_X509_NID_FMT;
-  case 'w' /*'windmn'*/: return SAML2_WINDOMAINQN_NID_FMT;
-  case 'k' /*'kerbrs'*/: return SAML2_KERBEROS_NID_FMT;
-  case 's' /*'saml'*/:   return SAML2_ENTITY_NID_FMT;
-  default:               return f;
+  if ( f != NULL && f[0] != NULL )
+  {
+       if ( ! strcmp("none", f) )
+               return "";
+       if ( ! strcmp("prstnt", f) )
+               return SAML2_PERSISTENT_NID_FMT;
+       if ( ! strcmp("trnsnt", f) )
+               return SAML2_TRANSIENT_NID_FMT;
+       if ( ! strcmp("unspfd", f) )
+               return SAML2_UNSPECIFIED_NID_FMT;
+       if ( ! strcmp("emladr", f) )
+               return SAML2_EMAILADDR_NID_FMT;
+       if ( ! strcmp("x509sn", f) )
+               return SAML2_X509_NID_FMT;
+       if ( ! strcmp("windmn", f) )
+               return SAML2_WINDOMAINQN_NID_FMT;
+       if ( ! strcmp("kerbrs", f) )
+               return SAML2_KERBEROS_NID_FMT;
+       if ( ! strcmp("saml", f) )
+               return SAML2_ENTITY_NID_FMT;
+
+       return f;
   }
+  // failsafe
+  return "";
 }

 /*() Map protocol binding form field to SAML specified URN string. */
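Review bot: the guard `if ( f != NULL && f[0] != NULL )` at the top of the added block compares a `char` with the null-pointer constant; the second test should be `f[0] != '\0'` (GCC accepts it with a pointer/integer comparison warning, but it is not portable C and obscures intent). Two smaller points in the same hunk: `// failsafe` is a C++-style comment in a file that otherwise uses `/* */`, and the added lines are indented with 8-column tabs while the surrounding function uses 2-space indentation, so the block will stand out in the file. The `strcmp()` chain itself preserves the original `default: return f;` pass-through for unrecognised values, which is what lets a full custom URN reach the AuthnRequest unchanged; it would be worth confirming `<string.h>` is already pulled in by zxidsso.c so the new calls do not rely on an implicit declaration.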


On Tue, Feb 8, 2011 at 4:02 PM, Cal Heldenbrand <cal@xxxxxxxxxxx> wrote:

> Hi everyone (and Sampo),
>
> I'm working on integrating my zxid SP with an IdP that decided to use a
> custom NameID format other than the usual persistent / transient URN names.
>
> Currently I'm seeing that the *fn* variable in the IdP configuration
> screen is hard coded with only "prstnt" or "trnsnt".  Is there any way to
> change this, or is the NameID format hard coded in the lower level API?
>
> Thanks,
>
> --Cal
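The misclassification Cal describes, shown side by side with an exact-match replacement. This is an added illustration written for this thread, not ZXID's own code: `map_nid_fmt_prefix()` reproduces the first-character dispatch of the original `zxid_saml2_map_nid_fmt()`, `map_nid_fmt_exact()` is a table-driven alternative to the `strcmp()` chain, the `SAML2_*_NID_FMT` macros are defined locally with the standard SAML 2.0 URNs because the ZXID headers are not included, and the custom URN is a constructed sample value.

```c
#include <stdio.h>
#include <string.h>

/* Standard SAML 2.0 NameID format URNs, defined locally for this example
   (ZXID keeps these in its own headers). */
#define SAML2_PERSISTENT_NID_FMT  "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
#define SAML2_TRANSIENT_NID_FMT   "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
#define SAML2_UNSPECIFIED_NID_FMT "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
#define SAML2_EMAILADDR_NID_FMT   "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

/* Original behaviour: dispatch on the first character only.  Any value that
   merely starts with 'u', such as a full "urn:..." custom format, is treated
   as the short token 'unspfd' and silently rewritten to the unspecified URN. */
const char* map_nid_fmt_prefix(const char* f)
{
  if (!f) return "";
  switch (f[0]) {
  case 'n': return "";                          /* 'none'   */
  case 'p': return SAML2_PERSISTENT_NID_FMT;    /* 'prstnt' */
  case 't': return SAML2_TRANSIENT_NID_FMT;     /* 'trnsnt' */
  case 'u': return SAML2_UNSPECIFIED_NID_FMT;   /* 'unspfd' */
  case 'e': return SAML2_EMAILADDR_NID_FMT;     /* 'emladr' */
  default:  return f;
  }
}

/* Table-driven replacement: the short token must match exactly, and anything
   unrecognised (e.g. a complete custom URN) is passed through verbatim. */
static const struct { const char* token; const char* urn; } nid_table[] = {
  { "none",   "" },
  { "prstnt", SAML2_PERSISTENT_NID_FMT },
  { "trnsnt", SAML2_TRANSIENT_NID_FMT },
  { "unspfd", SAML2_UNSPECIFIED_NID_FMT },
  { "emladr", SAML2_EMAILADDR_NID_FMT },
};

const char* map_nid_fmt_exact(const char* f)
{
  size_t i;
  if (!f || f[0] == '\0') return "";   /* compare the char with '\0', not NULL */
  for (i = 0; i < sizeof nid_table / sizeof nid_table[0]; ++i)
    if (strcmp(nid_table[i].token, f) == 0)
      return nid_table[i].urn;
  return f;
}

int main(void)
{
  const char* custom = "urn:example:nameid-format:customer-id";  /* constructed sample */
  printf("prefix match: %s\n", map_nid_fmt_prefix(custom));
  printf("exact match:  %s\n", map_nid_fmt_exact(custom));
  return 0;
}
```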