Re: custom NameID formats



Cal Heldenbrand <cal@xxxxxxxxxxx> said:
> I think I found part of the problem.  I'm trying to force in the *fn* CGI
> variable with the class name, and it kept making an AuthnRequest with
> urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
> 
> I did some quick grepping of the code, and the zxid_saml2_map_nid_fmt()
> function in zxidsso.c only checks the first character in a switch
> statement.  It just so happens, the class name starts with *urn:* which
> falls into the condition of 'unspfd'.

Got me. Yes that is sloppy.

> I patched that function up to use a full strcmp(), which unfortunately adds
> 70 nanoseconds of CPU time to the check.  :-P   Appears to work with my

Quite insignificant compared to RSA operations.

> custom NameID format now.  Would you like to review this below and maybe
> commit it to the next release?

Thanks for the patch.

Cheers,
--Sampo

> Thanks,
> 
> --Cal
> 
> --- zxidsso.c.orig      2011-02-08 17:10:39.000000000 -0600
> +++ zxidsso.c   2011-02-08 17:16:07.000000000 -0600
> @@ -61,18 +61,31 @@
>  /* Called by:  zxid_map_identity_token, zxid_mk_authn_req,
> zxid_nidmap_identity_token */
>  const char* zxid_saml2_map_nid_fmt(const char* f)
>  {
> -  switch (f[0]) {
> -  case 'n' /*'none'*/:   return "";
> -  case 'p' /*'prstnt'*/: return SAML2_PERSISTENT_NID_FMT;
> -  case 't' /*'trnsnt'*/: return SAML2_TRANSIENT_NID_FMT;
> -  case 'u' /*'unspfd'*/: return SAML2_UNSPECIFIED_NID_FMT;
> -  case 'e' /*'emladr'*/: return SAML2_EMAILADDR_NID_FMT;
> -  case 'x' /*'x509sn'*/: return SAML2_X509_NID_FMT;
> -  case 'w' /*'windmn'*/: return SAML2_WINDOMAINQN_NID_FMT;
> -  case 'k' /*'kerbrs'*/: return SAML2_KERBEROS_NID_FMT;
> -  case 's' /*'saml'*/:   return SAML2_ENTITY_NID_FMT;
> -  default:               return f;
> +  if ( f != NULL && f[0] != NULL )
> +  {
> +       if ( ! strcmp("none", f) )
> +               return "";
> +       if ( ! strcmp("prstnt", f) )
> +               return SAML2_PERSISTENT_NID_FMT;
> +       if ( ! strcmp("trnsnt", f) )
> +               return SAML2_TRANSIENT_NID_FMT;
> +       if ( ! strcmp("unspfd", f) )
> +               return SAML2_UNSPECIFIED_NID_FMT;
> +       if ( ! strcmp("emladr", f) )
> +               return SAML2_EMAILADDR_NID_FMT;
> +       if ( ! strcmp("x509sn", f) )
> +               return SAML2_X509_NID_FMT;
> +       if ( ! strcmp("windmn", f) )
> +               return SAML2_WINDOMAINQN_NID_FMT;
> +       if ( ! strcmp("kerbrs", f) )
> +               return SAML2_KERBEROS_NID_FMT;
> +       if ( ! strcmp("saml", f) )
> +               return SAML2_ENTITY_NID_FMT;
> +
> +       return f;
>    }
> +  // failsafe
> +  return "";
>  }
> 
>  /*() Map protocol binding form field to SAML specified URN string. */
> 
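Review bot: `f[0] != NULL` in the new guard compares a `char` to the null-pointer constant; it happens to work where `NULL` expands to `0`, but it is the wrong type (with `NULL` defined as `((void*)0)` it is a pointer/integer comparison that compilers warn about), so write `if ( f != NULL && f[0] != '\0' )` or simply `if (f && *f)`. Two smaller points: the `// failsafe` branch returns `""` (the same value the `"none"` token maps to) when `f` is NULL, where the old `switch (f[0])` would have dereferenced a null pointer, so the change is an improvement but deserves a comment saying a missing format is treated as none rather than just "failsafe"; and the hunk uses Allman braces with tab indentation (`if ( ! strcmp("none", f) )` followed by `return "";` on its own line) where the surrounding code uses `switch (f[0]) {` with two-space indentation, so it is worth matching the file's style before it is committed. The exact-match change itself does what the thread describes: a custom format beginning with `urn:` now reaches `return f;` instead of being misread as `unspfd`.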
> 
> On Tue, Feb 8, 2011 at 4:02 PM, Cal Heldenbrand <cal@xxxxxxxxxxx> wrote:
> 
> > Hi everyone (and Sampo),
> >
> > I'm working on integrating my zxid SP with an IdP that decided to use a
> > custom NameID format other than the usual persistent / transient URN names.
> >
> > Currently I'm seeing that the *fn* variable in the IdP configuration
> > screen is hard coded with only "prstnt" or "trnsnt".  Is there any way to
> > change this, or is the NameID format hard coded in the lower level API?
> >
> > Thanks,
> >
> > --Cal