Merge pull request #200 from skoranda/no_empty_saml_nameid

Do not set NameID if there is no TextContent

Author: c00kiemon5ter

src/satosa/frontends/saml2.py

@@ -311,7 +311,13 @@ def _handle_authn_response(self, context, internal_response, idp):
         nameid_format = subject_type_to_saml_nameid_format(
             internal_response.subject_type
         )
-        name_id = NameID(
+
+        # If the backend did not receive a SAML <NameID> and so
+        # name_id is set to None then do not create a NameID instance.
+        # Instead pass None as the name name_id to the IdP server
+        # instance and it will use its configured policy to construct
+        # a <NameID>, with the default to create a transient <NameID>.
+        name_id = None if not nameid_value else NameID(
             text=nameid_value,
             format=nameid_format,
             sp_name_qualifier=None,

tests/satosa/frontends/test_saml2.py

@@ -190,11 +190,34 @@ def test_handle_authn_response_without_relay_state(self, context, idp_conf, sp_c
         fakesp = FakeSP(SPConfig().load(sp_conf, metadata_construction=False))
         resp = fakesp.parse_authn_request_response(resp_dict["SAMLResponse"][0],
                                                    BINDING_HTTP_REDIRECT)
+
         for key in resp.ava:
             assert USERS["testuser1"][key] == resp.ava[key]
 
         assert samlfrontend.name not in context.state
 
+    def test_handle_authn_response_without_name_id(
+                          self, context, idp_conf, sp_conf, internal_response):
+        samlfrontend = self.setup_for_authn_req(
+                                  context, idp_conf, sp_conf, relay_state=None)
+        _, internal_req = samlfrontend.handle_authn_request(
+                                                context, BINDING_HTTP_REDIRECT)
+
+        # Make sure we are testing the equivalent of a <Response> with no
+        # <NameID> in the <Subject>.
+        assert internal_response.subject_type is None
+        assert internal_response.subject_id is None
+
+        resp = samlfrontend.handle_authn_response(context, internal_response)
+        resp_dict = parse_qs(urlparse(resp.message).query)
+
+        fakesp = FakeSP(SPConfig().load(sp_conf, metadata_construction=False))
+        resp = fakesp.parse_authn_request_response(
+                           resp_dict["SAMLResponse"][0], BINDING_HTTP_REDIRECT)
+
+        # The <NameID> must not have an empty TextContent.
+        assert resp.name_id.text is not None
+
     def test_get_filter_attributes_with_sp_requested_attributes_without_friendlyname(self, idp_conf):
         sp_metadata_str = """<?xml version="1.0"?>
         <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://sp.example.com">