Persistent ID should not be equal to userid !

According to the spec: Persistent name identifiers
generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username)

Author: Roland Hedberg

src/saml2/ident.py

@@ -163,8 +163,8 @@ def get_nameid(self, userid, nformat, sp_name_qualifier, name_qualifier):
 
             _id = "%s@%s" % (_id, self.domain)
 
-        if nformat == NAMEID_FORMAT_PERSISTENT:
-            _id = userid
+        # if nformat == NAMEID_FORMAT_PERSISTENT:
+        #     _id = userid
 
         nameid = NameID(format=nformat, sp_name_qualifier=sp_name_qualifier,
                         name_qualifier=name_qualifier, text=_id)

tests/test_33_identifier.py

@@ -84,6 +84,17 @@ def test_persistent_1(self):
 
         assert id == "foobar"
 
+    def test_persistent_2(self):
+        userid = 'foobar'
+        nameid1 = self.id.persistent_nameid(userid, sp_name_qualifier="sp1",
+                                            name_qualifier="name0")
+
+        nameid2 = self.id.persistent_nameid(userid, sp_name_qualifier="sp1",
+                                            name_qualifier="name0")
+
+        # persistent NameIDs should be _persistent_ :-)
+        assert nameid1 == nameid2
+
     def test_transient_1(self):
         policy = Policy({
             "default": {
@@ -124,8 +135,8 @@ def test_vo_1(self):
                                      'name_qualifier'])
         assert nameid.sp_name_qualifier == 'http://vo.example.org/biomed'
         assert nameid.format == NAMEID_FORMAT_PERSISTENT
-        # we want to keep the user identifier in the nameid node
-        assert nameid.text == "foobar"
+        # we want to *NOT* keep the user identifier in the nameid node
+        assert nameid.text != "foobar"
 
     def test_vo_2(self):
         policy = Policy({