Bug: Add configuration to allow nameId to not be validated

silverstripe · Oct 9, 2022 · de6c24e · de6c24e
1 parent 010496a
commit de6c24e
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/_config/saml.yml b/_config/saml.yml
@@ -20,6 +20,9 @@ SilverStripe\SAML\Services\SAMLConfiguration:
   strict: true
   debug: false
   expect_binary_nameid: true
+  # If expect_binary_nameid is set to false, then you might also need to clarify whether or not you expect the nameid
+  # to be a valid GUID
+  validate_nameid_as_guid: true
   allow_insecure_email_linking: false
   Security:
     # Algorithm that the toolkit will use on signing process. Options:

diff --git a/src/Control/SAMLController.php b/src/Control/SAMLController.php
@@ -137,11 +137,15 @@ public function acs()
 
             // transform the NameId to guid
             $guid = $helper->binToStrGuid($decodedNameId);
+            $validateGuid = true;
         } else {
             $guid = $auth->getNameId();
+            // If you do not expect your NameId to be formatted as a valid GUID, then you can update this config to
+            // false
+            $validateGuid = Config::inst()->get(SAMLConfiguration::class, 'validate_nameid_as_guid');
         }
 
-        if (!$helper->validGuid($guid)) {
+        if ($validateGuid && !$helper->validGuid($guid)) {
             $errorMessage = "Not a valid GUID '{$guid}' received from server.";
             $this->getLogger()->error($errorMessage);
             $this->getForm()->sessionMessage($errorMessage, ValidationResult::TYPE_ERROR);