FIx 159. Adjusted acs.jsp to extract NameQualifier and SPNameQualifier from SAMLResponse. Adjusted dologout to provide NameQualifier and SPNameQualifier to logout method. Add getNameIdNameQualifier to Auth and SamlResponse. Extend logout method from Auth and LogoutRequest constructor to support SPNameQualifier parameter

Author: pitbulk

README.md

@@ -445,8 +445,13 @@ if (!errors.isEmpty()) {
 } else {
     Map<String, List<String>> attributes = auth.getAttributes();
     String nameId = auth.getNameId();
+    String nameIdFormat = auth.getNameIdFormat();
+    String sessionIndex = auth.getSessionIndex();
+
     session.setAttribute("attributes", attributes);
     session.setAttribute("nameId", nameId);
+    session.setAttribute("nameIdFormat", nameIdFormat);
+    session.setAttribute("sessionIndex", sessionIndex);
 
     String relayState = request.getParameter("RelayState");
 
@@ -517,7 +522,20 @@ If we don't want that processSLO to destroy the session, pass the keepLocalSessi
 In order to send a Logout Request to the IdP:
 ```
 Auth auth = new Auth(request, response);
-auth.logout();
+
+String nameId = null;
+if (session.getAttribute("nameId") != null) {
+    nameId = session.getAttribute("nameId").toString();
+}
+String nameIdFormat = null;
+if (session.getAttribute("nameIdFormat") != null) {
+    nameIdFormat = session.getAttribute("nameIdFormat").toString();
+}
+String sessionIndex = null;
+if (session.getAttribute("sessionIndex") != null) {
+    sessionIndex = session.getAttribute("sessionIndex").toString();
+}
+auth.logout(null, nameId, sessionIndex, nameIdFormat);
 ```
 The Logout Request will be sent signed or unsigned based on the security settings 'onelogin.saml2.security.logoutrequest_signed'
 

core/src/main/java/com/onelogin/saml2/authn/SamlResponse.java

@@ -65,6 +65,11 @@ public class SamlResponse {
 	 */
 	private Document decryptedDocument;
 
+	/**
+	 * NameID Data
+	 */
+	private HashMap<String,String> nameIdData = null;
+
 	/**
 	 * URL of the current host + current view
 	 */
@@ -421,6 +426,9 @@ public boolean isValid() {
      *
      */
 	public HashMap<String,String> getNameIdData() throws Exception {
+		if (this.nameIdData != null) {
+			return this.nameIdData;
+		}
 		HashMap<String,String> nameIdData = new HashMap<String, String>();
 
 		NodeList encryptedIDNodes = this.queryAssertion("/saml:Subject/saml:EncryptedID");
@@ -477,6 +485,7 @@ public HashMap<String,String> getNameIdData() throws Exception {
 				throw new ValidationError("No name id found in Document.", ValidationError.NO_NAMEID);
 			}
 		}
+		this.nameIdData = nameIdData;
 		return nameIdData;
 	}
 
@@ -514,6 +523,40 @@ public String getNameIdFormat() throws Exception {
 		return nameidFormat;
 	}
 
+    /**
+     * Gets the NameID NameQualifier provided from the SAML Response String.
+     *
+     * @return string NameQualifier
+     *
+     * @throws Exception
+     */
+	public String getNameIdNameQualifier() throws Exception {
+		HashMap<String,String> nameIdData = getNameIdData();
+		String nameQualifier = null;
+		if (!nameIdData.isEmpty() && nameIdData.containsKey("NameQualifier")) {
+			LOGGER.debug("SAMLResponse has NameID NameQualifier --> " + nameIdData.get("NameQualifier"));
+			nameQualifier = nameIdData.get("NameQualifier");
+		}
+		return nameQualifier;
+	}
+
+    /**
+     * Gets the NameID SP NameQualifier provided from the SAML Response String.
+     *
+     * @return string SP NameQualifier
+     *
+     * @throws Exception
+     */
+	public String getNameIdSPNameQualifier() throws Exception {
+		HashMap<String,String> nameIdData = getNameIdData();
+		String spNameQualifier = null;
+		if (!nameIdData.isEmpty() && nameIdData.containsKey("SPNameQualifier")) {
+			LOGGER.debug("SAMLResponse has NameID NameQualifier --> " + nameIdData.get("SPNameQualifier"));
+			spNameQualifier = nameIdData.get("SPNameQualifier");
+		}
+		return spNameQualifier;
+	}
+
 	/**
      * Gets the Attributes from the AttributeStatement element.
      *

core/src/main/java/com/onelogin/saml2/logout/LogoutRequest.java

@@ -70,6 +70,16 @@ public class LogoutRequest {
      */
 	private String nameIdFormat;
 
+	/**
+     * nameId NameQualifier
+     */
+	private String nameIdNameQualifier;
+
+	/**
+     * nameId SP NameQualifier
+     */
+	private String nameIdSPNameQualifier;
+	
 	/**
      * SessionIndex. When the user is logged, this stored it from the AuthnStatement of the SAML Response
      */
@@ -103,27 +113,33 @@ public class LogoutRequest {
 	 *              The SessionIndex (taken from the SAML Response in the SSO process).
 	 * @param nameIdFormat
 	 *              The nameIdFormat that will be set in the LogoutRequest.
-	 * @throws XMLEntityException 
+	 * @param nameIdNameQualifier
+	 *				The NameID NameQualifier that will be set in the LogoutRequest.
+	 * @param nameIdSPNameQualifier
+	 *				The SP Name Qualifier that will be set in the LogoutRequest.
 	 *
+	 * @throws XMLEntityException
 	 */
-	public LogoutRequest(Saml2Settings settings, HttpRequest request, String nameId, String sessionIndex, String nameIdFormat) throws XMLEntityException {
+	public LogoutRequest(Saml2Settings settings, HttpRequest request, String nameId, String sessionIndex, String nameIdFormat, String nameIdNameQualifier, String nameIdSPNameQualifier) throws XMLEntityException {
 		this.settings = settings;
 		this.request = request;
-
+	
 		String samlLogoutRequest = null;
-
+	
 		if (request != null) {
 			samlLogoutRequest = request.getParameter("SAMLRequest");
 			currentUrl = request.getRequestURL();
 		}
-
+	
 		if (samlLogoutRequest == null) {
 			id = Util.generateUniqueID();
 			issueInstant = Calendar.getInstance();
 			this.nameId = nameId;
 			this.nameIdFormat = nameIdFormat;
+			this.nameIdNameQualifier = nameIdNameQualifier;
+			this.nameIdSPNameQualifier = nameIdSPNameQualifier;
 			this.sessionIndex = sessionIndex;
-
+	
 			StrSubstitutor substitutor = generateSubstitutor(settings);
 			logoutRequestString = substitutor.replace(getLogoutRequestTemplate());
 		} else {
@@ -132,6 +148,48 @@ public LogoutRequest(Saml2Settings settings, HttpRequest request, String nameId,
 		}
 	}
 
+	/**
+	 * Constructs the LogoutRequest object.
+	 *
+	 * @param settings
+	 *              OneLogin_Saml2_Settings
+	 * @param request
+     *              the HttpRequest object to be processed (Contains GET and POST parameters, request URL, ...).
+	 * @param nameId
+	 *              The NameID that will be set in the LogoutRequest.
+	 * @param sessionIndex
+	 *              The SessionIndex (taken from the SAML Response in the SSO process).
+	 * @param nameIdFormat
+	 *              The nameIdFormat that will be set in the LogoutRequest.
+	 * @param nameIdNameQualifier
+	 *				The NameID NameQualifier will be set in the LogoutRequest.
+	 *
+	 * @throws XMLEntityException
+	 */
+	public LogoutRequest(Saml2Settings settings, HttpRequest request, String nameId, String sessionIndex, String nameIdFormat, String nameIdNameQualifier) throws XMLEntityException {
+		this(settings, request, nameId, sessionIndex, nameIdFormat, nameIdNameQualifier, null);
+	}
+
+	/**
+	 * Constructs the LogoutRequest object.
+	 *
+	 * @param settings
+	 *              OneLogin_Saml2_Settings
+	 * @param request
+     *              the HttpRequest object to be processed (Contains GET and POST parameters, request URL, ...).
+	 * @param nameId
+	 *              The NameID that will be set in the LogoutRequest.
+	 * @param sessionIndex
+	 *              The SessionIndex (taken from the SAML Response in the SSO process).
+	 * @param nameIdFormat
+	 *              The nameIdFormat that will be set in the LogoutRequest.
+	 *
+	 * @throws XMLEntityException
+	 */
+	public LogoutRequest(Saml2Settings settings, HttpRequest request, String nameId, String sessionIndex, String nameIdFormat) throws XMLEntityException {
+		this(settings, request, nameId, sessionIndex, nameIdFormat, null);
+	}
+
 	/**
 	 * Constructs the LogoutRequest object.
 	 *
@@ -239,7 +297,8 @@ private StrSubstitutor generateSubstitutor(Saml2Settings settings) {
 		valueMap.put("issuer", settings.getSpEntityId());
 
 		String nameIdFormat = null;
-		String spNameQualifier = null;
+		String spNameQualifier = this.nameIdSPNameQualifier;
+		String nameQualifier = this.nameIdNameQualifier;
 		if (nameId != null) {
 			if (this.nameIdFormat == null && !settings.getSpNameIDFormat().equals(Constants.NAMEID_UNSPECIFIED)) {
 				nameIdFormat = settings.getSpNameIDFormat();
@@ -248,16 +307,27 @@ private StrSubstitutor generateSubstitutor(Saml2Settings settings) {
 			}
 		} else {
 			nameId = settings.getIdpEntityId();
-			nameIdFormat = Constants.NAMEID_ENTITY;
-			spNameQualifier = settings.getSpEntityId();
+			nameIdFormat = Constants.NAMEID_ENTITY;			
 		}
 
+		// From saml-core-2.0-os 8.3.6, when the entity Format is used: "The NameQualifier, SPNameQualifier, and
+        // SPProvidedID attributes MUST be omitted.		
+		if (nameIdFormat != null && nameIdFormat.equals(Constants.NAMEID_ENTITY)) {
+			nameQualifier = null;
+			spNameQualifier = null;
+		}
+
+		// NameID Format UNSPECIFIED omitted
+		if (nameIdFormat != null && nameIdFormat.equals(Constants.NAMEID_UNSPECIFIED)) {
+			nameIdFormat = null;
+		}
+		
 		X509Certificate cert = null;
 		if (settings.getNameIdEncrypted()) {
 			cert = settings.getIdpx509cert();
 		}
 
-		String nameIdStr = Util.generateNameId(nameId, spNameQualifier, nameIdFormat, cert);
+		String nameIdStr = Util.generateNameId(nameId, spNameQualifier, nameIdFormat, nameQualifier, cert);
 		valueMap.put("nameIdStr", nameIdStr);
 
 		String sessionIndexStr = "";

core/src/main/java/com/onelogin/saml2/util/Util.java

@@ -948,7 +948,7 @@ public static Boolean validateMetadataSign(Document doc, X509Certificate cert, S
 		}
 		return false;
     }
-    
+
 	/**
 	 * Validate signature of the Node.
 	 *
@@ -1405,24 +1405,32 @@ public static SamlResponseStatus getStatus(String statusXpath, Document dom) thr
 	 * 				 SP Name Qualifier
 	 * @param format
 	 * 				 SP Format
+	 * @param nq
+	 * 				 Name Qualifier
 	 * @param cert
 	 * 				 IdP Public certificate to encrypt the nameID
 	 *
 	 * @return Xml contained in the document.
 	 */
-	public static String generateNameId(String value, String spnq, String format, X509Certificate cert) {
+	public static String generateNameId(String value, String spnq, String format, String nq, X509Certificate cert) {
 		String res = null;
 		try {
 		  	DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
 		  	dbf.setNamespaceAware(true);
 			Document doc = dbf.newDocumentBuilder().newDocument();
 			Element nameId = doc.createElement("saml:NameID");
+
 			if (spnq != null && !spnq.isEmpty()) {
 				nameId.setAttribute("SPNameQualifier", spnq);
 			}
 			if (format != null && !format.isEmpty()) {
 				nameId.setAttribute("Format", format);
 			}
+			if ((nq != null) && !nq.isEmpty())
+			{
+				nameId.setAttribute("NameQualifier", nq);
+			}
+
 			nameId.appendChild(doc.createTextNode(value));
 			doc.appendChild(nameId);
 
@@ -1461,6 +1469,24 @@ public static String generateNameId(String value, String spnq, String format, X5
 		return res;
 	}
 
+	/**
+	 * Generates a nameID.
+	 *
+	 * @param value
+	 * 				 The value
+	 * @param spnq
+	 * 				 SP Name Qualifier
+	 * @param format
+	 * 				 SP Format
+	 * @param cert
+	 * 				 IdP Public certificate to encrypt the nameID
+	 *
+	 * @return Xml contained in the document.
+	 */
+	public static String generateNameId(String value, String spnq, String format, X509Certificate cert) {		
+		return generateNameId(value, spnq, format, null, cert);
+	}
+	
 	/**
 	 * Generates a nameID.
 	 *

core/src/test/java/com/onelogin/saml2/test/authn/AuthnResponseTest.java

@@ -252,7 +252,45 @@ public void testGetNameIdFormat() throws Exception {
 		samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
 		assertNull(samlResponse.getNameIdFormat());
 	}
-	
+
+	/**
+	 * Tests the getNameIdNameQualifier method of SamlResponse
+	 *
+	 * @throws Exception
+	 *
+	 * @see com.onelogin.saml2.authn.SamlResponse#getNameIdNameQualifier
+	 */
+	@Test
+	public void testGetNameIdNameQualifier() throws Exception {
+		Saml2Settings settings = new SettingsBuilder().fromFile("config/config.my.properties").build();
+		String samlResponseEncoded = Util.getFileAsString("data/responses/response1.xml.base64");
+		SamlResponse samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
+		assertNull(samlResponse.getNameIdNameQualifier());
+		
+		samlResponseEncoded = Util.getFileAsString("data/responses/valid_response_with_namequalifier.xml.base64");
+		samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
+		assertEquals("example.com", samlResponse.getNameIdNameQualifier());
+	}
+
+	/**
+	 * Tests the getNameIdSPNameQualifier method of SamlResponse
+	 *
+	 * @throws Exception
+	 *
+	 * @see com.onelogin.saml2.authn.SamlResponse#getNameIdSPNameQualifier
+	 */
+	@Test
+	public void testGetNameIdSPNameQualifier() throws Exception {
+		Saml2Settings settings = new SettingsBuilder().fromFile("config/config.my.properties").build();
+		String samlResponseEncoded = Util.getFileAsString("data/responses/response1.xml.base64");
+		SamlResponse samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
+		assertNull(samlResponse.getNameIdSPNameQualifier());
+		
+		samlResponseEncoded = Util.getFileAsString("data/responses/valid_response_with_namequalifier.xml.base64");
+		samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
+		assertEquals(settings.getSpEntityId(), samlResponse.getNameIdSPNameQualifier());
+	}
+
 	/**
 	 * Tests the getNameId method of SamlResponse
 	 * Case: No NameId