Fix Issue with LogoutRequest rejected by ADFS due NameID with unspecified format instead no format attribute

Author: pitbulk

core/src/main/java/com/onelogin/saml2/logout/LogoutRequest.java

@@ -241,7 +241,7 @@ private StrSubstitutor generateSubstitutor(Saml2Settings settings) {
 		String nameIdFormat = null;
 		String spNameQualifier = null;
 		if (nameId != null) {
-			if (this.nameIdFormat == null) {
+			if (this.nameIdFormat == null && !settings.getSpNameIDFormat().equals(Constants.NAMEID_UNSPECIFIED)) {
 				nameIdFormat = settings.getSpNameIDFormat();
 			} else {
 				nameIdFormat = this.nameIdFormat;

core/src/main/java/com/onelogin/saml2/util/Util.java

@@ -1191,7 +1191,7 @@ public static String generateNameId(String value, String spnq, String format, X5
 				nameId.setAttribute("SPNameQualifier", spnq);
 			}
 			if (format != null && !format.isEmpty()) {
-			nameId.setAttribute("Format", format);
+				nameId.setAttribute("Format", format);
 			}
 			nameId.appendChild(doc.createTextNode(value));
 			doc.appendChild(nameId);
@@ -1246,6 +1246,18 @@ public static String generateNameId(String value, String spnq, String format, X5
 	public static String generateNameId(String value, String spnq, String format) {
 		return generateNameId(value, spnq, format, null);
 	}
+
+	/**
+	 * Generates a nameID.
+	 *
+	 * @param value
+	 * 				 The value
+	 *
+	 * @return Xml contained in the document.
+	 */
+	public static String generateNameId(String value) {
+		return generateNameId(value, null, null, null);
+	}
 
 	/**
 	 * Method to generate a symmetric key for encryption

core/src/test/java/com/onelogin/saml2/test/logout/LogoutRequestTest.java

@@ -228,7 +228,6 @@ public void testGetNameIdData() throws Exception {
 		String logoutRequestStr = Util.base64decodedInflated(logoutRequestStringBase64);
 		assertThat(logoutRequestStr, containsString("<samlp:LogoutRequest"));
 		String nameIdDataStr = LogoutRequest.getNameIdData(logoutRequestStr, null).toString();
-		assertThat(nameIdDataStr, containsString("Format=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"));
 		assertThat(nameIdDataStr, containsString("Value=ONELOGIN_1e442c129e1f822c8096086a1103c5ee2c7cae1c"));
 		assertThat(nameIdDataStr, not(containsString("SPNameQualifier")));
 
@@ -249,7 +248,6 @@ public void testGetNameIdData() throws Exception {
 		logoutRequestStr = Util.base64decodedInflated(logoutRequestStringBase64);
 		PrivateKey key = settings.getSPkey();
 		nameIdDataStr = LogoutRequest.getNameIdData(logoutRequestStr, key).toString();
-		assertThat(nameIdDataStr, containsString("Format=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"));
 		assertThat(nameIdDataStr, containsString("Value=ONELOGIN_1e442c129e1f822c8096086a1103c5ee2c7cae1c"));
 		assertThat(nameIdDataStr, not(containsString("SPNameQualifier")));	
 
@@ -268,6 +266,16 @@ public void testGetNameIdData() throws Exception {
 		assertThat(nameIdDataStr, containsString("Format=urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"));
 		assertThat(nameIdDataStr, containsString("Value=ONELOGIN_9c86c4542ab9d6fce07f2f7fd335287b9b3cdf69"));
 		assertThat(nameIdDataStr, containsString("SPNameQualifier=https://pitbulk.no-ip.org/newonelogin/demo1/metadata.php"));
+	
+		settings = new SettingsBuilder().fromFile("config/config.emailaddressformat.properties").build();
+		logoutRequest = new LogoutRequest(settings, null, "ONELOGIN_1e442c129e1f822c8096086a1103c5ee2c7cae1c", null); 
+		logoutRequestStringBase64 = logoutRequest.getEncodedLogoutRequest();
+		logoutRequestStr = Util.base64decodedInflated(logoutRequestStringBase64);
+		assertThat(logoutRequestStr, containsString("<samlp:LogoutRequest"));
+		nameIdDataStr = LogoutRequest.getNameIdData(logoutRequestStr, null).toString();
+		assertThat(nameIdDataStr, containsString("Value=ONELOGIN_1e442c129e1f822c8096086a1103c5ee2c7cae1c"));
+		assertThat(nameIdDataStr, containsString("Format=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"));
+		assertThat(nameIdDataStr, not(containsString("SPNameQualifier")));		
 	}
 
 	/**

core/src/test/java/com/onelogin/saml2/test/util/UtilsTest.java

@@ -1717,7 +1717,25 @@ public void testGenerateNameId() throws URISyntaxException, IOException, Certifi
 		assertThat(nameIdEnc, containsString("http://www.w3.org/2001/04/xmlenc#aes128-cbc"));
 		assertThat(nameIdEnc, containsString("http://www.w3.org/2001/04/xmlenc#rsa-1_5"));
 	}
-	
+
+	/**
+	 * Tests the generateNameId method
+	 *
+	 * @throws IOException 
+	 * @throws URISyntaxException 
+	 * @throws CertificateException 
+	 *
+	 * @see com.onelogin.saml2.util.Util#generateNameId
+	 */
+	@Test
+	public void testGenerateNameIdWithoutFormat() throws URISyntaxException, IOException, CertificateException {
+        String nameIdValue = "ONELOGIN_ce998811003f4e60f8b07a311dc641621379cfde";
+        String nameId = Util.generateNameId(nameIdValue);
+
+        String expectedNameId = "<saml:NameID>ONELOGIN_ce998811003f4e60f8b07a311dc641621379cfde</saml:NameID>";
+        assertEquals(expectedNameId, nameId);        
+	}
+
 	/**
 	 * Tests the generateUniqueID method
 	 * 

core/src/test/resources/config/config.emailaddressformat.properties

@@ -0,0 +1,30 @@
+#  Service Provider Data that we are deploying
+#  Identifier of the SP entity  (must be a URI)
+onelogin.saml2.sp.entityid = http://localhost:8080/java-saml-jspsample/metadata.jsp
+# Specifies info about where and how the <AuthnResponse> message MUST be
+#  returned to the requester, in this case our SP.
+# URL Location where the <Response> from the IdP will be returned
+onelogin.saml2.sp.assertion_consumer_service.url = http://localhost:8080/java-saml-jspsample/acs.jsp
+
+# Specifies info about Logout service
+# URL Location where the <LogoutResponse> from the IdP will be returned or where to send the <LogoutRequest>
+onelogin.saml2.sp.single_logout_service.url = http://localhost:8080/java-saml-jspsample/sls.jsp
+
+# Specifies constraints on the name identifier to be used to
+# represent the requested subject.
+onelogin.saml2.sp.nameidformat = urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+
+# Identity Provider Data that we want connect with our SP
+# Identifier of the IdP entity  (must be a URI)
+onelogin.saml2.idp.entityid = http://idp.example.com/
+
+# SSO endpoint info of the IdP. (Authentication Request protocol)
+# URL Target of the IdP where the SP will send the Authentication Request Message
+onelogin.saml2.idp.single_sign_on_service.url = http://idp.example.com/simplesaml/saml2/idp/SSOService.php
+
+# SLO endpoint info of the IdP.
+# URL Location of the IdP where the SP will send the SLO Request
+onelogin.saml2.idp.single_logout_service.url = http://idp.example.com/simplesaml/saml2/idp/SingleLogoutService.php
+
+# Public x509 certificate of the IdP
+onelogin.saml2.idp.x509cert = -----BEGIN CERTIFICATE-----\nMIIBrTCCAaGgAwIBAgIBATADBgEAMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRUwEwYDVQQHDAxTYW50YSBNb25pY2ExETAPBgNVBAoMCE9uZUxvZ2luMRkwFwYDVQQDDBBhcHAub25lbG9naW4uY29tMB4XDTEwMTAxMTIxMTUxMloXDTE1MTAxMTIxMTUxMlowZzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFTATBgNVBAcMDFNhbnRhIE1vbmljYTERMA8GA1UECgwIT25lTG9naW4xGTAXBgNVBAMMEGFwcC5vbmVsb2dpbi5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMPmjfjy7L35oDpeBXBoRVCgktPkLno9DOEWB7MgYMMVKs2B6ymWQLEWrDugMK1hkzWFhIb5fqWLGbWy0J0veGR9/gHOQG+rD/I36xAXnkdiXXhzoiAG/zQxM0edMOUf40n314FC8moErcUg6QabttzesO59HFz6shPuxcWaVAgxAgMBAAEwAwYBAAMBAA==\n-----END CERTIFICATE-----