Description
The SAML Version 2.0 Errata 05 states in lines 252-255 (pg 12) that:

> The use of the AllowCreate attribute MUST NOT be used and SHOULD be ignored in conjunction with requests for or assertions issued with name identifiers with a Format of urn:oasis:names:tc:SAML:2.0:nameid-format:transient (they preclude any such state in and of themselves).
SSP explicitly sets allowCreate="true" when using a transient name identifier in at least one place -- unfortunately, the common default case of no explicit NameIDPolicy having been configured:
simplesamlphp/src/SimpleSAML/Utils/Config/Metadata.php, lines 135 to 136 in 3860264:

```php
// when NameIDPolicy is unset or set to null, default to transient
return NameIDPolicy::fromArray(['Format' => C::NAMEID_TRANSIENT, 'AllowCreate' => true]);
```
I suspect it also does not enforce the MUST NOT in allowing a NameIDPolicy that violates this to be explicitly configured:
simplesamlphp/src/SimpleSAML/Utils/Config/Metadata.php, lines 144 to 149 in 3860264:

```php
// handle configurations specifying an array in the NameIDPolicy config option
$nameIdPolicy_cf = Configuration::loadFromArray($nameIdPolicy);
$policy = [
    'Format' => $nameIdPolicy_cf->getOptionalString('Format', C::NAMEID_TRANSIENT),
    'AllowCreate' => $nameIdPolicy_cf->getOptionalBoolean('AllowCreate', true),
];
```
but I have not verified that behaviour. I also think it may be desirable to allow people to knowingly violate the spec, but perhaps a warning needs to go somewhere?
The behaviour of the SHOULD on the SP side may need further checking too, but saml:TransientNameID seems to ignore it completely.
Expected behaviour
Compliance with the MUST NOT in the approved errata
Additional context
This came up in the context of monitor.eduroam.org:
I have tweaked a metadata parser for edugain metadata and I came across a problem with the monitor.eduroam.org service, in that it seems to define the following NameIDPolicy:
```xml
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true" />
```

ADFS does not seem to understand this and returns:

```xml
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" />
</samlp:StatusCode>
```
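As an added example (not SimpleSAMLphp code, and not part of the issue above), the following Python applies the Errata 05 rule in two places a deployer can check: over a captured AuthnRequest like the one ADFS rejected, flagging or stripping AllowCreate when the Format is transient, and over a NameIDPolicy config array before the request is built. The AuthnRequest below is constructed; the config-array helper mirrors the page's default of transient when Format is unset.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
ET.register_namespace("samlp", SAMLP)  # keep the samlp: prefix on output

# Constructed AuthnRequest carrying the combination the issue describes.
SAMPLE_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <samlp:NameIDPolicy Format="{NAMEID_TRANSIENT}" AllowCreate="true" />
</samlp:AuthnRequest>"""


def check_nameid_policy(authn_request_xml: str) -> list[str]:
    """Return errata findings for the request (empty list when compliant)."""
    root = ET.fromstring(authn_request_xml)
    findings = []
    for policy in root.iter(f"{{{SAMLP}}}NameIDPolicy"):
        if policy.get("Format") == NAMEID_TRANSIENT and "AllowCreate" in policy.attrib:
            findings.append(
                "NameIDPolicy Format is transient but AllowCreate="
                f"{policy.get('AllowCreate')!r} is present (Errata 05 MUST NOT)"
            )
    return findings


def make_compliant(authn_request_xml: str) -> str:
    """Return the request with AllowCreate removed wherever Format is transient."""
    root = ET.fromstring(authn_request_xml)
    for policy in root.iter(f"{{{SAMLP}}}NameIDPolicy"):
        if policy.get("Format") == NAMEID_TRANSIENT:
            policy.attrib.pop("AllowCreate", None)
    return ET.tostring(root, encoding="unicode")


def normalize_policy_config(policy: dict) -> dict:
    """Apply the same rule to a NameIDPolicy config array before building the request."""
    policy = dict(policy)  # copy; do not mutate the caller's config
    if policy.get("Format", NAMEID_TRANSIENT) == NAMEID_TRANSIENT:  # unset Format defaults to transient, as on the page
        policy.pop("AllowCreate", None)
    return policy


if __name__ == "__main__":
    for finding in check_nameid_policy(SAMPLE_REQUEST):
        print("FINDING:", finding)
    print(make_compliant(SAMPLE_REQUEST))
    print(normalize_policy_config({"Format": NAMEID_TRANSIENT, "AllowCreate": True}))
```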