Add support for nameid formats

Author: timlegge

lib/GADS.pm

@@ -1595,10 +1595,23 @@ any ['get', 'post'] => '/user_export/?' => require_any_role [qw/useradmin supera
 
 any ['get', 'post'] => '/authentication_providers/' => require_any_role [qw/useradmin superadmin/] => sub {
 
+    my @name_ids = (
+            { label_plain => 'emailAddress',               value => 'emailAddress' },
+            { label_plain => 'unspecified',                value => 'unspecified' },
+            { label_plain => 'X509SubjectName',            value => 'X509SubjectName' },
+            { label_plain => 'WindowsDomainQualifiedName', value => 'WindowsDomainQualifiedName' },
+            { label_plain => 'entity',                     value => 'entity' },
+            { label_plain => 'transient',                  value => 'transient' },
+            { label_plain => 'persistent',                 value => 'persistent' },
+    );
+
     my $auth = GADS::Authentication->new(schema => schema);
     template 'authentication/providers' => {
             providers       => $auth,
             permissions     => "permisission", #$auth->permissions,
+            values   => {
+                saml2_nameid  => \@name_ids,
+            },
             page            => 'system_settings',
     };
 };
@@ -1732,6 +1745,7 @@ any ['get', 'post'] => '/authentication_providers/:id' => require_any_role [qw/u
             ) : (),
             saml2_relaystate      => param('saml2_relaystate'),
             saml2_groupname       => param('saml2_groupname'),
+            saml2_nameid          => param('saml2_nameid'),
             enabled               => param('enabled'),
         );
         # FIXME: Remove permissions below
@@ -1763,6 +1777,8 @@ any ['get', 'post'] => '/authentication_providers/:id' => require_any_role [qw/u
         return forwardHome(
             { danger => "Cannot delete an enabled authentication provider" } )
             if $usero->enabled;
+	# FIXME: Will panic here if a user is still associated with this provider
+	# timlegge - fix
         if (process( sub { $usero->retire(current_user => logged_in_user) }))
         {
             #FIXME: fix audit
@@ -1777,12 +1793,23 @@ any ['get', 'post'] => '/authentication_providers/:id' => require_any_role [qw/u
             { 'label_plain' => 'builtin', value => 'builtin'},
     );
 
+    my @name_ids = (
+            { label_plain => 'emailAddress',               value => 'emailAddress' },
+            { label_plain => 'unspecified',                value => 'unspecified' },
+            { label_plain => 'X509SubjectName',            value => 'X509SubjectName' },
+            { label_plain => 'WindowsDomainQualifiedName', value => 'WindowsDomainQualifiedName' },
+            { label_plain => 'entity',                     value => 'entity' },
+            { label_plain => 'transient',                  value => 'transient' },
+            { label_plain => 'persistent',                 value => 'persistent' },
+    );
+
     # FIXME need to revise what is passed to the template
     my $output = template 'authentication/provider_edit' => {
         editprovider => $editProvider,
         groups   => GADS::Groups->new(schema => schema)->all,
         values   => {
             type	  => \@types,
+            saml2_nameid  => \@name_ids,
         },
         permissions => $userso->permissions,
         page        => 'admin',

lib/GADS/API.pm

@@ -789,6 +789,7 @@ sub _post_add_authentication_providers
         saml2_relaystate      => $body->{saml2_relaystate},
         saml2_groupname       => $body->{saml2_groupname},
         saml2_unique_id       => $body->{saml2_unique_id},
+        saml2_nameid          => $body->{saml2_nameid},
         enabled               => $body->{enabled},
     );
 

lib/GADS/SAML.pm

@@ -11,7 +11,7 @@ use Net::SAML2::IdP;
 use Net::SAML2::SP;
 use Net::SAML2::Protocol::Assertion;
 use Net::SAML2::Protocol::AuthnRequest;
-use URN::OASIS::SAML2 qw(:bindings :urn);
+use URN::OASIS::SAML2 qw(:bindings :urn :nameid);
 
 use MIME::Base64;
 
@@ -168,10 +168,25 @@ sub initiate
     unlink $cacert_fh->filename;
     my $sso_url = $idp->sso_url('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect');
 
+    my %name_ids = (
+        emailAddress               => NAMEID_EMAIL,
+        unspecified                => NAMEID_UNSPECIFIED,
+        X509SubjectName            => NAMEID_X509_SUBJECT_NAME,
+        WindowsDomainQualifiedName => NAMEID_WINDOWS_DOMAIN_QUALIFIED_NAME,
+        entity                     => NAMEID_FORMAT_ENTITY,
+        transient                  => NAMEID_TRANSIENT,
+        persistent                 => NAMEID_PERSISTENT,
+    );
+    # saml2_nameid can be undefined, blank or a value. Undefined will result in
+    # the previous behaviour of requesting the email address. Blank will not
+    # send the format request ($nameid will be undefined)
+    my $nameid = defined $self->authentication->saml2_nameid
+        ? $name_ids{$self->authentication->saml2_nameid} : NAMEID_EMAIL;
+
     my $authnreq = Net::SAML2::Protocol::AuthnRequest->new(
         issuer      => $self->authentication->sso_xml,
         destination => $sso_url,
-        nameid_format => $idp->format('emailAddress') || undef,
+        $nameid ? (nameidpolicy_format => $nameid) : (), # don't send nameidpolicy_format if $nameid is undefined
         assertion_url => $self->authentication->sso_url,
     );
 

lib/GADS/Schema/Result/Authentication.pm

@@ -46,6 +46,8 @@ __PACKAGE__->add_columns(
   { data_type => "smallint", default_value => 0, is_nullable => 0 },
   "saml2_unique_id",
   { data_type => "varchar", is_nullable => 1, size => 80 },
+  "saml2_nameid",
+  { data_type => "varchar", is_nullable => 1, size => 30 },
   "error_messages",
   { data_type => "text", is_nullable => 1 },
 );

lib/GADS/Schema/Result/Site.pm

@@ -323,6 +323,12 @@ sub provider_fields
           type          => 'freetext',
           placeholder   => 'http://schemas.xmlsoap.org/claims/Group',
         },
+        {
+          name        => 'saml2_nameid',
+          description => 'SAML NameID format',
+          type        => 'dropdown',
+          is_required => 1,
+        },
         {
           name          => 'xml',
           description   => 'Identity Provider Metadata XML',

lib/GADS/Schema/ResultSet/Authentication.pm

@@ -81,6 +81,7 @@ sub create_provider
         saml2_unique_id       => $params{saml2_unique_id},
         saml2_relaystate      => $params{saml2_relaystate},
         saml2_groupname       => $params{saml2_groupname},
+        saml2_nameid          => $params{saml2_nameid},
     });
 
     my $audit = GADS::Audit->new(schema => $self->result_source->schema, user => $params{auth_provider_change});

views/authentication/provider_edit.tt

@@ -103,6 +103,16 @@
                   {id = "1", name = "Enable Authentication Provider"},
                   {id = "0", name = "Disable Authentication Provider"}
                 ];
+            ELSIF field.type == "dropdown";
+              INCLUDE fields/select.tt
+                id = field.name
+                name = field.name
+                label = field.description
+                placeholder = field.placeholder
+                items = values.${field.name}
+                filter = "html"
+                sub_field = sub_field
+                sub_params = sub_params;
 
             END;
           %]

views/wizard/provider_add.tt

@@ -11,7 +11,7 @@
       firstFrameFields.push(field);
     ELSIF field.name == "entity_id" OR field.name == "saml2_firstname" OR
       field.name == "saml2_surname" OR field.name == "saml2_groupname" OR
-      field.name == "xml" OR field.name == "saml2_relaystate";
+      field.name == "xml" OR field.name == "saml2_relaystate" OR field.name == "saml2_nameid";
       secondFrameFields.push(field);
     ELSE;
       thirdFrameFields.push(field);