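/**
 * Decide which SAML NameIDFormat EngineBlock will use in the Response for this SP.
 *
 * Precedence, highest first:
 *  1. a NameIDFormat explicitly configured for the SP in the ServiceRegistry;
 *  2. the Format from the AuthnRequest's NameIDPolicy, provided EngineBlock supports it
 *     and the SP's metadata (when it restricts formats at all) lists it;
 *  3. the first entry of $this->SUPPORTED_NAMEID_FORMATS that the SP's metadata lists,
 *     so the order of that property is the preference order (the original comment
 *     describes it as "least privacy sensitive first" — verify against the property).
 *
 * A requested Format that is unsupported or not allowed for the SP is logged at notice
 * level and then ignored, rather than answered with an error Response; this is a
 * deliberate deviation from the SAML spec in favour of a usable Response.
 *
 * @param EngineBlock_Saml2_AuthnRequestAnnotationDecorator $request          the incoming AuthnRequest
 * @param ServiceProvider                                   $spEntityMetadata metadata of the requesting SP
 * @return string the NameIDFormat URI to use
 * @throws EngineBlock_Exception (CODE_NOTICE) when no acceptable format can be determined
 */
protected function _getNameIdFormat(EngineBlock_Saml2_AuthnRequestAnnotationDecorator $request, ServiceProvider $spEntityMetadata)
{
    // 1. A NameIDFormat explicitly set in the ServiceRegistry always wins.
    if ($spEntityMetadata->nameIdFormat) {
        return $spEntityMetadata->nameIdFormat;
    }

    // 2. Honour the NameIDPolicy/@Format of the AuthnRequest when it is acceptable.
    //    The decorator is treated as the underlying AuthnRequest for getNameIdPolicy().
    /** @var SAML2_AuthnRequest $request */
    $nameIdPolicy = $request->getNameIdPolicy();
    if (!empty($nameIdPolicy['Format'])) {
        $requestedNameIdFormat = $nameIdPolicy['Format'];
        $mayUseRequestedNameIdFormat = true;
        $log = EngineBlock_ApplicationSingleton::getLog();

        // Format identifiers are URI strings; compare strictly so loose == coercion
        // (numeric strings, non-string entries) can never make an unsupported format match.
        // NOTE(review): $requestedNameIdFormat is request-controlled data interpolated into
        // the log line below — make sure the logger neutralises control characters.
        if (!in_array($requestedNameIdFormat, $this->SUPPORTED_NAMEID_FORMATS, true)) {
            $log->notice("Whoa, SP '{$spEntityMetadata->entityId}' requested '{$requestedNameIdFormat}' " .
                "however we don't support that format, opting to try something else it supports " .
                "instead of sending an error. SP might not be happy with this violation of the spec " .
                "but it's probably a lot happier with a valid Response than an Error Response");
            $mayUseRequestedNameIdFormat = false;
        }

        // An SP whose metadata restricts NameIDFormats only gets one of those.
        if (!empty($spEntityMetadata->supportedNameIdFormats)
            && !in_array($requestedNameIdFormat, $spEntityMetadata->supportedNameIdFormats, true)
        ) {
            $log->notice("Whoa, SP '{$spEntityMetadata->entityId}' requested '{$requestedNameIdFormat}' " .
                "opting to try something else it supports " .
                "instead of sending an error. SP might not be happy with this violation of the spec " .
                "but it's probably a lot happier with a valid Response than an Error Response");
            $mayUseRequestedNameIdFormat = false;
        }

        if ($mayUseRequestedNameIdFormat) {
            return $requestedNameIdFormat;
        }
    }

    // 3. Neither an explicit metadata NameIDFormat nor an acceptable NameIDPolicy: fall back to
    //    the first format (in our own preference order) that the SP claims to support.
    if (!empty($spEntityMetadata->supportedNameIdFormats)) {
        foreach ($this->SUPPORTED_NAMEID_FORMATS as $supportedNameIdFormat) {
            if (in_array($supportedNameIdFormat, $spEntityMetadata->supportedNameIdFormats, true)) {
                return $supportedNameIdFormat;
            }
        }
    }

    // Message corrected: this branch is reached precisely when the SP did NOT send a NameIDPolicy we could honour.
    throw new EngineBlock_Exception(
        "Whoa, SP '{$spEntityMetadata->entityId}' has no NameIDFormat set, did not send a (valid) NameIDPolicy and has no supported NameIDFormats set... I give up...",
        EngineBlock_Exception::CODE_NOTICE
    );
}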