diff --git a/authentik/providers/saml/processors/assertion.py b/authentik/providers/saml/processors/assertion.py
index ea273ab6b..f441fe657 100644
--- a/authentik/providers/saml/processors/assertion.py
+++ b/authentik/providers/saml/processors/assertion.py
@@ -24,6 +24,7 @@ from authentik.sources.saml.processors.constants import (
 SAML_NAME_ID_FORMAT_EMAIL,
 SAML_NAME_ID_FORMAT_PERSISTENT,
 SAML_NAME_ID_FORMAT_TRANSIENT,
+ SAML_NAME_ID_FORMAT_UNSPECIFIED,
 SAML_NAME_ID_FORMAT_WINDOWS,
 SAML_NAME_ID_FORMAT_X509,
 SIGN_ALGORITHM_TRANSFORM_MAP,
@@ -165,7 +166,10 @@ class AssertionProcessor:
 if name_id.attrib["Format"] == SAML_NAME_ID_FORMAT_EMAIL:
 name_id.text = self.http_request.user.email
 return name_id
- if name_id.attrib["Format"] == SAML_NAME_ID_FORMAT_PERSISTENT:
+ if name_id.attrib["Format"] in [
+ SAML_NAME_ID_FORMAT_PERSISTENT,
+ SAML_NAME_ID_FORMAT_UNSPECIFIED,
+ ]:
 name_id.text = persistent
 return name_id
 if name_id.attrib["Format"] == SAML_NAME_ID_FORMAT_X509:
diff --git a/authentik/providers/saml/processors/request_parser.py b/authentik/providers/saml/processors/request_parser.py
index 7cc18e572..dec31251a 100644
--- a/authentik/providers/saml/processors/request_parser.py
+++ b/authentik/providers/saml/processors/request_parser.py
@@ -20,7 +20,7 @@ from authentik.sources.saml.processors.constants import (
 RSA_SHA256,
 RSA_SHA384,
 RSA_SHA512,
- SAML_NAME_ID_FORMAT_EMAIL,
+ SAML_NAME_ID_FORMAT_UNSPECIFIED,
 )
 LOGGER = get_logger()
@@ -42,7 +42,7 @@ class AuthNRequest:
 relay_state: Optional[str] = None
- name_id_policy: str = SAML_NAME_ID_FORMAT_EMAIL
+ name_id_policy: str = SAML_NAME_ID_FORMAT_UNSPECIFIED
 class AuthNRequestParser:
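Review bot: The new branch in the assertion processor silently treats an `unspecified` NameIDPolicy as a request for the persistent identifier, and nothing in the hunk records why, so the next reader may "fix" it back to a single equality check. A comment above the `if` would settle it, e.g. `# "unspecified" leaves the choice of format to the IdP (SAML 2.0 Core, nameid-format:unspecified); answer with the persistent ID so the SP gets a stable value.` The list literal could also be a module-level tuple of accepted formats, but that is cosmetic. The enclosing method's signature and the remainder of the format chain are outside the hunk.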
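Review bot: Changing the dataclass default of `name_id_policy` from the email format to `SAML_NAME_ID_FORMAT_UNSPECIFIED` is a behaviour change for every SP whose AuthnRequest carries no NameIDPolicy (and, if any flow builds an `AuthNRequest` with defaults, for those too): combined with the assertion.py hunk, such SPs now receive the persistent identifier where they previously received the user's email. That is a reasonable default per the spec, but it deserves a line in the release notes and a field comment such as `# Used when the SP sends no NameIDPolicy; resolved to the persistent ID by AssertionProcessor.` so the coupling to the assertion side is visible. The rest of the dataclass is outside the hunk.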
@@ -72,7 +72,9 @@ class AuthNRequestParser:
 name_id_policies = root.findall(f"{{{NS_SAML_PROTOCOL}}}NameIDPolicy")
 if len(name_id_policies) > 0:
 name_id_policy = name_id_policies[0]
- auth_n_request.name_id_policy = name_id_policy.attrib["Format"]
+ auth_n_request.name_id_policy = name_id_policy.attrib.get(
+ "Format", SAML_NAME_ID_FORMAT_UNSPECIFIED
+ )
 return auth_n_request
diff --git a/authentik/providers/saml/tests/test_auth_n_request.py b/authentik/providers/saml/tests/test_auth_n_request.py
index b5527b5d5..ba5915a8e 100644
--- a/authentik/providers/saml/tests/test_auth_n_request.py
+++ b/authentik/providers/saml/tests/test_auth_n_request.py
@@ -14,7 +14,7 @@ from authentik.providers.saml.processors.assertion import AssertionProcessor
 from authentik.providers.saml.processors.request_parser import AuthNRequestParser
 from authentik.sources.saml.exceptions import MismatchedRequestID
 from authentik.sources.saml.models import SAMLSource
-from authentik.sources.saml.processors.constants import SAML_NAME_ID_FORMAT_EMAIL
+from authentik.sources.saml.processors.constants import SAML_NAME_ID_FORMAT_UNSPECIFIED
 from authentik.sources.saml.processors.request import (
 SESSION_REQUEST_ID,
 RequestProcessor,
@@ -206,5 +206,5 @@ class TestAuthNRequest(TestCase):
 REDIRECT_REQUEST, REDIRECT_RELAY_STATE, REDIRECT_SIGNATURE, REDIRECT_SIG_ALG
 )
 self.assertEqual(parsed_request.id, "_dcf55fcd27a887e60a7ef9ee6fd3adab")
- self.assertEqual(parsed_request.name_id_policy, SAML_NAME_ID_FORMAT_EMAIL)
+ self.assertEqual(parsed_request.name_id_policy, SAML_NAME_ID_FORMAT_UNSPECIFIED)
 self.assertEqual(parsed_request.relay_state, REDIRECT_RELAY_STATE)
diff --git a/authentik/sources/saml/processors/constants.py b/authentik/sources/saml/processors/constants.py
index b688ddac6..967a365cb 100644
--- a/authentik/sources/saml/processors/constants.py
+++ b/authentik/sources/saml/processors/constants.py
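Review bot: `attrib.get("Format", SAML_NAME_ID_FORMAT_UNSPECIFIED)` matches the schema (Format is optional on NameIDPolicy and an absent value means unspecified), but the value is still copied verbatim from the SP's request, so a format the assertion side has no branch for, or an arbitrary string, is stored without any check. If the format chain in assertion.py does not end in an explicit default or error branch (not visible in this diff), it would be safer to validate here against the `SAML_NAME_ID_FORMAT_*` constants and log and reject anything else, so an unsupported policy fails at parse time instead of somewhere in assertion building. A short comment on the `.get` line, `# Format is optional; absent means the SP accepts any format`, would also help. The enclosing parse method's signature is outside the hunk.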
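Review bot: The updated assertion only pins the parser's new default; the assertion-side behaviour this commit adds (an `unspecified` policy yielding the persistent NameID in assertion.py) has no test in the diff. A test that sets `request.name_id_policy = SAML_NAME_ID_FORMAT_UNSPECIFIED`, runs `AssertionProcessor`, and checks the NameID text equals the persistent value would cover it. Whether the `REDIRECT_REQUEST` fixture omits NameIDPolicy entirely or carries an explicit Format is not visible here, so it is unclear which parser path this assertion actually exercises; a second fixture for the other case would make that explicit.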
@@ -15,6 +15,9 @@ NS_MAP = {
 SAML_NAME_ID_FORMAT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
 SAML_NAME_ID_FORMAT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
+SAML_NAME_ID_FORMAT_UNSPECIFIED = (
+ "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+)
 SAML_NAME_ID_FORMAT_X509 = "urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName"
 SAML_NAME_ID_FORMAT_WINDOWS = (
 "urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName"