Don't add AllowCreate for default transient name ids

http://docs.oasis-open.org/security/saml/v2.0/errata05/os/saml-v2.0-errata05-os.html#__RefHeading__8058_1983180497: "The use of the AllowCreate attribute MUST NOT be used and SHOULD be ignored in conjunction with requests for or assertions issued with name identifiers with a Format of urn:oasis:names:tc:SAML:2.0:nameid-format:transient (they preclude any such state in and of themselves)."
author: Fredrik Thulin <fredrik@thulin.net> 2019-05-08 16:33:47 +0200
committer: Fredrik Thulin <fredrik@thulin.net> 2019-05-08 16:33:47 +0200
commit: df9b35d7aa3f89a74a1a95ee0b96306f730d3f15 (patch)
tree: a32966fd4d08790846d968ebfe77f298c20f907d
parent: d3aa78eeb7d37c12688f783cb4db1c7263a14ad6 (diff)
download: pysaml2-df9b35d7aa3f89a74a1a95ee0b96306f730d3f15.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/src/saml2/client_base.py b/src/saml2/client_base.py
index 39a7d0ed..15e3b0ec 100644
--- a/src/saml2/client_base.py
+++ b/src/saml2/client_base.py
@@ -339,6 +339,10 @@ class Base(Entity):
                     # If no nameid_format has been set in the configuration
                     # or passed in then transient is the default.
                     if nameid_format is None:
+                        # SAML 2.0 errata says AllowCreate MUST NOT be used for
+                        # transient ids - to make a conservative change this is
+                        # only applied for the default cause
+                        allow_create = None
                         nameid_format = NAMEID_FORMAT_TRANSIENT
 
                     # If a list has been configured or passed in choose the
author	Fredrik Thulin <fredrik@thulin.net>	2019-05-08 16:33:47 +0200
committer	Fredrik Thulin <fredrik@thulin.net>	2019-05-08 16:33:47 +0200
commit	df9b35d7aa3f89a74a1a95ee0b96306f730d3f15 (patch)
tree	a32966fd4d08790846d968ebfe77f298c20f907d
parent	d3aa78eeb7d37c12688f783cb4db1c7263a14ad6 (diff)
download	pysaml2-df9b35d7aa3f89a74a1a95ee0b96306f730d3f15.tar.gz