author | Fredrik Thulin <fredrik@thulin.net> | 2019-05-08 16:33:47 +0200 |
---|---|---|
committer | Fredrik Thulin <fredrik@thulin.net> | 2019-05-08 16:33:47 +0200 |
commit | df9b35d7aa3f89a74a1a95ee0b96306f730d3f15 (patch) | |
tree | a32966fd4d08790846d968ebfe77f298c20f907d /src/saml2 | |
parent | d3aa78eeb7d37c12688f783cb4db1c7263a14ad6 (diff) | |
download | pysaml2-df9b35d7aa3f89a74a1a95ee0b96306f730d3f15.tar.gz |
Don't add AllowCreate for default transient name ids
http://docs.oasis-open.org/security/saml/v2.0/errata05/os/saml-v2.0-errata05-os.html#__RefHeading__8058_1983180497:
"The use of the AllowCreate attribute MUST NOT be used and SHOULD be
ignored in conjunction with requests for or assertions issued with name
identifiers with a Format of
urn:oasis:names:tc:SAML:2.0:nameid-format:transient (they preclude any
such state in and of themselves)."
Diffstat (limited to 'src/saml2')
-rw-r--r-- | src/saml2/client_base.py | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/src/saml2/client_base.py b/src/saml2/client_base.py
index 39a7d0ed..15e3b0ec 100644
--- a/src/saml2/client_base.py
+++ b/src/saml2/client_base.py
@@ -339,6 +339,10 @@ class Base(Entity):
 # If no nameid_format has been set in the configuration
 # or passed in then transient is the default.
 if nameid_format is None:
+ # SAML 2.0 errata says AllowCreate MUST NOT be used for
+ # transient ids - to make a conservative change this is
+ # only applied for the default cause
+ allow_create = None
 nameid_format = NAMEID_FORMAT_TRANSIENT
 # If a list has been configured or passed in choose the |
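Review bot: The new `allow_create = None` override only fires when nameid_format is None, so a transient format that was explicitly configured or passed in still carries AllowCreate, which the errata quoted in the commit message forbids for that format however it was selected; since the lines just below appear to resolve a configured list of formats, the guard fits better after the final format is known, e.g. `if nameid_format == NAMEID_FORMAT_TRANSIENT: allow_create = None`. The added comment has a typo and could state that a caller-supplied value is intentionally discarded here: `# only applied for the default case; a caller-supplied allow_create is dropped`. The enclosing method starts and ends outside the hunk, so where allow_create originates cannot be confirmed from this view.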