🐛 [open-formulieren/open-forms#4785] Remove the NameIDFormat element
While having this element present passes XSD validation against the
SAML 2.0 metadata schema, this is not accepted by brokers anymore
because of the line in the AS1.24a specification saying that unlisted
elements must not be included in the metadata.

I've opted to drop this key/element in the eHerkenning SAML client
implementation rather than the base class because I don't know if
removing it entirely will cause the DigiD metadata to break. It would
probably be wise to *not* share a common base class anymore for DigiD
and eHerkenning as it proves to be quite a maintenance nightmare.

Documentation at the time of writing: https://afsprakenstelsel.etoegang.nl/Startpagina/v3/dv-metadata-for-hm
sergei-maertens committed Dec 18, 2024
1 parent c554cbd commit edeedfd
Showing 2 changed files with 6 additions and 1 deletion.
5 changes: 5 additions & 0 deletions digid_eherkenning/saml2/eherkenning.py
@@ -469,6 +469,11 @@ def create_config_dict(self, conf: EHerkenningConfig) -> EHerkenningSAMLConfig:
config_dict: EHerkenningSAMLConfig = super().create_config_dict(conf)

sp_config = config_dict["sp"]
# may not be included for eHerkenning/EIDAS since AS1.24a, see:
# https://afsprakenstelsel.etoegang.nl/Startpagina/v3/dv-metadata-for-hm
#
# ... Elements not listed in this table MUST NOT be included in the metadata.
del sp_config["NameIDFormat"]

# we have multiple services, so delete the config for the "single service" variant
attribute_consuming_services = create_attribute_consuming_services(conf)
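Review bot: `del sp_config["NameIDFormat"]` raises `KeyError` if the base class ever stops setting that key, and static checkers will complain because `ServiceProviderSAMLConfig` still declares `NameIDFormat` as a required TypedDict key; `sp_config.pop("NameIDFormat", None)` keeps the override tolerant of that change, and the type should be relaxed to match. Since the whole point is that brokers reject metadata containing the element, this hunk would also benefit from a test that renders the eHerkenning metadata and asserts no `NameIDFormat` element is present, so a future refactor of the shared base class (which the message already flags as fragile) cannot silently reintroduce it.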
2 changes: 1 addition & 1 deletion digid_eherkenning/types.py
@@ -48,7 +48,7 @@ class ServiceProviderSAMLConfig(TypedDict):
assertionConsumerService: dict
singleLogoutService: dict
attributeConsumingServices: list[dict]
NameIDFormat: str
NameIDFormat: str # may not be included for eHerkenning
x509cert: str
privateKey: str
privateKeyPassphrase: Optional[str]
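Review bot: the comment on `NameIDFormat: str # may not be included for eHerkenning` documents the exception but the key stays required in the TypedDict, so mypy reports an error when the eHerkenning subclass deletes it (a required TypedDict key cannot be deleted) and the type no longer describes the config actually produced. Declaring it as `NameIDFormat: NotRequired[str]` (from `typing_extensions`, or `typing` on Python 3.11+) encodes what the comment says and keeps the DigiD path, which still sets it, unchanged.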
