From edeedfdd7ec64a6ff520450f55479b2356c989c9 Mon Sep 17 00:00:00 2001
From: Sergei Maertens
Date: Wed, 18 Dec 2024 16:52:43 +0100
Subject: [PATCH] :bug: [open-formulieren/open-forms#4785] Remove the NameIDFormat element

While having this element present passes XSD validation against the SAML 2.0 metadata schema, this is not accepted by brokers anymore because of the line in the AS1.24a specification saying that unlisted elements must not be included in the metadata. I've opted to drop this key/element in the eHerkenning SAML client implementation rather than the base class because I don't know if removing it entirely will cause the DigiD metadata to break. It would probably be wise to *not* share a common base class anymore for DigiD and eHerkenning as it proves to be quite a maintenance nightmare. Documentation at the time of writing: https://afsprakenstelsel.etoegang.nl/Startpagina/v3/dv-metadata-for-hm

---
 digid_eherkenning/saml2/eherkenning.py | 5 +++++
 digid_eherkenning/types.py | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/digid_eherkenning/saml2/eherkenning.py b/digid_eherkenning/saml2/eherkenning.py
index 5f5f96a..a64d0b5 100644
--- a/digid_eherkenning/saml2/eherkenning.py
+++ b/digid_eherkenning/saml2/eherkenning.py
@@ -469,6 +469,11 @@ def create_config_dict(self, conf: EHerkenningConfig) -> EHerkenningSAMLConfig:
 config_dict: EHerkenningSAMLConfig = super().create_config_dict(conf)
 sp_config = config_dict["sp"]
+ # may not be included for eHerkenning/EIDAS since AS1.24a, see:
+ # https://afsprakenstelsel.etoegang.nl/Startpagina/v3/dv-metadata-for-hm
+ #
+ # ... Elements not listed in this table MUST NOT be included in the metadata.
+ del sp_config["NameIDFormat"]
 # we have multiple services, so delete the config for the "single service" variant
 attribute_consuming_services = create_attribute_consuming_services(conf)
diff --git a/digid_eherkenning/types.py b/digid_eherkenning/types.py
index 36ef8c8..f55e1f4 100644
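Review bot: The unconditional `del sp_config["NameIDFormat"]` raises `KeyError` as soon as the base `create_config_dict` stops emitting the key, which the commit message itself says is not settled; `sp_config.pop("NameIDFormat", None)` drops the element with the same effect and keeps such a base-class change from breaking eHerkenning metadata generation. The hunk is also at odds with the types.py hunk, where `ServiceProviderSAMLConfig` still declares `NameIDFormat: str` as a required key, so a type checker will reject deleting it and other readers of the dict will assume it is present; `NameIDFormat: NotRequired[str]` (`typing` on Python 3.11+, otherwise `typing_extensions`) would make the declaration match the runtime shape. A regression test asserting that the generated eHerkenning metadata contains no `md:NameIDFormat` element would pin the behaviour the AS1.24a requirement demands. The enclosing `create_config_dict` body continues beyond the hunk.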
--- a/digid_eherkenning/types.py
+++ b/digid_eherkenning/types.py
@@ -48,7 +48,7 @@ class ServiceProviderSAMLConfig(TypedDict):
 assertionConsumerService: dict
 singleLogoutService: dict
 attributeConsumingServices: list[dict]
- NameIDFormat: str
+ NameIDFormat: str # may not be included for eHerkenning
 x509cert: str
 privateKey: str
 privateKeyPassphrase: Optional[str]