From de6c24e753067e22cccf99adcd576b408dba1e42 Mon Sep 17 00:00:00 2001
From: Chris Penny
Date: Tue, 4 Oct 2022 13:25:09 +1300
Subject: [PATCH] Bug: Add configuration to allow nameId to not be validated
---
 _config/saml.yml | 3 +++
 src/Control/SAMLController.php | 6 +++++-
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/_config/saml.yml b/_config/saml.yml
index c4e0e72..7032a68 100644
--- a/_config/saml.yml
+++ b/_config/saml.yml
@@ -20,6 +20,9 @@ SilverStripe\SAML\Services\SAMLConfiguration:
 strict: true
 debug: false
 expect_binary_nameid: true
+ # If expect_binary_nameid is set to false, then you might also need to clarify whether or not you expect the nameid
+ # to be a valid GUID
+ validate_nameid_as_guid: true
 allow_insecure_email_linking: false
 Security:
 # Algorithm that the toolkit will use on signing process. Options:
diff --git a/src/Control/SAMLController.php b/src/Control/SAMLController.php
index ba53d00..e53dc52 100644
--- a/src/Control/SAMLController.php
+++ b/src/Control/SAMLController.php
@@ -137,11 +137,15 @@ public function acs()
 // transform the NameId to guid
 $guid = $helper->binToStrGuid($decodedNameId);
+ $validateGuid = true;
 } else {
 $guid = $auth->getNameId();
+ // If you do not expect your NameId to be formatted as a valid GUID, then you can update this config to
+ // false
+ $validateGuid = Config::inst()->get(SAMLConfiguration::class, 'validate_nameid_as_guid');
 }
- if (!$helper->validGuid($guid)) {
+ if ($validateGuid && !$helper->validGuid($guid)) {
 $errorMessage = "Not a valid GUID '{$guid}' received from server.";
 $this->getLogger()->error($errorMessage);
 $this->getForm()->sessionMessage($errorMessage, ValidationResult::TYPE_ERROR);
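Review bot: The comment added above `validate_nameid_as_guid` says neither what setting the flag to false does nor that the key is ignored while `expect_binary_nameid` is true. In the SAMLController.php hunk of this patch the binary branch always sets `$validateGuid = true`, so the key only takes effect for non-binary NameIDs, and false removes the only format check that hunk applies to the value. Suggested wording: `# Only read when expect_binary_nameid is false. Setting this to false skips the GUID format check on the NameID returned by the IdP.`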
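Review bot: The lookup added on the `else` branch fails open: if `validate_nameid_as_guid` is ever absent or null in the merged config, `Config::inst()->get()` returns null and the `validGuid()` check is skipped without any log entry. Treating only an explicit false as the opt-out keeps the check on by default: `$validateGuid = Config::inst()->get(SAMLConfiguration::class, 'validate_nameid_as_guid') !== false;`. With the flag off, an empty NameID, which the GUID check would presumably have rejected, also passes this point, so a `$guid === null || $guid === ''` guard is worth adding. `acs()` starts and ends outside this hunk, so what consumes `$guid` afterwards is not visible here. The patch adds no `use` line, so it relies on `Config` already being imported in SAMLController.php.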