Add support for configuring name ID format

Author: itzg

README.md

@@ -18,6 +18,7 @@ Flags:
   -h, --help                                       help for saml-auth-proxy
       --idp-ca-path string                         Optional path to a CA certificate PEM file for the IdP [SAML_PROXY_IDP_CA_PATH]
       --idp-metadata-url string                    URL of the IdP's metadata XML [SAML_PROXY_IDP_METADATA_URL]
+      --name-id-format string                      One of unspecified, transient (default), email, or persistent to use a standard format or give a full URN of the name ID format [SAML_PROXY_NAME_ID_FORMAT]
       --name-id-mapping string                     Name of the request header to convey the SAML nameID/subject [SAML_PROXY_NAME_ID_MAPPING]
       --new-auth-webhook-url string                URL of webhook that will get POST'ed when a new authentication is processed [SAML_PROXY_NEW_AUTH_WEBHOOK_URL]
       --sp-cert-path string                        Path to the X509 public certificate PEM file for this SP [SAML_PROXY_SP_CERT_PATH] (default "saml-auth-proxy.cert")

cmd/root.go

@@ -28,6 +28,8 @@ func init() {
 	rootCmd.Flags().StringVar(&serverConfig.IdpMetadataUrl, "idp-metadata-url", "", "URL of the IdP's metadata XML")
 	rootCmd.Flags().StringVar(&serverConfig.IdpCaFile, "idp-ca-path", "",
 		"Optional path to a CA certificate PEM file for the IdP")
+	rootCmd.Flags().StringVar(&serverConfig.NameIdFormat, "name-id-format", "",
+		"One of unspecified, transient (default), email, or persistent to use a standard format or give a full URN of the name ID format")
 	rootCmd.Flags().StringVar(&serverConfig.SpKeyPath, "sp-key-path", "saml-auth-proxy.key", "Path to the X509 private key PEM file for this SP")
 	rootCmd.Flags().StringVar(&serverConfig.SpCertPath, "sp-cert-path", "saml-auth-proxy.cert", "Path to the X509 public certificate PEM file for this SP")
 	rootCmd.Flags().StringToStringVar(&serverConfig.AttributeHeaderMappings, "attribute-header-mappings", nil,

server/server.go

@@ -4,6 +4,7 @@ import (
 	"crypto/rsa"
 	"crypto/tls"
 	"crypto/x509"
+	"github.com/crewjam/saml"
 	"github.com/crewjam/saml/samlsp"
 	"github.com/pkg/errors"
 	"io/ioutil"
@@ -18,6 +19,7 @@ type Config struct {
 	BackendUrl              string
 	IdpMetadataUrl          string
 	IdpCaFile               string
+	NameIdFormat            string
 	SpKeyPath               string
 	SpCertPath              string
 	NameIdHeaderMapping     string
@@ -63,6 +65,19 @@ func Start(cfg *Config) error {
 		return errors.Wrap(err, "Failed to initialize SP")
 	}
 
+	switch cfg.NameIdFormat {
+	case "unspecified":
+		samlSP.ServiceProvider.AuthnNameIDFormat = saml.UnspecifiedNameIDFormat
+	case "transient":
+		samlSP.ServiceProvider.AuthnNameIDFormat = saml.TransientNameIDFormat
+	case "email":
+		samlSP.ServiceProvider.AuthnNameIDFormat = saml.EmailAddressNameIDFormat
+	case "persistent":
+		samlSP.ServiceProvider.AuthnNameIDFormat = saml.PersistentNameIDFormat
+	default:
+		samlSP.ServiceProvider.AuthnNameIDFormat = saml.NameIDFormat(cfg.NameIdFormat)
+	}
+
 	proxy, err := NewProxy(cfg)
 	if err != nil {
 		return errors.Wrap(err, "Failed to create proxy")