From b8bfe56adf16f75ac3116b96e3c6df7abd65742c Mon Sep 17 00:00:00 2001
From: Paul Caskey
Date: Thu, 7 Mar 2019 12:47:06 -0600
Subject: [PATCH] set downstream nameID
Set the downstream NameID to the value of a specific attribute regardless of what was received from the upstream IdP.
---
 src/satosa/frontends/saml2.py | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/src/satosa/frontends/saml2.py b/src/satosa/frontends/saml2.py
index 690c0935c..6e7f2a365 100644
--- a/src/satosa/frontends/saml2.py
+++ b/src/satosa/frontends/saml2.py
@@ -332,6 +332,16 @@ def _handle_authn_response(self, context, internal_response, idp):
 sp_policy = policies.get('default', {})
 sp_policy.update(policies.get(sp_entity_id, {}))
+ persistent_nameid_attr = sp_policy.get('persistent_nameid_from_attribute', {})
+ if persistent_nameid_attr:
+ satosa_logging(logger, logging.DEBUG, "Constructing persistent NameID for " + ava[persistent_nameid_attr], context.state)
+ name_id = NameID(
+ text=ava[persistent_nameid_attr],
+ format=NAMEID_FORMAT_PERSISTENT,
+ sp_name_qualifier=None,
+ name_qualifier=None,
+ )
+
 sign_assertion = sp_policy.get('sign_assertion', False)
 sign_response = sp_policy.get('sign_response', True)
 sign_alg = sp_policy.get('sign_alg', 'SIG_RSA_SHA256')
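Review bot: `ava[persistent_nameid_attr]` on the `satosa_logging` line and the `text=` line raises a bare KeyError whenever the configured attribute was not released for this user, so a per-SP configuration gap becomes an unhandled exception mid-response instead of a deliberate error, and because `ava` here appears to hold each attribute as a list of values (pysaml2 convention — confirm), the string concatenation in the debug message would raise TypeError and `text=` would receive a list rather than a single string. Look the value up once and validate it, e.g. `values = ava.get(persistent_nameid_attr) or []`, then require exactly one value before building `NameID(text=values[0], ...)` and fail explicitly otherwise. The default `{}` on the `sp_policy.get('persistent_nameid_from_attribute', {})` line is an odd choice for a string-valued key; `None` states the intent more honestly. Since the resulting persistent NameID is emitted with `sp_name_qualifier=None` and `name_qualifier=None`, a comment such as `# the configured attribute must be stable per user and not user-influenced; it becomes the SP-facing persistent identifier` would help operators, and logging the attribute name rather than the identifier value at DEBUG avoids writing persistent identifiers into logs. `_handle_authn_response` starts before and continues past this hunk.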