Strict specs enforcement

E14: AllowCreate

Author: tvdijen

src/XML/samlp/NameIDPolicy.php

@@ -6,7 +6,9 @@
 
 use DOMElement;
 use SimpleSAML\SAML2\Assert\Assert;
+use SimpleSAML\SAML2\Constants as C;
 use SimpleSAML\SAML2\Exception\ArrayValidationException;
+use SimpleSAML\SAML2\Exception\ProtocolViolationException;
 use SimpleSAML\SAML2\Type\SAMLAnyURIValue;
 use SimpleSAML\SAML2\Type\SAMLStringValue;
 use SimpleSAML\XML\ArrayizableElementInterface;
@@ -19,7 +21,6 @@
 use function array_filter;
 use function array_key_exists;
 use function array_keys;
-use function var_export;
 
 /**
  * Class for handling SAML2 NameIDPolicy.
@@ -45,6 +46,22 @@ public function __construct(
         protected ?SAMLStringValue $SPNameQualifier = null,
         protected ?BooleanValue $AllowCreate = null,
     ) {
+        if (
+            $AllowCreate !== null
+            && $Format !== null
+            && $AllowCreate->equals(BooleanValue::fromBoolean(true))
+        ) {
+            // Per Errata E14: AllowCreate
+            Assert::notSame(
+                $Format->getValue(),
+                C::NAMEID_TRANSIENT,
+                sprintf(
+                    'AllowCreate=\"true\" MUST NOT be used in conjunction with the %s <NameID> Format.',
+                    C::NAMEID_TRANSIENT,
+                ),
+                ProtocolViolationException::class,
+            );
+        }
     }
 
 
@@ -125,7 +142,7 @@ public function toXML(?DOMElement $parent = null): DOMElement
         }
 
         if ($this->getAllowCreate() !== null) {
-            $e->setAttribute('AllowCreate', var_export($this->getAllowCreate()->toBoolean(), true));
+            $e->setAttribute('AllowCreate', $this->getAllowCreate()->getValue());
         }
 
         return $e;
@@ -218,6 +235,12 @@ public function toArray(): array
             'AllowCreate' => $this->getAllowCreate()?->toBoolean(),
         ];
 
-        return array_filter($data);
+        return array_filter(
+            $data,
+            function ($v, $k) {
+                return $v !== null;
+            },
+            ARRAY_FILTER_USE_BOTH,
+        );
     }
 }

tests/SAML2/Binding/HTTPRedirectTest.php

@@ -69,7 +69,7 @@ public static function tearDownAfterClass(): void
     public function testRequestParsing(): void
     {
         $q = [
-            'SAMLRequest' => 'pVJNjxMxDP0ro9yn88FOtRu1lcpWiEoLVNvCgQtKE6eNlHGG2IHl35OZLmLZQy+crNh+z88vXpDq/SDXic/4CN8TEBdPvUeSU2EpUkQZFDmSqHogyVru1x8eZDur5RADBx28eAG5jlBEENkFFMV2sxTfzO0dmKa11namPuoc39hba+fqpqlbM6/b5mZ+1LWtj6L4ApEycikyUYYTJdgisULOqbrpyqYt67tD28iulV33VRSbvI1DxRPqzDyQrCrAk0OYUYpWB4QnnqGvVN4fkJ2emitnhoocnjyU5E5YjnrXf6TfB6TUQ9xD/OE0fH58+EueHbHOv2Yn1w8eRneqPpiU68M5DxjfdIltqTRNWQNWJc8lDaLYPfv71qHJaq5be7w0kXx/OOzK3af9QawWI7ecrIqr/9HYAyujWL2SuKheDlhcbuljlrbd7IJ3+lfxLsRe8XXlY8aZ0k6tkqNCcvkzsuXeh5/3ERTDUnBMIKrVZeS/F7v6DQ==',
+            'SAMLRequest' => 'pVJNbxMxEP0rK983+0E3aq0kUmiEiFQgagIHLsixx4kl73jxjKH8e7ybIkoPuXAazcd78+ZpFqR6P8h14jM+wvcExMVT75Hk1FiKFFEGRY4kqh5Ispb79YcH2c5qOcTAQQcvXkCuIxQRRHYBRbHdLMU3c3sHpmmttZ2pjzrHN/bW2rm6aerWzOu2uZkfdW3royi+QKSMXIpMlOFECbZIrJBzqW66smnL+u7QNrJrZdd9FcUmX+NQ8YQ6Mw8kqwrw5BBmlKLVAeGJZ+grle8HZKen4cqZoSKHJw8luROWo971H+n3ASn1EPcQfzgNnx8f/pJnR6zzr9nJ9YOH0Z2qDybl/nDOC8acLrEtlaapasCq5LmkQRS7Z3/fOjRZzXVrj5chku8Ph125+7Q/iNVi5JaTVXH1Pxp7YGUUq1cSF9XLBYvLL33M0rabXfBO/yrehdgrvq58rDhT2mlUJqQBtLMOTDbd+/DzPoJiWAqOCUS1uiz992dXvwE=',
         ];
         $request = new ServerRequest('GET', 'http://tnyholm.se');
         $request = $request->withQueryParams($q);
@@ -109,11 +109,11 @@ public function testResponseParsing(): void
      */
     public function testRequestParsingMoreParams(): void
     {
-        $request = 'SAMLRequest=pVJNb9swDP0rhu6O7XjeGiEJkDYoGqDbgibboZdCkahEgEx5Ir11%2F36y02FdD7n0JPDjPT4%2BcU6q9Z1c9XzCB%2FjRA3H23HokORYWoo8ogyJHElULJFnL3erzvZxOStnFwEEHL15BLiMUEUR2AUW2WS%2FEUw2NrXRp7NWshEPVzJqm%2BTQzVV1DddC21rUy1tq6norsO0RKyIVIRAlO1MMGiRVySpVVk1fTvKr25ZVsGvnh46PI1mkbh4pH1Im5I1kUgEeHMKE%2BWh0QnnmCvlBpf0B2emwunOkKcnj0kJM7Yj7oXf2VfhOQ%2BhbiDuJPp%2BHbw%2F0%2F8uSIdf4tO7m28zC4U7TB9KnendKAIabzO82VpjFrwKrec06dyLYv%2Fl47NEnNZWsP5yaSd%2Fv9Nt9%2B3e3Fcj5wy9GquHyPxhZYGcXqjcR58XrA%2FHxLX5K0zXobvNO%2Fs9sQW8WXlQ8ZZ3I7tkqOCsmlz0iWex9%2B3URQDAvBsQdRLM8j%2F7%2FY5R8%3D&RelayState=https%3A%2F%2Fprofile.surfconext.nl%2F&SAMLEncoding=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Abindings%3AURL-Encoding%3ADEFLATE';
+        $request = 'SAMLRequest=pVJNbxMxEP0rK983%2B0E3aq0kUmiEiFQgagIHLsixx4kl73jxjKH8e7ybIkoPuXAazcd78%2BZpFqR6P8h14jM%2BwvcExMVT75Hk1FiKFFEGRY4kqh5Ispb79YcH2c5qOcTAQQcvXkCuIxQRRHYBRbHdLMU3c3sHpmmttZ2pjzrHN%2FbW2rm6aerWzOu2uZkfdW3royi%2BQKSMXIpMlOFECbZIrJBzqW66smnL%2Bu7QNrJrZdd9FcUmX%2BNQ8YQ6Mw8kqwrw5BBmlKLVAeGJZ%2Bgrle8HZKen4cqZoSKHJw8luROWo971H%2Bn3ASn1EPcQfzgNnx8f%2FpJnR6zzr9nJ9YOH0Z2qDybl%2FnDOC8acLrEtlaapasCq5LmkQRS7Z3%2FfOjRZzXVrj5chku8Ph125%2B7Q%2FiNVi5JaTVXH1Pxp7YGUUq1cSF9XLBYvLL33M0rabXfBO%2Fyrehdgrvq58rDhT2mlUJqQBtLMOTDbd%2B%2FDzPoJiWAqOCUS1uiz992dXvwE%3D&RelayState=https%3A%2F%2Fprofile.surfconext.nl%2F&SAMLEncoding=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Abindings%3AURL-Encoding%3ADEFLATE';
         $_SERVER['QUERY_STRING'] = $request;
 
         $q = [
-            'SAMLRequest' => 'pVJNb9swDP0rhu6O7XjeGiEJkDYoGqDbgibboZdCkahEgEx5Ir11/36y02FdD7n0JPDjPT4+cU6q9Z1c9XzCB/jRA3H23HokORYWoo8ogyJHElULJFnL3erzvZxOStnFwEEHL15BLiMUEUR2AUW2WS/EUw2NrXRp7NWshEPVzJqm+TQzVV1DddC21rUy1tq6norsO0RKyIVIRAlO1MMGiRVySpVVk1fTvKr25ZVsGvnh46PI1mkbh4pH1Im5I1kUgEeHMKE+Wh0QnnmCvlBpf0B2emwunOkKcnj0kJM7Yj7oXf2VfhOQ+hbiDuJPp+Hbw/0/8uSIdf4tO7m28zC4U7TB9KnendKAIabzO82VpjFrwKrec06dyLYv/l47NEnNZWsP5yaSd/v9Nt9+3e3Fcj5wy9GquHyPxhZYGcXqjcR58XrA/HxLX5K0zXobvNO/s9sQW8WXlQ8ZZ3I7tkqOCsmlz0iWex9+3URQDAvBsQdRLM8j/7/Y5R8=',
+            'SAMLRequest' => 'pVJNbxMxEP0rK983+0E3aq0kUmiEiFQgagIHLsixx4kl73jxjKH8e7ybIkoPuXAazcd78+ZpFqR6P8h14jM+wvcExMVT75Hk1FiKFFEGRY4kqh5Ispb79YcH2c5qOcTAQQcvXkCuIxQRRHYBRbHdLMU3c3sHpmmttZ2pjzrHN/bW2rm6aerWzOu2uZkfdW3royi+QKSMXIpMlOFECbZIrJBzqW66smnL+u7QNrJrZdd9FcUmX+NQ8YQ6Mw8kqwrw5BBmlKLVAeGJZ+grle8HZKen4cqZoSKHJw8luROWo971H+n3ASn1EPcQfzgNnx8f/pJnR6zzr9nJ9YOH0Z2qDybl/nDOC8acLrEtlaapasCq5LmkQRS7Z3/fOjRZzXVrj5chku8Ph125+7Q/iNVi5JaTVXH1Pxp7YGUUq1cSF9XLBYvLL33M0rabXfBO/yrehdgrvq58rDhT2mlUJqQBtLMOTDbd+/DzPoJiWAqOCUS1uiz992dXvwE=',
             'RelayState' => 'https://profile.surfconext.nl/',
             'SAMLEncoding' => 'urn:oasis:names:tc:SAML:2.0:bindings:URL-Encoding:DEFLATE',
         ];
@@ -135,10 +135,10 @@ public function testRequestParsingMoreParams(): void
     public function testSignedRequestValidation(): void
     {
         $q = [
-            'SAMLRequest' => 'hVLLbttADPwVYe+ylJXsyAvbgBujqIG0MWK3h1wCVkvFC+xDXVJp+/ddywmS9uCeCJAznOGACwJne7Ue+Ojv8ceAxNkvZz2pcbAUQ/QqABlSHhyS4lbt159vlZyUqo+BQxuseEe5zAAijGyCF9l2sxSPjZ41jW5npZxjpWvsrisoZ9ddV8NU6is5nTczXTfTeS2ybxgpMZciLUp0ogG3nhg8p1Ypq7y8ymV1kJUqa1XJB5Ft0jXGA4+sI3NPqiiM7icuhBxiezTPOPG2cEEPFif9sS9OJ5wgBRn/ZHFvnvyd32N8Ni2KbP1q/yZ4GhzGl8nX+9s3AY0u/E+BzlXm0NLY1djBYDmnXmS7l1g/GK+Ti8uJfj+DSH06HHb57m5/EKvFabcaE4qrV1v/OEoOHDJoYFgU7/GL80d8SUrbzS5Y0/7OPobogC8bOXWMzrsRqjiCJ4OeU2jWhp83EYFxKTgOKIrVWfLvv1v9AQ==',
-            'RelayState' => 'https://demo.moo-archive.nl/module.php/admin/test/default-sp',
+            'SAMLRequest' => 'hVPLjtpAEPwVa+7GD+wljACJgKIgbbIISA65RI2nvYw0D2d6vNn8fcbGKFYe5GSpu6q7qqa9INCq4evWX8wBv7VIPnrVyhDvG0vWOsMtkCRuQCNxX/Hj+sMjzycpb5z1trKKjSj3GUCEzktrWLTbLtnX8iEDmGdpNoVyLqbzdDpNi3NZlOciq0QhYDYDgfOsqFn0GR0F5pKFQYFO1OLOkAfjQynNH+I0j/M3pzzlZcbT2RcWbYMbacD3rIv3DfEkkaKZaGtjcNVFvuDEqERb0SqcNJcm6Sx0kISkeVZ4lM/myRzRvcgKWbS+yd9YQ61GN3Q+HR5/LRCo7f820PWbx1BRXxVYQ6t8TA2L9kOsb6URQcX9RM9XEPH3p9M+3j8dT2y16GbzPiG3usn6TVFQoNGDAA+LZIxfXC/iY9i02+6tktWP6J11Gvx9IV1Firjuodw7MCTR+BCaUvb7xiF4XLIaFCFLbluGk0PRH2BI1eOrH/SPSxsVLueA9apTMHLCaxTo+hfmMMJzZSEffP11zrX3TwHJn7/F6ic=',
+            'RelayState' => 'https://demo.moo-archive.nl/module.php/debugsp/test/default-sp',
             'SigAlg' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
-            'Signature' => 'T8+SG10HcgOkpw4cUFTnoF9WWrlYnllnqKruvmVcyinbiJsdnw7EMxM6Lr/5Mo/Rk3Hd7x8tuQ955Vv96jMRKGfdvq8Dh1gx4PKJPHXFWBSipWOc9UDNT0N3addnk9PiSaQ5YehT9lZ4agoSmKqiWNrE4qpKIcgWdh0GgiYDUto=',
+            'Signature' => 'imAC2OqhtdL8BejmMvZG1+JgAaEo9JbMtaymXRJCkC0MYfKrda+Xfm3ZIJRi7SuCdw6wHLUsc0D2ZPI7DkLsqIQ/G8qZzdaPwLjSI+cEjKuGpLz+rTPofeRplqGhTfT32bQ4bwLEDEhBk6FxUDl63pTnYgo49Fi+3GlXtbmMK2I=',
         ];
         $request = new ServerRequest('GET', 'http://tnyholm.se');
         $request = $request->withQueryParams($q);
@@ -200,9 +200,9 @@ public function testInvalidEncodingSpecified(): void
     public function testNoSigAlgSpecified(): void
     {
         $q = [
-            'SAMLRequest' => 'nVLBauMwEP0Vo7sjW7FpKpJA2rBsoNuGOruHXhZFHm8EsuRqxtv27yvbWWgvYelFgjfvzbx5zBJVazu56enkHuG5B6TktbUO5VhYsT446RUalE61gJK0rDY/7qSYZbILnrz2ln2QXFYoRAhkvGPJbrtiv7VoygJEoTJ9LOusXDSFuJ4vdH6cxwoIEGUjsrqoFUt+QcCoXLHYKMoRe9g5JOUoQlleprlI8/yQz6W4ksXiiSXbuI1xikbViahDyfkRSM2wD40DmjnL0bSdhcE6Hx7BTd3xqnqoIPw1GmbdqWPJNx80jCGtGIUeWLL5t8mtd9i3EM78n493/zWr9XVvx+58mj39IlUaR/QmKOPq4Dtkyf4c9E1EjPtzOePjREL5/XDYp/uH6sDWy6G3HDML66+5ayO7VlHx2dySf2y9nM7pPprabffeGv02ZNcquux5QEydNiNVUlAODTiKMVvrX24DKIJz8nw9jfx8tOt3',
-            'RelayState' => 'https://profile.surfconext.nl/',
-            'Signature' => 'b+qe/XGgICOrEL1v9dwuoy0RJtJ/GNAr7gJGYSJzLG0riPKwo7v5CH8GPC2P9IRikaeaNeQrnhBAaf8FCWrO0cLFw4qR6msK9bxRBGk+hIaTUYCh54ETrVCyGlmBneMgC5/iCRvtEW3ESPXCCqt8Ncu98yZmv9LIVyHSl67Se+fbB9sDw3/fzwYIHRMqK2aS8jnsnqlgnBGGOXqIqN3+d/2dwtCfz14s/9odoYzSUv32qfNPiPez6PSNqwhwH7dWE3TlO/jZmz0DnOeQ2ft6qdZEi5ZN5KCV6VmNKpkrLMq6DDPnuwPm/8oCAoT88R2jG7uf9QZB+ArWJKMEhDLsCA==',
+            'SAMLRequest' => 'hVPLjtpAEPwVa+7GD+wljACJgKIgbbIISA65RI2nvYw0D2d6vNn8fcbGKFYe5GSpu6q7qqa9INCq4evWX8wBv7VIPnrVyhDvG0vWOsMtkCRuQCNxX/Hj+sMjzycpb5z1trKKjSj3GUCEzktrWLTbLtnX8iEDmGdpNoVyLqbzdDpNi3NZlOciq0QhYDYDgfOsqFn0GR0F5pKFQYFO1OLOkAfjQynNH+I0j/M3pzzlZcbT2RcWbYMbacD3rIv3DfEkkaKZaGtjcNVFvuDEqERb0SqcNJcm6Sx0kISkeVZ4lM/myRzRvcgKWbS+yd9YQ61GN3Q+HR5/LRCo7f820PWbx1BRXxVYQ6t8TA2L9kOsb6URQcX9RM9XEPH3p9M+3j8dT2y16GbzPiG3usn6TVFQoNGDAA+LZIxfXC/iY9i02+6tktWP6J11Gvx9IV1Firjuodw7MCTR+BCaUvb7xiF4XLIaFCFLbluGk0PRH2BI1eOrH/SPSxsVLueA9apTMHLCaxTo+hfmMMJzZSEffP11zrX3TwHJn7/F6ic=',
+            'RelayState' => 'https://demo.moo-archive.nl/module.php/debugsp/test/default-sp',
+            'Signature' => 'imAC2OqhtdL8BejmMvZG1+JgAaEo9JbMtaymXRJCkC0MYfKrda+Xfm3ZIJRi7SuCdw6wHLUsc0D2ZPI7DkLsqIQ/G8qZzdaPwLjSI+cEjKuGpLz+rTPofeRplqGhTfT32bQ4bwLEDEhBk6FxUDl63pTnYgo49Fi+3GlXtbmMK2I=',
         ];
         $request = new ServerRequest('GET', 'http://tnyholm.se');
         $request = $request->withQueryParams($q);
@@ -348,11 +348,11 @@ public function testDuplicateQueryParameters(): void
     {
         $q = [
             /** @phpstan-ignore array.duplicateKey */
-            'SAMLRequest' => 'nVLBauMwEP0Vo7sjW7FpKpJA2rBsoNuGOruHXhZFHm8EsuRqxtv27yvbWWgvYelFgjfvzbx5zBJVazu56enkHuG5B6TktbUO5VhYsT446RUalE61gJK0rDY/7qSYZbILnrz2ln2QXFYoRAhkvGPJbrtiv7VoygJEoTJ9LOusXDSFuJ4vdH6cxwoIEGUjsrqoFUt+QcCoXLHYKMoRe9g5JOUoQlleprlI8/yQz6W4ksXiiSXbuI1xikbViahDyfkRSM2wD40DmjnL0bSdhcE6Hx7BTd3xqnqoIPw1GmbdqWPJNx80jCGtGIUeWLL5t8mtd9i3EM78n493/zWr9XVvx+58mj39IlUaR/QmKOPq4Dtkyf4c9E1EjPtzOePjREL5/XDYp/uH6sDWy6G3HDML66+5ayO7VlHx2dySf2y9nM7pPprabffeGv02ZNcquux5QEydNiNVUlAODTiKMVvrX24DKIJz8nw9jfx8tOt3',
-            'SAMLRequest' => 'hVLLbttADPwVYe+ylJXsyAvbgBujqIG0MWK3h1wCVkvFC+xDXVJp+/ddywmS9uCeCJAznOGACwJne7Ue+Ojv8ceAxNkvZz2pcbAUQ/QqABlSHhyS4lbt159vlZyUqo+BQxuseEe5zAAijGyCF9l2sxSPjZ41jW5npZxjpWvsrisoZ9ddV8NU6is5nTczXTfTeS2ybxgpMZciLUp0ogG3nhg8p1Ypq7y8ymV1kJUqa1XJB5Ft0jXGA4+sI3NPqiiM7icuhBxiezTPOPG2cEEPFif9sS9OJ5wgBRn/ZHFvnvyd32N8Ni2KbP1q/yZ4GhzGl8nX+9s3AY0u/E+BzlXm0NLY1djBYDmnXmS7l1g/GK+Ti8uJfj+DSH06HHb57m5/EKvFabcaE4qrV1v/OEoOHDJoYFgU7/GL80d8SUrbzS5Y0/7OPobogC8bOXWMzrsRqjiCJ4OeU2jWhp83EYFxKTgOKIrVWfLvv1v9AQ==',
-            'RelayState' => 'https://demo.moo-archive.nl/module.php/admin/test/default-sp',
+            'SAMLRequest' => 'pVJNbxMxEP0rK983+0E3aq0kUmiEiFQgagIHLsixx4kl73jxjKH8e7ybIkoPuXAazcd78+ZpFqR6P8h14jM+wvcExMVT75Hk1FiKFFEGRY4kqh5Ispb79YcH2c5qOcTAQQcvXkCuIxQRRHYBRbHdLMU3c3sHpmmttZ2pjzrHN/bW2rm6aerWzOu2uZkfdW3royi+QKSMXIpMlOFECbZIrJBzqW66smnL+u7QNrJrZdd9FcUmX+NQ8YQ6Mw8kqwrw5BBmlKLVAeGJZ+grle8HZKen4cqZoSKHJw8luROWo971H+n3ASn1EPcQfzgNnx8f/pJnR6zzr9nJ9YOH0Z2qDybl/nDOC8acLrEtlaapasCq5LmkQRS7Z3/fOjRZzXVrj5chku8Ph125+7Q/iNVi5JaTVXH1Pxp7YGUUq1cSF9XLBYvLL33M0rabXfBO/yrehdgrvq58rDhT2mlUJqQBtLMOTDbd+/DzPoJiWAqOCUS1uiz992dXvwE=',
+            'SAMLRequest' => 'hVPLjtpAEPwVa+7GD+wljACJgKIgbbIISA65RI2nvYw0D2d6vNn8fcbGKFYe5GSpu6q7qqa9INCq4evWX8wBv7VIPnrVyhDvG0vWOsMtkCRuQCNxX/Hj+sMjzycpb5z1trKKjSj3GUCEzktrWLTbLtnX8iEDmGdpNoVyLqbzdDpNi3NZlOciq0QhYDYDgfOsqFn0GR0F5pKFQYFO1OLOkAfjQynNH+I0j/M3pzzlZcbT2RcWbYMbacD3rIv3DfEkkaKZaGtjcNVFvuDEqERb0SqcNJcm6Sx0kISkeVZ4lM/myRzRvcgKWbS+yd9YQ61GN3Q+HR5/LRCo7f820PWbx1BRXxVYQ6t8TA2L9kOsb6URQcX9RM9XEPH3p9M+3j8dT2y16GbzPiG3usn6TVFQoNGDAA+LZIxfXC/iY9i02+6tktWP6J11Gvx9IV1Firjuodw7MCTR+BCaUvb7xiF4XLIaFCFLbluGk0PRH2BI1eOrH/SPSxsVLueA9apTMHLCaxTo+hfmMMJzZSEffP11zrX3TwHJn7/F6ic=',
+            'RelayState' => 'https://demo.moo-archive.nl/module.php/debugsp/test/default-sp',
             'SigAlg' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
-            'Signature' => 'T8+SG10HcgOkpw4cUFTnoF9WWrlYnllnqKruvmVcyinbiJsdnw7EMxM6Lr/5Mo/Rk3Hd7x8tuQ955Vv96jMRKGfdvq8Dh1gx4PKJPHXFWBSipWOc9UDNT0N3addnk9PiSaQ5YehT9lZ4agoSmKqiWNrE4qpKIcgWdh0GgiYDUto=',
+            'Signature' => 'imAC2OqhtdL8BejmMvZG1+JgAaEo9JbMtaymXRJCkC0MYfKrda+Xfm3ZIJRi7SuCdw6wHLUsc0D2ZPI7DkLsqIQ/G8qZzdaPwLjSI+cEjKuGpLz+rTPofeRplqGhTfT32bQ4bwLEDEhBk6FxUDl63pTnYgo49Fi+3GlXtbmMK2I=',
         ];
 
         $request = new ServerRequest('GET', 'http://tnyholm.se');
@@ -363,8 +363,8 @@ public function testDuplicateQueryParameters(): void
 
         $q = [
             /** @phpstan-ignore array.duplicateKey */
-            'SAMLRequest' => 'hVLLbttADPwVYe+ylJXsyAvbgBujqIG0MWK3h1wCVkvFC+xDXVJp+/ddywmS9uCeCJAznOGACwJne7Ue+Ojv8ceAxNkvZz2pcbAUQ/QqABlSHhyS4lbt159vlZyUqo+BQxuseEe5zAAijGyCF9l2sxSPjZ41jW5npZxjpWvsrisoZ9ddV8NU6is5nTczXTfTeS2ybxgpMZciLUp0ogG3nhg8p1Ypq7y8ymV1kJUqa1XJB5Ft0jXGA4+sI3NPqiiM7icuhBxiezTPOPG2cEEPFif9sS9OJ5wgBRn/ZHFvnvyd32N8Ni2KbP1q/yZ4GhzGl8nX+9s3AY0u/E+BzlXm0NLY1djBYDmnXmS7l1g/GK+Ti8uJfj+DSH06HHb57m5/EKvFabcaE4qrV1v/OEoOHDJoYFgU7/GL80d8SUrbzS5Y0/7OPobogC8bOXWMzrsRqjiCJ4OeU2jWhp83EYFxKTgOKIrVWfLvv1v9AQ==',
-            'SAMLRequest' => 'nVLBauMwEP0Vo7sjW7FpKpJA2rBsoNuGOruHXhZFHm8EsuRqxtv27yvbWWgvYelFgjfvzbx5zBJVazu56enkHuG5B6TktbUO5VhYsT446RUalE61gJK0rDY/7qSYZbILnrz2ln2QXFYoRAhkvGPJbrtiv7VoygJEoTJ9LOusXDSFuJ4vdH6cxwoIEGUjsrqoFUt+QcCoXLHYKMoRe9g5JOUoQlleprlI8/yQz6W4ksXiiSXbuI1xikbViahDyfkRSM2wD40DmjnL0bSdhcE6Hx7BTd3xqnqoIPw1GmbdqWPJNx80jCGtGIUeWLL5t8mtd9i3EM78n493/zWr9XVvx+58mj39IlUaR/QmKOPq4Dtkyf4c9E1EjPtzOePjREL5/XDYp/uH6sDWy6G3HDML66+5ayO7VlHx2dySf2y9nM7pPprabffeGv02ZNcquux5QEydNiNVUlAODTiKMVvrX24DKIJz8nw9jfx8tOt3',
+            'SAMLRequest' => 'pVJNbxMxEP0rK983+0E3aq0kUmiEiFQgagIHLsixx4kl73jxjKH8e7ybIkoPuXAazcd78+ZpFqR6P8h14jM+wvcExMVT75Hk1FiKFFEGRY4kqh5Ispb79YcH2c5qOcTAQQcvXkCuIxQRRHYBRbHdLMU3c3sHpmmttZ2pjzrHN/bW2rm6aerWzOu2uZkfdW3royi+QKSMXIpMlOFECbZIrJBzqW66smnL+u7QNrJrZdd9FcUmX+NQ8YQ6Mw8kqwrw5BBmlKLVAeGJZ+grle8HZKen4cqZoSKHJw8luROWo971H+n3ASn1EPcQfzgNnx8f/pJnR6zzr9nJ9YOH0Z2qDybl/nDOC8acLrEtlaapasCq5LmkQRS7Z3/fOjRZzXVrj5chku8Ph125+7Q/iNVi5JaTVXH1Pxp7YGUUq1cSF9XLBYvLL33M0rabXfBO/yrehdgrvq58rDhT2mlUJqQBtLMOTDbd+/DzPoJiWAqOCUS1uiz992dXvwE=',
+            'SAMLRequest' => 'hVPLjtpAEPwVa+7GD+wljACJgKIgbbIISA65RI2nvYw0D2d6vNn8fcbGKFYe5GSpu6q7qqa9INCq4evWX8wBv7VIPnrVyhDvG0vWOsMtkCRuQCNxX/Hj+sMjzycpb5z1trKKjSj3GUCEzktrWLTbLtnX8iEDmGdpNoVyLqbzdDpNi3NZlOciq0QhYDYDgfOsqFn0GR0F5pKFQYFO1OLOkAfjQynNH+I0j/M3pzzlZcbT2RcWbYMbacD3rIv3DfEkkaKZaGtjcNVFvuDEqERb0SqcNJcm6Sx0kISkeVZ4lM/myRzRvcgKWbS+yd9YQ61GN3Q+HR5/LRCo7f820PWbx1BRXxVYQ6t8TA2L9kOsb6URQcX9RM9XEPH3p9M+3j8dT2y16GbzPiG3usn6TVFQoNGDAA+LZIxfXC/iY9i02+6tktWP6J11Gvx9IV1Firjuodw7MCTR+BCaUvb7xiF4XLIaFCFLbluGk0PRH2BI1eOrH/SPSxsVLueA9apTMHLCaxTo+hfmMMJzZSEffP11zrX3TwHJn7/F6ic=',
             'RelayState' => 'https://demo.moo-archive.nl/module.php/admin/test/default-sp',
             'SigAlg' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
             'Signature' => 'T8+SG10HcgOkpw4cUFTnoF9WWrlYnllnqKruvmVcyinbiJsdnw7EMxM6Lr/5Mo/Rk3Hd7x8tuQ955Vv96jMRKGfdvq8Dh1gx4PKJPHXFWBSipWOc9UDNT0N3addnk9PiSaQ5YehT9lZ4agoSmKqiWNrE4qpKIcgWdh0GgiYDUto=',

tests/SAML2/XML/samlp/NameIDPolicyTest.php

@@ -8,6 +8,7 @@
 use PHPUnit\Framework\Attributes\Group;
 use PHPUnit\Framework\TestCase;
 use SimpleSAML\SAML2\Constants as C;
+use SimpleSAML\SAML2\Exception\ProtocolViolationException;
 use SimpleSAML\SAML2\Type\SAMLAnyURIValue;
 use SimpleSAML\SAML2\Type\SAMLStringValue;
 use SimpleSAML\SAML2\XML\samlp\AbstractSamlpElement;
@@ -45,7 +46,7 @@ public static function setUpBeforeClass(): void
         self::$arrayRepresentation = [
             'Format' => C::NAMEID_TRANSIENT,
             'SPNameQualifier' => 'https://some/qualifier',
-            'AllowCreate' => true,
+            'AllowCreate' => false,
         ];
 
         self::$xmlRepresentation = DOMDocumentFactory::fromFile(
@@ -103,4 +104,19 @@ public function testMarshallingEmptyElement(): void
         );
         $this->assertTrue($nameIdPolicy->isEmptyElement());
     }
+
+
+    /**
+     * Illegal combination of AllowCreate=true and transient NameID format is rejected.
+     */
+    public function testIllegalCombinationThrowsException(): void
+    {
+        $this->expectException(ProtocolViolationException::class);
+
+        new NameIDPolicy(
+            SAMLAnyURIValue::fromString(C::NAMEID_TRANSIENT),
+            SAMLStringValue::fromString('urn:x-simplesamlphp:spnamequalifier'),
+            BooleanValue::fromBoolean(true),
+        );
+    }
 }

tests/bin/authnrequest.php

@@ -39,7 +39,7 @@
     subject: $subject,
     issueInstant: SAMLDateTimeValue::fromDateTime(new DateTimeImmutable('now', new DateTimeZone('Z'))),
     issuer: $issuer,
-    id: IDValue::fromString('123'),
+    id: IDValue::fromString('phpunit'),
     destination: SAMLAnyURIValue::fromString('https://tiqr.example.org/idp/profile/saml2/Redirect/SSO'),
 );
 

tests/bin/signedAuthnrequest.php

@@ -0,0 +1,49 @@
+#!/usr/bin/env php
+<?php
+
+require_once(dirname(__FILE__, 3) . '/vendor/autoload.php');
+
+use SimpleSAML\SAML2\Compat\ContainerSingleton;
+use SimpleSAML\SAML2\Compat\MockContainer;
+use SimpleSAML\SAML2\Type\SAMLAnyURIValue;
+use SimpleSAML\SAML2\Type\SAMLDateTimeValue;
+use SimpleSAML\SAML2\Type\SAMLStringValue;
+use SimpleSAML\SAML2\XML\saml\Issuer;
+use SimpleSAML\SAML2\XML\saml\NameID;
+use SimpleSAML\SAML2\XML\saml\Subject;
+use SimpleSAML\SAML2\XML\samlp\AuthnRequest;
+use SimpleSAML\XML\Type\IDValue;
+use SimpleSAML\XMLSecurity\Alg\Signature\SignatureAlgorithmFactory;
+use SimpleSAML\XMLSecurity\Constants as C;
+use SimpleSAML\XMLSecurity\TestUtils\PEMCertificatesMock;
+
+$container = new MockContainer();
+$container->setBlacklistedAlgorithms(null);
+ContainerSingleton::setContainer($container);
+
+$signer = (new SignatureAlgorithmFactory())->getAlgorithm(
+    C::SIG_RSA_SHA256,
+    PEMCertificatesMock::getPrivateKey(PEMCertificatesMock::SELFSIGNED_PRIVATE_KEY),
+);
+
+$nid = new NameID(SAMLStringValue::fromString('test@example.org'));
+
+$issuer = new Issuer(SAMLStringValue::fromString('https://gateway.example.org/saml20/sp/metadata'));
+$subject = new Subject($nid);
+
+$authnRequest = new AuthnRequest(
+    subject: $subject,
+    issueInstant: SAMLDateTimeValue::fromDateTime(new DateTimeImmutable('now', new DateTimeZone('Z'))),
+    issuer: $issuer,
+    id: IDValue::fromString('phpunit'),
+    destination: SAMLAnyURIValue::fromString('https://tiqr.example.org/idp/profile/saml2/Redirect/SSO'),
+);
+
+$unsignedAuthnRequest = $authnRequest->toXML();
+
+echo $unsignedAuthnRequest->ownerDocument->saveXML();
+
+$authnRequest->sign($signer);
+$signedAuthnRequest = $authnRequest->toXML();
+
+echo $signedAuthnRequest->ownerDocument->saveXML();