SAML-Toolkits · pitbulk · Aug 23, 2021 · Aug 19, 2021
diff --git a/core/src/main/java/com/onelogin/saml2/authn/AuthnRequest.java b/core/src/main/java/com/onelogin/saml2/authn/AuthnRequest.java
@@ -229,7 +229,11 @@ private StrSubstitutor generateSubstitutor(AuthnRequestParams params, Saml2Setti
 			if (settings.getWantNameIdEncrypted()) {
 				nameIDPolicyFormat = Constants.NAMEID_ENCRYPTED;
 			}
-			nameIDPolicyStr = "<samlp:NameIDPolicy Format=\"" + Util.toXml(nameIDPolicyFormat) + "\" AllowCreate=\"true\" />";
+			String allowCreateStr = "";
+			if (params.isAllowCreate()) {
+				allowCreateStr = " AllowCreate=\"true\"";
+			}
+			nameIDPolicyStr = "<samlp:NameIDPolicy Format=\"" + Util.toXml(nameIDPolicyFormat) + "\"" + allowCreateStr + " />";
 		}
 		valueMap.put("nameIDPolicyStr", nameIDPolicyStr);
 

diff --git a/core/src/main/java/com/onelogin/saml2/authn/AuthnRequestParams.java b/core/src/main/java/com/onelogin/saml2/authn/AuthnRequestParams.java
@@ -14,9 +14,14 @@ public class AuthnRequestParams {
 	 */
 	private final boolean isPassive;
 	/**
-	 * When true the AuthNReuqest will set a nameIdPolicy
+	 * When true the AuthNRequest will set a nameIdPolicy
 	 */
 	private final boolean setNameIdPolicy;
+	/**
+	 * When true and {@link #setNameIdPolicy} is also <code>true</code>, then the
+	 * AllowCreate='true' will be set on the NameIDPolicy element
+	 */
+	private final boolean allowCreate;
 	/**
 	 * Indicates to the IdP the subject that should be authenticated
 	 */
@@ -29,13 +34,34 @@ public class AuthnRequestParams {
 	 *              whether the <code>ForceAuthn</code> attribute should be set to
 	 *              <code>true</code>
 	 * @param isPassive
-	 *              whether the <code>isPassive</code> attribute should be set to
+	 *              whether the <code>IsPassive</code> attribute should be set to
 	 *              <code>true</code>
 	 * @param setNameIdPolicy
 	 *              whether a <code>NameIDPolicy</code> should be set
 	 */
 	public AuthnRequestParams(boolean forceAuthn, boolean isPassive, boolean setNameIdPolicy) {
-		this(forceAuthn, isPassive, setNameIdPolicy, null);
+		this(forceAuthn, isPassive, setNameIdPolicy, true);
+	}
+
+	/**
+	 * Create a set of authentication request input parameters.
+	 *
+	 * @param forceAuthn
+	 *              whether the <code>ForceAuthn</code> attribute should be set to
+	 *              <code>true</code>
+	 * @param isPassive
+	 *              whether the <code>IsPassive</code> attribute should be set to
+	 *              <code>true</code>
+	 * @param setNameIdPolicy
+	 *              whether a <code>NameIDPolicy</code> should be set
+	 * @param allowCreate
+	 *              whether the <code>AllowCreate</code> attribute should be set to
+	 *              <code>true</code> on the <code>NameIDPolicy</code> element; only
+	 *              meaningful if <code>setNameIdPolicy</code> is also
+	 *              <code>true</code>
+	 */
+	public AuthnRequestParams(boolean forceAuthn, boolean isPassive, boolean setNameIdPolicy, boolean allowCreate) {
+		this(forceAuthn, isPassive, setNameIdPolicy, allowCreate, null);
 	}
 
 	/**
@@ -45,17 +71,42 @@ public AuthnRequestParams(boolean forceAuthn, boolean isPassive, boolean setName
 	 *              whether the <code>ForceAuthn</code> attribute should be set to
 	 *              <code>true</code>
 	 * @param isPassive
-	 *              whether the <code>isPassive</code> attribute should be set to
+	 *              whether the <code>IsPassive</code> attribute should be set to
 	 *              <code>true</code>
 	 * @param setNameIdPolicy
 	 *              whether a <code>NameIDPolicy</code> should be set
 	 * @param nameIdValueReq
 	 *              the subject that should be authenticated
 	 */
 	public AuthnRequestParams(boolean forceAuthn, boolean isPassive, boolean setNameIdPolicy, String nameIdValueReq) {
+		this(forceAuthn, isPassive, setNameIdPolicy, true, nameIdValueReq);
+	}
+
+	/**
+	 * Create a set of authentication request input parameters.
+	 *
+	 * @param forceAuthn
+	 *              whether the <code>ForceAuthn</code> attribute should be set to
+	 *              <code>true</code>
+	 * @param isPassive
+	 *              whether the <code>IsPassive</code> attribute should be set to
+	 *              <code>true</code>
+	 * @param setNameIdPolicy
+	 *              whether a <code>NameIDPolicy</code> should be set
+	 * @param allowCreate
+	 *              the value to set for the <code>allowCreate</code> attribute of
+	 *              <code>NameIDPolicy</code> element; <code>null</code> means it's
+	 *              not set at all; only meaningful when
+	 *              <code>setNameIdPolicy</code> is <code>true</code>
+	 * @param nameIdValueReq
+	 *              the subject that should be authenticated
+	 */
+	public AuthnRequestParams(boolean forceAuthn, boolean isPassive, boolean setNameIdPolicy, boolean allowCreate,
+	            String nameIdValueReq) {
 		this.forceAuthn = forceAuthn;
 		this.isPassive = isPassive;
 		this.setNameIdPolicy = setNameIdPolicy;
+		this.allowCreate = allowCreate;
 		this.nameIdValueReq = nameIdValueReq;
 	}
 
@@ -70,32 +121,42 @@ protected AuthnRequestParams(AuthnRequestParams source) {
 		this.forceAuthn = source.isForceAuthn();
 		this.isPassive = source.isPassive();
 		this.setNameIdPolicy = source.isSetNameIdPolicy();
+		this.allowCreate = source.isAllowCreate();
 		this.nameIdValueReq = source.getNameIdValueReq();
 	}
 
 	/**
 	 * @return whether the <code>ForceAuthn</code> attribute should be set to
 	 *         <code>true</code>
 	 */
-	protected boolean isForceAuthn() {
+	public boolean isForceAuthn() {
 		return forceAuthn;
 	}
 
 	/**
-	 * @return whether the <code>isPassive</code> attribute should be set to
+	 * @return whether the <code>IsPassive</code> attribute should be set to
 	 *         <code>true</code>
 	 */
-	protected boolean isPassive() {
+	public boolean isPassive() {
 		return isPassive;
 	}
 
 	/**
 	 * @return whether a <code>NameIDPolicy</code> should be set
 	 */
-	protected boolean isSetNameIdPolicy() {
+	public boolean isSetNameIdPolicy() {
 		return setNameIdPolicy;
 	}
 
+	/**
+	 * @return whether the <code>AllowCreate</code> attribute should be set to
+	 *         <code>true</code> on the <code>NameIDPolicy</code> element (only
+	 *         meaningful if {@link #isSetNameIdPolicy()} is also <code>true</code>)
+	 */
+	public boolean isAllowCreate() {
+		return allowCreate;
+	}
+
 	/**
 	 * @return the subject that should be authenticated
 	 */

diff --git a/core/src/test/java/com/onelogin/saml2/test/authn/AuthnRequestTest.java b/core/src/test/java/com/onelogin/saml2/test/authn/AuthnRequestTest.java
@@ -242,6 +242,75 @@ public void testNameIDPolicy() throws Exception {
 		assertThat(authnRequestStr, containsString("Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\""));
 	}
 
+	/**
+	 * Tests the AuthnRequest Constructor
+	 * The creation of a deflated SAML Request with NameIDPolicy with and without AllowCreate
+	 *
+	 * @throws Exception
+	 * 
+	 * @see com.onelogin.saml2.authn.AuthnRequest
+	 */
+	@Test
+	public void testAllowCreate() throws Exception {
+		Saml2Settings settings = new SettingsBuilder().fromFile("config/config.min.properties").build();
+
+		// by default setNameIdPolicy=true, allowCreate=true
+		AuthnRequest authnRequest = new AuthnRequest(settings);
+		String authnRequestStringBase64 = authnRequest.getEncodedAuthnRequest();
+		String authnRequestStr = Util.base64decodedInflated(authnRequestStringBase64);
+		assertThat(authnRequestStr, containsString("<samlp:AuthnRequest"));
+		assertThat(authnRequestStr, containsString("<samlp:NameIDPolicy"));
+		assertThat(authnRequestStr, containsString("AllowCreate=\"true\""));
+
+		// explicit setNameIdPolicy=true, by default allowCreate=true
+		authnRequest = new AuthnRequest(settings, new AuthnRequestParams(false, false, true));
+		authnRequestStringBase64 = authnRequest.getEncodedAuthnRequest();
+		authnRequestStr = Util.base64decodedInflated(authnRequestStringBase64);		
+		assertThat(authnRequestStr, containsString("<samlp:AuthnRequest"));
+		assertThat(authnRequestStr, containsString("<samlp:NameIDPolicy"));
+		assertThat(authnRequestStr, containsString("AllowCreate=\"true\""));
+
+		// explicit setNameIdPolicy=true, explicit allowCreate=true
+		authnRequest = new AuthnRequest(settings, new AuthnRequestParams(false, false, true, true));
+		authnRequestStringBase64 = authnRequest.getEncodedAuthnRequest();
+		authnRequestStr = Util.base64decodedInflated(authnRequestStringBase64);	
+		assertThat(authnRequestStr, containsString("<samlp:AuthnRequest"));
+		assertThat(authnRequestStr, containsString("<samlp:NameIDPolicy"));
+		assertThat(authnRequestStr, containsString("AllowCreate=\"true\""));
+
+		// explicit setNameIdPolicy=true, explicit allowCreate=false
+		authnRequest = new AuthnRequest(settings, new AuthnRequestParams(false, false, true, false));
+		authnRequestStringBase64 = authnRequest.getEncodedAuthnRequest();
+		authnRequestStr = Util.base64decodedInflated(authnRequestStringBase64);		
+		assertThat(authnRequestStr, containsString("<samlp:AuthnRequest"));
+		assertThat(authnRequestStr, containsString("<samlp:NameIDPolicy"));
+		assertThat(authnRequestStr, not(containsString("AllowCreate=\"true\"")));
+
+		// if setNameIdPolicy=false, by default AllowCreate missing
+		authnRequest = new AuthnRequest(settings, new AuthnRequestParams(false, false, false));
+		authnRequestStringBase64 = authnRequest.getEncodedAuthnRequest();
+		authnRequestStr = Util.base64decodedInflated(authnRequestStringBase64);		
+		assertThat(authnRequestStr, containsString("<samlp:AuthnRequest"));
+		assertThat(authnRequestStr, not(containsString("<samlp:NameIDPolicy")));
+		assertThat(authnRequestStr, not(containsString("AllowCreate=\"true\"")));
+
+		// if setNameIdPolicy=false explicitly, AllowCreate missing even if explicit allowCreate=true
+		authnRequest = new AuthnRequest(settings, new AuthnRequestParams(false, false, false, true));
+		authnRequestStringBase64 = authnRequest.getEncodedAuthnRequest();
+		authnRequestStr = Util.base64decodedInflated(authnRequestStringBase64);		
+		assertThat(authnRequestStr, containsString("<samlp:AuthnRequest"));
+		assertThat(authnRequestStr, not(containsString("<samlp:NameIDPolicy")));
+		assertThat(authnRequestStr, not(containsString("AllowCreate=\"true\"")));
+
+		// if both setNameIdPolicy=false and allowCreate=false explicitly, of course AllowCreate missing
+		authnRequest = new AuthnRequest(settings, new AuthnRequestParams(false, false, false, false));
+		authnRequestStringBase64 = authnRequest.getEncodedAuthnRequest();
+		authnRequestStr = Util.base64decodedInflated(authnRequestStringBase64);		
+		assertThat(authnRequestStr, containsString("<samlp:AuthnRequest"));
+		assertThat(authnRequestStr, not(containsString("<samlp:NameIDPolicy")));
+		assertThat(authnRequestStr, not(containsString("AllowCreate=\"true\"")));
+	}
+
 	/**
 	 * Tests the AuthnRequest Constructor
 	 * The creation of a deflated SAML Request with NameIDPolicy Encrypted