fix(SAML): check on empty nameID (#8714)

# Which Problems Are Solved If a SAML IdP did not send a `NameID` (even though required by the specification), ZITADEL would crash. # How the Problems Are Solved - Check specifically if the `Subject` and its `NameID` is passed # Additional Changes None # Additional Context - closes https://github.com/zitadel/zitadel/issues/8654 (cherry picked from commit 18499274dd)
2025-08-12 12:57:34 +00:00 · 2024-10-03 10:17:33 +02:00
parent b47f0f546f
commit 5215d98a30
2 changed files with 58 additions and 4 deletions
--- a/internal/idp/providers/saml/session.go
+++ b/internal/idp/providers/saml/session.go
@@ -70,6 +70,10 @@ func (s *Session) FetchUser(ctx context.Context) (user idp.User, err error) {
 		return nil, zerrors.ThrowInvalidArgument(err, "SAML-nuo0vphhh9", "Errors.Intent.ResponseInvalid")
 	}

+	// nameID is required, but at least in ADFS it will not be sent unless explicitly configured
+	if s.Assertion.Subject == nil || s.Assertion.Subject.NameID == nil {
+		return nil, zerrors.ThrowInvalidArgument(err, "SAML-EFG32", "Errors.Intent.ResponseInvalid")
+	}
 	nameID := s.Assertion.Subject.NameID
 	userMapper := NewUser()
 	// use the nameID as default mapping id
--- a/internal/idp/providers/saml/session_test.go
+++ b/internal/idp/providers/saml/session_test.go