Strict specs enforcement

tvdijen · web-flow · commit 8aabf03c078b · 2026-02-28T12:10:19.000+01:00
E14: AllowCreate
diff --git a/src/XML/samlp/NameIDPolicy.php b/src/XML/samlp/NameIDPolicy.php
@@ -6,7 +6,9 @@
 
 use DOMElement;
 use SimpleSAML\SAML2\Assert\Assert;
+use SimpleSAML\SAML2\Constants as C;
 use SimpleSAML\SAML2\Exception\ArrayValidationException;
+use SimpleSAML\SAML2\Exception\ProtocolViolationException;
 use SimpleSAML\SAML2\Type\SAMLAnyURIValue;
 use SimpleSAML\SAML2\Type\SAMLStringValue;
 use SimpleSAML\XML\ArrayizableElementInterface;
@@ -45,6 +47,15 @@ public function __construct(
         protected ?SAMLStringValue $SPNameQualifier = null,
         protected ?BooleanValue $AllowCreate = null,
     ) {
+        if ($AllowCreate->equals(BooleanValue::fromBoolean(true)) {
+            // Per Errata E14: AllowCreate
+            Assert::notSame(
+                $Format->getValue(),
+                C::NAMEID_TRANSIENT,
+                ProtocolViolationException::class,
+                "AllowCreate=true MUST NOT be used in conjunction with the urn:oasis:names:tc:SAML:2.0:nameidformat:transient <NameID> Format.",
+            );
+        }
     }
 
 
