pythonthings
diff --git a/‎README.md‎
Lines changed: 13 additions & 3 deletions b/‎README.md‎
Lines changed: 13 additions & 3 deletions
diff --git a/‎demo-django/demo/views.py‎
Lines changed: 12 additions & 4 deletions b/‎demo-django/demo/views.py‎
Lines changed: 12 additions & 4 deletions
diff --git a/‎demo-flask/index.py‎
Lines changed: 12 additions & 5 deletions b/‎demo-flask/index.py‎
Lines changed: 12 additions & 5 deletions
diff --git a/‎src/onelogin/saml2/auth.py‎
Lines changed: 28 additions & 2 deletions b/‎src/onelogin/saml2/auth.py‎
Lines changed: 28 additions & 2 deletions
diff --git a/‎src/onelogin/saml2/logout_request.py‎
Lines changed: 15 additions & 8 deletions b/‎src/onelogin/saml2/logout_request.py‎
Lines changed: 15 additions & 8 deletions
diff --git a/‎src/onelogin/saml2/response.py‎
Lines changed: 26 additions & 0 deletions b/‎src/onelogin/saml2/response.py‎
Lines changed: 26 additions & 0 deletions
@@ -794,17 +794,17 @@ target_url = 'https://example.com'
 auth.logout(return_to=target_url)
 ```
 
-Also there are 4 optional parameters that can be set:
+Also there are another 5 optional parameters that can be set:
 
 * ``name_id``: That will be used to build the ``LogoutRequest``. If no ``name_id`` parameter is set and the auth object processed a
 SAML Response with a ``NameId``, then this ``NameId`` will be used.
 * ``session_index``: ``SessionIndex`` that identifies the session of the user.
 * ``nq``: IDP Name Qualifier.
 * ``name_id_format``: The ``NameID`` Format that will be set in the ``LogoutRequest``.
+* ``spnq``: The ``NameID SP NameQualifier`` will be set in the ``LogoutRequest``.
 
 If no ``name_id`` is provided, the ``LogoutRequest`` will contain a ``NameID`` with the entity Format.
 If ``name_id`` is provided and no ``name_id_format`` is provided, the ``NameIDFormat`` of the settings will be used.
-If ``nq`` is provided, the ``SPNameQualifier`` will be also attached to the ``NameId``.
 
 If a match on the ``LogoutResponse`` ID and the ``LogoutRequest`` ID to be sent is required, that ``LogoutRequest`` ID must to be extracted and stored for future validation, we can get that ID by:
 
@@ -830,7 +830,12 @@ elif 'sso2' in request.args:                       # Another SSO init action
     return_to = '%sattrs/' % request.host_url      # but set a custom RelayState URL
     return redirect(auth.login(return_to))
 elif 'slo' in request.args:                     # SLO action. Will sent a Logout Request to IdP
-    return redirect(auth.logout())
+    nameid = request.session['samlNameId']
+    nameid_format = request.session['samlNameIdFormat']
+    nameid_nq = request.session['samlNameIdNameQualifier']
+    nameid_spnq = request.session['samlNameIdSPNameQualifier']
+    session_index = request.session['samlSessionIndex']
+    return redirect(auth.logout(None, nameid, session_index, nameid_nq, nameid_format, nameid_spnq))
 elif 'acs' in request.args:                 # Assertion Consumer Service
     auth.process_response()                     # Process the Response of the IdP
     errors = auth.get_errors()              # This method receives an array with the errors
@@ -839,6 +844,11 @@ elif 'acs' in request.args:                 # Assertion Consumer Service
             msg = "Not authenticated"           # data retrieved or not (user authenticated)
         else:
             request.session['samlUserdata'] = auth.get_attributes()     # Retrieves user data
+            request.session['samlNameId'] = auth.get_nameid()
+            request.session['samlNameIdFormat'] = auth.get_nameid_format()
+            request.session['samlNameIdNameQualifier'] = auth.get_nameid_nq()
+            request.session['samlNameIdSPNameQualifier'] = auth.get_nameid_spnq()
+            request.session['samlSessionIndex'] = auth.get_session_index()
             self_url = OneLogin_Saml2_Utils.get_self_url(req)
             if 'RelayState' in request.form and self_url != request.form['RelayState']:
                 return redirect(auth.redirect_to(request.form['RelayState']))   # Redirect if there is a relayState
 
@@ -45,14 +45,19 @@ def index(request):
         return_to = OneLogin_Saml2_Utils.get_self_url(req) + reverse('attrs')
         return HttpResponseRedirect(auth.login(return_to))
     elif 'slo' in req['get_data']:
-        name_id = None
-        session_index = None
+        name_id = session_index = name_id_format = name_id_nq = name_id_spnq = None
         if 'samlNameId' in request.session:
             name_id = request.session['samlNameId']
         if 'samlSessionIndex' in request.session:
             session_index = request.session['samlSessionIndex']
-
-        return HttpResponseRedirect(auth.logout(name_id=name_id, session_index=session_index))
+        if 'samlNameIdFormat' in request.session:
+            name_id_format = request.session['samlNameIdFormat']
+        if 'samlNameIdNameQualifier' in request.session:
+            name_id_nq = request.session['samlNameIdNameQualifier']
+        if 'samlNameIdSPNameQualifier' in request.session:
+            name_id_spnq = request.session['samlNameIdSPNameQualifier']
+
+        return HttpResponseRedirect(auth.logout(name_id=name_id, session_index=session_index, nq=name_id_nq, name_id_format=name_id_format, spnq=name_id_spnq))
     elif 'acs' in req['get_data']:
         auth.process_response()
         errors = auth.get_errors()
@@ -61,6 +66,9 @@ def index(request):
         if not errors:
             request.session['samlUserdata'] = auth.get_attributes()
             request.session['samlNameId'] = auth.get_nameid()
+            request.session['samlNameIdFormat'] = auth.get_nameid_format()
+            request.session['samlNameIdNameQualifier'] = auth.get_nameid_nq()
+            request.session['samlNameIdSPNameQualifier'] = auth.get_nameid_spnq()
             request.session['samlSessionIndex'] = auth.get_session_index()
             if 'RelayState' in req['post_data'] and OneLogin_Saml2_Utils.get_self_url(req) != req['post_data']['RelayState']:
                 return HttpResponseRedirect(auth.redirect_to(req['post_data']['RelayState']))
 
@@ -50,21 +50,28 @@ def index():
         return_to = '%sattrs/' % request.host_url
         return redirect(auth.login(return_to))
     elif 'slo' in request.args:
-        name_id = None
-        session_index = None
+        name_id = session_index = name_id_format = name_id_nq = name_id_spnq = None
         if 'samlNameId' in session:
             name_id = session['samlNameId']
         if 'samlSessionIndex' in session:
             session_index = session['samlSessionIndex']
-
-        return redirect(auth.logout(name_id=name_id, session_index=session_index))
+        if 'samlNameIdFormat' in session:
+            name_id_format = session['samlNameIdFormat']
+        if 'samlNameIdNameQualifier' in session:
+            name_id_nq = session['samlNameIdNameQualifier']
+        if 'samlNameIdSPNameQualifier' in session:
+            name_id_spnq = session['samlNameIdSPNameQualifier']
+
+        return redirect(auth.logout(name_id=name_id, session_index=session_index, nq=name_id_nq, name_id_format=name_id_format, spnq=name_id_spnq))
     elif 'acs' in request.args:
         auth.process_response()
         errors = auth.get_errors()
         not_auth_warn = not auth.is_authenticated()
         if len(errors) == 0:
-            session['samlUserdata'] = auth.get_attributes()
             session['samlNameId'] = auth.get_nameid()
+            session['samlNameIdFormat'] = auth.get_nameid_format()
+            session['samlNameIdNameQualifier'] = auth.get_nameid_nq()
+            session['samlNameIdSPNameQualifier'] = auth.get_nameid_spnq()
             session['samlSessionIndex'] = auth.get_session_index()
             self_url = OneLogin_Saml2_Utils.get_self_url(req)
             if 'RelayState' in request.form and self_url != request.form['RelayState']:
 
@@ -55,6 +55,8 @@ def __init__(self, request_data, old_settings=None, custom_base_path=None):
         self.__attributes = dict()
         self.__nameid = None
         self.__nameid_format = None
+        self.__nameid_nq = None
+        self.__nameid_spnq = None
         self.__session_index = None
         self.__session_expiration = None
         self.__authenticated = False
@@ -107,6 +109,8 @@ def process_response(self, request_id=None):
                 self.__attributes = response.get_attributes()
                 self.__nameid = response.get_nameid()
                 self.__nameid_format = response.get_nameid_format()
+                self.__nameid_nq = response.get_nameid_nq()
+                self.__nameid_spnq = response.get_nameid_spnq()
                 self.__session_index = response.get_session_index()
                 self.__session_expiration = response.get_session_not_on_or_after()
                 self.__last_message_id = response.get_id()
@@ -245,6 +249,24 @@ def get_nameid_format(self):
         """
         return self.__nameid_format
 
+    def get_nameid_nq(self):
+        """
+        Returns the nameID NameQualifier of the Assertion.
+
+        :returns: NameID NameQualifier
+        :rtype: string|None
+        """
+        return self.__nameid_nq
+
+    def get_nameid_spnq(self):
+        """
+        Returns the nameID SP NameQualifier of the Assertion.
+
+        :returns: NameID SP NameQualifier
+        :rtype: string|None
+        """
+        return self.__nameid_spnq
+
     def get_session_index(self):
         """
         Returns the SessionIndex from the AuthnStatement.
@@ -366,7 +388,7 @@ def login(self, return_to=None, force_authn=False, is_passive=False, set_nameid_
             self.add_request_signature(parameters, security['signatureAlgorithm'])
         return self.redirect_to(self.get_sso_url(), parameters)
 
-    def logout(self, return_to=None, name_id=None, session_index=None, nq=None, name_id_format=None):
+    def logout(self, return_to=None, name_id=None, session_index=None, nq=None, name_id_format=None, spnq=None):
         """
         Initiates the SLO process.
 
@@ -385,6 +407,9 @@ def logout(self, return_to=None, name_id=None, session_index=None, nq=None, name
         :param name_id_format: The NameID Format that will be set in the LogoutRequest.
         :type: string
 
+        :param spnq: SP Name Qualifier
+        :type: string
+
         :returns: Redirection URL
         """
         slo_url = self.get_slo_url()
@@ -405,7 +430,8 @@ def logout(self, return_to=None, name_id=None, session_index=None, nq=None, name
             name_id=name_id,
             session_index=session_index,
             nq=nq,
-            name_id_format=name_id_format
+            name_id_format=name_id_format,
+            spnq=spnq
         )
         self.__last_request = logout_request.get_xml()
         self.__last_request_id = logout_request.id
 
@@ -25,7 +25,7 @@ class OneLogin_Saml2_Logout_Request(object):
 
     """
 
-    def __init__(self, settings, request=None, name_id=None, session_index=None, nq=None, name_id_format=None):
+    def __init__(self, settings, request=None, name_id=None, session_index=None, nq=None, name_id_format=None, spnq=None):
         """
         Constructs the Logout Request object.
 
@@ -46,6 +46,9 @@ def __init__(self, settings, request=None, name_id=None, session_index=None, nq=
 
         :param name_id_format: The NameID Format that will be set in the LogoutRequest.
         :type: string
+
+        :param spnq: SP Name Qualifier
+        :type: string
         """
         self.__settings = settings
         self.__error = None
@@ -75,19 +78,23 @@ def __init__(self, settings, request=None, name_id=None, session_index=None, nq=
                 if not name_id_format and sp_data['NameIDFormat'] != OneLogin_Saml2_Constants.NAMEID_UNSPECIFIED:
                     name_id_format = sp_data['NameIDFormat']
             else:
+                name_id = idp_data['entityId']
                 name_id_format = OneLogin_Saml2_Constants.NAMEID_ENTITY
 
-            sp_name_qualifier = None
-            if name_id_format == OneLogin_Saml2_Constants.NAMEID_ENTITY:
-                name_id = idp_data['entityId']
+            # From saml-core-2.0-os 8.3.6, when the entity Format is used:
+            # "The NameQualifier, SPNameQualifier, and SPProvidedID attributes
+            # MUST be omitted.
+            if name_id_format and name_id_format == OneLogin_Saml2_Constants.NAMEID_ENTITY:
                 nq = None
-            elif nq is not None:
-                # We only gonna include SPNameQualifier if NameQualifier is provided
-                sp_name_qualifier = sp_data['entityId']
+                spnq = None
+
+            # NameID Format UNSPECIFIED omitted
+            if name_id_format and name_id_format == OneLogin_Saml2_Constants.NAMEID_UNSPECIFIED:
+                name_id_format = None
 
             name_id_obj = OneLogin_Saml2_Utils.generate_name_id(
                 name_id,
-                sp_name_qualifier,
+                spnq,
                 name_id_format,
                 cert,
                 False,
 
@@ -506,6 +506,32 @@ def get_nameid_format(self):
             nameid_format = nameid_data['Format']
         return nameid_format
 
+    def get_nameid_nq(self):
+        """
+        Gets the NameID NameQualifier provided by the SAML Response from the IdP
+
+        :returns: NameID NameQualifier
+        :rtype: string|None
+        """
+        nameid_nq = None
+        nameid_data = self.get_nameid_data()
+        if nameid_data and 'NameQualifier' in nameid_data.keys():
+            nameid_nq = nameid_data['NameQualifier']
+        return nameid_nq
+
+    def get_nameid_spnq(self):
+        """
+        Gets the NameID SP NameQualifier provided by the SAML response from the IdP.
+
+        :returns: NameID SP NameQualifier
+        :rtype: string|None
+        """
+        nameid_spnq = None
+        nameid_data = self.get_nameid_data()
+        if nameid_data and 'SPNameQualifier' in nameid_data.keys():
+            nameid_spnq = nameid_data['SPNameQualifier']
+        return nameid_spnq
+
     def get_session_not_on_or_after(self):
         """
         Gets the SessionNotOnOrAfter from the AuthnStatement