diff --git a/README.md b/README.md
index f764798..284137f 100644
--- a/README.md
+++ b/README.md
@@ -41,6 +41,8 @@ An object that can contain the below options. All options are strings, unless s
 - `private_key` - **Required** - (PEM format string) - Private key for the service provider.
 - `certificate` - **Required** - (PEM format string) - Certificate for the service provider.
 - `assert_endpoint` - **Required** - URL of service provider assert endpoint.
+- `logout_endpoint` - URL of service provider logout endpoint. Defaults to `assert_endpoint`.
+- `logout_binding` - Binding of service provider logout endpoint ("HTTP-POST" or "HTTP-Redirect"). Defaults to `HTTP-Redirect`.
 - `alt_private_keys` - (Array of PEM format strings) - Additional private keys to use when attempting to decrypt responses. Useful for adding backward-compatibility for old certificates after a rollover.
 - `alt_certs` - (Array of PEM format strings) - Additional certificates to expose in the SAML metadata. Useful for staging new certificates for rollovers.
 - `audience` - (String or RegExp) — If set, at least one of the `` values within the `` condition of a SAML authentication response must match. Defaults to `entity_id`.
@@ -67,6 +69,8 @@ An object that can contain the below options. All options are strings, unless s
 private_key: fs.readFileSync("key-file.pem").toString(),
 certificate: fs.readFileSync("cert-file.crt").toString(),
 assert_endpoint: "https://sp.example.com/assert",
+ logout_endpoint: "https://sp.example.com/logout",
+ logout_binding: "HTTP-POST",
 force_authn: true,
 auth_context: { comparison: "exact", class_refs: ["urn:oasis:names:tc:SAML:1.0:am:password"] },
 nameid_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
@@ -239,7 +243,9 @@ var sp_options = {
 entity_id: "https://sp.example.com/metadata.xml",
 private_key: fs.readFileSync("key-file.pem").toString(),
 certificate: fs.readFileSync("cert-file.crt").toString(),
- assert_endpoint: "https://sp.example.com/assert"
+ assert_endpoint: "https://sp.example.com/assert",
+ logout_endpoint: "https://sp.example.com/logout",
+ logout_binding: "HTTP-POST"
 };
 var sp = new saml2.ServiceProvider(sp_options);
diff --git a/lib/saml2.coffee b/lib/saml2.coffee
index defac31..433d26c 100644
--- a/lib/saml2.coffee
+++ b/lib/saml2.coffee
@@ -60,7 +60,7 @@ sign_authn_request = (xml, private_key, options) ->
 return signer.getSignedXml()
 # Creates metadata and returns it as a string of XML. The metadata has one POST assertion endpoint.
-create_metadata = (entity_id, assert_endpoint, signing_certificates, encryption_certificates) ->
+create_metadata = (entity_id, assert_endpoint, logout_endpoint, logout_binding, signing_certificates, encryption_certificates) ->
 signing_cert_descriptors = for signing_certificate in signing_certificates or []
 {'md:KeyDescriptor': certificate_to_keyinfo('signing', signing_certificate)}
@@ -79,8 +79,8 @@ create_metadata = (entity_id, assert_endpoint, signing_certificates, encryption_
 .concat encryption_cert_descriptors
 .concat [
 'md:SingleLogoutService':
- '@Binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
- '@Location': assert_endpoint
+ '@Binding': 'urn:oasis:names:tc:SAML:2.0:bindings:' + logout_binding
+ '@Location': logout_endpoint
 'md:AssertionConsumerService':
 '@Binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
 '@Location': assert_endpoint
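Review bot: The header comment on `create_metadata` is left untouched by the new signature, so it still says nothing about the two positional parameters (`logout_endpoint`, `logout_binding`) now inserted between `assert_endpoint` and the certificate lists. Suggest `# Creates metadata and returns it as a string of XML. The metadata has one POST assertion endpoint and one SingleLogoutService endpoint at logout_endpoint, advertised with the given binding ("HTTP-POST" or "HTTP-Redirect").` Inserting parameters in the middle of a positional list also means any other internal caller not updated alongside the -709 hunk would silently pass its certificate list as the endpoint; the diff shows only the signature, so whether such callers exist is not visible here. The body of create_metadata continues past this hunk.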
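Review bot: `logout_binding` is concatenated straight into the `@Binding` URN without being checked against the two values the README documents, so a misspelled option (a lowercase `http-post`, say) is published verbatim in the SP metadata as an invalid binding identifier; the constructor hunk at -498 applies the default but does not validate either. Checking once in the constructor, right after the default, closes both: `unless @logout_binding in ["HTTP-POST", "HTTP-Redirect"]` / `throw new Error("logout_binding must be HTTP-POST or HTTP-Redirect")`. Whether the SP's logout request and response handling (not in this diff) actually serves the HTTP-POST binding is not visible here; the metadata should only advertise a binding the endpoint accepts. This hunk starts inside create_metadata's body, which begins above it.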
@@ -498,8 +498,10 @@ module.exports.ServiceProvider =
 #
 # Rest of options can be set/overwritten by the identity provider and/or at function call.
 constructor: (options) ->
- {@entity_id, @private_key, @certificate, @assert_endpoint, @alt_private_keys, @alt_certs} = options
+ {@entity_id, @private_key, @certificate, @assert_endpoint, @logout_endpoint, @logout_binding, @alt_private_keys, @alt_certs} = options
+ @logout_endpoint ?= @assert_endpoint
+ @logout_binding ?= "HTTP-Redirect"
 options.audience ?= @entity_id
 options.notbefore_skew ?= 1
@@ -709,7 +711,7 @@ module.exports.ServiceProvider =
 # XML metadata, used during initial SAML configuration
 create_metadata: =>
 certs = [@certificate].concat @alt_certs
- create_metadata @entity_id, @assert_endpoint, certs, certs
+ create_metadata @entity_id, @assert_endpoint, @logout_endpoint, @logout_binding, certs, certs
 module.exports.IdentityProvider = class IdentityProvider