From 159289b1aba88cb80a95446f9be881cc5c35173d Mon Sep 17 00:00:00 2001
From: Miguel Freitas
Date: Thu, 13 Dec 2018 14:48:30 +0000
Subject: [PATCH 1/3] ability to define logout_endpoint and its binding (HTTP-POST or HTTP-Redirect, Default:HTTP-Redirect) to fix the generated metadata file
---
 README.md | 8 +++++++-
 lib/saml2.coffee | 12 +++++++-----
 2 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index f764798..3770744 100644
--- a/README.md
+++ b/README.md
@@ -41,6 +41,8 @@ An object that can contain the below options. All options are strings, unless s
 - `private_key` - **Required** - (PEM format string) - Private key for the service provider.
 - `certificate` - **Required** - (PEM format string) - Certificate for the service provider.
 - `assert_endpoint` - **Required** - URL of service provider assert endpoint.
+- `logout_endpoint` - URL of service provider logout endpoint.
+- `logout_binding` - Binding of service provider logout endpoint ("HTTP-POST" or "HTTP-Redirect").
 - `alt_private_keys` - (Array of PEM format strings) - Additional private keys to use when attempting to decrypt responses. Useful for adding backward-compatibility for old certificates after a rollover.
 - `alt_certs` - (Array of PEM format strings) - Additional certificates to expose in the SAML metadata. Useful for staging new certificates for rollovers.
 - `audience` - (String or RegExp) — If set, at least one of the `` values within the `` condition of a SAML authentication response must match. Defaults to `entity_id`.
@@ -67,6 +69,8 @@ An object that can contain the below options. All options are strings, unless s
 private_key: fs.readFileSync("key-file.pem").toString(),
 certificate: fs.readFileSync("cert-file.crt").toString(),
 assert_endpoint: "https://sp.example.com/assert",
+ logout_endpoint: "https://sp.example.com/logout",
+ logout_binding: "HTTP-POST",
 force_authn: true,
 auth_context: { comparison: "exact", class_refs: ["urn:oasis:names:tc:SAML:1.0:am:password"] },
 nameid_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
@@ -204,6 +208,7 @@ An object that can contain the below options. All options are strings, unless s
 var idp_options = {
 sso_login_url: "https://idp.example.com/login",
 sso_logout_url: "https://idp.example.com/logout",
+ logout_binding: "HTTP-POST",
 certificates: [fs.readFileSync("cert-file1.crt").toString(), fs.readFileSync("cert-file2.crt").toString()],
 force_authn: true,
 sign_get_request: false,
@@ -239,7 +244,8 @@ var sp_options = {
 entity_id: "https://sp.example.com/metadata.xml",
 private_key: fs.readFileSync("key-file.pem").toString(),
 certificate: fs.readFileSync("cert-file.crt").toString(),
- assert_endpoint: "https://sp.example.com/assert"
+ assert_endpoint: "https://sp.example.com/assert",
+ logout_endpoint: "https://sp.example.com/logout"
 };
 var sp = new saml2.ServiceProvider(sp_options);
diff --git a/lib/saml2.coffee b/lib/saml2.coffee
index defac31..433d26c 100644
--- a/lib/saml2.coffee
+++ b/lib/saml2.coffee
@@ -60,7 +60,7 @@ sign_authn_request = (xml, private_key, options) ->
 return signer.getSignedXml()
 # Creates metadata and returns it as a string of XML. The metadata has one POST assertion endpoint.
-create_metadata = (entity_id, assert_endpoint, signing_certificates, encryption_certificates) ->
+create_metadata = (entity_id, assert_endpoint, logout_endpoint, logout_binding, signing_certificates, encryption_certificates) ->
 signing_cert_descriptors = for signing_certificate in signing_certificates or []
 {'md:KeyDescriptor': certificate_to_keyinfo('signing', signing_certificate)}
@@ -79,8 +79,8 @@ create_metadata = (entity_id, assert_endpoint, signing_certificates, encryption_
 .concat encryption_cert_descriptors
 .concat [
 'md:SingleLogoutService':
- '@Binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
- '@Location': assert_endpoint
+ '@Binding': 'urn:oasis:names:tc:SAML:2.0:bindings:' + logout_binding
+ '@Location': logout_endpoint
 'md:AssertionConsumerService':
 '@Binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
 '@Location': assert_endpoint
@@ -498,8 +498,10 @@ module.exports.ServiceProvider =
 #
 # Rest of options can be set/overwritten by the identity provider and/or at function call.
 constructor: (options) ->
- {@entity_id, @private_key, @certificate, @assert_endpoint, @alt_private_keys, @alt_certs} = options
+ {@entity_id, @private_key, @certificate, @assert_endpoint, @logout_endpoint, @logout_binding, @alt_private_keys, @alt_certs} = options
+ @logout_endpoint ?= @assert_endpoint
+ @logout_binding ?= "HTTP-Redirect"
 options.audience ?= @entity_id
 options.notbefore_skew ?= 1
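Review bot: The header comment above the changed create_metadata signature still only says the metadata "has one POST assertion endpoint" and does not describe the two new parameters, so a reader has to find the ServiceProvider constructor to learn what logout_binding is supposed to hold. Extend it to `# Creates metadata and returns it as a string of XML. The metadata has one POST assertion endpoint and one single-logout endpoint; logout_binding is the bare binding name ("HTTP-POST" or "HTTP-Redirect") that is appended to the SAML 2.0 bindings URN prefix.` The body of create_metadata continues outside this hunk.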
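Review bot: The new `'@Binding'` value is built by appending logout_binding to the URN prefix with no check that it is one of the two names the README documents, so a misspelling such as "HTTP-Post" or a value with stray whitespace is published as a nonexistent binding URN in the SP metadata, and an IdP importing it is likely to reject or silently drop the SingleLogoutService entry. Because the constructor applies the default with `?=`, an empty string also passes through untouched. The natural place to reject bad values is the constructor hunk at @@ -498, directly after the default line: `throw new Error("logout_binding must be \"HTTP-POST\" or \"HTTP-Redirect\"") unless @logout_binding in ["HTTP-POST", "HTTP-Redirect"]`. The rest of the metadata document continues outside this hunk.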
@@ -709,7 +711,7 @@ module.exports.ServiceProvider =
 # XML metadata, used during initial SAML configuration
 create_metadata: =>
 certs = [@certificate].concat @alt_certs
- create_metadata @entity_id, @assert_endpoint, certs, certs
+ create_metadata @entity_id, @assert_endpoint, @logout_endpoint, @logout_binding, certs, certs
 module.exports.IdentityProvider =
 class IdentityProvider
From 6852f233b90fd1d60ae894fad8b4556115c6d2b8 Mon Sep 17 00:00:00 2001
From: Miguel Freitas
Date: Thu, 13 Dec 2018 14:53:49 +0000
Subject: [PATCH 2/3] fix logout_binding from idp options to sp options in Readme
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 3770744..6b028c7 100644
--- a/README.md
+++ b/README.md
@@ -208,7 +208,6 @@ An object that can contain the below options. All options are strings, unless s
 var idp_options = {
 sso_login_url: "https://idp.example.com/login",
 sso_logout_url: "https://idp.example.com/logout",
- logout_binding: "HTTP-POST",
 certificates: [fs.readFileSync("cert-file1.crt").toString(), fs.readFileSync("cert-file2.crt").toString()],
 force_authn: true,
 sign_get_request: false,
@@ -245,7 +244,8 @@ var sp_options = {
 private_key: fs.readFileSync("key-file.pem").toString(),
 certificate: fs.readFileSync("cert-file.crt").toString(),
 assert_endpoint: "https://sp.example.com/assert",
- logout_endpoint: "https://sp.example.com/logout"
+ logout_endpoint: "https://sp.example.com/logout",
+ logout_binding: "HTTP-POST"
 };
 var sp = new saml2.ServiceProvider(sp_options);
From edc1aab59695a927a0c798575d476e9b60dc4601 Mon Sep 17 00:00:00 2001
From: Miguel Freitas <13312380+miguelfreitas93@users.noreply.github.com>
Date: Wed, 3 Feb 2021 19:34:13 +0000
Subject: [PATCH 3/3] Update README.md
Co-authored-by: Mark Cabanero
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 6b028c7..284137f 100644
--- a/README.md
+++ b/README.md
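Review bot: The comment on the create_metadata method does not say that the SingleLogoutService entry now advertises whatever logout_endpoint and logout_binding were configured, and the series diffstat shows no change to how the SP receives logout messages, so an SP configured with logout_binding "HTTP-POST" has to actually accept a POST at logout_endpoint or the published metadata will describe an endpoint that does not behave as advertised. Suggest `# XML metadata, used during initial SAML configuration. The SingleLogoutService entry advertises @logout_endpoint with @logout_binding; the SP must serve that binding at that URL.` The enclosing ServiceProvider class starts outside this hunk.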
@@ -41,8 +41,8 @@ An object that can contain the below options. All options are strings, unless s
 - `private_key` - **Required** - (PEM format string) - Private key for the service provider.
 - `certificate` - **Required** - (PEM format string) - Certificate for the service provider.
 - `assert_endpoint` - **Required** - URL of service provider assert endpoint.
-- `logout_endpoint` - URL of service provider logout endpoint.
-- `logout_binding` - Binding of service provider logout endpoint ("HTTP-POST" or "HTTP-Redirect").
+- `logout_endpoint` - URL of service provider logout endpoint. Defaults to `assert_endpoint`.
+- `logout_binding` - Binding of service provider logout endpoint ("HTTP-POST" or "HTTP-Redirect"). Defaults to `HTTP-Redirect`.
 - `alt_private_keys` - (Array of PEM format strings) - Additional private keys to use when attempting to decrypt responses. Useful for adding backward-compatibility for old certificates after a rollover.
 - `alt_certs` - (Array of PEM format strings) - Additional certificates to expose in the SAML metadata. Useful for staging new certificates for rollovers.
 - `audience` - (String or RegExp) — If set, at least one of the `` values within the `` condition of a SAML authentication response must match. Defaults to `entity_id`.