From 5f9d84b85dd7127694258cf780fe7fd6d1b551f0 Mon Sep 17 00:00:00 2001
From: TheIceBreaker7 <5233503+TheIceBreaker7@users.noreply.github.com>
Date: Fri, 28 Sep 2018 18:01:59 +0000
Subject: [PATCH 1/5] disable requested authentication context

Passport saml sets a default authentication context of 'PasswordProtectedTransport'. There is some sort of bug with passport saml when trying to use this AuthnContext from a private internal network and authenticate with an external IDP. The proposed change her allows the developer to easily disable this authentication context and let the IDP determine the method of authentication. With this change, simply add the following line to your configuration for apostrophe-saml inside of your Apostrophe app.js: disableRequestedAuthnContext: true Example: 'apostrophe-saml': { issuer: 'mysite.com', callbackUrl: 'mysite.com/callback', disableRequestedAuthnContext: true } More details can be found here: https://github.com/bergie/passport-saml/issues/226 @boutell
---
 index.js | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/index.js b/index.js
index d684b67..35e6b29 100644
--- a/index.js
+++ b/index.js
@@ -50,6 +50,8 @@ module.exports = {
 // passport-saml uses entryPoint, not identityProviderUrl
 config.entryPoint = config.identityProviderUrl;
 config.callbackUrl = options.callbackUrl || (options.apos.options.baseUrl + '/auth/saml/login/callback');
+ // configure passport-saml to disable the default authentication context
+ config.disableRequestedAuthnContext = options.disableRequestedAuthnContext;
 var strategy = new passportSaml.Strategy(
 config,

From 88602c08727b3d55014423c8e01acd064e03b232 Mon Sep 17 00:00:00 2001
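Review bot: `config.disableRequestedAuthnContext = options.disableRequestedAuthnContext;` is the only place the new option is honoured, and nothing in the hunk says what it gives up: once the requested context is gone the SP no longer asks the IdP for PasswordProtectedTransport, so the IdP alone decides how strongly a user was authenticated before the assertion is accepted. A why-comment on the line, `// opt-in: drops the RequestedAuthnContext from the AuthnRequest, so the IdP decides the authentication strength`, would make that explicit to the next maintainer. The assignment also runs when the option is absent and writes an `undefined` key into config; presumably passport-saml treats that as unset, but `if (options.disableRequestedAuthnContext) { config.disableRequestedAuthnContext = true; }` avoids relying on it. The enclosing function starts outside the hunk.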
From: TheIceBreaker7 <5233503+TheIceBreaker7@users.noreply.github.com>
Date: Fri, 28 Sep 2018 15:53:19 -0400
Subject: [PATCH 2/5] allow extra passport-saml options

Added the ability to use extra passport-saml options that were not previously defined in this wrapper. Previous configurations are untouched and should be backwards compatible. To pass extra options to apostrophe saml use the following syntax:
```
'apostrophe-saml': { issuer: 'mysite.com', callbackUrl: 'mysite.com/callback', passportSamlOptions: { disableRequestedAuthnContext: true, logoutUrl: 'www.mysite.com/SLO', forceAuthn: true } }
```
---
 index.js | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/index.js b/index.js
index 35e6b29..22dc965 100644
--- a/index.js
+++ b/index.js
@@ -50,9 +50,10 @@ module.exports = {
 // passport-saml uses entryPoint, not identityProviderUrl
 config.entryPoint = config.identityProviderUrl;
 config.callbackUrl = options.callbackUrl || (options.apos.options.baseUrl + '/auth/saml/login/callback');
- // configure passport-saml to disable the default authentication context
- config.disableRequestedAuthnContext = options.disableRequestedAuthnContext;
+ //Add our extra passportSamlOptions into our config object
+ config = self.addPassportSamlOptions(config);
+
 var strategy = new passportSaml.Strategy(
 config,
 self.profileCallback
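Review bot: `config = self.addPassportSamlOptions(config);` calls a method that the second hunk of this commit assigns to `self` further down the file, so it only works if these lines execute after that assignment has run (for example inside a method invoked later, which the neighbouring `self.addRoutes = function()` suggests); if they run directly at construction time, `self.addPassportSamlOptions` is still undefined here, so this is worth a quick check since the enclosing function starts outside the hunk. The reassignment is also redundant in this revision, because addPassportSamlOptions mutates the config it receives and returns that same object; it is harmless, and it becomes necessary once e470af2 makes the method return a fresh object.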
@@ -87,6 +88,20 @@ module.exports = {
 return '/auth/saml/login/callback';
 }
 };
+
+ self.addPassportSamlOptions = function(config) {
+ //merge the base configuration options into the passportSamlOptionsObject
+ //Note: if you have the same attribute in both objects, the base configuration option will overwrite the passportSamlOptions attribute {
+ for(var attr in options.passportSamlOptions){
+ if(attr in config){
+ continue; //Do not overwrite existing config attributes.
+ }
+ config[attr]=options.passportSamlOptions[attr]; //copy the optional attribute into our config object
+ }
+
+ return config;
+
+ };
 self.addRoutes = function() {
 self.apos.app.get(self.getLoginPath(),

From e470af286c723a5ea247e93822b12d1be51fc6a2 Mon Sep 17 00:00:00 2001
From: TheIceBreaker7 <5233503+TheIceBreaker7@users.noreply.github.com>
Date: Fri, 28 Sep 2018 16:20:47 -0400
Subject: [PATCH 3/5] updated addPassportSamlOptions

updated addPassportSamlOptions method to use Object.assign()
---
 index.js | 23 +++++++----------------
 1 file changed, 7 insertions(+), 16 deletions(-)

diff --git a/index.js b/index.js
index 22dc965..498d50e 100644
--- a/index.js
+++ b/index.js
@@ -50,9 +50,8 @@ module.exports = {
 // passport-saml uses entryPoint, not identityProviderUrl
 config.entryPoint = config.identityProviderUrl;
 config.callbackUrl = options.callbackUrl || (options.apos.options.baseUrl + '/auth/saml/login/callback');
-
- //Add our extra passportSamlOptions into our config object
- config = self.addPassportSamlOptions(config);
+ //Add our extra passportSamlOptions into our config object
+ config = self.addPassportSamlOptions(config);
 var strategy = new passportSaml.Strategy(
 config,
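Review bot: `if(attr in config)` in addPassportSamlOptions tests the whole prototype chain rather than own keys, so a passportSamlOptions entry whose name also exists on Object.prototype (`constructor`, `toString`) is skipped without notice, and `for(var attr in options.passportSamlOptions)` likewise copies inherited enumerable keys; `if (Object.prototype.hasOwnProperty.call(config, attr)) { continue; }` plus the same own-key test on the source makes the merge do what the comment describes. The `//Note:` comment ends in a stray `{`, and the first comment line states the direction backwards (the extras are copied into config, not config into the extras); `// copy passportSamlOptions into config; keys the wrapper already set in config win` matches the loop. e470af2 later in this series replaces the loop with Object.assign, which sidesteps the prototype-chain test but keeps both comment lines.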
@@ -89,19 +88,11 @@ module.exports = {
 }
 };
- self.addPassportSamlOptions = function(config) {
- //merge the base configuration options into the passportSamlOptionsObject
- //Note: if you have the same attribute in both objects, the base configuration option will overwrite the passportSamlOptions attribute {
- for(var attr in options.passportSamlOptions){
- if(attr in config){
- continue; //Do not overwrite existing config attributes.
- }
- config[attr]=options.passportSamlOptions[attr]; //copy the optional attribute into our config object
- }
-
- return config;
-
- };
+ self.addPassportSamlOptions = function(config) {
+ //merge the base configuration options into the passportSamlOptionsObject
+ //Note: if you have the same attribute in both objects, the base configuration option will overwrite the passportSamlOptions attribute {
+ return Object.assign({}, options.passportSamlOptions, config);
+ };
 self.addRoutes = function() {
 self.apos.app.get(self.getLoginPath(),

From 06e7f9eb632dc4346e6b168b43605d146f76f393 Mon Sep 17 00:00:00 2001
From: TheIceBreaker7 <5233503+TheIceBreaker7@users.noreply.github.com>
Date: Fri, 28 Sep 2018 16:23:17 -0400
Subject: [PATCH 4/5] Updated README for extra passport-saml options

Readme updated to reflect new way of passing extra parameters to passport-saml through the passportSamlOptions object
---
 README.md | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/README.md b/README.md
index b760876..8ce76a5 100644
--- a/README.md
+++ b/README.md
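Review bot: `return Object.assign({}, options.passportSamlOptions, config);` makes any key the wrapper has already set in config silently win over the operator's passportSamlOptions value, with nothing logged; the pass-through exists for settings that change how assertions are requested and validated (the README hunk in 06e7f9e uses `forceAuthn` and `disableRequestedAuthnContext` as examples), so an operator can believe such a setting is active when it was discarded. A short check before the return, `var ignored = Object.keys(options.passportSamlOptions || {}).filter(function (k) { return Object.prototype.hasOwnProperty.call(config, k); });` followed by a `console.warn` naming `ignored` when it is non-empty, makes the precedence visible at startup. The two comment lines above the return are carried over from the for-in version and still read backwards, and the `//Note:` line ends in a stray `{`; `// passportSamlOptions are defaults: keys this module sets in config take precedence` is what the Object.assign argument order actually does.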
@@ -47,6 +47,20 @@ npm install apostrophe-saml
 // your identity provider may result in mysterious failed logins.
 // Make sure they are on board with what this URL has been set to
 callbackUrl: 'https://example.com/auth/saml/login/callback'
+ //
+ // OPTIONAL: Extra passport-saml options
+ // Configuring saml in your environment can be tricky, and most
+ // environments have unique aspects to them that aren't handled
+ // directly by this wrapper. To help with this problem, you can
+ // pass extra passport-saml options through the following object.
+ // More details about available options can be found here:
+ // https://github.com/bergie/passport-saml#config-parameter-details
+ //
+ // passportSamlOptions: {
+ // disableRequestedAuthnContext: true,
+ // logoutUrl: 'https://examples.com/auth/saml/SLO',
+ // forceAuthn: true
+ // }
 },
 'apostrophe-login': {
 // OPTIONAL: disable regular site logins completely

From eb9c500dc81882701bd08a208b7326842a4f0096 Mon Sep 17 00:00:00 2001
From: TheIceBreaker7 <5233503+TheIceBreaker7@users.noreply.github.com>
Date: Fri, 28 Sep 2018 16:23:52 -0400
Subject: [PATCH 5/5] Update README.md

---
 README.md | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/README.md b/README.md
index 8ce76a5..87d75db 100644
--- a/README.md
+++ b/README.md
@@ -49,15 +49,15 @@ npm install apostrophe-saml
 callbackUrl: 'https://example.com/auth/saml/login/callback'
 //
 // OPTIONAL: Extra passport-saml options
- // Configuring saml in your environment can be tricky, and most
- // environments have unique aspects to them that aren't handled
- // directly by this wrapper. To help with this problem, you can
- // pass extra passport-saml options through the following object.
- // More details about available options can be found here:
- // https://github.com/bergie/passport-saml#config-parameter-details
+ // Configuring saml in your environment can be tricky, and most
+ // environments have unique aspects to them that aren't handled
+ // directly by this wrapper. To help with this problem, you can
+ // pass extra passport-saml options through the following object.
+ // More details about available options can be found here:
+ // https://github.com/bergie/passport-saml#config-parameter-details
 //
- // passportSamlOptions: {
- // disableRequestedAuthnContext: true,
+ // passportSamlOptions: {
+ // disableRequestedAuthnContext: true,
 // logoutUrl: 'https://examples.com/auth/saml/SLO',
 // forceAuthn: true
 // }