
feat(scoping): add idp scoping support
Rob Gijsens committed Oct 30, 2020
1 parent 7b71596 commit dbf77d4
Showing 3 changed files with 89 additions and 3 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -134,6 +134,7 @@ type Profile = {
* `skipRequestCompression`: if set to true, the SAML request from the service provider won't be compressed.
* `authnRequestBinding`: if set to `HTTP-POST`, will request authentication from IDP via HTTP POST binding, otherwise defaults to HTTP Redirect
* `disableRequestACSUrl`: if truthy, SAML AuthnRequest from the service provider will not include the optional AssertionConsumerServiceURL. Default is falsy so it is automatically included.
* `idpScopingProviderId`: if set to a string, expects the IDP to be a proxying identity provider. The passed provider ID is the specific IDP the proxy idp should communicatie with. Useful for targeting a specific IDP from the application.
* **InResponseTo Validation**
* `validateInResponseTo`: if truthy, then InResponseTo will be validated from incoming SAML responses
* `requestIdExpirationPeriodMs`: Defines the expiration time when a Request ID generated for a SAML request will not be valid if seen in a SAML response in the `InResponseTo` field. Default is 8 hours.
Expand Down
13 changes: 13 additions & 0 deletions src/passport-saml/saml.ts
Expand Up @@ -305,6 +305,19 @@ class SAML {
request['samlp:AuthnRequest']['@ProviderName'] = this.options.providerName;
}

if (this.options.idpScopingProviderId) {
request['samlp:AuthnRequest']['samlp:Scoping'] = {
'@xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol',
'samlp:IDPList': {
'@xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol',
'samlp:IDPEntry': {
'@xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol',
'@ProviderID': this.options.idpScopingProviderId,
}
}
};
}

let stringRequest = xmlbuilder.create(request).end();
if (isHttpPostBinding && this.options.privateCert) {
stringRequest = signAuthnRequestPost(stringRequest, this.options);
Expand Down
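Review bot: The new `samlp:Scoping` block is a request-side hint only, and nothing in this hunk (or, as far as visible, in the response path) ties the returned assertion back to `idpScopingProviderId`; a proxying IdP can disregard the IDPList and authenticate the user at a different IdP. If applications use this option to restrict which IdP may authenticate their users, they must compare the assertion's `AuthnContext/AuthenticatingAuthority` (or the Issuer, in a non-proxy setup) against the configured ProviderID themselves, and the README entry should state that the option does not enforce anything. Per SAML 2.0 Core, `IDPEntry/@ProviderID` is the target IdP's entityID (typed anyURI), so I would put `// ProviderID is the target IdP's entityID (anyURI); xmlbuilder escapes attribute values, so the string cannot break out of the attribute` above the `'@ProviderID'` line. The guard `if (this.options.idpScopingProviderId)` accepts any truthy value; `if (typeof this.options.idpScopingProviderId === 'string')` would stop a misconfigured object from being serialised (likely as `[object Object]`) into the request. The enclosing request-building method starts before this hunk.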
78 changes: 75 additions & 3 deletions test/tests.js
Expand Up @@ -524,7 +524,79 @@ describe( 'passport-saml /', function() {
'saml:Issuer':
[ { _: 'onelogin_saml',
'$': { 'xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion' } } ] } }
}
},
{ name: "Config with idpScopingProviderId",
config: {
issuer: 'http://exampleSp.com/saml',
identifierFormat: 'alternateIdentifier',
idpScopingProviderId: 'myScopingProviderId'
},
result: {
'samlp:AuthnRequest': {
'$': {
AssertionConsumerServiceURL: 'http://localhost:3033/login',
Destination: 'https://wwwexampleIdp.com/saml',
ProtocolBinding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
Version: '2.0',
'xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol'
},
'saml:Issuer': [
{
'$': {
'xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion',
},
'_': 'http://exampleSp.com/saml',
}
],
'samlp:NameIDPolicy': [
{
'$': {
AllowCreate: 'true',
Format: 'alternateIdentifier',
'xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol',
}
}
],
'samlp:RequestedAuthnContext': [
{
'$': {
Comparison: 'exact',
'xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol'
},
'saml:AuthnContextClassRef': [
{
'$': {
'xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion'
},
'_': 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
}
]
}
],
'samlp:Scoping': [
{
'$': {
'xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol',
},
'samlp:IDPList': [
{
'$': {
'xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol'
},
'samlp:IDPEntry': [
{
'$': {
ProviderID: 'myScopingProviderId',
'xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol'
}
}
]
}
]
}
]
}
} }
];

var server;
Expand Down Expand Up @@ -1354,7 +1426,7 @@ describe( 'passport-saml /', function() {
const nameQualifier = 'https://idp.example.org/idp/saml'
const spNameQualifier = 'https://sp.example.org/sp/entity'
const format = 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
const xml =
const xml =
'<Response>' +
'<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">' +
'<saml2:AttributeStatement>' +
Expand Down Expand Up @@ -1385,7 +1457,7 @@ describe( 'passport-saml /', function() {
});

it( 'An undefined value given with an object should still be undefined', function( done ) {
const xml =
const xml =
'<Response>' +
'<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">' +
'<saml2:AttributeStatement>' +
Expand Down
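Review bot: The fixture in the new `Config with idpScopingProviderId` case uses `'myScopingProviderId'` for a value the SAML schema types as anyURI (the IdP's entityID), so the test documents a format the spec does not accept; I would set `idpScopingProviderId: 'https://idp.example.org/saml'` and the expected `ProviderID` to match. A second case whose value contains `&` or `"` would pin that the attribute is escaped rather than injected, since the string is written straight into an XML attribute. The two `const xml =` hunks further down are whitespace-only changes. The enclosing `describe` block starts before and ends after these hunks.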
