Add option to disable SAML spec AuthnRequest optional value Assertion…

…ConsumerServiceURL. p49 - https://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf options.disableRequestACSUrl - default to undefined falsy so it is automatically included.
stavros-wb · Jan 4, 2019 · e2154f2 · e2154f2
1 parent d2c8994
commit e2154f2
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -121,6 +121,7 @@ type Profile = {
   * `providerName`: optional human-readable name of the requester for use by the presenter's user agent or the identity provider
   * `skipRequestCompression`: if set to true, the SAML request from the service provider won't be compressed.
   * `authnRequestBinding`: if set to `HTTP-POST`, will request authentication from IDP via HTTP POST binding, otherwise defaults to HTTP Redirect
+  * `disableRequestACSUrl`: if truthy, SAML AuthnRequest from the service provider will not include the optional AssertionConsumerServiceURL. Default is falsy so it is automatically included.
  * **InResponseTo Validation**
   * `validateInResponseTo`: if truthy, then InResponseTo will be validated from incoming SAML responses
   * `requestIdExpirationPeriodMs`: Defines the expiration time when a Request ID generated for a SAML request will not be valid if seen in a SAML response in the `InResponseTo` field.  Default is 8 hours.

diff --git a/lib/passport-saml/saml.js b/lib/passport-saml/saml.js
@@ -164,7 +164,6 @@ SAML.prototype.generateAuthorizeRequest = function (req, isPassive, callback) {
         '@Version': '2.0',
         '@IssueInstant': instant,
         '@ProtocolBinding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
-        '@AssertionConsumerServiceURL': self.getCallbackUrl(req),
         '@Destination': self.options.entryPoint,
         'saml:Issuer' : {
           '@xmlns:saml' : 'urn:oasis:names:tc:SAML:2.0:assertion',
@@ -180,6 +179,10 @@ SAML.prototype.generateAuthorizeRequest = function (req, isPassive, callback) {
       request['samlp:AuthnRequest']['@ForceAuthn'] = true;
     }
 
+    if (!self.options.disableRequestACSUrl) {
+      request['samlp:AuthnRequest']['@AssertionConsumerServiceURL'] = self.getCallbackUrl(req);
+    }
+
     if (self.options.identifierFormat) {
       request['samlp:AuthnRequest']['samlp:NameIDPolicy'] = {
         '@xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol',

diff --git a/test/tests.js b/test/tests.js