Skip to content

Commit

Permalink
Merge commit '966b97a54e7a4b25316716c20e1f524b64cf8a22' into CB/query…
Browse files Browse the repository at this point in the history
…-string-signing

* commit '966b97a54e7a4b25316716c20e1f524b64cf8a22':
  internal: provide unique failure messages for invalid signatures. Fixes node-saml#146
  package.json: bump version to 0.33.0
  docs: mention that disableRequestAuthnContext helps with AD FS
  • Loading branch information
cjbarth committed Sep 10, 2018
2 parents 5921f77 + 966b97a commit bcb3447
Show file tree
Hide file tree
Showing 4 changed files with 13 additions and 13 deletions.
4 changes: 2 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -63,7 +63,7 @@ passport.use(new SamlStrategy(
* `identifierFormat`: if truthy, name identifier format to request from identity provider (default: `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`)
* `acceptedClockSkewMs`: Time in milliseconds of skew that is acceptable between client and server when checking `OnBefore` and `NotOnOrAfter` assertion condition validity timestamps. Setting to `-1` will disable checking these conditions entirely. Default is `0`.
* `attributeConsumingServiceIndex`: optional `AttributeConsumingServiceIndex` attribute to add to AuthnRequest to instruct the IDP which attribute set to attach to the response ([link](http://blog.aniljohn.com/2014/01/data-minimization-front-channel-saml-attribute-requests.html))
* `disableRequestedAuthnContext`: if truthy, do not request a specific auth context
* `disableRequestedAuthnContext`: if truthy, do not request a specific authentication context. This is [known to help when authenticating against Active Directory](https://github.com/bergie/passport-saml/issues/226) (AD FS) servers.
* `authnContext`: if truthy, name identifier format to request auth context (default: `urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport`)
* `forceAuthn`: if set to true, the initial SAML request from the service provider specifies that the IdP should force re-authentication of the user, even if they possess a valid session.
* `providerName`: optional human-readable name of the requester for use by the presenter's user agent or the identity provider
Expand Down Expand Up @@ -131,7 +131,7 @@ For example:
```


It is a good idea to validate the incoming SAML Responses. For this, you can provide the Identity Provider's public PEM-encoded X.509 certificate using the `cert` confguration key. The "BEGIN CERTIFICATE" and "END CERTIFICATE" lines should be stripped out and the certificate should be provided on a single line.
It is a good idea to validate the signatures of the incoming SAML Responses. For this, you can provide the Identity Provider's public PEM-encoded X.509 signing certificate using the `cert` confguration key. The "BEGIN CERTIFICATE" and "END CERTIFICATE" lines should be stripped out and the certificate should be provided on a single line.

```javascript
cert: 'MIICizCCAfQCCQCY8tKaMc0BMjANBgkqh ... W=='
Expand Down
10 changes: 5 additions & 5 deletions lib/passport-saml/saml.js
Original file line number Diff line number Diff line change
Expand Up @@ -583,7 +583,7 @@ SAML.prototype.validatePostResponse = function (container, callback) {
if (assertions.length + encryptedAssertions.length > 1) {
// There's no reason I know of that we want to handle multiple assertions, and it seems like a
// potential risk vector for signature scope issues, so treat this as an invalid signature
throw new Error('Invalid signature');
throw new Error('Invalid signature: multiple assertions');
}

if (assertions.length == 1) {
Expand Down Expand Up @@ -612,7 +612,7 @@ SAML.prototype.validatePostResponse = function (container, callback) {
if (self.options.cert &&
!validSignature &&
!self.validateSignature(decryptedXml, decryptedAssertions[0], certs))
throw new Error('Invalid signature');
throw new Error('Invalid signature from encrypted assertion');

self.processValidlySignedAssertion(decryptedAssertions[0].toString(), inResponseTo, callback);
});
Expand Down Expand Up @@ -640,7 +640,7 @@ SAML.prototype.validatePostResponse = function (container, callback) {
var nestedStatusCode = statusCode[0].StatusCode;
if (nestedStatusCode && nestedStatusCode[0].$.Value === "urn:oasis:names:tc:SAML:2.0:status:NoPassive") {
if (self.options.cert && !validSignature) {
throw new Error('Invalid signature');
throw new Error('Invalid signature: NoPassive');
}
return callback(null, null, false);
}
Expand Down Expand Up @@ -672,7 +672,7 @@ SAML.prototype.validatePostResponse = function (container, callback) {
}
} else {
if (self.options.cert && !validSignature) {
throw new Error('Invalid signature');
throw new Error('Invalid signature: No response found');
}
var logoutResponse = doc.LogoutResponse;
if (logoutResponse){
Expand Down Expand Up @@ -916,7 +916,7 @@ SAML.prototype.validatePostRequest = function (container, callback) {
.then(function(certs) {
// Check if this document has a valid top-level signature
if (self.options.cert && !self.validateSignature(xml, dom.documentElement, certs)) {
return callback(new Error('Invalid signature'));
return callback(new Error('Invalid signature on documentElement'));
}

processValidlySignedPostRequest(self, doc, callback);
Expand Down
2 changes: 1 addition & 1 deletion package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "passport-saml",
"version": "0.32.1",
"version": "0.33.0",
"license" : "MIT",
"keywords": [
"saml",
Expand Down
10 changes: 5 additions & 5 deletions test/tests.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

0 comments on commit bcb3447

Please sign in to comment.