From 9820e32cfdde192b4cf2e674b52bccb978442473 Mon Sep 17 00:00:00 2001
From: Chris Barth <chrisjbarth@hotmail.com>
Date: Tue, 11 Sep 2018 12:20:24 -0400
Subject: [PATCH] support multiple authnContext

---
 lib/passport-saml/saml.js | 17 +++++++++++++----
 test/tests.js             | 36 ++++++++++++++++++++++++++++++++++++
 2 files changed, 49 insertions(+), 4 deletions(-)

diff --git a/lib/passport-saml/saml.js b/lib/passport-saml/saml.js
index 674b4c54b..9ffa31b7d 100644
--- a/lib/passport-saml/saml.js
+++ b/lib/passport-saml/saml.js
@@ -44,6 +44,10 @@ SAML.prototype.initialize = function (options) {
     options.authnContext = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport";
   }
 
+  if (!Array.isArray(options.authnContext)) {
+    options.authnContext = [options.authnContext];
+  }
+
   if (!options.acceptedClockSkewMs) {
     // default to no skew
     options.acceptedClockSkewMs = 0;
@@ -181,13 +185,18 @@ SAML.prototype.generateAuthorizeRequest = function (req, isPassive, callback) {
     }
 
     if (!self.options.disableRequestedAuthnContext) {
+      var authnContextClassRefs = [];
+      self.options.authnContext.forEach(function(value) {
+        authnContextClassRefs.push({
+            '@xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion',
+            '#text': value
+        });        
+      });
+        
       request['samlp:AuthnRequest']['samlp:RequestedAuthnContext'] = {
         '@xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol',
         '@Comparison': 'exact',
-        'saml:AuthnContextClassRef': {
-          '@xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion',
-          '#text': self.options.authnContext
-        }
+        'saml:AuthnContextClassRef': authnContextClassRefs
       };
     }
 
diff --git a/test/tests.js b/test/tests.js
index ce7150875..bb0a0cc6b 100644
--- a/test/tests.js
+++ b/test/tests.js
@@ -392,6 +392,42 @@ describe( 'passport-saml /', function() {
                    [ { _: 'myAuthnContext',
                        '$': { 'xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion' } } ] } ] } }
       },
+      { name: "Config with multiple AuthnContext",
+        config: {
+          issuer: 'http://exampleSp.com/saml',
+          identifierFormat: 'alternateIdentifier',
+          passive: true,
+          attributeConsumingServiceIndex: 123,
+          authnContext: ['myAuthnContext', 'myAuthnContext2']
+        },
+        result: {
+          'samlp:AuthnRequest':
+           { '$':
+              { 'xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol',
+                Version: '2.0',
+                ProtocolBinding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
+                AssertionConsumerServiceURL: 'http://localhost:3033/login',
+                AttributeConsumingServiceIndex: '123',
+                Destination: 'https://wwwexampleIdp.com/saml',
+                IsPassive: 'true'},
+             'saml:Issuer':
+              [ { _: 'http://exampleSp.com/saml',
+                  '$': { 'xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion' } } ],
+             'samlp:NameIDPolicy':
+              [ { '$':
+                   { 'xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol',
+                     Format: 'alternateIdentifier',
+                     AllowCreate: 'true' } } ],
+             'samlp:RequestedAuthnContext':
+              [ { '$':
+                   { 'xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol',
+                     Comparison: 'exact' },
+                  'saml:AuthnContextClassRef':
+                   [ { _: 'myAuthnContext',
+                       '$': { 'xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion' } },
+                     { _: 'myAuthnContext2',
+                       '$': { 'xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion' } } ] } ] } }
+      },
       { name: "Config with ProviderName",
         config: {
           issuer: 'http://exampleSp.com/saml',