diff --git a/README.md b/README.md
index cb60382e1..4144d4b7b 100644
--- a/README.md
+++ b/README.md
@@ -125,6 +125,8 @@ type Profile = {
 * `validateInResponseTo`: if truthy, then InResponseTo will be validated from incoming SAML responses
 * `requestIdExpirationPeriodMs`: Defines the expiration time when a Request ID generated for a SAML request will not be valid if seen in a SAML response in the `InResponseTo` field. Default is 8 hours.
 * `cacheProvider`: Defines the implementation for a cache provider used to store request Ids generated in SAML requests as part of `InResponseTo` validation. Default is a built-in in-memory cache provider. For details see the 'Cache Provider' section.
+ * **Issuer Validation**
+ * `samlIssuer`: if provided, then the IdP issuer will be validated for incoming Logout Requests/Responses
 * **Passport**
 * `passReqToCallback`: if truthy, `req` will be passed as the first argument to the verify callback (default: `false`)
 * `name`: Optionally, provide a custom name. (default: `saml`). Useful If you want to instantiate the strategy multiple times with different configurations,
diff --git a/lib/passport-saml/saml.js b/lib/passport-saml/saml.js
index ed1e56e0b..16625210d 100644
--- a/lib/passport-saml/saml.js
+++ b/lib/passport-saml/saml.js
@@ -845,12 +845,14 @@ SAML.prototype.verifyLogoutResponse = function (doc) {
 };
 
 SAML.prototype.verifyIssuer = function (samlMessage) {
- var issuer = samlMessage.Issuer;
- if (issuer && this.options.samlIssuer) {
- if (issuer[0] !== this.options.samlIssuer && issuer[0]._ !== this.options.samlIssuer)
- throw 'Unknown SAML issuer. Expected: ' + this.options.samlIssuer + ' Received: ' + issuer[0];
- } else {
- throw 'Missing SAML issuer';
+ if(this.options.samlIssuer) {
+ var issuer = samlMessage.Issuer;
+ if (issuer) {
+ if (issuer[0] !== this.options.samlIssuer && issuer[0]._ !== this.options.samlIssuer)
+ throw 'Unknown SAML issuer. Expected: ' + this.options.samlIssuer + ' Received: ' + issuer[0];
+ } else {
+ throw 'Missing SAML issuer';
+ }
 }
 };
 
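Review bot: The 'Unknown SAML issuer' message on the fifth added line concatenates `issuer[0]`, which the `issuer[0]._` fallback in the same condition suggests can be a parsed-element object rather than a string; in that case the message reads `[object Object]` and the log entry a defender would use to spot a mismatched IdP loses the received value, so prefer `' Received: ' + (issuer[0]._ || issuer[0])`. The new outer `if(this.options.samlIssuer)` turns the whole check into a no-op when the option is unset, which matches the README hunk's opt-in wording but deserves a comment on that line, e.g. `// Issuer validation is opt-in: nothing is checked unless options.samlIssuer is configured`. Both branches still throw string literals rather than `Error` objects, so callers get no stack and cannot test `instanceof Error`; that appears to be the surrounding file's convention, so it is only worth changing if the file moves to `Error` objects as a whole. The `if(` without a space also differs from the `if (` used on the neighbouring lines.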