Merge branch 'master' into master

README.md

@@ -1,5 +1,8 @@
 Passport-SAML
 =============
+[![Build Status](https://travis-ci.org/bergie/passport-saml.svg?branch=master)](https://travis-ci.org/bergie/passport-saml) [![GitHub version](https://badge.fury.io/gh/bergie%2Fpassport-saml.svg)](https://badge.fury.io/gh/bergie%2Fpassport-saml) [![npm version](https://badge.fury.io/js/passport-saml.svg)](http://badge.fury.io/js/passport-saml) [![dependencies](https://david-dm.org/bergie/passport-saml.svg)](https://david-dm.org/bergie/passport-saml.svg) [![devDependencies](https://david-dm.org/bergie/passport-saml/dev-status.svg)](https://david-dm.org/bergie/passport-saml/dev-status.svg) [![peerDependencies](https://david-dm.org/bergie/passport-saml/peer-status.svg)](https://david-dm.org/bergie/passport-saml/peer-status.svg)
+
+[![NPM](https://nodei.co/npm/passport-saml.png?downloads=true&downloadRank=true&stars=true)](https://nodei.co/npm/passport-saml/)
 
 This is a [SAML 2.0](http://en.wikipedia.org/wiki/SAML_2.0) authentication provider for [Passport](http://passportjs.org/), the Node.js authentication library.
 
@@ -40,40 +43,42 @@ passport.use(new SamlStrategy(
 );
 ```
 
-Config parameter details:
-* Core
- * `callbackUrl`: full callbackUrl (overrides path/protocol if supplied)
- * `path`: path to callback; will be combined with protocol and server host information to construct callback url if `callbackUrl` is not specified (default: `/saml/consume`)
- * `protocol`: protocol for callback; will be combined with path and server host information to construct callback url if `callbackUrl` is not specified (default: `http://`)
- * `host`: host for callback; will be combined with path and protocol to construct callback url if `callbackUrl` is not specified (default: `localhost`)
- * `entryPoint`: identity provider entrypoint
- * `issuer`: issuer string to supply to identity provider
- * `cert`: see 'security and signatures'
- * `privateCert`: see 'security and signatures'
- * `decryptionPvk`: optional private key that will be used to attempt to decrypt any encrypted assertions that are received
- * `signatureAlgorithm`: optionally set the signature algorithm for signing requests, valid values are 'sha1' (default), 'sha256', or 'sha512'
-* Additional SAML behaviors
- * `additionalParams`: dictionary of additional query params to add to all requests
- * `additionalAuthorizeParams`: dictionary of additional query params to add to 'authorize' requests
- * `identifierFormat`: if truthy, name identifier format to request from identity provider (default: `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`)
- * `acceptedClockSkewMs`: Time in milliseconds of skew that is acceptable between client and server when checking `OnBefore` and `NotOnOrAfter` assertion condition validity timestamps.  Setting to `-1` will disable checking these conditions entirely.  Default is `0`.
- * `attributeConsumingServiceIndex`: optional `AttributeConsumingServiceIndex` attribute to add to AuthnRequest to instruct the IDP which attribute set to attach to the response ([link](http://blog.aniljohn.com/2014/01/data-minimization-front-channel-saml-attribute-requests.html))
- * `providerName`: optional human-readable name of the requester for use by the presenter's user agent or the identity provider
- * `disableRequestedAuthnContext`: if truthy, do not request a specific auth context
- * `authnContext`: if truthy, name identifier format to request auth context (default: `urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport`)
- * `forceAuthn`: if set to true, the initial SAML request from the service provider specifies that the IdP should force re-authentication of the user, even if they possess a valid session.
- * `skipRequestCompression`: if set to true, the SAML request from the service provider won't be compressed.
- * `authnRequestBinding`: if set to `HTTP-POST`, will request authentication from IDP via HTTP POST binding, otherwise defaults to HTTP Redirect
-* InResponseTo Validation
- * `validateInResponseTo`: if truthy, then InResponseTo will be validated from incoming SAML responses
- * `requestIdExpirationPeriodMs`: Defines the expiration time when a Request ID generated for a SAML request will not be valid if seen in a SAML response in the `InResponseTo` field.  Default is 8 hours.
- * `cacheProvider`: Defines the implementation for a cache provider used to store request Ids generated in SAML requests as part of `InResponseTo` validation.  Default is a built-in in-memory cache provider.  For details see the 'Cache Provider' section.
-* Passport
- * `passReqToCallback`: if truthy, `req` will be passed as the first argument to the verify callback (default: `false`)
-* Logout
- * `logoutUrl`: base address to call with logout requests (default: `entryPoint`)
- * `additionalLogoutParams`: dictionary of additional query params to add to 'logout' requests
- * `logoutCallbackUrl`: The value with which to populate the `Location` attribute in the `SingleLogoutService` elements in the generated service provider metadata.
+#### Config parameter details:
+
+ * **Core**
+  * `callbackUrl`: full callbackUrl (overrides path/protocol if supplied)
+  * `path`: path to callback; will be combined with protocol and server host information to construct callback url if `callbackUrl` is not specified (default: `/saml/consume`)
+  * `protocol`: protocol for callback; will be combined with path and server host information to construct callback url if `callbackUrl` is not specified (default: `http://`)
+  * `host`: host for callback; will be combined with path and protocol to construct callback url if `callbackUrl` is not specified (default: `localhost`)
+  * `entryPoint`: identity provider entrypoint
+  * `issuer`: issuer string to supply to identity provider
+  * `cert`: see [Security and signatures](#security-and-signatures)
+  * `privateCert`: see [Security and signatures](#security-and-signatures)
+  * `decryptionPvk`: optional private key that will be used to attempt to decrypt any encrypted assertions that are received
+  * `signatureAlgorithm`: optionally set the signature algorithm for signing requests, valid values are 'sha1' (default), 'sha256', or 'sha512'
+ * **Additional SAML behaviors**
+  * `additionalParams`: dictionary of additional query params to add to all requests
+  * `additionalAuthorizeParams`: dictionary of additional query params to add to 'authorize' requests
+  * `identifierFormat`: if truthy, name identifier format to request from identity provider (default: `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`)
+  * `acceptedClockSkewMs`: Time in milliseconds of skew that is acceptable between client and server when checking `OnBefore` and `NotOnOrAfter` assertion condition validity timestamps.  Setting to `-1` will disable checking these conditions entirely.  Default is `0`.
+  * `attributeConsumingServiceIndex`: optional `AttributeConsumingServiceIndex` attribute to add to AuthnRequest to instruct the IDP which attribute set to attach to the response ([link](http://blog.aniljohn.com/2014/01/data-minimization-front-channel-saml-attribute-requests.html))
+  * `disableRequestedAuthnContext`: if truthy, do not request a specific auth context
+  * `authnContext`: if truthy, name identifier format to request auth context (default: `urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport`)
+  * `forceAuthn`: if set to true, the initial SAML request from the service provider specifies that the IdP should force re-authentication of the user, even if they possess a valid session.
+  * `providerName`: optional human-readable name of the requester for use by the presenter's user agent or the identity provider
+  * `skipRequestCompression`: if set to true, the SAML request from the service provider won't be compressed.
+  * `authnRequestBinding`: if set to `HTTP-POST`, will request authentication from IDP via HTTP POST binding, otherwise defaults to HTTP Redirect
+ * **InResponseTo Validation**
+  * `validateInResponseTo`: if truthy, then InResponseTo will be validated from incoming SAML responses
+  * `requestIdExpirationPeriodMs`: Defines the expiration time when a Request ID generated for a SAML request will not be valid if seen in a SAML response in the `InResponseTo` field.  Default is 8 hours.
+  * `cacheProvider`: Defines the implementation for a cache provider used to store request Ids generated in SAML requests as part of `InResponseTo` validation.  Default is a built-in in-memory cache provider.  For details see the 'Cache Provider' section.
+ * **Passport**
+  * `passReqToCallback`: if truthy, `req` will be passed as the first argument to the verify callback (default: `false`)
+ * **Logout**
+  * `logoutUrl`: base address to call with logout requests (default: `entryPoint`)
+  * `additionalLogoutParams`: dictionary of additional query params to add to 'logout' requests
+  * `logoutCallbackUrl`: The value with which to populate the `Location` attribute in the `SingleLogoutService` elements in the generated service provider metadata.
+
 
 ### Provide the authentication callback
 
@@ -105,7 +110,7 @@ app.get('/login',
 
 As a convenience, the strategy object exposes a `generateServiceProviderMetadata` method which will generate a service provider metadata document suitable for supplying to an identity provider.  This method will only work on strategies which are configured with a `callbackUrl` (since the relative path for the callback is not sufficient information to generate a complete metadata document).
 
-The `decryptionCert` argument should be a certificate matching the `decryptionPvk` and is required if the strategy is configured with a `decryptionPvk`.
+The `decryptionCert` argument should be a public certificate matching the `decryptionPvk` and is required if the strategy is configured with a `decryptionPvk`.
 
 
 ## Security and signatures
@@ -118,12 +123,19 @@ Authentication requests sent by Passport-SAML can be signed using RSA-SHA1. To s
     privateCert: fs.readFileSync('./cert.pem', 'utf-8')
 ```
 
-It is a good idea to validate the incoming SAML Responses. For this, you can provide the Identity Provider's public signing certificate using the `cert` configuration key:
+
+It is a good idea to validate the incoming SAML Responses. For this, you can provide the Identity Provider's public PEM-encoded X.509 certificate using the `cert` confguration key. The "BEGIN CERTIFICATE" and "END CERTIFICATE" lines should be stripped out and the certificate should be provided on a single line.
 
 ```javascript
     cert: 'MIICizCCAfQCCQCY8tKaMc0BMjANBgkqh ... W=='
 ```
 
+If you have a certificate in the binary DER encoding, you can convert it to the necessary PEM encoding like this:
+
+```bash
+     openssl x509 -inform der -in my_certificate.cer -out my_certificate.pem
+````
+
 ## Usage with Active Directory Federation Services
 
 Here is a configuration that has been proven to work with ADFS:

package.json

@@ -1,6 +1,6 @@
 {
   "name": "passport-saml",
-  "version": "0.15.0",
+  "version": "0.16.2",
   "licenses": [
     {
       "type": "MIT",
@@ -33,7 +33,7 @@
     "passport-strategy": "*",
     "q": "^1.5.0",
     "xml-crypto": "^0.9.0",
-    "xml-encryption": "~0.10",
+    "xml-encryption": "^0.11.0",
     "xml2js": "0.4.x",
     "xmlbuilder": "^8.2.2",
     "xmldom": "0.1.x"
@@ -49,7 +49,7 @@
     "sinon": "^2.1.0"
   },
   "engines": {
-    "node": ">= 0.8.0"
+    "node": ">= 0.10.0"
   },
   "scripts": {
     "test": "mocha",