ADFS, and I would assume some other SAML providers output a SAML metadata file that can be used to configure an application. The XML contains the IDP URL as well as the signing and encryption certificates. This is nice to use because as certs expire and are changed by the SAML provider, the application does not need to be updated as long as it refreshes config from the XML.

I have written some code to read the XML metadata from an ADFS instance and configure a passport-wsfed-saml2 strategy. It works in my case and I would like to make it available via GitHub and NPM. Should I submit a PR for this project with this added as a feature, or should I create my own separate project with a passport strategy that reads the metadata and inherits the passport-wsfed-saml2 strategy?

It seems when using ws-fed with ADFS2.0 the ws-trust version is 1.2, but the wsfederation code is looking for a 1.3 token: 'http://docs.oasis-open.org/ws-sx/ws-trust/200512'

What do you think of changing the code to accept either?

extractToken: function(req) {
var doc = new xmldom.DOMParser().parseFromString(req.body['wresult']);
var token = doc.getElementsByTagNameNS('http://docs.oasis-open.org/ws-sx/ws-trust/200512', 'RequestedSecurityToken')[0] ||
doc.getElementsByTagNameNS('http://schemas.xmlsoap.org/ws/2005/02/trust', 'RequestedSecurityToken')[0];

return token && token.firstChild;

}

consider mapping the profile as other passport strategies, put the raw claims on _raw or _json.

http://passportjs.org/guide/profile/

While reading the SAMLResponse the library converts the base64 string to a Buffer, after that it converts whether to a string without considering if the XML defined a different encoding in the prolog:

<?xml version="1.0" encoding="UTF-8" ?> <== usually UTF-8 is used, in some cases it can contain a different encoding. We should read the rest of XML based on that encoding.

Hi! I'm try to auth user with ADFS with WS-Federation protocol, but when i try login in my app, happens CORS error... What I need to do to resolve it? Thanks

Hello,

I'm in primary maintainer for passport-saml, which this project was forked from.

I'm not certain of what changes or incompatibilities were as part of the fork, but wanted to see if there's interest in discussing merging the projects.

The passport-saml project has been rather active lately, with bug fixes and feature patches flowing in from a number of contributors. It also has the most projects that depend on it and is the most downloaded SAML project for Node.

There's the saying "with enough eyeballs, all bugs are shallow". I think by joining efforts, we could end up with a higher quality product that either project might achieve alone. AuthO could benefit from being associated with Node's most highly visible SAML library.

If a merge were to happen, I would suggest it be hosted under the "auth0" namespace, as the developer hosting the current repo is no longer actively involved with the project.

You are welcome to contact me privately to continue the discussion or respond directly here as well.

Thanks.

Get the following error:

TypeError: Cannot set property 'user' of undefined  
    at /src/node_modules/passport-wsfed-saml2/node_modules/passport/lib/passport/http/request.js:45:35
    at pass (/src/node_modules/passport/lib/authenticator.js:267:43)
    at serialized (/src/node_modules/passport/lib/authenticator.js:276:7)
    at strategies.ntuvpn.exports.serializeUser (/src/auth.js:54:3)
    at pass (/src/node_modules/passport/lib/authenticator.js:284:9)
    at Authenticator.serializeUser (/src/node_modules/passport/lib/authenticator.js:289:5)
    at IncomingMessage.req.login.req.logIn (/src/node_modules/passport-wsfed-saml2/node_modules/passport/lib/passport/http/request.js:43:29)
...

I think this is caused by the conflict between old passport (0.1.x) and the new one (0.3.x).
Can move the passport depenency to the new one? (0.3.x)

So what do I do when to install this package it tells me I need the .Net Framework 2.0 SDK that came out over 10 years ago and I'm on Windows 10 and it's 2019?

C:\Users\dp966eu\jsworkspace\src\ald-auth>npm install passport-wsfed-saml2 --save
npm WARN deprecated [email protected]: The major version is no longer supported. Please update to 4.x or newer
npm WARN deprecated [email protected]: Please update to the latest object-keys

[email protected] install C:\Users\dp966eu\jsworkspace\src\ald-auth\node_modules\x509
node-gyp rebuild

C:\Users\dp966eu\jsworkspace\src\ald-auth\node_modules\x509>if not defined npm_config_node_gyp (node "C:\Program Files\nodejs\node_modules\npm\node_modules\npm-lifecycle\node-gyp-bin\....\node_modules\node-gyp\bin\node-gyp.js" rebuild ) else (node "C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\bin\node-gyp.js" rebuild )
Warning: unrecognized setting VCCLCompilerTool/MultiProcessorCompilation
Warning: unrecognized setting VCCLCompilerTool/MultiProcessorCompilation
Building the projects in this solution one at a time. To enable parallel build, please add the "/m" switch.
MSBUILD : error MSB3428: Could not load the Visual C++ component "VCBuild.exe". To fix this, 1) install the .NET Framew
ork 2.0 SDK, 2) install Microsoft Visual Studio 2005 or 3) add the location of the component to the system path if it i
s installed elsewhere. [C:\Users\dp966eu\jsworkspace\src\ald-auth\node_modules\x509\build\binding.sln]
gyp ERR! build error
gyp ERR! stack Error: C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe failed with exit code: 1
gyp ERR! stack at ChildProcess.onExit (C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\lib\build.js:262:23)
gyp ERR! stack at ChildProcess.emit (events.js:182:13)
gyp ERR! stack at Process.ChildProcess._handle.onexit (internal/child_process.js:240:12)
gyp ERR! System Windows_NT 10.0.16299
gyp ERR! command "C:\Program Files\nodejs\node.exe" "C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\bin\node-gyp.js" "rebuild"
gyp ERR! cwd C:\Users\dp966eu\jsworkspace\src\ald-auth\node_modules\x509
gyp ERR! node -v v10.14.2
gyp ERR! node-gyp -v v3.8.0
gyp ERR! not ok
npm WARN [email protected] No description
npm WARN [email protected] No repository field.

npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! [email protected] install: node-gyp rebuild
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the [email protected] install script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

npm ERR! A complete log of this run can be found in:
npm ERR! C:\Users\dp966eu\AppData\Roaming\npm-cache_logs\2019-01-29T23_28_33_191Z-debug.log

There is some different behaviour between encrypted and non encrypted assertions. The following paths are unreachable when the assertion is encrypted:

• https://github.com/auth0/passport-wsfed-saml2/blob/master/lib/passport-wsfed-saml2/samlp.js#L243-L246
• https://github.com/auth0/passport-wsfed-saml2/blob/master/lib/passport-wsfed-saml2/samlp.js#L394-L406

Hi,
We are using passport-wsfed-saml2 in our project and Yarn as the package manager.
We have an error related to the xmldom dependency.
Actually, this dependency is referenced with a path to the project's master branch.

As a consequence, we can have errors when the master branch changes while
we did NOT change our packages.json.

Can you update your dependencies to use a specific version ?

I see you are using forked versions for some dependencies.

Currently that fails npm install in our containers (No git binary found in $PATH). We have no plans of adding git to our containers.

Do you have a stable, secure version of this package that does not rely on private forks of other NPM packages?

x509 dependency is not compatible with a newer node.

It seems in master fix is done for node 10 version, but in npm there is still the previous version.

I have a SAML token which has a group claim coming from Azure AD which looks like this.

<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
    <AttributeValue>bf4b36a2-5841-48d1-bd40-6d73b91950d4</AttributeValue>
    <AttributeValue>7f2b1172-2484-452f-bfd4-155021cf0a39</AttributeValue>
</Attribute>

The resulting profile object which is passed into the verify function has one claim listed, when I would expect an array of strings.

{
    ...
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups":"bf4b36a2-5841-48d1-bd40-6d73b91950d4",
    ...
}

Is there any way to make that SAML get parsed into an array like so?

{
    ...
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups": ["bf4b36a2-5841-48d1-bd40-6d73b91950d4", "7f2b1172-2484-452f-bfd4-155021cf0a39"],
    ...
}

I have an app that is authenticating just fine. It redirects me to a Token server, authenticates me and sends me back to my callback URL. The server, when it authenticates me sets a timeout for a hour. If I keep my browser session open for more than an hour the user session continues to work. Following your example, the ensureAuthenticated function always returns true:

function ensureAuthenticated(req, res, next) {
    if (req.isAuthenticated()) {
        return next();
    }
    res.redirect('/login');
}

When I write out the isAuthenticated` function to the console I see the following:

function () {
  var property = 'user';
  if (this._passport && this._passport.instance._userProperty) {
    property = this._passport.instance._userProperty;
  }

  return (this[property]) ? true : false;
}

which seems like it is just checking for the existence of a property. This will always be true unless something is checking the session and updating it.
Am I missing something? How can I make sure that the ensureAuthenticated function returns false or redirects me to my login page when my SAML token has expired?

In my production environment we have 3 servers. When I set a strategy in one of them, when the redirect comes it may go to a server where the strategy was not set causing the Unknown authenticate strategy error.
How can I solve this problem?

Hello, thanks for library, it works like a charm.

But there is one problem we are currently facing – we need to configurate strategy based on req data.

Currently:

new wsfedsaml2({
	// ADFS RP identifier
	realm: 'urn:node:wsfedapp',
	identityProviderUrl: 'https://my-adfs/adfs/ls',
	// ADFS token signing certificate
	thumbprint: '5D27....D27E'
	// or cert: fs.readFileSync("adfs_signing_key.cer")
}, function (profile, done) {
 // ...
}))

And we need:

const getParams = req => {
   return {
     .... req based params
   }
}

new wsfedsaml2(getParams, function (profile, done) {
 // ...
}))

How do we achieve that?

I run into the following error when I run my server:

passport.use(new wsfedsaml2(
             ^
TypeError: object is not a function
    at Object.<anonymous> (D:\Playground\nodeIdSrv\server.js:7:14)
    at Module._compile (module.js:456:26)
    at Object.Module._extensions..js (module.js:474:10)
    at Module.load (module.js:356:32)
    at Function.Module._load (module.js:312:12)
    at Function.Module.runMain (module.js:497:10)
    at startup (node.js:119:16)
    at node.js:906:3

Here is my simple server:

var express = require('express');
var passport = require('passport');
var wsfedsaml2 = require('passport-wsfed-saml2');
var app = express();

passport.use(new wsfedsaml2(
  {
    path: '/login/callback',
    realm: 'urn:node:app',
    homeRealm: '', // optionally specify an identity provider to avoid showing the idp selector
    identityProviderUrl: 'https://auth10-dev.accesscontrol.windows.net/v2/wsfederation',
    cert: 'MIIDFjCCAf6gAwIBAgIQDRRprj9lv5RBvaQdlFltDzANBgkqhkiG9w0BAQUFADAvMS0wKwYDVQQDEyRhdXRoMTAtZGV2LmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwHhcNMTEwOTIxMDMzMjMyWhcNMTIwOTIwMDkzMjMyWjAvMS0wKwYDVQQDEyRhdXRoMTAtZGV2LmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCEIAEB/KKT3ehNMy2MQEyJIQ14CnZ8DC2FZgL5Gw3UBSdRb9JinK/gw7yOQtwKfJUqeoZaUSAAdcdbgqwVxOnMBfWiYX7DGlEznSfqYVnjOWjqqjpoe0h6RaOkdWovDtoidmqVV1tWRJFjkj895clPxkLpnqqcycfXtSdZen0SroGyirD2mhMc9ccLbJ3zRnBNjlvpo5zow1zYows09tNC2EhGROL/OS4JNRQnJRICZC+WkA7Igf3xb4btJOzIPYhFiqCGrd/81CHmAyEuNzyc60I5yomDQfZ91Eb5Uk3F7mlfAlYB2aZwDwldLSOlVE8G1E5xFexF/5KyPC4ShNodAgMBAAGjLjAsMAsGA1UdDwQEAwIE8DAdBgNVHQ4EFgQUyYfx/r0czsPgTzitqey+fGMQpkcwDQYJKoZIhvcNAQEFBQADggEBAB5dgQlM3tKS+/cjlvMCPjZH0Iqo/Wxecri3YWi2iVziZ/TQ3dSV+J/iTyduN7rJmFQzTsNERcsgyAwblwnEKXXvlWo8G/+VDIMh3zVPNQFKns5WPkfkhoSVlnZPTQ8zdXAcWgDXbCgvdqIPozdgL+4l0W0XVL1ugA4/hmMXh4TyNd9Qj7MWvlmwVjevpSqN4wG735jAZFHb/L/vvc91uKqP+JvLNj8tPFVxatzi56X1V8jBM61Hx1Z9D0RCDjtmcQVysVEylW9O6mNy6ZrhLm0q5yecWudfBbTKDqRoCHQRjrMU2c5q/ZFDtgjLim7FaNxFbgTyjeRCPclEhfemYVg='
  },
  function(profile, done) {
    findByEmail(profile.email, function(err, user) {
      if (err) {
        return done(err);
      }
      return done(null, user);
    });
  })
);

var port = process.env.PORT || 3000;

app.get('', function(req, res) {
    res.send("Welcome!");
});

app.post('/login/callback',
  passport.authenticate('wsfed-saml2', { failureRedirect: '/', failureFlash: true }),
  function(req, res) {
    console.log(req);
    res.redirect('/');
  }
);

app.listen(port);
console.log('Server started');

Hi,

I try to update your SAML example to connect to my IDP and I cannot get it work.
I followed the doc https://auth0.com/docs/protocols/saml/samlsso-auth0-to-auth0
I have the following configuration :

{
    path: '/login/callback',
    realm: 'urn:node:app',
    homeRealm: '', // specify an identity provider to avoid showing the idp selector
    identityProviderUrl: 'https://tenant2idp.eu.auth0.com/samlp/hHtOhv1Gb1Jocaeh0zsaB8GSrhfKm0YI',
    // setup either a certificate base64 encoded (cer) or just the thumbprint of the certificate if public key is embedded in the signature

    //cert: 'MIIDFjCCAf6gAwIBAgIQDRRprj9lv5RBvaQdlFltDzANBgkqhkiG9w0BAQUFADAvMS0wKwYDVQQDEyRhdXRoMTAtZGV2LmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwHhcNMTEwOTIxMDMzMjMyWhcNMTIwOTIwMDkzMjMyWjAvMS0wKwYDVQQDEyRhdXRoMTAtZGV2LmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCEIAEB/KKT3ehNMy2MQEyJIQ14CnZ8DC2FZgL5Gw3UBSdRb9JinK/gw7yOQtwKfJUqeoZaUSAAdcdbgqwVxOnMBfWiYX7DGlEznSfqYVnjOWjqqjpoe0h6RaOkdWovDtoidmqVV1tWRJFjkj895clPxkLpnqqcycfXtSdZen0SroGyirD2mhMc9ccLbJ3zRnBNjlvpo5zow1zYows09tNC2EhGROL/OS4JNRQnJRICZC+WkA7Igf3xb4btJOzIPYhFiqCGrd/81CHmAyEuNzyc60I5yomDQfZ91Eb5Uk3F7mlfAlYB2aZwDwldLSOlVE8G1E5xFexF/5KyPC4ShNodAgMBAAGjLjAsMAsGA1UdDwQEAwIE8DAdBgNVHQ4EFgQUyYfx/r0czsPgTzitqey+fGMQpkcwDQYJKoZIhvcNAQEFBQADggEBAB5dgQlM3tKS+/cjlvMCPjZH0Iqo/Wxecri3YWi2iVziZ/TQ3dSV+J/iTyduN7rJmFQzTsNERcsgyAwblwnEKXXvlWo8G/+VDIMh3zVPNQFKns5WPkfkhoSVlnZPTQ8zdXAcWgDXbCgvdqIPozdgL+4l0W0XVL1ugA4/hmMXh4TyNd9Qj7MWvlmwVjevpSqN4wG735jAZFHb/L/vvc91uKqP+JvLNj8tPFVxatzi56X1V8jBM61Hx1Z9D0RCDjtmcQVysVEylW9O6mNy6ZrhLm0q5yecWudfBbTKDqRoCHQRjrMU2c5q/ZFDtgjLim7FaNxFbgTyjeRCPclEhfemYVg='
    thumbprints: ['a3cff17cbf7e793a97861390eb698d00e9598537']
  },

I can connect to auth0 site, but after connection I have this page :

What am I doing wrong ?

In the current version of Passport, Cryptiles version 0.2.2 is used. This version of Cryptiles contains a security issue mentioned here:
hapijs/cryptiles#34

In my project we use the tool "Black Duck Scan" which flaggs this as a critical issue.

This issue is fixed in version 4.1.2 of Cryptiles according to this page:
https://nvd.nist.gov/vuln/detail/CVE-2018-1000620

OWASP Security check fails on this passport-wsfed-saml2 module as there is a deep dependency hoek v0.9.1 that's vulnerable to a Prototype pollution attack - https://nodesecurity.io/advisories/566. The issue was however patched in the later versions but it still exists in passport-wsfed-saml2 because of old cryptiles module. The dependency breakdown is - (cryptiles -> boom -> hoek). Cryptiles is dependent on boom which in turn is dependent on hoek. The boom package has upgraded hoek and also the cryptiles package has upgraded boom in turn but passport-wsfed-saml2 is dependent on old cryptiles version. Please upgrade the cryptiles module version so that the vulnerability is resolved. Thanks.

should these match:

• https://github.com/auth0/passport-wsfed-saml2/blob/v2.11.6/lib/passport-wsfed-saml2/wsfederation.js#L10
• https://github.com/auth0/passport-wsfed-saml2/blob/v2.11.6/lib/passport-wsfed-saml2/wsfederation.js#L106

I quickly tried an npm install for the login example, but seem to lack a source for passport-azure-acs
https://github.com/auth0/passport-wsfed-saml2/blob/master/examples/login/package.json#L8

Heads up:
passport-azure-ad may also be having problems
AzureAD/passport-azure-ad#25
AzureAD/passport-azure-ad#25 (comment)

The version of passport-wsfed-saml2 on NPM does not include: #41.

Hi. I would like to clear the usage of the callback used in your examples in 2 places:

path: '/login/callback'... (used in the wsfedsaml2 constructor)

app.post('/login/callback'... (used in the express router)

I have a working example that is the copy of your example minus the 2 occurrences of the callback. Is there a reason for its presence when the example is clearly working without it? Or is there something fundamentally wrong after removing those pieces?

I simply have:

path: '/login'...

app.post('/login'...

Thanks for your clearance.

The install is failing on the x509 dependency build with Node@12 and [email protected]. Relates to: #128.

When trying to initiate a HTTP-POST binding with a signed authentication request, it builds the request incorrectly. The signature should be added after the "Issuer", but it adds it before.

The current version of the lib "xml-crypto" SignedXml.prototype.computeSignature function inserts the elements before the node it finds.

I have updated passport-wsfed-saml2 to version 3.0.17 from 2.12.0 which breaks the login feature in my application. The profile in callback comes as false (with one login IDP https://www.onelogin.com/).

Configuration for strategy use is as below:

passport.use(config.name, new wsfedsaml2({ protocol: 'samlp', path: '/auth/login/saml/callback', realm: config.issuer ? config.issuer : 'Demo' , homeRealm: '', identityProviderUrl: config.url, cert: config.certificate }, function (profile, done) { logger.debug(profile); return done(null, profile); }));

With the above configuration, things work fine in 2.12.0.
Please provide feedback ASAP if something has changed in the protocol as there is no migration doc available.

FYI: Passport version 0.4.0
I have tested the same with version 4.0.0 the issue is also there.

SAMLp configuration documentation looks as follows:

Configure strategy for ADFS (SAMLp)
This example utilizes a strategy using SAMLp and RP token encryption.

passport.use('wsfed-saml2', new wsfedsaml2({
// ADFS RP identifier
realm: 'urn:node:samlapp',
identityProviderUrl: 'https://my-adfs/adfs/ls',
// ADFS token signing certificate
thumbprint: '5D27...D27E',
// or options.cert: fs.readFileSync("adfs_signing_key.cer")
protocol: "samlp",
// This is the private key (use case where ADFS
// is configured for RP token encryption)
decryptionKey: fs.readFileSync("server.key")
}, function (profile, done) {
// ...
}));

However in this case options.cert is wrong. It should be just cert because options object is the argument of wsfedsaml2 function.

How can i logout the user from the ADFS?
req.logout just deletes the local session. If i go to /login the user is authenticated again.

Will i have to send a request to my adfs server=?

Best regards
Dominic

Can I use this library only for saml 2.0 related operations, or this this library coupled with the wsfed/asdf?

Wsfed-saml2 strategy fails to provide any valuable information when fails to handle response XML from ADFS server.

TypeError: req.flash is not a function
    at allFailed (C:\inetpub\wwwroot\webapi\node_modules\passport\lib\middleware\authenticate.js:131:15)
    at attempt (C:\inetpub\wwwroot\webapi\node_modules\passport\lib\middleware\authenticate.js:180:28)
    at WsFedSaml2Strategy.strategy.fail (C:\inetpub\wwwroot\webapi\node_modules\passport\lib\middleware\authenticate.js:297:9)
    at C:\inetpub\wwwroot\webapi\node_modules\passport-wsfed-saml2\lib\passport-wsfed-saml2\strategy.js:225:32
    at C:\inetpub\wwwroot\webapi\node_modules\passport-wsfed-saml2\lib\passport-wsfed-saml2\samlp.js:363:20
    at Samlp.ignoreValidationFunction (C:\inetpub\wwwroot\webapi\node_modules\passport-wsfed-saml2\lib\passport-wsfed-saml2\samlp.js:30:10)
    at C:\inetpub\wwwroot\webapi\node_modules\passport-wsfed-saml2\lib\passport-wsfed-saml2\samlp.js:343:12
    at Samlp.ignoreValidationFunction (C:\inetpub\wwwroot\webapi\node_modules\passport-wsfed-saml2\lib\passport-wsfed-saml2\samlp.js:30:10)
    at Samlp.validateSamlResponse (C:\inetpub\wwwroot\webapi\node_modules\passport-wsfed-saml2\lib\passport-wsfed-saml2\samlp.js:338:10)
    at loaded (C:\inetpub\wwwroot\webapi\node_modules\passport-wsfed-saml2\lib\passport-wsfed-saml2\strategy.js:224:21)
    at NullStore.verify (C:\inetpub\wwwroot\webapi\node_modules\passport-wsfed-saml2\lib\passport-wsfed-saml2\state\null.js:9:3)
    at verifyState (C:\inetpub\wwwroot\webapi\node_modules\passport-wsfed-saml2\lib\passport-wsfed-saml2\strategy.js:158:26)
    at executeSamlp (C:\inetpub\wwwroot\webapi\node_modules\passport-wsfed-saml2\lib\passport-wsfed-saml2\strategy.js:244:7)
    at WsFedSaml2Strategy.authenticate (C:\inetpub\wwwroot\webapi\node_modules\passport-wsfed-saml2\lib\passport-wsfed-saml2\strategy.js:289:5)
    at attempt (C:\inetpub\wwwroot\webapi\node_modules\passport\lib\middleware\authenticate.js:361:16)
    at authenticate (C:\inetpub\wwwroot\webapi\node_modules\passport\lib\middleware\authenticate.js:362:7)
    at Layer.handle [as handle_request] (C:\inetpub\wwwroot\webapi\node_modules\express\lib\router\layer.js:95:5)
    at next (C:\inetpub\wwwroot\webapi\node_modules\express\lib\router\route.js:137:13)
    at Route.dispatch (C:\inetpub\wwwroot\webapi\node_modules\express\lib\router\route.js:112:3)
    at Layer.handle [as handle_request] (C:\inetpub\wwwroot\webapi\node_modules\express\lib\router\layer.js:95:5)
    at C:\inetpub\wwwroot\webapi\node_modules\express\lib\router\index.js:281:22
    at Function.process_params (C:\inetpub\wwwroot\webapi\node_modules\express\lib\router\index.js:335:12)

In my current usage I was failing on server side validation due to saml.js validateAudience comparing realm not audience to xpath.
It's a simple fix but I thought I'd bring it to your attention.

Following the example of this repo, what is the proper way of keeping a reference to the original requested url? This information is available in the former request as req.originalUrl but it gets lost if the user is not authenticated and the redirection (from GET /login to POST /login etc.) and authentication take place. The example in this repo has a static /

I tried to relay a state. Something like:

req.query.RelayState = req.params.redirect_to;
passport.authenticate('saml')(req, res, next);

... but to no avail. The information still gets lost.

There is a parameter that we need to send to get this tag?

When I try to authenticate my application with an ADFS server, the module only sends the whr, wa and wtrealm.
There is no request token that is passed to the ADFS.
There is no username or other identifier passed.
Does it really work with ADFS?
If so, how should I configure it in order for it to work?

Thanks.

Version: 2.13.0 (passport-wsfed-saml2)

Description of Issue

In version 2.13.0, and the 2.x.x stream, an install of my application fails due to a branch specified for the xmldom dependency instead of a tag. I imagine that the master branch on that repo was updated recently, which is what is causing the install fails.

This was corrected here 009728a

I could upgrade to 3.0.0, but I couldn't find a changelog and there are applications in production using this version, so I don't have a way of reasonably knowing if it will break the application or not without regressing.

Is it possible to get a patch for the 2.x.x stream to update this dependency to a tag vs a branch?

I looked the source and it seems that this library doesn't support SAML 2.0 Attribute queries. Am I correct?

I'm trying to login using Samlp but the library is returning the following error:
"Assertion is encrypted. Please set options.decryptionKey with your decryption private key."
Where I get this decryptionKey?

tried it on 4 different computers and got the same error:
Error: [email protected] install: node-gyp rebuild,
error Failed at the [email protected] install script.

Description

The library throws an uncaught exception instead of passing an error to the callback when the signingKey "key" property is missing.

Reproduction

Configure the strategy with the "signingKey" property and specify the "cert" but not the "key". For example:

{
  signingKey: {
    cert: 'awebrewobuwebao'
  }
}

• https://www.samltool.com/generic_sso_req.php
• https://www.oasis-open.org/committees/download.php/35387/sstc-saml-bindings-errata-2.0-wd-05-diff.pdf (page 15)

The value of the homeRealm option is sent to the identity provider as a parameter with the name whr (&whr=value). If we omit the homeRealm option, we would expect that the whr parameter will not be sent. But in fact it is sent, with an empty value (&whr=). This empty-value parameter actually caused a bug, in an ADFS environment I was working at (that’s how I got to know about all this).

It turns out that only if we set the homeRealm strategy option explicitly to a empty string (homeRealm: ‘’) the whr parameter will not be sent to the provider.

I’m not sure whether this behavior of the homeRealm option is intended. If it is, it is not documented and is error-prone. If this behavior is not intended, it is a bug.

If this is a bug, I can send a PR to fix it.

What do you think?
TIA

It seems like the strategy is for ADFS and either SAML or WSFed.

I am just curious if there is some reason to have those combined here and more specifically, since it is based on passport-saml, is there some benefit or reason I would use this repo (besides the fact that it's on the auth0) repo?

passport-saml is able to handle configuration for many different SAML IDP (including Shibboleth and ADFS). That would be my primary concern in switching up my proof of concept to use this version of a saml 2 passport strategy.

Thanks in advance (I'll probably switch anyways) just was hoping to keep my dependencies from crossing over. Would rather have my wsfed strategy if needed separate from my saml.

Here is an example

https://dl.dropboxusercontent.com/u/21665105/saml-encrypted.xml

We already have support for decrypting on node-xml-encryption.

We would have to add an option that takes the decryption private key, grabs the innerxml of the element and decrypti it

https://github.com/auth0/node-xml-encryption#decrypt

Then the flow continue as usual (signature verification)

Is there a reason that the LogoutRequest code was removed?

It's in the original Henri Bergius's passport-saml library.

I see there is a auth0/samlp-logout repository. Is that the way to go?

Hello - First of all, thanks for nice and clean package to integrate with ADFS.

We are able to integrate/test with ADFS successfully, however, when encryption is enabled on Relying party trust using self-signed certificate, the wsfed library cert is unable to decrypt the XML. I could not find documentation what cert need to provided/generated.

I have looked through documentation and examples without luck. Can any share the details?

Error Message:

Error: Signature is missing (xpath: .//*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#'])
    at SAML.validateSignature (/Users/test/test/adfs_test2/node_modules/passport-wsfed-saml2/lib/passport-wsfed-saml2/saml.js:45:21)
    at SAML.validateSamlAssertion (/Users/test/test/adfs_test2/node_modules/passport-wsfed-saml2/lib/passport-wsfed-saml2/saml.js:300:8)
    at /Users/test/test/adfs_test2/node_modules/passport-wsfed-saml2/lib/passport-wsfed-saml2/strategy.js:71:16
    at Object.retrieveToken (/Users/test/test/adfs_test2/node_modules/passport-wsfed-saml2/lib/passport-wsfed-saml2/wsfederation.js:62:5)
    at WsFedSaml2Strategy._authenticate_saml (/Users/test/test/adfs_test2/node_modules/passport-wsfed-saml2/lib/passport-wsfed-saml2/strategy.js:66:15)
    at loaded (/Users/test/test/adfs_test2/node_modules/passport-wsfed-saml2/lib/passport-wsfed-saml2/strategy.js:175:16)
    at NullStore.verify (/Users/test/test/adfs_test2/node_modules/passport-wsfed-saml2/lib/passport-wsfed-saml2/state/null.js:9:3)
    at verifyState (/Users/test/test/adfs_test2/node_modules/passport-wsfed-saml2/lib/passport-wsfed-saml2/strategy.js:158:26)
    at executeWsfed (/Users/test/test/adfs_test2/node_modules/passport-wsfed-saml2/lib/passport-wsfed-saml2/strategy.js:179:7)
    at WsFedSaml2Strategy.authenticate (/Users/test/test/adfs_test2/node_modules/passport-wsfed-saml2/lib/passport-wsfed-saml2/strategy.js:286:5)
::1 - - [24/Dec/2017:16:01:18 +0000] "POST /login/callback HTTP/1.1"

Code setup:

passport.use(new wsfedsaml2(
  {
    path: 'https://domain.ngrok.io/login/callback',
    realm: 'urn:domain:dashboard',
    homeRealm: '', // specify an identity provider to avoid showing the idp selector
    identityProviderUrl: 'https:///server.domain.local/adfs/ls',
    // setup either a certificate base64 encoded (cer) or just the thumbprint of the certificate if public key is embedded in the signature
    cert: fs.readFileSync('./certs/key.pem').toString('base64')
    // thumbprints: ['A9D596B7A1C71EA3CF4B330DE']
  },

Self signed cert generation (on Mac):

 openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
openssl x509 -outform der -in certificate.pem -out certificate.cer

When my identityProviderUrl relies on having a query param in the url (e.g. https://idp.server/federation/saml20/login?RequestBinding=HTTPPost&PartnerId=ISSUER&NameIdFormat=Email), the SAML redirect to the IDP fails because getRequestSecurityTokenUrl() returns a URL with two ? in it.

It looks like samlp allows the configuration of a decryption key, which can then be used to decrypt a token using standard encrypted data formats. Please add support for this same configuration option and actions to the wsfed protocol so that ADFS encrypted tokens can be decrypted from a wresult form post.

License should be updated to the latest approved version, and the Readme should include the issue reporting, author and license info at the bottom.