npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

suomifi-passport-saml

v1.3.3-sfi.13

Published

SAML 2.0 authentication strategy for Passport with Vetuma language selection extension

Downloads

2,743

Readme

Passport-SAML with Vetuma language selection extension

Build Status GitHub version npm version dependencies devDependencies peerDependencies

NPM

This is a SAML 2.0 authentication provider for Passport, the Node.js authentication library.

This suomifi-passport-saml fork contains extensions for Vetuma language selection and the following hardening:

  • Enforce audience checking
  • Enforce validteInResponseTo checking
  • Enforce assertion's signature validation
  • Enforce (by default) encrypted assertion(s) only policy
  • Enforce top level SAML response signature validation

The code was originally based on Michael Bosworth's express-saml library.

Passport-SAML has been tested to work with Onelogin, Okta, Shibboleth, SimpleSAMLphp based Identity Providers, and with Active Directory Federation Services.

!! - Status of this fork - !!

DVV teams are planning to migrate away from this fork and start using upstream version(s) as soon as possible.

One of the biggest things that has been added into @node-saml/node-saml 4.0.3 is support for SAML Extensions that was done in this pull request https://github.com/node-saml/node-saml/pull/11

One of the missing features in upstream versions is ability to pass used public key directly for the SAML client. Currently @node-saml/passport-saml and @node-saml/node-saml libraries are only allowing usage of certificate and SAML client is getting public key from certificate.

Currently Public Key support for @node-saml/node-saml is in PR phase https://github.com/node-saml/node-saml/pull/225 and we cannot give any estimate when it would be merged into master and released.

Thereof we created also fork from @node-saml/passport-saml and it is using changes in that open pull request and it can be used to test upstream saml library with Suomi.fi Tunnistus using public key. Add following line in package.json file and run npm i.

"dependencies": {
  "@node-saml/passport-saml": "[email protected]:RopoMen/passport-saml.git#d640479013e1c17e207f5c132c625976f314c4da"

Then you should be able to start testing upstream version of @node-saml/passport-saml with public key support. Public key can be provided through cert configuration property in PEM format.

In DVV, when public key support is added into upstream version of @node-saml/passport-saml our plan is to migragte away from this fork and then no maintenance to this library is provided by us.

Issue / Contribution guidelines

The fork is maintained by DVV teams for internal use. Active support and long term commitment for maintaining the library cannot be promised. All non-suomifi-passport-saml specific changes added by the team will be contributed to the upstream.

  • Anyone and everyone is welcome to open issues regarding suomifi-passport-saml specific functionality.
  • All non-fork-specific issues, support requests, improvements etc. should be contributed to the upstream passport-saml repository.

Installation

$ npm install suomifi-passport-saml

Usage

The examples utilize the Feide OpenIdp identity provider. You need an account there to log in with this. You also need to register your site as a service provider.

Configure strategy

The SAML identity provider will redirect you to the URL provided by the path configuration.

var SamlStrategy = require('suomifi-passport-saml').Strategy;
[...]

passport.use(new SamlStrategy(
  {
    path: '/login/callback',
    entryPoint: 'https://openidp.feide.no/simplesaml/saml2/idp/SSOService.php',
    issuer: 'passport-saml'
  },
  function(profile, done) {
    findByEmail(profile.email, function(err, user) {
      if (err) {
        return done(err);
      }
      return done(null, user);
    });
  })
);

Configure strategy for multiple providers

You can pass a getSamlOptions parameter to MultiSamlStrategy which will be called before the SAML flows. Passport-SAML will pass in the request object so you can decide which configuation is appropriate.

var MultiSamlStrategy = require('suomifi-passport-saml/multiSamlStrategy');
[...]

passport.use(new MultiSamlStrategy(
  {
    passReqToCallback: true, //makes req available in callback
    getSamlOptions: function(request, done) {
      findProvider(request, function(err, provider) {
        if (err) {
          return done(err);
        }
        return done(null, provider.configuration);
      });
    }
  },
  function(req, profile, done) {
    findByEmail(profile.email, function(err, user) {
      if (err) {
        return done(err);
      }
      return done(null, user);
    });
  })
);

The options passed when the MultiSamlStrategy is initialized are also passed as default values to each provider. e.g. If you provide an issuer on MultiSamlStrategy, this will be also a default value for every provider. You can override these defaults by passing a new value through the getSamlOptions function.

Using multiple providers supports validateInResponseTo, but all the InResponse values are stored on the same Cache. This means, if you're using the default InMemoryCache, that all providers have access to it and a provider might get its response validated against another's request. Issue Report. To amend this you should provide a different cache provider per SAML provider, through the getSamlOptions function.

The profile object:

The profile object referenced above contains the following:

type Profile = {
  issuer?: string;
  sessionIndex?: string;
  nameID?: string;
  nameIDFormat?: string;
  nameQualifier?: string;
  spNameQualifier?: string;
  mail?: string;  // InCommon Attribute urn:oid:0.9.2342.19200300.100.1.3
  email?: string;  // `mail` if not present in the assertion
  getAssertionXml(): string;  // get the raw assertion XML
  getAssertion(): object;  // get the assertion XML parsed as a JavaScript object
  getSamlResponseXml(): string; // get the raw SAML response XML
  ID?: string;
} & {
  [attributeName: string]: unknown;  // arbitrary `AttributeValue`s
}

Config parameter details:

  • Core

  • callbackUrl: full callbackUrl (overrides path/protocol if supplied)

  • path: path to callback; will be combined with protocol and server host information to construct callback url if callbackUrl is not specified (default: /saml/consume)

  • protocol: protocol for callback; will be combined with path and server host information to construct callback url if callbackUrl is not specified (default: http://)

  • host: host for callback; will be combined with path and protocol to construct callback url if callbackUrl is not specified (default: localhost)

  • entryPoint: identity provider entrypoint (is required to be spec-compliant when the request is signed)

  • issuer: issuer string to supply to identity provider

  • audience: expected saml response Audience (if not provided, Audience won't be verified)

  • cert: the IDP's public signing certificate used to validate the signatures of the incoming SAML Responses, see Security and signatures

  • privateCert: see Security and signatures

  • decryptionPvk: optional private key that will be used to attempt to decrypt any encrypted assertions that are received

  • signatureAlgorithm: optionally set the signature algorithm for signing requests, valid values are 'sha1' (default), 'sha256', or 'sha512'

  • digestAlgorithm: optionally set the digest algorithm used to provide a digest for the signed data object, valid values are 'sha1' (default), 'sha256', or 'sha512'

  • xmlSignatureTransforms: optionally set an array of signature transforms to be used in HTTP-POST signatures. By default this is [ 'http://www.w3.org/2000/09/xmldsig#enveloped-signature', 'http://www.w3.org/2001/10/xml-exc-c14n#' ]

  • Additional SAML behaviors

  • additionalParams: dictionary of additional query params to add to all requests; if an object with this key is passed to authenticate, the dictionary of additional query params will be appended to those present on the returned URL, overriding any specified by initialization options' additional parameters (additionalParams, additionalAuthorizeParams, and additionalLogoutParams)

  • additionalAuthorizeParams: dictionary of additional query params to add to 'authorize' requests

  • identifierFormat: if truthy, name identifier format to request from identity provider (default: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress)

  • acceptedClockSkewMs: Time in milliseconds of skew that is acceptable between client and server when checking OnBefore and NotOnOrAfter assertion condition validity timestamps. Setting to -1 will disable checking these conditions entirely. Default is 0.

  • attributeConsumingServiceIndex: optional AttributeConsumingServiceIndex attribute to add to AuthnRequest to instruct the IDP which attribute set to attach to the response (link)

  • disableRequestedAuthnContext: if truthy, do not request a specific authentication context. This is known to help when authenticating against Active Directory (AD FS) servers.

  • authnContext: if truthy, name identifier format to request auth context (default: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport); array of values is also supported

  • RACComparison: Requested Authentication Context comparison type. Possible values are 'exact','minimum','maximum','better'. Default is 'exact'.

  • forceAuthn: if set to true, the initial SAML request from the service provider specifies that the IdP should force re-authentication of the user, even if they possess a valid session.

  • providerName: optional human-readable name of the requester for use by the presenter's user agent or the identity provider

  • skipRequestCompression: if set to true, the SAML request from the service provider won't be compressed.

  • authnRequestBinding: if set to HTTP-POST, will request authentication from IDP via HTTP POST binding, otherwise defaults to HTTP Redirect

  • disableRequestACSUrl: if truthy, SAML AuthnRequest from the service provider will not include the optional AssertionConsumerServiceURL. Default is falsy so it is automatically included.

  • InResponseTo Validation

  • validateInResponseTo: if truthy, then InResponseTo will be validated from incoming SAML responses

  • requestIdExpirationPeriodMs: Defines the expiration time when a Request ID generated for a SAML request will not be valid if seen in a SAML response in the InResponseTo field. Default is 8 hours.

  • cacheProvider: Defines the implementation for a cache provider used to store request Ids generated in SAML requests as part of InResponseTo validation. Default is a built-in in-memory cache provider. For details see the 'Cache Provider' section.

  • Issuer Validation

  • idpIssuer: if provided, then the IdP issuer will be validated for incoming Logout Requests/Responses. For ADFS this looks like https://acme_tools.windows.net/deadbeef

  • Passport

  • passReqToCallback: if truthy, req will be passed as the first argument to the verify callback (default: false)

  • name: Optionally, provide a custom name. (default: saml). Useful If you want to instantiate the strategy multiple times with different configurations, allowing users to authenticate against multiple different SAML targets from the same site. You'll need to use a unique set of URLs for each target, and use this custom name when calling passport.authenticate() as well.

  • Logout

  • logoutUrl: base address to call with logout requests (default: entryPoint)

  • additionalLogoutParams: dictionary of additional query params to add to 'logout' requests

  • logoutCallbackUrl: The value with which to populate the Location attribute in the SingleLogoutService elements in the generated service provider metadata.

  • Suomi.fi Additions

  • suomifiAdditions: contains (debug) flags which can be used to turn off certain suomi.fi specific SAML (login) response checks / policy enforcements / configurations.

Suomi.fi Additions

Default values are (see lib/passport-saml/saml.js):

suomifiAdditions = {
  disableEncryptedAssertionsOnlyPolicyEnforcementForUnitTestPurposes: false,
  disableValidateInResponseEnforcementForUnitTestingPurposes:  false,
  disablePostResponseTopLevelSignatureValidationEnforcementForUnitTestPurposes: false,
  disableAssertionSignatureVerificationEnforcementForUnitTestPurposes: false,
  disableAudienceCheckEnforcementForUnitTestPurposes: false,
  usePublicKeyAsCertParamForSignatureValidation: false
}

i.e. these additional checks / policy enforcements are enabled by default

Provide the authentication callback

You need to provide a route corresponding to the path configuration parameter given to the strategy:

The authentication callback must be invoked after the body-parser middlerware.

const bodyParser = require('body-parser');

app.post('/login/callback',
  bodyParser.urlencoded({ extended: false }),
  passport.authenticate('saml', { failureRedirect: '/', failureFlash: true }),
  function(req, res) {
    res.redirect('/');
  }
);

Authenticate requests

Use passport.authenticate(), specifying saml as the strategy:

app.get('/login',
  passport.authenticate('saml', { failureRedirect: '/', failureFlash: true }),
  function(req, res) {
    res.redirect('/');
  }
);

...or, if you wish to add or override query string parameters:

app.get('/login',
  passport.authenticate('saml', { additionalParams: { 'username': '[email protected]' }}),
  function(req, res) {
    res.redirect('/');
  }
);

Authenticate the logout callback also:

app.get('logoutCallback', function(req, res, next) {
  if (req.session) {
    req.logout();
    req.session.destroy();
  }
  passport.authenticate('saml', { additionalParams: { 'username': '[email protected]' }}, function(err, data) {
    // this callback should only be entered on error situation in logout callback.
    if (err) {
      // error handling
    }
    next();
  })(req, res, next);
},
  function(req, res, next) {
    // callback for logout response
    return res.redirect('/');
  }
);

generateServiceProviderMetadata( decryptionCert, signingCert )

As a convenience, the strategy object exposes a generateServiceProviderMetadata method which will generate a service provider metadata document suitable for supplying to an identity provider. This method will only work on strategies which are configured with a callbackUrl (since the relative path for the callback is not sufficient information to generate a complete metadata document).

The decryptionCert argument should be a public certificate matching the decryptionPvk and is required if the strategy is configured with a decryptionPvk.

The signingCert argument should be a public certificate matching the privateCert and is required if the strategy is configured with a privateCert.

The generateServiceProviderMetadata method is also available on the MultiSamlStrategy, but needs an extra request and a callback argument (generateServiceProviderMetadata( req, decryptionCert, signingCert, next )), which are passed to the getSamlOptions to retrieve the correct configuration.

Security and signatures

Passport-SAML uses the HTTP Redirect Binding for its AuthnRequests (unless overridden with the authnRequestBinding parameter), and expects to receive the messages back via the HTTP POST binding.

Authentication requests sent by Passport-SAML can be signed using RSA signature with SHA1, SHA256 or SHA512 hashing algorithms.

To select hashing algorithm, use:

...
  signatureAlgorithm: 'sha1' // (default, but not recommended anymore these days)
  signatureAlgorithm: 'sha256', // (preffered - your IDP should support it, otherwise think about upgrading it)
  signatureAlgorithm: 'sha512' // (most secure - check if your IDP supports it)
...

To sign them you need to provide a private key in the PEM format via the privateCert configuration key.

Formats supported for privateCert field are,

  1. Well formatted PEM:
-----BEGIN PRIVATE KEY-----
<private key contents here delimited at 64 characters per row>
-----END PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----
<private key contents here delimited at 64 characters per row>
-----END RSA PRIVATE KEY-----

(both versions work) See example from tests of the first version of well formatted private key.

  1. Alternativelly a single line private key without start/end lines where all rows are joined into single line:

See example from tests of singleline private key.

Add it to strategy options like this:

    privateCert: fs.readFileSync('./privateCert.pem', 'utf-8')

It is a good idea to validate the signatures of the incoming SAML Responses. For this, you can provide the Identity Provider's public PEM-encoded X.509 signing certificate using the cert confguration key. The "BEGIN CERTIFICATE" and "END CERTIFICATE" lines should be stripped out and the certificate should be provided on a single line.

    cert: 'MIICizCCAfQCCQCY8tKaMc0BMjANBgkqh ... W=='

If you have a certificate in the binary DER encoding, you can convert it to the necessary PEM encoding like this:

     openssl x509 -inform der -in my_certificate.cer -out my_certificate.pem

If the Identity Provider has multiple signing certificates that are valid (such as during the rolling from an old key to a new key and responses signed with either key are valid) then the cert configuration key can be an array:

    cert: [ 'MIICizCCAfQCCQCY8tKaMc0BMjANBgkqh ... W==', 'MIIEOTCCAyGgAwIBAgIJAKZgJdKdCdL6M ... g=' ]

The cert configuration key can also be a function that receives a callback as argument calls back a possible error and a certificate or array of certificates. This allows the Identity Provider to be polled for valid certificates and the new certificate can be used if it is changed:

    cert: function(callback) { callback(null,polledCertificates); }

Usage with Active Directory Federation Services

Here is a configuration that has been proven to work with ADFS:

  {
    entryPoint: 'https://ad.example.net/adfs/ls/',
    issuer: 'https://your-app.example.net/login/callback',
    callbackUrl: 'https://your-app.example.net/login/callback',
    cert: 'MIICizCCAfQCCQCY8tKaMc0BMjANBgkqh ... W==',
    authnContext: 'http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows',
    identifierFormat: null
  }

Please note that ADFS needs to have a trust established to your service in order for this to work.

For more detailed instructions, see ADFS documentation.

SAML Response Validation - NotBefore and NotOnOrAfter

If the NotBefore or the NotOnOrAfter attributes are returned in the SAML response, Passport-SAML will validate them against the current time +/- a configurable clock skew value. The default for the skew is 0s. This is to account for differences between the clock time on the client (Node server with Passport-SAML) and the server (Identity provider).

NotBefore and NotOnOrAfter can be part of either the SubjectConfirmation element, or within in the Assertion/Conditions element in the SAML response.

Subject confirmation validation

When configured (turn validateInResponseTo to true in the Passport-SAML config), the InResponseTo attribute will be validated. Validation will succeed if Passport-SAML previously generated a SAML request with an id that matches the value of InResponseTo.

Also note that InResponseTo is validated as an attribute of the top level Response element in the SAML response, as well as part of the SubjectConfirmation element.

Previous request id's generated for SAML requests will eventually expire. This is controlled with the requestIdExpirationPeriodMs option passed into the Passport-SAML config. The default is 28,800,000 ms (8 hours). Once expired, a subsequent SAML response received with an InResponseTo equal to the expired id will not validate and an error will be returned.

Cache Provider

When InResponseTo validation is turned on, Passport-SAML will store generated request ids used in SAML requests to the IdP. The implementation of how things are stored, checked to see if they exist, and eventually removed is from the Cache Provider used by Passport-SAML.

The default implementation is a simple in-memory cache provider. For multiple server/process scenarios, this will not be sufficient as the server/process that generated the request id and stored in memory could be different than the server/process handling the SAML response. The InResponseTo could fail in this case erroneously.

To support this scenario you can provide an implementation for a cache provider by providing an object with following functions:

{
    save: function(key, value, callback) {
      // save the key with the optional value, invokes the callback with the value saves
    },
    get: function(key, callback) {
      // invokes 'callback' and passes the value if found, null otherwise
    },
    remove: function(key, callback) {
      // removes the key from the cache, invokes `callback` with the
      // key removed, null if no key is removed
    }
}

The callback argument is a function in the style of normal Node callbacks:

function callback(err, result)
{

}

Provide an instance of an object which has these functions passed to the cacheProvider config option when using Passport-SAML.

SLO (single logout)

Passport-SAML has built in support for SLO including

  • Signature validation
  • IdP initiated and SP initiated logouts
  • Decryption of encrypted name identifiers in IdP initiated logout
  • Redirect and POST SAML Protocol Bindings

ChangeLog

See Releases to find the changes that go into each release.

FAQ

Is there an example I can look at?

Gerard Braad has provided an example app at https://github.com/gbraad/passport-saml-example/

Node Support Policy

We only support Long-Term Support versions of Node.

We specifically limit our support to LTS versions of Node, not because this package won't work on other versions, but because we have a limited amount of time, and supporting LTS offers the greatest return on that investment.

It's possible this package will work correctly on newer versions of Node. It may even be possible to use this package on older versions of Node, though that's more unlikely as we'll make every effort to take advantage of features available in the oldest LTS version we support.

As each Node LTS version reaches its end-of-life we will remove that version from the node engines property of our package's package.json file. Removing a Node version is considered a breaking change and will entail the publishing of a new major version of this package. We will not accept any requests to support an end-of-life version of Node. Any merge requests or issues supporting an end-of-life version of Node will be closed.

We will accept code that allows this package to run on newer, non-LTS, versions of Node.