Gathering detailed insights and metrics for passport-saml-metadata
Gathering detailed insights and metrics for passport-saml-metadata
SAML 2.0 Metadata utilities for PassportJS
Installations
npm install passport-saml-metadataDeveloper Guide
BETA
Typescript
Yes
Module System
ESM
Min. Node Version
>= 18
Node Version
20.10.0
NPM Version
10.2.3
Score
86.9
Supply Chain
96.1
Quality
78.5
Maintenance
100
Vulnerability
99.3
License
Releases
Unable to fetch releases
Languages
2
JavaScript
Makefile
JavaScript (99.03%)
Makefile (0.97%)
Developer
Download Statistics
Total Downloads
3,642,246
Last Day
2,028
Last Week
12,588
Last Month
60,471
Last Year
853,958
GitHub Statistics
15 Stars
144 Commits
11 Forks
3 Watchers
2 Branches
1 Contributors
Updated on Mar 18, 2025
Bundle Size
786.04 kB
Minified
205.69 kB
Minified + Gzipped
Maintainers
1
Package Meta Information
Latest Version
5.0.0
Package Id
passport-saml-metadata@5.0.0
Unpacked Size
27.91 kB
Size
5.45 kB
File Count
7
NPM Version
10.2.3
Node Version
20.10.0
Published on
Mar 18, 2025
Total Downloads
Cumulative downloads
Total Downloads
3,642,246
Dev Dependencies
5
passport-saml-metadata
Utilities for reading configuration from SAML 2.0 Metadata XML files, such as those generated by Active Directory Federation Services (ADFS).
Installation
npm install passport-saml-metadata
Usage Example
1const os = require('os'); 2const fileCache = require('file-system-cache').default; 3const { fetch, toPassportConfig, claimsToCamelCase } = require('passport-saml-metadata'); 4const SamlStrategy = require('passport-wsfed-saml2').Strategy; 5 6const backupStore = fileCache({ basePath: os.tmpdir() }); 7const url = 'https://adfs.company.com/federationMetadata/2007-06/FederationMetadata.xml'; 8 9fetch({ url, backupStore }) 10 .then((reader) => { 11 const config = toPassportConfig(reader); 12 config.realm = 'urn:nodejs:passport-saml-metadata-example-app'; 13 config.protocol = 'saml2'; 14 15 passport.use('saml', new SamlStrategy(config, function(profile, done) { 16 profile = claimsToCamelCase(profile, reader.claimSchema); 17 done(null, profile); 18 })); 19 20 passport.serializeUser((user, done) => { 21 done(null, user); 22 }); 23 24 passport.deserializeUser((user, done) => { 25 done(null, user); 26 }); 27 });
See compwright/passport-saml-example for a complete reference implementation.
API
fetch(config = {})
When called, it will attempt to load the metadata XML from the supplied URL. If it fails due to a request timeout or other error, it will attempt to load from the backupStore cache.
Config:
clientAxios instanceurl(required) Metadata XML file URLtimeoutTime to wait before falling back to thebackupStore, in ms (default =2000)backupStoreAny persistent cache adapter object withget(key)andset(key, value)methods (default =new Map())
Additional configuration options supported: https://github.com/axios/axios#request-config
Returns a promise which resolves, if successful, to an instance of MetadataReader.
toPassportConfig(reader, options = { multipleCerts: false })
Transforms metadata extracts for use in Passport strategy configuration. The following strategies are currently supported:
Config:
multipleCerts(boolean): causes the full array of signing certificates to be passed to the passport config instead of assuming the last certificate is the most recent one. Note: this option is not compatible with passport-wsfed-saml2.
claimsToCamelCase(claims, claimSchema)
Translates the claim identifier URLs to human-friendly camelCase versions. Useful in Passport verifier functions.
claimSchema should be an object of the following format, such as from MetadataReader.claimSchema():
1{ 2 [claimURL]: { 3 name: claimUrl, 4 camelCase: 'claimIdentifierInCamelCase', 5 description: 'Some description' 6 }, 7 ... 8}
Example:
1function verifier(profile, done) { 2 profile = passportSamlMetadata.claimsToCamelCase(profile, reader.claimSchema); 3 done(null, profile); 4}
new MetadataReader(metadataXml, options)
Options parameter details:
authnRequestBinding: if set toHTTP-POST, will attempt to load identityProviderUrl/logoutUrl via HTTP-POST binding in metadata, otherwise defaults toHTTP-RedirectthrowExceptions: if set totrue, will throw upon exception
Parses metadata XML and extracts the following properties:
identifierFormat(e.g.urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress)identityProviderUrl(e.g. https://adfs.server.url/adfs/ls/)logoutUrl(e.g. https://adfs.server.url/adfs/ls/)signingCertencryptionCertclaimSchema- an object hash of claim identifiers that may be provided in the SAML assertion
Methods:
query(query)- queries themetadataXmlusing XPath.
metadata(app)(config = {})
Returns a function which sets up an Express application route to generate the metadata XML file for your application at /FederationMetadata/2007-06/FederationMetadata.xml. ADFS servers may import the resulting file to set up the relying party trust.
Config:
issuer(required) The unique application identifier, used to name the relying party trust; may be a URN or URLcallbackUrl(required) The absolute URL to redirect back to with the SAML assertion after logging in, usually https://hostname[:port]/login/callbacklogoutCallbackUrlThe absolute URL to redirect back to with the SAML assertion after logging out, usually https://hostname[:port]/logout
See compwright/passport-saml-example for a usage example.
No vulnerabilities found.
Reason
no binaries found in the repo
Reason
1 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-67mh-4wv8-2f99
Reason
4 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 4
Reason
Found 4/30 approved changesets -- score normalized to 1
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Reason
license file not detected
Details
- Warn: project does not have a license file
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
branch protection not enabled on development/release branches
Details
- Warn: branch protection not enabled for branch 'master'
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 4 are checked with a SAST tool
Score
3.1
/10
Last Scanned on 2025-04-28
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More