Gathering detailed insights and metrics for saml2-js-fork
Gathering detailed insights and metrics for saml2-js-fork
Node module to abstract away the complexities of the SAML protocol behind an easy to use interface.
3.0.2
Apache-2.0
CoffeeScript
236.05 kB
Installations
npm install saml2-js-forkDeveloper Guide
BETA
Typescript
No
Module System
CommonJS
Min. Node Version
>=10.x
Node Version
16.13.0
NPM Version
8.1.0
Releases
Unable to fetch releases
Languages
2
CoffeeScript
JavaScript
CoffeeScript (99.95%)
JavaScript (0.05%)
Developer
zygmuntowskipawel
Download Statistics
Total Downloads
0
Last Day
0
Last Week
0
Last Month
0
Last Year
0
GitHub Statistics
Apache-2.0 License
342 Commits
3 Branches
1 Contributors
Updated on Mar 01, 2022
Maintainers
1
Package Meta Information
Latest Version
3.0.2
Package Id
saml2-js-fork@3.0.2
Unpacked Size
236.05 kB
Size
70.05 kB
File Count
49
NPM Version
8.1.0
Node Version
16.13.0
Total Downloads
Cumulative downloads
Total Downloads
NaN
Last Day
0%
NaN
Compared to previous day
Last Week
0%
NaN
Compared to previous week
Last Month
0%
NaN
Compared to previous month
Last Year
0%
NaN
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dev Dependencies
3
SAML2-js
saml2-js is a node module that abstracts away the complexities of the SAML protocol behind an easy to use interface.
Usage
Install with npm.
1 npm install saml2-js --save
Include the SAML library.
1 var saml2 = require('saml2-js');
Documentation
This library exports two constructors.
ServiceProvider- Represents a service provider that relies on a trustedIdentityProviderfor authentication and authorization in the SAML flow.IdentityProvider- Represents an online service that authenticates users in the SAML flow.
Note: Some options can be set on the SP, IdP, and/or on a per-method basis. For the options that are set in multiple places, they are overridden in the following order: per-method basis overrides IdP which overrides SP.
ServiceProvider(options)
Represents a service provider that relies on a trusted IdentityProvider for authentication and authorization in the SAML flow.
Options
An object that can contain the below options. All options are strings, unless specified otherwise. See note for more information on options.
entity_id- Required - Unique identifier for the service provider, often the URL of the metadata file.private_key- Required - (PEM format string) - Private key for the service provider.certificate- Required - (PEM format string) - Certificate for the service provider.assert_endpoint- Required - URL of service provider assert endpoint.alt_private_keys- (Array of PEM format strings) - Additional private keys to use when attempting to decrypt responses. Useful for adding backward-compatibility for old certificates after a rollover.alt_certs- (Array of PEM format strings) - Additional certificates to expose in the SAML metadata. Useful for staging new certificates for rollovers.audience- (String or RegExp) — If set, at least one of the<Audience>values within the<AudienceRestriction>condition of a SAML authentication response must match. Defaults toentity_id.notbefore_skew- (Number) – To account for clock skew between IdP and SP, accept responses with a NotBefore condition ahead of the current time (according to our clock) by this number of seconds. Defaults to 1. Set it to 0 for optimum security but no tolerance for clock skew.force_authn- (Boolean) - If true, forces re-authentication of users even if the user has a SSO session with the IdP. This can also be configured on the IdP or on a per-method basis.auth_context- SpecifiesAuthnContextClassRef. This can also be configured on a per-method basis.nameid_format- Format for Name ID. This can also be configured on a per-method basis.sign_get_request- (Boolean) - If true, signs the request. This can also be configured on the IdP or on a per-method basis.allow_unencrypted_assertion- (Boolean) - If true, allows unencrypted assertions. This can also be configured on the IdP or on a per-method basis.
Returns the following functions
create_login_request_url(IdP, options, cb)- Get a URL to initiate a login.redirect_assert(IdP, options, cb)- Gets a SAML response object if the login attempt is valid, used for redirect binding.post_assert(IdP, options, cb)- Gets a SAML response object if the login attempt is valid, used for post binding.create_logout_request_url(IdP, options, cb)- Creates a SAML Request URL to initiate a user logout.create_logout_response_url(IdP, options, cb)- Creates a SAML Response URL to confirm a successful IdP initiated logout.create_metadata()- Returns the XML metadata used during the initial SAML configuration.
Example
1 2 var sp_options = { 3 entity_id: "https://sp.example.com/metadata.xml", 4 private_key: fs.readFileSync("key-file.pem").toString(), 5 certificate: fs.readFileSync("cert-file.crt").toString(), 6 assert_endpoint: "https://sp.example.com/assert", 7 force_authn: true, 8 auth_context: { comparison: "exact", class_refs: ["urn:oasis:names:tc:SAML:1.0:am:password"] }, 9 nameid_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", 10 sign_get_request: false, 11 allow_unencrypted_assertion: true 12 } 13 14 // Call service provider constructor with options 15 var sp = new saml2.ServiceProvider(sp_options); 16 17 // Example use of service provider. 18 // Call metadata to get XML metatadata used in configuration. 19 var metadata = sp.create_metadata(); 20
Service provider function definitions
create_login_request_url(IdP, options, cb)
Get a URL to initiate a login.
Takes the following arguments:
IdP- IdPoptions- An object that can contain the below options. All options are strings, unless specified otherwise. See note for more information on options.relay_state- SAML relay state.auth_context- SpecifiesAuthnContextClassRef. This can also be configured on the SP.nameid_format- Format for Name ID. This can also be configured on the SP.force_authn- (Boolean) - If true, forces re-authentication of users even if the user has a SSO session with the IdP. This can also be configured on the IdP or SP.sign_get_request- (Boolean) - If true, signs the request. This can also be configured on the IdP or SP.
cb(error, login_url, request_id)- Callback called with the login URL and ID of the request.
redirect_assert(IdP, options, cb)
Gets a SAML response object if the login attempt is valid, used for redirect binding.
Takes the following arguments:
IdP- IdPoptions- An object that can contain the below options. All options are strings, unless specified otherwise. See note for more information on options.request_body- (Object) - An object containing the parsed query string parameters. This object should contain the value for either aSAMLResponseorSAMLRequest.allow_unencrypted_assertion- (Boolean) - If true, allows unencrypted assertions. This can also be configured on the IdP or SP.require_session_index- (Boolean) - If false, allow the assertion to be valid without aSessionIndexattribute on theAuthnStatementnode.
cb(error, response)- Callback called with the request response.
1{ response_header: 2 { id: '_abc-1', 3 destination: 'https://sp.example.com/assert', 4 in_response_to: '_abc-2' }, 5 type: 'authn_response', 6 user: 7 { name_id: 'nameid', 8 session_index: '_abc-3', 9 attributes: 10 { 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname': [ 'Test' ] } } }
post_assert(IdP, options, cb)
Gets a SAML response object if the login attempt is valid, used for post binding.
Takes the following arguments:
IdP- IdPoptions- An object that can contain the below options. All options are strings, unless specified otherwise. See note for more information on options.request_body- (Object) - An object containing the parsed query string parameters. This object should contain the value for either aSAMLResponseorSAMLRequest.allow_unencrypted_assertion- (Boolean) - If true, allows unencrypted assertions. This can also be configured on the IdP or SP.require_session_index- (Boolean) - If false, allow the assertion to be valid without aSessionIndexattribute on theAuthnStatementnode.audience- (String or RegExp) — If set, at least one of the<Audience>values within the<AudienceRestriction>condition of a SAML authentication response must match. Defaults toentity_id.notbefore_skew- (Number) – To account for clock skew between IdP and SP, accept responses with a NotBefore condition ahead of the current time (according to our clock) by this number of seconds. Defaults to 1. Set it to 0 for optimum security but no tolerance for clock skew.
cb(error, response)- Callback called with the request response.
create_logout_request_url(IdP, options, cb)
Creates a SAML Request URL to initiate a user logout.
Takes the following arguments:
IdP- IdP. Note: Can passsso_logout_urlinstead of IdP.options- An object that can contain the below options. All options are strings, unless specified otherwise. See note for more information on options.name_id- Format for Name ID. This can also be configured on a per-method basis.session_index- Session index to use for creating logout request.allow_unencrypted_assertion- (Boolean) - If true, allows unencrypted assertions. This can also be configured on the IdP or SP.sign_get_request- (Boolean) - If true, signs the request. This can also be configured on the IdP or SP.relay_state- SAML relay state.
cb(error, request_url)- Callback called with the logout request url.
create_logout_response_url(IdP, options, cb)
Creates a SAML Response URL to confirm a successful IdP initiated logout.
Takes the following arguments:
IdP- IdP. Note: Can passsso_logout_urlinstead of IdP.options- An object that can contain the below options. All options are strings, unless specified otherwise. See note for more information on options.cb(error, response_url)- Callback called with the logout response url.
create_metadata()
Returns the XML metadata used during the initial SAML configuration.
IdentityProvider(options)
Represents an online service that authenticates users in the SAML flow.
Returns no functions, exists solely to be passed to an SP function.
Options
An object that can contain the below options. All options are strings, unless specified otherwise. See note for more information on options.
sso_login_url- Required - Login url to use during a login request.sso_logout_url- Required - Logout url to use during a logout request.certificates- Required - (PEM format string or array of PEM format strings) - Certificate or certificates (array of certificate) for the identity provider.force_authn- (Boolean) - If true, forces re-authentication of users even if the user has a SSO session with the IdP. This can also be configured on the SP or on a per-method basis.sign_get_request- (Boolean) - If true, signs the request. This can also be configured on the [SP or on a per-method basis.allow_unencrypted_assertion- (Boolean) - If true, allows unencrypted assertions. This can also be configured on the SP or on a per-method basis.
Example
1 2 // Initialize options object 3 var idp_options = { 4 sso_login_url: "https://idp.example.com/login", 5 sso_logout_url: "https://idp.example.com/logout", 6 certificates: [fs.readFileSync("cert-file1.crt").toString(), fs.readFileSync("cert-file2.crt").toString()], 7 force_authn: true, 8 sign_get_request: false, 9 allow_unencrypted_assertion: false 10 }; 11 12 // Call identity provider constructor with options 13 var idp = new saml2.IdentityProvider(idp_options); 14 15 // Example usage of identity provider. 16 // Pass identity provider into a service provider function with options and a callback. 17 sp.post_assert(idp, {}, callback); 18
Example: Express implementation
Library users will need to implement a set of URL endpoints, here is an example of express endpoints.
1var saml2 = require('saml2-js'); 2var fs = require('fs'); 3var express = require('express'); 4var app = express(); 5var bodyParser = require('body-parser'); 6app.use(bodyParser.urlencoded({ 7 extended: true 8})); 9 10// Create service provider 11var sp_options = { 12 entity_id: "https://sp.example.com/metadata.xml", 13 private_key: fs.readFileSync("key-file.pem").toString(), 14 certificate: fs.readFileSync("cert-file.crt").toString(), 15 assert_endpoint: "https://sp.example.com/assert" 16}; 17var sp = new saml2.ServiceProvider(sp_options); 18 19// Create identity provider 20var idp_options = { 21 sso_login_url: "https://idp.example.com/login", 22 sso_logout_url: "https://idp.example.com/logout", 23 certificates: [fs.readFileSync("cert-file1.crt").toString(), fs.readFileSync("cert-file2.crt").toString()] 24}; 25var idp = new saml2.IdentityProvider(idp_options); 26 27// ------ Define express endpoints ------ 28 29// Endpoint to retrieve metadata 30app.get("/metadata.xml", function(req, res) { 31 res.type('application/xml'); 32 res.send(sp.create_metadata()); 33}); 34 35// Starting point for login 36app.get("/login", function(req, res) { 37 sp.create_login_request_url(idp, {}, function(err, login_url, request_id) { 38 if (err != null) 39 return res.send(500); 40 res.redirect(login_url); 41 }); 42}); 43 44// Assert endpoint for when login completes 45app.post("/assert", function(req, res) { 46 var options = {request_body: req.body}; 47 sp.post_assert(idp, options, function(err, saml_response) { 48 if (err != null) 49 return res.send(500); 50 51 // Save name_id and session_index for logout 52 // Note: In practice these should be saved in the user session, not globally. 53 name_id = saml_response.user.name_id; 54 session_index = saml_response.user.session_index; 55 56 res.send("Hello #{saml_response.user.name_id}!"); 57 }); 58}); 59 60// Starting point for logout 61app.get("/logout", function(req, res) { 62 var options = { 63 name_id: name_id, 64 session_index: session_index 65 }; 66 67 sp.create_logout_request_url(idp, options, function(err, logout_url) { 68 if (err != null) 69 return res.send(500); 70 res.redirect(logout_url); 71 }); 72}); 73 74app.listen(3000); 75
No vulnerabilities found.
No security vulnerabilities found.