Merge commit '966b97a54e7a4b25316716c20e1f524b64cf8a22' into multiple…

…-authn-context * commit '966b97a54e7a4b25316716c20e1f524b64cf8a22': internal: provide unique failure messages for invalid signatures. Fixes node-saml#146 package.json: bump version to 0.33.0 docs: mention that disableRequestAuthnContext helps with AD FS
cjbarth · Sep 11, 2018 · 14de3d9 · 14de3d9
2 parents baec1af + 966b97a
commit 14de3d9
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 13 deletions.
diff --git a/README.md b/README.md
@@ -63,7 +63,7 @@ passport.use(new SamlStrategy(
   * `identifierFormat`: if truthy, name identifier format to request from identity provider (default: `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`)
   * `acceptedClockSkewMs`: Time in milliseconds of skew that is acceptable between client and server when checking `OnBefore` and `NotOnOrAfter` assertion condition validity timestamps.  Setting to `-1` will disable checking these conditions entirely.  Default is `0`.
   * `attributeConsumingServiceIndex`: optional `AttributeConsumingServiceIndex` attribute to add to AuthnRequest to instruct the IDP which attribute set to attach to the response ([link](http://blog.aniljohn.com/2014/01/data-minimization-front-channel-saml-attribute-requests.html))
-  * `disableRequestedAuthnContext`: if truthy, do not request a specific auth context
+  * `disableRequestedAuthnContext`: if truthy, do not request a specific authentication context. This is [known to help when authenticating against Active Directory](https://github.com/bergie/passport-saml/issues/226) (AD FS) servers.
   * `authnContext`: if truthy, name identifier format to request auth context (default: `urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport`)
   * `forceAuthn`: if set to true, the initial SAML request from the service provider specifies that the IdP should force re-authentication of the user, even if they possess a valid session.
   * `providerName`: optional human-readable name of the requester for use by the presenter's user agent or the identity provider
@@ -131,7 +131,7 @@ For example:
 ```
 
 
-It is a good idea to validate the incoming SAML Responses. For this, you can provide the Identity Provider's public PEM-encoded X.509 certificate using the `cert` confguration key. The "BEGIN CERTIFICATE" and "END CERTIFICATE" lines should be stripped out and the certificate should be provided on a single line.
+It is a good idea to validate the signatures of the incoming SAML Responses. For this, you can provide the Identity Provider's public PEM-encoded X.509 signing certificate using the `cert` confguration key. The "BEGIN CERTIFICATE" and "END CERTIFICATE" lines should be stripped out and the certificate should be provided on a single line.
 
 ```javascript
     cert: 'MIICizCCAfQCCQCY8tKaMc0BMjANBgkqh ... W=='

diff --git a/lib/passport-saml/saml.js b/lib/passport-saml/saml.js
@@ -588,7 +588,7 @@ SAML.prototype.validatePostResponse = function (container, callback) {
     if (assertions.length + encryptedAssertions.length > 1) {
       // There's no reason I know of that we want to handle multiple assertions, and it seems like a
       //   potential risk vector for signature scope issues, so treat this as an invalid signature
-      throw new Error('Invalid signature');
+      throw new Error('Invalid signature: multiple assertions');
     }
 
     if (assertions.length == 1) {
@@ -617,7 +617,7 @@ SAML.prototype.validatePostResponse = function (container, callback) {
           if (self.options.cert &&
               !validSignature &&
               !self.validateSignature(decryptedXml, decryptedAssertions[0], certs))
-            throw new Error('Invalid signature');
+            throw new Error('Invalid signature from encrypted assertion');
 
           self.processValidlySignedAssertion(decryptedAssertions[0].toString(), inResponseTo, callback);
         });
@@ -645,7 +645,7 @@ SAML.prototype.validatePostResponse = function (container, callback) {
                 var nestedStatusCode = statusCode[0].StatusCode;
                 if (nestedStatusCode && nestedStatusCode[0].$.Value === "urn:oasis:names:tc:SAML:2.0:status:NoPassive") {
                   if (self.options.cert && !validSignature) {
-                    throw new Error('Invalid signature');
+                    throw new Error('Invalid signature: NoPassive');
                   }
                   return callback(null, null, false);
                 }
@@ -677,7 +677,7 @@ SAML.prototype.validatePostResponse = function (container, callback) {
           }
         } else {
           if (self.options.cert && !validSignature) {
-            throw new Error('Invalid signature');
+            throw new Error('Invalid signature: No response found');
           }
           var logoutResponse = doc.LogoutResponse;
           if (logoutResponse){
@@ -921,7 +921,7 @@ SAML.prototype.validatePostRequest = function (container, callback) {
     .then(function(certs) {
       // Check if this document has a valid top-level signature
       if (self.options.cert && !self.validateSignature(xml, dom.documentElement, certs)) {
-        return callback(new Error('Invalid signature'));
+        return callback(new Error('Invalid signature on documentElement'));
       }
 
       processValidlySignedPostRequest(self, doc, callback);

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "passport-saml",
-  "version": "0.32.1",
+  "version": "0.33.0",
   "license" : "MIT",
   "keywords": [
     "saml",

diff --git a/test/tests.js b/test/tests.js