How to add signature on AuthnRequest #83

Closed
whirp opened this issue Mar 30, 2015 · 5 comments
whirp commented Mar 30, 2015

Hello,
I'm trying to add a signature to my AuthnRequest.
I've tried to add some configuration to SamlStrategy but nothing happens on the AuthnRequest XML.
Do I need to use another module like XML-Crypto? If yes, how?

This is the configuration for Strategy :

passport: {
            strategy : 'saml',
            saml : {
                entryPoint : 'https://idp.idp.it/samlsso',
                issuer : 'http://111.111.11.111:8000',
                callbackUrl : 'http://111.111.11.111:8000/login/callback',
                identifierFormat: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
                decryptionPvk: fs.readFileSync('./config/saml.key'),
                cert:'MII....Q==',
                validateInResponseTo :true,
                authnContext : 'urn:oasis:names:tc:SAML:2.0:ac:classes:name1',
                protocol: 'http://',
                attributeConsumingServiceIndex:0
            }
        }

This is how I route the login request, but I don't know how to add a signature to it:

app.get("/login",
        passport.authenticate(config.passport.strategy,
        {
            successRedirect : "/",
            failureRedirect : "/login",
        })
    );

    app.post('/login/callback',
        passport.authenticate(config.passport.strategy,
            {
                failureRedirect: '/',
                failureFlash: true
            }),
        function(req, res) {
            res.redirect('/');
        }
    );

This is the SAML AuthnRequest xml :

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    ID="_6eefdebac845aec3b311"
                    Version="2.0"
                    IssueInstant="2015-03-30T09:47:12.835Z"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    AssertionConsumerServiceURL="http://111.111.11.111:8000/login/callback"
                    Destination="https://idp.idp.it/samlsso"
                    >
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://111.111.11.111:8000</saml:Issuer>
    <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                        AllowCreate="true"
                        />
    <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                                 Comparison="exact"
                                 >
        <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:name1</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

ploer commented Apr 1, 2015

It doesn't look like you provided a privateCert argument to your config, which would definitely explain why the requests aren't signed.

ploer closed this as completed Apr 1, 2015
@matiasdecarli

I'm using the privateCert argument, but the signature is added on the parameters of the request, not on the assertion. Actually, looking at the code, I'm not seeing the signature being added to the assertion at all.

@matiasdecarli

So... I found a way to add the signature inside the assertion. Is there any interest for a Pull Request regarding this?


nikhil-cdac commented Dec 4, 2019

> So... I found a way to add the signature inside the assertion. Is there any interest for a Pull Request regarding this?

Hi, I am also looking to add the signature to the AuthnRequest rather than as a query param. How did you solve it?

@matiasdecarli

Sorry, man. This was 4 years ago, impossible to remember
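
An added example, not part of the thread and not passport-saml's own code: under the SAML 2.0 HTTP-Redirect binding, a request signature is computed over the query string and carried in `SigAlg` and `Signature` parameters rather than as a `<ds:Signature>` element inside the XML, which is consistent with the "signature on the parameters" behaviour described above. The key pair, the `state-1` RelayState value and the function names are constructed for illustration.

```javascript
// Added example (not passport-saml code): SAML 2.0 HTTP-Redirect binding signature.
const crypto = require('node:crypto');
const zlib = require('node:zlib');

const SIG_ALG = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256';

// Constructed throwaway key pair standing in for the SP's private key and public cert.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Constructed minimal AuthnRequest; values reuse the request posted in the issue.
const authnRequestXml =
  '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ' +
  'ID="_6eefdebac845aec3b311" Version="2.0" IssueInstant="2015-03-30T09:47:12.835Z" ' +
  'Destination="https://idp.idp.it/samlsso">' +
  '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">' +
  'http://111.111.11.111:8000</saml:Issuer></samlp:AuthnRequest>';

// SP side: deflate + base64 the XML, then sign the exact octets of
// "SAMLRequest=...&RelayState=...&SigAlg=..." (RelayState omitted if absent).
function buildSignedRedirectUrl(entryPoint, xml, relayState, key) {
  const parts = ['SAMLRequest=' + encodeURIComponent(zlib.deflateRawSync(xml).toString('base64'))];
  if (relayState) parts.push('RelayState=' + encodeURIComponent(relayState));
  parts.push('SigAlg=' + encodeURIComponent(SIG_ALG));
  const signedString = parts.join('&');
  const signature = crypto.sign('sha256', Buffer.from(signedString), key).toString('base64');
  return entryPoint + '?' + signedString + '&Signature=' + encodeURIComponent(signature);
}

// IdP side: verify over the raw query string as received (no re-encoding),
// and refuse unsigned requests or an unexpected algorithm.
function verifyRedirectUrl(url, key) {
  const query = url.slice(url.indexOf('?') + 1);
  const idx = query.lastIndexOf('&Signature=');
  if (idx === -1) return false;
  const signedString = query.slice(0, idx);
  const params = new URLSearchParams(query);
  if (params.get('SigAlg') !== SIG_ALG) return false;
  const signature = Buffer.from(params.get('Signature'), 'base64');
  return crypto.verify('sha256', Buffer.from(signedString), key, signature);
}

// Recover the XML to show that it carries no <ds:Signature> element.
function decodeSamlRequest(url) {
  const b64 = new URLSearchParams(url.slice(url.indexOf('?') + 1)).get('SAMLRequest');
  return zlib.inflateRawSync(Buffer.from(b64, 'base64')).toString('utf8');
}

const signedUrl = buildSignedRedirectUrl('https://idp.idp.it/samlsso', authnRequestXml, 'state-1', privateKey);
```

Because the signature covers RelayState and SigAlg as well as SAMLRequest, changing any of them in transit makes verification fail, even though the decoded XML itself is unchanged and unsigned.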
