Commit e7c77bb2 authored by Barth, Chris's avatar Barth, Chris

Specify SingleLogoutService callback url

parent 8064dda4
......@@ -70,6 +70,7 @@ Config parameter details:
* Logout
* `logoutUrl`: base address to call with logout requests (default: `entryPoint`)
* `additionalLogoutParams`: dictionary of additional query params to add to 'logout' requests
* `logoutCallbackUrl`: The value with which to populate the `Location` attribute in the `SingleLogoutService` elements in the generated service provider metadata.
### Provide the authentication callback
......
......@@ -793,15 +793,9 @@ SAML.prototype.generateServiceProviderMetadata = function( decryptionCert ) {
'@xmlns': 'urn:oasis:names:tc:SAML:2.0:metadata',
'@xmlns:ds': 'http://www.w3.org/2000/09/xmldsig#',
'@entityID': this.options.issuer,
'@ID': this.options.issuer.replace(/\W/g, '_'),
'SPSSODescriptor' : {
'@protocolSupportEnumeration': 'urn:oasis:names:tc:SAML:2.0:protocol',
'NameIDFormat' : this.options.identifierFormat,
'AssertionConsumerService' : {
'@index': '1',
'@isDefault': 'true',
'@Binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'@Location': this.getCallbackUrl({})
}
},
}
};
......@@ -833,6 +827,21 @@ SAML.prototype.generateServiceProviderMetadata = function( decryptionCert ) {
};
}
if (this.options.logoutCallbackUrl) {
metadata.EntityDescriptor.SPSSODescriptor.SingleLogoutService = {
'@Binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'@Location': this.options.logoutCallbackUrl
};
}
metadata.EntityDescriptor.SPSSODescriptor.NameIDFormat = this.options.identifierFormat;
metadata.EntityDescriptor.SPSSODescriptor.AssertionConsumerService = {
'@index': '1',
'@isDefault': 'true',
'@Binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'@Location': this.getCallbackUrl({})
};
return xmlbuilder.create(metadata).end({ pretty: true, indent: ' ', newline: '\n' });
};
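Review bot: The SPSSODescriptor assembly in the second hunk is order-sensitive — SingleLogoutService is attached after the KeyDescriptor block and before NameIDFormat and AssertionConsumerService are re-added — but nothing says why, and the SAML 2.0 metadata schema defines these children as an ordered sequence that a strict IdP-side validator will enforce. Add above the `if (this.options.logoutCallbackUrl)` line: `// SPSSODescriptor children are a schema-ordered sequence (KeyDescriptor, SingleLogoutService, NameIDFormat, AssertionConsumerService); keep these assignments in this order.` Only the HTTP-POST binding is emitted here while the README line added in this commit speaks of "SingleLogoutService elements" in the plural, so either the README should state that only POST logout is advertised or a Redirect-binding element belongs alongside it. `logoutCallbackUrl` is also placed verbatim into `@Location`, whereas the AssertionConsumerService location goes through `this.getCallbackUrl({})`, which presumably resolves the configured path against the host — worth confirming a relative `logoutCallbackUrl` is meant to be emitted unresolved. generateServiceProviderMetadata begins before the first hunk and its decryption branch is cut at the top of the second.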
......
......@@ -21,7 +21,7 @@ lHpOX1rt1R+UiTEIhTSXPNt/</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://acme_tools.com/adfs/postResponse/logout"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://acme_tools.com/adfs/postResponse/logout"/>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://acme_tools.com/adfs/postResponse/postResponse" index="0"/>
</SPSSODescriptor>
</EntityDescriptor>
<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://example.serviceprovider.com">
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://example.serviceprovider.com" ID="http___example_serviceprovider_com">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
<AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://example.serviceprovider.com/saml/callback"/>
......
<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://example.serviceprovider.com">
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://example.serviceprovider.com" ID="http___example_serviceprovider_com">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
<AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://example.serviceprovider.com/saml/callback"/>
<KeyDescriptor>
<ds:KeyInfo>
<ds:X509Data>
......@@ -39,5 +37,7 @@ nwtlCg==
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
</KeyDescriptor>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
<AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://example.serviceprovider.com/saml/callback"/>
</SPSSODescriptor>
</EntityDescriptor>
\ No newline at end of file
......@@ -579,6 +579,23 @@ describe( 'passport-saml /', function() {
});
});
it('generateServiceProviderMetadata contains logout callback url', function (done) {
var samlConfig = {
issuer: 'http://example.serviceprovider.com',
callbackUrl: 'http://example.serviceprovider.com/saml/callback',
identifierFormat: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
decryptionPvk: fs.readFileSync(__dirname + '/static/testshib encryption pvk.pem'),
logoutCallbackUrl: 'http://example.serviceprovider.com/logout'
};
var samlObj = new SAML(samlConfig);
var decryptionCert = fs.readFileSync(__dirname + '/static/testshib encryption cert.pem', 'utf-8');
var metadata = samlObj.generateServiceProviderMetadata(decryptionCert);
metadata.should.containEql('SingleLogoutService');
metadata.should.containEql(samlConfig.logoutCallbackUrl);
done();
});
it('#certToPEM should generate valid certificate', function(done){
var samlConfig = {
entryPoint: 'https://app.onelogin.com/trust/saml2/http-post/sso/371755',
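Review bot: The new test only checks that the substrings `SingleLogoutService` and the configured URL appear somewhere in the output, so it would still pass if the element were emitted with the wrong binding, outside SPSSODescriptor, or if the URL leaked into another attribute; assert the rendered element instead, e.g. `metadata.should.containEql('<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://example.serviceprovider.com/logout"/>');`. There is also no negative case guarding the `if (this.options.logoutCallbackUrl)` branch, so a regression that always emits the element (or emits it with an undefined Location) would go unnoticed. A companion test mirroring this config without `logoutCallbackUrl` covers that; it reuses the same decryption key and cert so only the option under test differs.

```javascript
it('generateServiceProviderMetadata omits SingleLogoutService without logoutCallbackUrl', function (done) {
  var samlConfig = {
    issuer: 'http://example.serviceprovider.com',
    callbackUrl: 'http://example.serviceprovider.com/saml/callback',
    identifierFormat: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
    decryptionPvk: fs.readFileSync(__dirname + '/static/testshib encryption pvk.pem')
  };
  var samlObj = new SAML(samlConfig);
  var decryptionCert = fs.readFileSync(__dirname + '/static/testshib encryption cert.pem', 'utf-8');
  var metadata = samlObj.generateServiceProviderMetadata(decryptionCert);
  metadata.should.not.containEql('SingleLogoutService');
  done();
});
```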
......