Merge pull request #16 from auth0/non-embedded-signatures

Added support for SAML Responses with no embedded signatures
auth0 · May 28, 2015 · ae2a4ca · ae2a4ca
2 parents 716100f + e191a00
commit ae2a4ca
Show file tree

Hide file tree

Showing 2 changed files with 71 additions and 0 deletions.
diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js
@@ -46,6 +46,14 @@ SAML.prototype.validateSignature = function (xml, options, callback) {
       return "<X509Data></X509Data>";
     },
     getKey: function (keyInfo) {
+
+      //If there's no embedded signing cert, use the configured cert through options
+      if(keyInfo.length===0){
+        if(!options.cert) throw new Error('options.cert must be specified for SAMLResponses with no embedded signing certificate');
+        return self.certToPEM(options.cert);
+      }
+
+      //If there's an embedded signature and thumprints are provided check that
       if (options.thumbprints && options.thumbprints.length > 0)  {
         var embeddedSignature = keyInfo[0].getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "X509Certificate");
         if (embeddedSignature.length > 0) {
@@ -59,6 +67,9 @@ SAML.prototype.validateSignature = function (xml, options, callback) {
         }
       }
 
+      // If there's an embedded signature, but no thumprints are supplied, use options.cert
+      // either options.cert or options.thumbprints must be specified so at this point there 
+      // must be an options.cert
       return self.certToPEM(options.cert);
     }
   };

diff --git a/test/interop.tests.js b/test/interop.tests.js