Feature: add facility in config to add <Extensions> element in SAML request
#11
Conversation
|
I think @cjbarth we can start discussion from here node-saml/passport-saml#607 (comment) |
|
What do you think about taking the object as JSON or XML literal and then, in the ctor, making sure it can be converted to an |
|
Thank you @cjbarth for quick response. Currently user can pass json which is directly accepted by So could you please describe, instead of above one what json/xml format you like to pass? |
|
I'm not suggesting a different format. I'm suggesting that you adjust the ctor so that we validate the incoming data and throw if it doesn't conform to some basic checks. I'd really prefer not to blindly take whatever is put there and just add it to the outgoing SAML document. |
|
If I remember correctly extensions type in schema is ”sequence of any” so there isn’t much to check except that provided xml elements are valid. When those two example xml elements provided by @kdhttps would be added/injected to authn request generated by
In fact validation of SAML messages against SAML schema is proposed by OWASP (although following cheat sheet seems to be written from receiver point of view): https://cheatsheetseries.owasp.org/cheatsheets/SAML_Security_Cheat_Sheet.html FWIW: Here is also example of European Union’s eIDAS specification which also uses extensions (in service metadata and authn request): BTW. @kdhttps if I interpreted current content of this PR correctly |
No sure Mate, Currently I have a requirement to keep it fixed. But I can see in suomi.fi docs that there are some other ways also to pass language element. About schema validation, I think we don't have a fixed schema to validate it with SAML Request XML, as you can see there are many So I guess, the application developer has to manually verify saml request. Please let me know if I missed something and Let me know your suggestions. Thank you, Team! |
|
@kdhttps as I said there isn’t any schema which could be used to validate content which is put to extensions block
I should have used word well-formed instead of valid in that particular paragraph. On third paragraph my proposal was to use validating XML parser to validate e.g. produced authnrequest. This would implicitly check that extensions element doesn’t contain something that would not pass authnrequest validation from XML document validation point of view (for example elements which use unbound namespace prefixes or malformed xml which are pretty much only validations that could be done to content of extensions element because it - the content of extensions - can be sequence of anything). SAML protocol schema is available e.g. from here https://docs.oasis-open.org/security/saml/v2.0/saml-schema-protocol-2.0.xsd About enabling different extensions element content per request. IMHO if authnrequest extensions content is meant to be used to provide different content per authnrequest then node-saml library should enable it instead of forcing developers to instantiate new SAML object per request (of course implementation could merge some values from stack configuration options but it should also allow real per request content). Not directly related to this case but passport-saml has already one ”half baked” per request thing see node-saml/passport-saml#541 (comment) btw. you can use e.g. this https://www.samltool.com/validate_xml.php to debug authnrequests produced by node-saml. It shall produce error if extensions contains elements which namespace prefix is unbound / undefined (I am referring to this pull request’s README.md content and specifically to md:RequestedAttribute stuff at that example). i.e. Validating Authnrequest with this extensions content <md:RequestedAttribute isRequired="true" Name="Lastname" />
<vetuma xmlns="urn:vetuma:SAML:2.0:extensions">
<LG>sv</LG>
</vetuma>Produces
In this particular case content should be <md:RequestedAttribute xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" isRequired="true" Name="Lastname" />
<vetuma xmlns="urn:vetuma:SAML:2.0:extensions">
<LG>sv</LG>
</vetuma> |
About, XML Schema validation, I found libxmljs which provide facility to validate xml again schema. I need your suggestion on this lib. May I use it for validation? I can see, node-saml is using Thank you! |
@kdhttps just in case this question was directed for me: if node ecosystem does not have native javascript xml library which understand xml schemas I would not introduce yet another xml library dependency (which needs native library). I would just let developers to make sure that they don't mess up with extensions and if they do then they just have to communicate with their IdP provider whats wrong with authnrequests syntax. For the record: I am not using passport-saml or node-saml and not going to use these. Checking out passport-saml every now and then is more like a hobby. So you should wait @cjbarth and @markstos etc. comments before proceeding with those content checks requested by @cjbarth |
Great 💯 @srd90
Sure, let's wait!!! |
|
I'm not a big fan of using libraries that require
I understand that rule 2 would be a little hard to determine without validating against some schema. I'm not opposed to a schema validation, in fact, I think that would yield some real long-term benefits to the system. However, I feel like there is an opportunity for some low-hanging fruit here, short of such a full validation system. If we simply check the incoming |
|
Thanks for working on this @kdhttps. I just had a customer ask if we supported this feature as well, so I'm also interested to see this get merged. |
|
About,
After some research I found that we can add one validation where element must have namespace like @srd90 maintained here. I am not finding any other validation check for About,
I found this XML Security Cheet sheet. Most problem should be handle by parser(at IDP side) and we are not parsing xml. we are just taking JSON from user and passes it to Please review code and let me know if you want me to add/change anything. Thank you!!! |
| @@ -376,13 +387,27 @@ class SAML { | |||
| "@xmlns:saml": "urn:oasis:names:tc:SAML:2.0:assertion", | |||
| "#text": this.options.issuer, | |||
| }, | |||
| "samlp:Extensions": {}, | |||
There was a problem hiding this comment.
Why do you add the empty value here and then delete it later when not needed? The pattern you used previously just adds the value if you need it and skips the extra logic to delete if not needed.
There was a problem hiding this comment.
it is because strick type of NameID here
Line 60 in 71d9fe5
and samlp:Extensions element should be placed before NameID. There is other way also but I choose and Like to keep this one for safe type.
There was a problem hiding this comment.
@cjbarth once you get time, please review it
|
@kdhttps Can you please clean up the merge conflicts before I review? |
|
@cjbarth done, please review it again |
Issue
close node-saml/passport-saml#602
Linked PR: node-saml/passport-saml#607
Description
Add support in
passport-samlwhere it will allow admin to configure fully customise<Extensions>element and add it into SAML Request.<Extensions>element are use to request custom attributes and setting. Its structure and values different as as IDP configurations and requests.Use cases
<Extensions>element to request attributes/data. More details, oasis-open.org SAML V2.0 Protocol Extension for Requesting Attributes per Request<Extensions>element to request with some custom config. For Example: In suomi.fi idp, its allows SP to request with custom language code by passing it<Extensions>element. More detailsChanges
src/node-saml/types.ts: addedextensionsoptional variable. The type isanyand it accept XMLBuilder type values because as per use cases and IDPs', there are many cases and each use cases have different request format/data. Please let me know what is your view on this.src/node-saml/saml.ts: added it inrequest. As it has already XMLBuilder values so no need to do any processing.Checklist: