Redeclare the namespace on NameID

Workaround for a change in the CBS behaviour where CBS could no longer parse the encrypted NameID in logout requests.
sign-in-canada · Nov 12, 2020 · fab4a85 · fab4a85
1 parent 89a4c07
commit fab4a85
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 10 deletions.
diff --git a/lib/passport-saml/saml.js b/lib/passport-saml/saml.js
@@ -185,7 +185,7 @@ SAML.prototype.generateAuthorizeRequest = function (req, isPassive, isHttpPostBi
       isPassive = true;
       allowCreate = false;
     }
-    
+
     if (isPassive)
       request['samlp:AuthnRequest']['@IsPassive'] = true;
 
@@ -260,18 +260,19 @@ SAML.prototype.generateLogoutRequest = function (req) {
   };
 
   var nameId = {
-    'saml:NameID' : {
+    'NameID' : {
+      '@xmlns': 'urn:oasis:names:tc:SAML:2.0:assertion',
       '@Format': req.user.nameIDFormat,
       '#text': req.user.nameID
     }
   };
 
   if (req.user.nameQualifier != null) {
-    nameId['saml:NameID']['@NameQualifier'] = req.user.nameQualifier;
+    nameId['NameID']['@NameQualifier'] = req.user.nameQualifier;
   }
 
   if (req.user.spNameQualifier != null) {
-    nameId['saml:NameID']['@SPNameQualifier'] = req.user.spNameQualifier;
+    nameId['NameID']['@SPNameQualifier'] = req.user.spNameQualifier;
   }
 
   if (this.options.encryptionCert) {
@@ -294,7 +295,7 @@ SAML.prototype.generateLogoutRequest = function (req) {
             '#text': req.user.sessionIndex
           };
         }
-      
+
         return Q.ninvoke(this.cacheProvider, 'save', id, instant)
           .then(function() {
             return xmlbuilder.create(request).end();
@@ -308,12 +309,12 @@ SAML.prototype.generateLogoutRequest = function (req) {
         '#text': req.user.sessionIndex
       };
     }
-  
+
     return Q.ninvoke(this.cacheProvider, 'save', id, instant)
       .then(function() {
         return xmlbuilder.create(request).end();
       });
-  
+
   }
 };
 
@@ -322,7 +323,7 @@ SAML.prototype.generateLogoutResponse = function (req, logoutRequest) {
   var instant = this.generateInstant();
 
   let status = logoutRequest.status || 'urn:oasis:names:tc:SAML:2.0:status:Success'
-  
+
   let request = {
     'samlp:LogoutResponse' : {
       '@xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol',
@@ -906,7 +907,7 @@ SAML.prototype.verifyLogoutResponse = function (doc) {
     if (secondLevelStatus && secondLevelStatus[0].$.Value === "urn:oasis:names:tc:SAML:2.0:status:PartialLogout") {
       throw 'Bad status code: ' + secondLevelStatus[0].$.Value;
     }
-      
+
     this.verifyIssuer(doc.LogoutResponse);
     var inResponseTo = doc.LogoutResponse.$.InResponseTo;
     if (inResponseTo) {

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@sic/passport-saml",
-  "version": "1.4.2",
+  "version": "1.4.3",
   "license": "MIT",
   "keywords": [
     "saml",