
Redeclare the namespace on NameID
Workaround for a change in the CBS behaviour
where CBS could no longer parse the encrypted
NameID in logout requests.
Doug M. Harris committed Nov 12, 2020
1 parent 89a4c07 commit fab4a85
Showing 2 changed files with 11 additions and 10 deletions.
19 changes: 10 additions & 9 deletions lib/passport-saml/saml.js
@@ -185,7 +185,7 @@ SAML.prototype.generateAuthorizeRequest = function (req, isPassive, isHttpPostBi
isPassive = true;
allowCreate = false;
}

if (isPassive)
request['samlp:AuthnRequest']['@IsPassive'] = true;

@@ -260,18 +260,19 @@ SAML.prototype.generateLogoutRequest = function (req) {
};

var nameId = {
'saml:NameID' : {
'NameID' : {
'@xmlns': 'urn:oasis:names:tc:SAML:2.0:assertion',
'@Format': req.user.nameIDFormat,
'#text': req.user.nameID
}
};

if (req.user.nameQualifier != null) {
nameId['saml:NameID']['@NameQualifier'] = req.user.nameQualifier;
nameId['NameID']['@NameQualifier'] = req.user.nameQualifier;
}

if (req.user.spNameQualifier != null) {
nameId['saml:NameID']['@SPNameQualifier'] = req.user.spNameQualifier;
nameId['NameID']['@SPNameQualifier'] = req.user.spNameQualifier;
}

if (this.options.encryptionCert) {
@@ -294,7 +295,7 @@ SAML.prototype.generateLogoutRequest = function (req) {
'#text': req.user.sessionIndex
};
}

return Q.ninvoke(this.cacheProvider, 'save', id, instant)
.then(function() {
return xmlbuilder.create(request).end();
@@ -308,12 +309,12 @@ SAML.prototype.generateLogoutRequest = function (req) {
'#text': req.user.sessionIndex
};
}

return Q.ninvoke(this.cacheProvider, 'save', id, instant)
.then(function() {
return xmlbuilder.create(request).end();
});

}
};

@@ -322,7 +323,7 @@ SAML.prototype.generateLogoutResponse = function (req, logoutRequest) {
var instant = this.generateInstant();

let status = logoutRequest.status || 'urn:oasis:names:tc:SAML:2.0:status:Success'

let request = {
'samlp:LogoutResponse' : {
'@xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol',
@@ -906,7 +907,7 @@ SAML.prototype.verifyLogoutResponse = function (doc) {
if (secondLevelStatus && secondLevelStatus[0].$.Value === "urn:oasis:names:tc:SAML:2.0:status:PartialLogout") {
throw 'Bad status code: ' + secondLevelStatus[0].$.Value;
}

this.verifyIssuer(doc.LogoutResponse);
var inResponseTo = doc.LogoutResponse.$.InResponseTo;
if (inResponseTo) {
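Review bot: The switch from `'saml:NameID'` to an unprefixed `'NameID'` that carries its own `@xmlns` default declaration is not explained anywhere in the code, while the rest of the document keeps prefixed names (e.g. `'samlp:LogoutResponse'` with `@xmlns:samlp` in the hunk further down), so a later cleanup is likely to revert it and reintroduce the breakage the commit message describes. Add a comment above `var nameId = {` such as `// Deliberately unprefixed with an explicit default xmlns: the encrypted NameID must remain parseable by CBS (see commit fab4a85); do not "normalize" back to saml:NameID.` The element's qualified name (namespace URI plus local name) is unchanged, so a receiver that resolves namespaces properly should see no difference, and the observable effect is presumably confined to the encrypted form built under `if (this.options.encryptionCert)`, whose body lies outside this hunk and should be checked to confirm that is where the element is serialized on its own. generateLogoutRequest begins before and ends after this hunk.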
2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "@sic/passport-saml",
"version": "1.4.2",
"version": "1.4.3",
"license": "MIT",
"keywords": [
"saml",
