Merge pull request #37 from vrk-kpa/update-readme-fork-status-update
Updated fork status into Readme.md
RopoMen committed Dec 1, 2023
2 parents c670b18 + 983f690 commit a9ab8d9
Showing 1 changed file with 12 additions and 11 deletions.
23 changes: 12 additions & 11 deletions README.md
Expand Up @@ -19,24 +19,25 @@ The code was originally based on Michael Bosworth's [express-saml](https://githu
Passport-SAML has been tested to work with Onelogin, Okta, Shibboleth, [SimpleSAMLphp](http://simplesamlphp.org/) based Identity Providers, and with [Active Directory Federation Services](http://en.wikipedia.org/wiki/Active_Directory_Federation_Services).

## !! - Status of this fork - !!
**DVV teams are planning to migrate away from this fork and start using upstream version(s) as soon as possible.**

One of the biggest things that has been added into `@node-saml/node-saml 4.0.3` is support for SAML Extensions that was done in this pull request https://github.com/node-saml/node-saml/pull/11
**Update 29.11.2023**

One of the missing features in upstream versions is ability to pass used public key directly for the SAML client. Currently `@node-saml/passport-saml` and `@node-saml/node-saml` libraries are only allowing usage of certificate and SAML client is getting public key from certificate.
**DVV teams are already migrating away from this fork and starting to use upstream versions. We are NOT maintaining this repository anymore. If your organization is using this fork, please migrate to upstream `@node-saml/passport-saml`**

Currently Public Key support for `@node-saml/node-saml` is in PR phase https://github.com/node-saml/node-saml/pull/225 and we cannot give any estimate when it would be merged into master and released.
The upstream packages, namely `@node-saml/passport-saml` and `@node-saml/node-saml`, currently include the major features that were absent at the time of the creation of the suomifi-passport-saml fork.

Thereof we created also fork from `@node-saml/passport-saml` and it is using changes in that open pull request and it can be used to test upstream saml library with Suomi.fi Tunnistus using public key. Add following line in package.json file and run `npm i`.
These features are:
- Support for SAML Extensions that was done in this pull request https://github.com/node-saml/node-saml/pull/11
- Support for public keys that was done in this pull request https://github.com/node-saml/node-saml/pull/225 This feature is not yet released officially, but can be used by pinning lates master in package.json

```json
"dependencies": {
"@node-saml/passport-saml": "git@github.com:RopoMen/passport-saml.git#d640479013e1c17e207f5c132c625976f314c4da"
```
Security hardenings done to this library can be achieved by doing following configurations of [@node-saml/passport-saml](https://github.com/node-saml/passport-saml) and [@node-saml/node-saml](https://github.com/node-saml/node-saml).

Then you should be able to start testing upstream version of `@node-saml/passport-saml` with public key support. Public key can be provided through `cert` configuration property in PEM format.
- Hardening `Enforce audience checking`: Provide `audience` configuration parameter.
- Hardening `Enforce validteInResponseTo checking`: Set `validateInResponseTo: true` in configuration parameters.
- Hardening `Enforce assertion's signature validation`: Set `wantAssertionsSigned: true` in configuration parameters.
- Hardening `Enforce (by default) encrypted assertion(s) only policy`: Set `wantAssertionsSigned: true` **and** provide private key using configuration parameter `decryptionPvk`.
- Hardening `Enforce top level SAML response signature validation`: Set `wantAuthnResponseSigned: true` this is documented inside https://github.com/node-saml/node-saml

In DVV, when public key support is added into upstream version of `@node-saml/passport-saml` our plan is to migragte away from this fork **and then no maintenance to this library is provided by us.**

## Issue / Contribution guidelines
The fork is maintained by DVV teams for internal use. Active support and long term commitment for maintaining the library cannot be promised.
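Review bot: the hardening bullet for "Enforce (by default) encrypted assertion(s) only policy" names the same setting as the previous bullet (`wantAssertionsSigned: true`) plus `decryptionPvk`, so either the setting is duplicated by mistake or the option that actually enforces encrypted-only assertions is missing from the list; please state which upstream option is meant, or reword the bullet so readers do not assume that a signature requirement alone rejects unencrypted assertions. Two typos in the added lines: `Enforce validteInResponseTo checking` should read `validateInResponseTo`, and "pinning lates master" should read "pinning latest master". The ```json snippet also ends without closing the `"dependencies"` object, so copy-pasting it as shown yields an invalid package.json.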

0 comments on commit a9ab8d9