-
Notifications
You must be signed in to change notification settings - Fork 475
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Question] Support for <AssertionConsumerServiceIndex> in AuthnContext #380
Comments
Worst case scenario, can I interrupt passport-saml flow somehow to modify the SAML request before it is sent to IDP? |
tl;dr After you instantiate the strategy, you can output the service provider metadata to see exactly what is sent, like this const myPublicCertificate = ...;
const strategy = new SamlStrategy(opts, callbackFn);
// This will output XML
strategy.generateServiceProviderMetadata(myPublicCertificate [, optionalEncryptionCertificate]); If you check the metadata, you'll see <AssertionConsumerService
index="1"
isDefault="true"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://your-service.sp/callbackRoute"
/> |
I am also running into a need for the ability to control the I'm interfacing with an Okta SAML endpoint which allows multiple requestable endpoints which are specified with the Looking over the source code there's nowhere where this property is can be externally specified. It is given a default value of If I extend passport-saml to have a if (this.options.attributeConsumingServiceIndex != null) {
request['samlp:AuthnRequest']['@AssertionConsumingServiceIndex'] = this.options.assertionConsumingServiceIndex;
} metadata.EntityDescriptor.SPSSODescriptor.AssertionConsumerService = {
'@index': this.options.assertionConsumingServiceIndex || '1',
'@isDefault': 'true',
'@Binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'@Location': this.getCallbackUrl({})
}; Will these modifications cause issues for the integrity of the SAML request? |
At first glace, it doesn't seem that this would cause any problems. Would you be willing to make a PR that includes this new option, include tests, and references the part of the SAML spec that calls for this. That will likely get more eyes on this matter and help others down the road. |
Hi,
I am stuck in the situation where the IDP server (Siteminder) requires that the application needs to include and the IDP will use this index to look up the Assertion Consumer Service URL in case multiple SP servers are registered under one application name. This also means that AssertionConsumerServiceURL in the request will be ignored.
I have gone over passport-saml document but could not find anything. Does anyone know whether passport-saml supports this? If not, can anyone suggest a workaround?
Thanks!
The text was updated successfully, but these errors were encountered: