[FR] Switch to node-saml?

[FossPrime]

Would you consider a PR to switch to https://github.com/node-saml/node-saml? It's now in use by passport and helix.

https://github.com/Clever/saml2 is written in CoffeeScript, making it hard to work on, test and read. More concerning is it's falling behind on security patches to xmldom. Which weakens the security features of SAML.

Both implementations stick fairly close the the SAML standard, unfortunately the translations of the XML properties are not compatible... so it would be a significant breaking change. We could add a compatibility layer for the simplest use cases... but I would simply make a new major release. An example of the issue is force_authn... in node-saml it's called forceAuthn.

This would also add support for tons of SAML2 features that are missing in Clever's implementation, like loginFailureUrl... node-saml is also working on logoutFailureUrl.

[rlunden]

Hey @FossPrime,

Sorry for the late reply, but that sounds good.