Research
Security News
Threat Actor Exposes Playbook for Exploiting npm to Build Blockchain-Powered Botnets
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
@elm-street-technology/passport-saml-metadata
Advanced tools
Utilities for reading configuration from SAML 2.0 Metadata XML files, such as those generated by Active Directory Federation Services (ADFS).
npm install passport-saml-metadata
const os = require('os');
const fileCache = require('file-system-cache').default;
const { fetch, toPassportConfig, claimsToCamelCase } = require('passport-saml-metadata');
const SamlStrategy = require('passport-wsfed-saml2').Strategy;
const backupStore = fileCache({ basePath: os.tmpdir() });
const url = 'https://adfs.company.com/federationMetadata/2007-06/FederationMetadata.xml';
fetch({ url, backupStore })
.then((reader) => {
const config = toPassportConfig(reader);
config.realm = 'urn:nodejs:passport-saml-metadata-example-app';
config.protocol = 'saml2';
passport.use('saml', new SamlStrategy(config, function(profile, done) {
profile = claimsToCamelCase(profile, reader.claimSchema);
done(null, profile);
}));
passport.serializeUser((user, done) => {
done(null, user);
});
passport.deserializeUser((user, done) => {
done(null, user);
});
});
See compwright/passport-saml-example for a complete reference implementation.
When called, it will attempt to load the metadata XML from the supplied URL. If it fails due to a request timeout or other error, it will attempt to load from the backupStore
cache.
Config:
url
(required) Metadata XML file URLtimeout
Time to wait before falling back to the backupStore
, in ms (default = 2000
)backupStore
Any persistent cache adapter object with get(key)
and set(key, value)
methods (default = new Map()
)Returns a promise which resolves, if successful, to an instance of MetadataReader
.
Transforms metadata extracts for use in Passport strategy configuration. The following strategies are currently supported:
Translates the claim identifier URLs to human-friendly camelCase versions. Useful in Passport verifier functions.
claimSchema
should be an object of the following format, such as from MetadataReader.claimSchema()
:
{
[claimURL]: {
name: claimUrl,
camelCase: 'claimIdentifierInCamelCase',
description: 'Some description'
},
...
}
Example:
function verifier(profile, done) {
profile = passportSamlMetadata.claimsToCamelCase(profile, reader.claimSchema);
done(null, profile);
}
authnRequestBinding
: if set to HTTP-POST
, will attempt to load identityProviderUrl/logoutUrl via HTTP-POST binding in metadata, otherwise defaults to HTTP-Redirect
throwExceptions
: if set to true
, will throw upon exceptionParses metadata XML and extracts the following properties:
identifierFormat
(e.g. urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
)identityProviderUrl
(e.g. https://adfs.server.url/adfs/ls/)logoutUrl
(e.g. https://adfs.server.url/adfs/ls/)signingCert
encryptionCert
claimSchema
- an object hash of claim identifiers that may be provided in the SAML assertionReturns a function which sets up an Express application route to generate the metadata XML file for your application at /FederationMetadata/2007-06/FederationMetadata.xml. ADFS servers may import the resulting file to set up the relying party trust.
Config:
issuer
(required) The unique application identifier, used to name the relying party trust; may be a URN or URLcallbackUrl
(required) The absolute URL to redirect back to with the SAML assertion after logging in, usually https://hostname[:port]/login/callbacklogoutCallbackUrl
The absolute URL to redirect back to with the SAML assertion after logging out, usually https://hostname[:port]/logoutSee compwright/passport-saml-example for a usage example.
FAQs
SAML2 metadata loader
We found that @elm-street-technology/passport-saml-metadata demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 7 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
Security News
NVD’s backlog surpasses 20,000 CVEs as analysis slows and NIST announces new system updates to address ongoing delays.
Security News
Research
A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files.