@elm-street-technology/passport-saml-metadata
Utilities for reading configuration from SAML 2.0 Metadata XML files, such as those generated by Active Directory Federation Services (ADFS).
```sh
npm install passport-saml-metadata
```
```javascript
const os = require('os');
const passport = require('passport');
const fileCache = require('file-system-cache').default;
const { fetch, toPassportConfig, claimsToCamelCase } = require('passport-saml-metadata');
const SamlStrategy = require('passport-wsfed-saml2').Strategy;

// Persistent fallback copy of the metadata, used when the IdP is unreachable
const backupStore = fileCache({ basePath: os.tmpdir() });
const url = 'https://adfs.company.com/federationMetadata/2007-06/FederationMetadata.xml';

fetch({ url, backupStore })
  .then((reader) => {
    const config = toPassportConfig(reader);
    config.realm = 'urn:nodejs:passport-saml-metadata-example-app';
    config.protocol = 'saml2';

    passport.use('saml', new SamlStrategy(config, function (profile, done) {
      // Map claim URIs from the assertion to camelCase property names
      profile = claimsToCamelCase(profile, reader.claimSchema);
      done(null, profile);
    }));

    passport.serializeUser((user, done) => {
      done(null, user);
    });

    passport.deserializeUser((user, done) => {
      done(null, user);
    });
  });
```
See compwright/passport-saml-example for a complete reference implementation.
fetch(config)

When called, it will attempt to load the metadata XML from the supplied URL. If it fails due to a request timeout or other error, it will attempt to load from the backupStore cache.

Config:

* url (required) Metadata XML file URL
* timeout Time to wait before falling back to the backupStore, in ms (default = 2000)
* backupStore Any persistent cache adapter object with get(key) and set(key, value) methods (default = new Map())

Returns a promise which resolves, if successful, to an instance of MetadataReader.
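The network-first, cache-on-failure flow described above, as an added example that is not the project's own code: the HTTP call is injected as `loadXml` (a hypothetical parameter) so it runs offline against a constructed metadata string, and the result carries the time the copy was fetched so an operator can tell how stale a cached signing certificate might be.

```javascript
// Added example, not code from the passport-saml-metadata project: the same
// "network first, backupStore on failure" flow the README describes, with the
// HTTP call injected as `loadXml` (hypothetical) so it runs offline.
// `backupStore` must offer get(key) and set(key, value); sync (Map) or
// promise-returning (file-system-cache) implementations both work.

function withTimeout(promise, ms, url) {
  let timer;
  const deadline = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error(`timeout after ${ms}ms: ${url}`)), ms);
  });
  return Promise.race([promise, deadline]).finally(() => clearTimeout(timer));
}

async function fetchMetadata({ url, timeout = 2000, backupStore = new Map(), loadXml }) {
  if (!url) throw new Error('url is required');
  let networkError;
  try {
    const xml = await withTimeout(loadXml(url), timeout, url);
    // Refresh the fallback copy. Whatever sits in this store will later be
    // trusted as the IdP's signing certificate, so protect it like config.
    await backupStore.set(url, { xml, fetchedAt: Date.now() });
    return { xml, source: 'network', fetchedAt: Date.now() };
  } catch (err) {
    networkError = err;
  }
  const cached = await backupStore.get(url);
  if (!cached) {
    throw new Error(`metadata unavailable for ${url}: ${networkError.message} (no cached copy)`);
  }
  // Surface the age so operators can spot a cache that outlived a cert rotation.
  return { xml: cached.xml, source: 'cache', fetchedAt: cached.fetchedAt };
}

// Constructed sample: a minimal IdP descriptor, not a real ADFS document.
const SAMPLE_XML = '<EntityDescriptor entityID="https://idp.example.test/adfs/services/trust"/>';
const SAMPLE_URL = 'https://idp.example.test/FederationMetadata/2007-06/FederationMetadata.xml';

// Simulates an IdP that answers once and is then unreachable.
function flakyLoader() {
  let calls = 0;
  return async (url) => {
    if (calls++ === 0) return SAMPLE_XML;
    throw new Error(`ECONNREFUSED ${url}`);
  };
}
```

The second call in a session served by `flakyLoader` resolves from the cache with `source: 'cache'`; a URL with no cached copy rejects after `timeout` instead of hanging.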
toPassportConfig(reader)

Transforms metadata extracts for use in Passport strategy configuration (for example with passport-wsfed-saml2, as shown above).
claimsToCamelCase(claims, claimSchema)

Translates the claim identifier URLs to human-friendly camelCase versions. Useful in Passport verifier functions.

claimSchema should be an object of the following format, such as from MetadataReader.claimSchema():

```javascript
{
  [claimUrl]: {
    name: claimUrl,
    camelCase: 'claimIdentifierInCamelCase',
    description: 'Some description'
  },
  // ... one entry per claim identifier
}
```

Example:

```javascript
function verifier(profile, done) {
  profile = passportSamlMetadata.claimsToCamelCase(profile, reader.claimSchema);
  done(null, profile);
}
```
MetadataReader

Options:

* authnRequestBinding: if set to HTTP-POST, will attempt to load identityProviderUrl/logoutUrl via the HTTP-POST binding in the metadata; otherwise defaults to HTTP-Redirect
* throwExceptions: if set to true, will throw upon exception

Parses metadata XML and extracts the following properties:

* identifierFormat (e.g. urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress)
* identityProviderUrl (e.g. https://adfs.server.url/adfs/ls/)
* logoutUrl (e.g. https://adfs.server.url/adfs/ls/)
* signingCert
* encryptionCert
* claimSchema - an object hash of claim identifiers that may be provided in the SAML assertion

metadata(config)

Returns a function which sets up an Express application route to generate the metadata XML file for your application at /FederationMetadata/2007-06/FederationMetadata.xml. ADFS servers may import the resulting file to set up the relying party trust.

Config:

* issuer (required) The unique application identifier, used to name the relying party trust; may be a URN or URL
* callbackUrl (required) The absolute URL to redirect back to with the SAML assertion after logging in, usually https://hostname[:port]/login/callback
* logoutCallbackUrl The absolute URL to redirect back to with the SAML assertion after logging out, usually https://hostname[:port]/logout

See compwright/passport-saml-example for a usage example.