Exciting news!Announcing our $4.6M Series Seed. Learn more
Log in


Package Overview
File Explorer

Advanced tools


Minimal saml service provider with support for sp-initiated redirect login only


Version published
Yearly downloads
increased by133.49%

Weekly downloads



[2.0.0] - 2020/06/29

Breaking change

  • Support multiple certificates by allowing an array to be passed to the SP. This means that we now have to pass an array and an extra attribute to tell us when the cert expires



Known Vulnerabilities

Simple, secure SAML service provider

This library provides with a simple and secure SAML service provider.
At the moment it supports only service provider initiated login (using redirect binding) but more will come.


The options object has 4 top level components: sp, idp, preferences and getUUID

The sp property

It should contain all configuration tied to the service provider. These options will be used to generate the service provider metadata file and populate the login requests.

A globally unique identifier that identifies your service provider. This corresponds to the entityId saml field. It is often a URL as they make it easy to namespace things so long as you own the domain. If your id might contain numbers the saml spec says that the id should start with an "_".

URL that will receive a POST request containing an assertion - usually login response - from the identity provider.

URL that will receive single log out requests from the identity provider. At this time this library does not provide with a way to parse logout requests but it's an open issue.

The signature object see relevant section.

sp.encryption - optional
This is also a signature object but the certificates provided in this one are for encrypting the login responses.
When nothing is provided it defaults to the signing certificates under the sp.signature object.

The idp property

It should be either an object or string. If it's a string, it should be a string containing the identity provider's metadata xml. It is recommended that you use the metadata file as it's easier to maintain than the manually assigned properties.

A globally unique identifier that identifies the identity provider. This corresponds to the entityId saml field. Same restrictions as for the sp id apply.

The url that we should send auth requests to

This is the object that contains the certificates and signature algorithm that we should accept for signing the identity provider's assertions

Currently, supported are sha256 and sha512 this is the algorithm with which the identity provider will sign the assertions

These are the public certificates that correspond to the private key the identity provider is using to sign the assertions. It must have at least one entry as we don't support unsigned requests at the moment.

The signature object

It should contain everything needed to sign our request to the identity provider. Because we are trying to be secure by default, this is not optional.

The signing algorithm to use. Only sha256 and sha512 are supported at the moment.

The pem encoded public key used to sign your requests.

The pem encoded public key used to sign your requests.

The preferences object

preferences.signLoginRequests default true
Set to true to sign login requests (aka authnRequests). When set to false the login requests will not be signed

preferences.signLoginRequests default false
When set to true, it ensures that the identity provider sends notBefore and notOnOrAfter and that the assertion is received in the interval.
When set to false it will not error if the identity provider does not send them but will still check that the assertion is in the interval if the dates are provided.

preferences.nameIdFormat default 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
The name id policy you want to use. For now only this one is supported so I would recommend not changing this

preferences.addNameIdPolicy default false
Set to true to not send the nameIdFormat along with login requests. This voids the previous parameter when set to true.

preferences.forceAuthenticationByDefault default false
Request the identity provider to prompt the user with a challenge (e.g user name + password) even if they have a valid session when set to true.

preferences.attributeMapping default '{}'
Mapping for the attributes given by the identity provider in the Attribute field. I would not worry about that too much unless you need extra claims from the identity provider. Example:

{ 'http://schemas.microsoft.com/identity/claims/objectidentifier': 'id', 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'email' }

Full example:

const options = { sp: { id: 'http://service-provider.zaptic', assertionUrl: 'http://localhost:7000/sp/login', singleLogoutUrl: 'http://localhost:7000/sp/logout', signature: [ { algorithm: <'sha256'>'sha256', certificate: testCert, key: testKey } ] }, idp: { id: 'test-idp', loginUrl: 'http://localhost:7000/idp/requestLogin', signature: { algorithm: <'sha256'>'sha256', allowedCertificates: [] } }, preferences: { forceAuthenticationByDefault: true, signLoginRequests: false, strictTimeCheck: true, addNameIdPolicy: true, attributeMapping: { 'http://schemas.microsoft.com/identity/claims/objectidentifier': 'id', 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'email' } }, getUUID: () => 'test-uuid' }



What is @zaptic-external&#x2F;saml?

Minimal saml service provider with support for sp-initiated redirect login only

Is @zaptic-external&#x2F;saml popular?

The npm package @zaptic-external&#x2F;saml receives a total of 192 weekly downloads. As such, @zaptic-external&#x2F;saml popularity was classified as not popular.

Is @zaptic-external&#x2F;saml well maintained?

We found that @zaptic-external&#x2F;saml demonstrated a not healthy version release cadence and project activity. It has 1 open source maintainer collaborating on the project.

Last updated on 29 Jun 2020


Subscribe to our newsletter

Get open source security insights delivered straight into your inbox. Be the first to learn about new features and product updates.

  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc