@zaptic-external/saml
Comparing version 2.0.2 to 2.0.3
{ | ||
"name": "@zaptic-external/saml", | ||
"version": "2.0.2", | ||
"version": "2.0.3", | ||
"description": "Minimal saml service provider with support for sp-initiated redirect login only", | ||
@@ -40,3 +40,3 @@ "main": "dist/service-provider.js", | ||
"dependencies": { | ||
"libxmljs": "0.19.7", | ||
"libxmljs": "0.19.10", | ||
"xml-crypto": "0.10.1", | ||
@@ -43,0 +43,0 @@ "xml-encryption": "0.11.2", |
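Review bot: The `libxmljs` bump from 0.19.7 to 0.19.10 in `dependencies` ships in a patch release (2.0.2 to 2.0.3) with no stated reason. libxmljs is a native XML parser inside a package that processes identity provider XML, so record in the changelog whether this is a security or a compatibility update and confirm the assertion-validation tests pass against the new build. `xml-crypto` 0.10.1 and `xml-encryption` 0.11.2 stay exact-pinned in the context lines; if the bump is security-motivated, review those pins in the same pass.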
@@ -13,4 +13,4 @@ [![Known Vulnerabilities](https://snyk.io/test/github/Zaptic/saml/badge.svg?targetFile=package.json)](https://snyk.io/test/github/Zaptic/saml?targetFile=package.json) | ||
### The `sp` property | ||
It should contain all configuration tied to the service provider. | ||
@@ -22,3 +22,3 @@ These options will be used to generate the service provider metadata file and populate the login requests. | ||
It is often a URL as they make it easy to namespace things so long as you own the domain. | ||
If your id might contain numbers the saml spec says that the id should start with an "\_". | ||
If your id might contain numbers the saml spec says that the id should start with an "_". | ||
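Review bot: In the changed sentence about ids starting with "_", dropping the backslash is fine, but a bare underscore in quotes is what made the escape necessary in the first place. Put it in code formatting (`_`) so no Markdown renderer can read it as emphasis, and consider pointing to the part of the SAML spec the sentence relies on.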
@@ -40,5 +40,4 @@ `sp.assertionUrl` | ||
### The `idp` property | ||
It should be either an object or string. | ||
If it's a string, it should be a string containing the identity provider's metadata xml. | ||
It should be either an object or string. | ||
If it's a string, it should be a string containing the identity provider's metadata xml. | ||
It is recommended that you use the metadata file as it's easier to maintain than the manually assigned properties. | ||
@@ -54,3 +53,3 @@ | ||
`idp.signature` | ||
This is the object that contains the certificates and signature algorithm that we should accept for signing the | ||
This is the object that contains the certificates and signature algorithm that we should accept for signing the | ||
identity provider's assertions | ||
@@ -63,8 +62,8 @@ | ||
`idp.signature.allowedCertificates` | ||
These are the public certificates that correspond to the private key the identity provider is using to sign the | ||
These are the public certificates that correspond to the private key the identity provider is using to sign the | ||
assertions. It must have at least one entry as we don't support unsigned requests at the moment. | ||
### The `signature` object | ||
It should contain everything needed to sign our request to the identity provider. | ||
### The `signature` object | ||
It should contain everything needed to sign our request to the identity provider. | ||
Because we are trying to be secure by default, this is not optional. | ||
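Review bot: The `idp.signature.allowedCertificates` text says "we don't support unsigned requests", but the sentence before it is about the certificates the identity provider uses to sign assertions. Since these lines are being touched anyway, change it to "unsigned assertions" so it cannot be confused with the service provider's own signed requests described under the `signature` object.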
@@ -77,6 +76,7 @@ | ||
The pem encoded public key used to sign your requests. | ||
`signature.key` | ||
The pem encoded public key used to sign your requests. | ||
### The `preferences` object | ||
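Review bot: The `signature.key` description reads "The pem encoded public key used to sign your requests", and the context line above it carries the same wording. Requests are signed with the private key, so `signature.key` should be documented as the PEM-encoded private key, with a note that it must be kept secret, and the line above it should describe the public certificate that matches that key.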
@@ -91,3 +91,3 @@ | ||
When set to false it will not error if the identity provider does not send them but will still check that the assertion | ||
is in the interval if the dates are provided. | ||
is in the interval if the dates are provided. | ||
@@ -102,3 +102,3 @@ `preferences.nameIdFormat` default 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress' | ||
Request the identity provider to prompt the user with a challenge (e.g user name + password) even if they have a valid | ||
session when set to true. | ||
session when set to true. | ||
@@ -108,4 +108,3 @@ `preferences.attributeMapping` default '{}' | ||
unless you need extra claims from the identity provider. | ||
Example: | ||
Example: | ||
``` | ||
@@ -119,3 +118,2 @@ { | ||
Full example: | ||
```typescript | ||
@@ -127,9 +125,7 @@ const options = { | ||
singleLogoutUrl: 'http://localhost:7000/sp/logout', | ||
signature: [ | ||
{ | ||
algorithm: <'sha256'>'sha256', | ||
certificate: testCert, | ||
key: testKey | ||
} | ||
] | ||
signature: [{ | ||
algorithm: <'sha256'>'sha256', | ||
certificate: testCert, | ||
key: testKey | ||
}] | ||
}, | ||
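Review bot: The full example passes `signature: [{ ... }]`, an array, while the README section touched earlier in this diff is titled "The `signature` object" and describes a single set of signing material. State in that section whether an array of entries is accepted and which entry is used for signing. Separately, `<'sha256'>'sha256'` is the angle-bracket assertion form; `'sha256' as 'sha256'` reads better and also works in .tsx files.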
@@ -157,1 +153,2 @@ idp: { | ||
``` | ||
Major refactor
Supply chain risk: Package has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.
Found 1 instance in 1 package
Filesystem access
Supply chain risk: Accesses the file system, and could potentially read sensitive data.
Found 1 instance in 1 package
+ Added @mapbox/node-pre-gyp@1.0.11 (transitive)
+ Added agent-base@6.0.2 (transitive)
+ Added ansi-regex@5.0.1 (transitive)
+ Added aproba@2.0.0 (transitive)
+ Added are-we-there-yet@2.0.0 (transitive)
+ Added chownr@2.0.0 (transitive)
+ Added color-support@1.1.3 (transitive)
+ Added debug@4.3.4 (transitive)
+ Added detect-libc@2.0.3 (transitive)
+ Added emoji-regex@8.0.0 (transitive)
+ Added fs-minipass@2.1.0 (transitive)
+ Added gauge@3.0.2 (transitive)
+ Added https-proxy-agent@5.0.1 (transitive)
+ Added is-fullwidth-code-point@3.0.0 (transitive)
+ Added libxmljs@0.19.10 (transitive)
+ Added lru-cache@6.0.0 (transitive)
+ Added make-dir@3.1.0 (transitive)
+ Added minipass@3.3.6, 5.0.0 (transitive)
+ Added minizlib@2.1.2 (transitive)
+ Added mkdirp@1.0.4 (transitive)
+ Added ms@2.1.2 (transitive)
+ Added node-fetch@2.7.0 (transitive)
+ Added nopt@5.0.0 (transitive)
+ Added npmlog@5.0.1 (transitive)
+ Added readable-stream@3.6.2 (transitive)
+ Added rimraf@3.0.2 (transitive)
+ Added semver@6.3.1, 7.6.0 (transitive)
+ Added string-width@4.2.3 (transitive)
+ Added string_decoder@1.3.0 (transitive)
+ Added strip-ansi@6.0.1 (transitive)
+ Added tar@6.2.1 (transitive)
+ Added tr46@0.0.3 (transitive)
+ Added webidl-conversions@3.0.1 (transitive)
+ Added whatwg-url@5.0.0 (transitive)
+ Added yallist@4.0.0 (transitive)
- Removed ansi-regex@2.1.1 (transitive)
- Removed aproba@1.2.0 (transitive)
- Removed are-we-there-yet@1.1.7 (transitive)
- Removed chownr@1.1.4 (transitive)
- Removed code-point-at@1.1.0 (transitive)
- Removed core-util-is@1.0.3 (transitive)
- Removed debug@3.2.7 (transitive)
- Removed deep-extend@0.6.0 (transitive)
- Removed detect-libc@1.0.3 (transitive)
- Removed fs-minipass@1.2.7 (transitive)
- Removed gauge@2.7.4 (transitive)
- Removed iconv-lite@0.4.24 (transitive)
- Removed ignore-walk@3.0.4 (transitive)
- Removed ini@1.3.8 (transitive)
- Removed is-fullwidth-code-point@1.0.0 (transitive)
- Removed isarray@1.0.0 (transitive)
- Removed libxmljs@0.19.7 (transitive)
- Removed minimist@1.2.8 (transitive)
- Removed minipass@2.9.0 (transitive)
- Removed minizlib@1.3.3 (transitive)
- Removed mkdirp@0.5.6 (transitive)
- Removed ms@2.1.3 (transitive)
- Removed needle@2.9.1 (transitive)
- Removed node-pre-gyp@0.11.0 (transitive)
- Removed nopt@4.0.3 (transitive)
- Removed npm-bundled@1.1.2 (transitive)
- Removed npm-normalize-package-bin@1.0.1 (transitive)
- Removed npm-packlist@1.4.8 (transitive)
- Removed npmlog@4.1.2 (transitive)
- Removed number-is-nan@1.0.1 (transitive)
- Removed os-homedir@1.0.2 (transitive)
- Removed os-tmpdir@1.0.2 (transitive)
- Removed osenv@0.1.5 (transitive)
- Removed process-nextick-args@2.0.1 (transitive)
- Removed rc@1.2.8 (transitive)
- Removed readable-stream@2.3.8 (transitive)
- Removed rimraf@2.7.1 (transitive)
- Removed safe-buffer@5.1.2 (transitive)
- Removed safer-buffer@2.1.2 (transitive)
- Removed semver@5.7.2 (transitive)
- Removed string-width@1.0.2 (transitive)
- Removed string_decoder@1.1.1 (transitive)
- Removed strip-ansi@3.0.1 (transitive)
- Removed strip-json-comments@2.0.1 (transitive)
- Removed tar@4.4.19 (transitive)
- Removed yallist@3.1.1 (transitive)
Updated libxmljs@0.19.10