New Case Study:See how Anthropic automated 95% of dependency reviews with Socket.Learn More
Socket
Sign inDemoInstall
Socket

saml20-maintained

Package Overview
Dependencies
Maintainers
1
Versions
8
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

saml20-maintained

SAML 2.0 and 1.1 token parser for Node.js

  • 0.1.15
  • Source
  • npm
  • Socket score

Version published
Maintainers
1
Created
Source

SAML 2.0 & 1.1 Assertion Parser & Validator

saml20-maintained is a fork of saml20. Is it the same library with updated versions of vulnerable dependencies.

Installation

$ npm install saml20-maintained

Usage

saml.parse(rawAssertion, cb)

rawAssertion is the SAML Assertion in string format.

Parses the rawAssertion without validating signature, expiration and audience. It allows you to get information from the token like the Issuer name in order to obtain the right public key to validate the token in a multi-providers scenario.


var saml = require('saml20-maintained');

saml.parse(rawAssertion, function(err, profile) {
	// err

	var claims = profile.claims; // Array of user attributes;
	var issuer = profile.issuer; // String Issuer name.
});

saml.validate(rawAssertion, options, cb)

rawAssertion is the SAML Assertion in string format.

options:

  • thumbprint is the thumbprint of the trusted public key (uses the public key that comes in the assertion).
  • publicKey is the trusted public key.
  • audience (optional). If it is included audience validation will take place.
  • bypassExpiration (optional). This flag indicates expiration validation bypass (useful for testing, not recommended in production environments);

You can use either thumbprint or publicKey but you should use at least one.


var saml = require('saml20-maintained');

var options = {
	thumbprint: '1aeabdfa4473ecc7efc5947b18436c575574baf8',
	audience: 'http://myservice.com/'
}

saml.validate(rawAssertion, options, function(err, profile) {
	// err

	var claims = profile.claims; // Array of user attributes;
	var issuer = profile.issuer; // String Issuer name.
});

or using publicKey:


var saml = require('saml20-maintained');

var options = {
	publicKey: 'MIICDzCCAXygAwIBAgIQVWXAvbbQyI5Bc...',
	audience: 'http://myservice.com/'
}

saml.validate(rawAssertion, options, function(err, profile) {
	// err

	var claims = profile.claims; // Array of user attributes;
	var issuer = profile.issuer; // String Issuer name.
});

Tests

Configure test/lib.index.js

In order to run the tests you must configure lib.index.js with these variables:


var issuerName = 'https://your-issuer.com';
var thumbprint = '1aeabdfa4473ecc7efc5947b19436c575574baf8';
var certificate = 'MIICDzCCAXygAwIBAgIQVWXAvbbQyI5BcFe0ssmeKTAJBgU...';
var audience = 'http://your-service.com/';

You also need to include a valid and an invalid SAML 2.0 token on test/assets/invalidToken.xml and test/assets/validToken.xml`


<Assertion ID="_1308c268-38e2-4849-9957-b7babd4a0659" IssueInstant="2014-03-01T04:04:52.919Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer>https://your-issuer.com/</Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ds:Reference URI="#_1308c268-38e2-4849-9957-b7babd4a0659"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><ds:DigestValue>qJQjAuaj7adyLkl6m3T1oRhtYytu4bebq9JcQObZIu8=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>amPTOSqkEq5ppbCyUgGgm....</Assertion>

To run the tests use:

$ npm test

License

MIT

Keywords

FAQs

Package last updated on 08 Oct 2018

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc