From 8205c1f24356ee2e050b9d7e05ca293e87b5044d Mon Sep 17 00:00:00 2001
From: Nicolas Giard
Date: Mon, 2 May 2022 00:18:19 -0400
Subject: [PATCH] fix: update saml strategy to use new config options
---
 .../authentication/saml/authentication.js | 14 ++--
 .../authentication/saml/definition.yml | 67 ++++++++++++++-----
 2 files changed, 59 insertions(+), 22 deletions(-)
diff --git a/server/modules/authentication/saml/authentication.js b/server/modules/authentication/saml/authentication.js
index 1eb8e2c2..aa518196 100644
--- a/server/modules/authentication/saml/authentication.js
+++ b/server/modules/authentication/saml/authentication.js
@@ -10,16 +10,21 @@ const SAMLStrategy = require('passport-saml').Strategy

 module.exports = {
 init (passport, conf) {
- let samlConfig = {
+ const samlConfig = {
 callbackUrl: conf.callbackURL,
 entryPoint: conf.entryPoint,
 issuer: conf.issuer,
+ cert = _.split(conf.cert, '|'),
 signatureAlgorithm: conf.signatureAlgorithm,
+ digestAlgorithm: conf.digestAlgorithm,
 identifierFormat: conf.identifierFormat,
+ wantAssertionsSigned: conf.wantAssertionsSigned,
 acceptedClockSkewMs: _.toSafeInteger(conf.acceptedClockSkewMs),
 disableRequestedAuthnContext: conf.disableRequestedAuthnContext,
 authnContext: conf.authnContext,
+ racComparison: conf.racComparison,
 forceAuthn: conf.forceAuthn,
+ passive: conf.passive,
 providerName: conf.providerName,
 skipRequestCompression: conf.skipRequestCompression,
 authnRequestBinding: conf.authnRequestBinding,
@@ -28,11 +33,8 @@ module.exports = {
 if (!_.isEmpty(conf.audience)) {
 samlConfig.audience = conf.audience
 }
- if (!_.isEmpty(conf.cert)) {
- samlConfig.cert = _.split(conf.cert, '|')
- }
- if (!_.isEmpty(conf.privateCert)) {
- samlConfig.privateCert = conf.privateCert
+ if (!_.isEmpty(conf.privateKey)) {
+ samlConfig.privateKey = conf.privateKey
 }
 if (!_.isEmpty(conf.decryptionPvk)) {
 samlConfig.decryptionPvk = conf.decryptionPvk
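Review bot: The added line `cert = _.split(conf.cert, '|'),` is a syntax error inside an object literal (an `=` initializer is only valid in destructuring patterns), so the module fails to load and every SAML login breaks; it should be `cert: _.split(conf.cert, '|'),`. Dropping the former `_.isEmpty(conf.cert)` guard also means an empty cert field now reaches the strategy as `['']` rather than as an absent option; since this certificate is what the IdP response signature is verified against, confirm that the library rejects an empty certificate list at startup rather than treating it as "no verification". The `init` method continues past the end of this hunk.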
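Review bot: Renaming `privateCert` to `privateKey` leaves no fallback for the old key, so a deployment whose stored config still holds `privateCert` would, if that value is not migrated elsewhere, start sending unsigned requests without any warning (the guard simply skips the option when `privateKey` is empty). If there is no migration, `const signingKey = _.isEmpty(conf.privateKey) ? conf.privateCert : conf.privateKey` used in the guard keeps old configs working, ideally with a log line when the legacy name is hit. The enclosing `init` method starts before this hunk and ends after it.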
diff --git a/server/modules/authentication/saml/definition.yml b/server/modules/authentication/saml/definition.yml
index 69916256..1e458488 100644
--- a/server/modules/authentication/saml/definition.yml
+++ b/server/modules/authentication/saml/definition.yml
@@ -29,10 +29,10 @@ props:
 hint: Public PEM-encoded X.509 signing certificate. If the provider has multiple certificates that are valid, join them together using the | pipe symbol.
 multiline: true
 order: 4
- privateCert:
+ privateKey:
 type: String
- title: Private Certificate
- hint: (Optional) - PEM formatted key used to sign the certificate.
+ title: Private Key
+ hint: PEM formatted key used to sign the certificate.
 multiline: true
 order: 5
 decryptionPvk:
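Review bot: The new `privateKey` hint `PEM formatted key used to sign the certificate.` is misleading: this key signs the SAML requests the service provider sends to the IdP, not the certificate, and dropping `(Optional)` contradicts authentication.js in the same patch, which still only passes `privateKey` to the strategy when the field is non-empty. Suggest `hint: (Optional) - PEM formatted private key used to sign SAML requests sent to the identity provider.` so admins know both that it can be left blank and what leaving it blank gives up.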
@@ -52,53 +52,88 @@ props:
 - sha1
 - sha256
 - sha512
+ digestAlgorithm:
+ type: String
+ title: Digest Algorithm
+ hint: Digest algorithm used to provide a digest for the signed data object
+ maxWidth: 400
+ order: 8
+ default: sha1
+ enum:
+ - sha1
+ - sha256
+ - sha512
 identifierFormat:
 type: String
 title: Name Identifier format
 default: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
- order: 8
+ order: 20
+ wantAssertionsSigned:
+ type: Boolean
+ title: Always sign assertions
+ hint: If enabled, add WantAssertionsSigned="true" to the metadata, to specify that the IdP should always sign the assertions.
+ default: false
+ order: 21
 acceptedClockSkewMs:
 type: Number
 title: Accepted Clock Skew Milleseconds
 hint: Time in milliseconds of skew that is acceptable between client and server when checking OnBefore and NotOnOrAfter assertion condition validity timestamps. Setting to -1 will disable checking these conditions entirely.
- default: -1
- order: 9
+ default: 0
+ order: 22
 disableRequestedAuthnContext:
 type: Boolean
 title: Disable Requested Auth Context
 hint: If enabled, do not request a specific authentication context. This is known to help when authenticating against Active Directory (AD FS) servers.
 default: false
- order: 10
+ order: 23
 authnContext:
 type: String
 title: Auth Context
 hint: Name identifier format to request auth context.
 default: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
- order: 11
+ order: 24
+ racComparison:
+ type: String
+ title: RAC Comparison Type
+ hint: Requested Authentication Context comparison type.
+ maxWidth: 400
+ order: 25
+ default: exact
+ enum:
+ - exact
+ - minimum
+ - maximum
+ - better
 forceAuthn:
 type: Boolean
 title: Force Initial Re-authentication
 hint: If enabled, the initial SAML request from the service provider specifies that the IdP should force re-authentication of the user, even if they possess a valid session.
 default: false
- order: 12
+ order: 26
+ passive:
+ type: Boolean
+ title: Passive
+ hint: If enabled, the initial SAML request from the service provider specifies that the IdP should prevent visible user interaction.
+ default: false
+ order: 27
 providerName:
 type: String
 title: Provider Name
 hint: Optional human-readable name of the requester for use by the presenter's user agent or the identity provider.
 default: wiki.js
- order: 13
+ order: 28
 skipRequestCompression:
 type: Boolean
 title: Skip Request Compression
 hint: If enabled, the SAML request from the service provider won't be compressed.
 default: false
- order: 14
+ order: 29
 authnRequestBinding:
 type: String
 title: Request Binding
 hint: Binding used for request authentication from IDP.
 maxWidth: 400
- order: 15
+ order: 30
 default: 'HTTP-POST'
 enum:
 - HTTP-Redirect
@@ -108,22 +143,22 @@ props:
 type: String
 default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
 hint: The field storing the user unique identifier. Can be a variable name or a URI-formatted string.
- order: 16
+ order: 40
 mappingEmail:
 title: Email Field Mapping
 type: String
 default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
 hint: The field storing the user email. Can be a variable name or a URI-formatted string.
- order: 17
+ order: 41
 mappingDisplayName:
 title: Display Name Field Mapping
 type: String
 default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
 hint: The field storing the user display name. Can be a variable name or a URI-formatted string.
- order: 18
+ order: 42
 mappingPicture:
 title: Avatar Picture Field Mapping
 type: String
 default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/picture'
 hint: The field storing the user avatar picture. Can be a variable name or a URI-formatted string.
- order: 19
+ order: 43
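Review bot: `default: sha1` for the new `digestAlgorithm` option selects a digest that is deprecated for XML signatures (SHA-1 collisions are practical and a growing number of IdPs reject sha1-digested signatures); because this option is brand new there is no stored value to stay compatible with, so `default: sha256` is the safer choice and it is already present in the enum. The `acceptedClockSkewMs` default moving from `-1` (checks disabled) to `0` tightens assertion validity checking, which is the right direction, but whether existing deployments keep their stored `-1` or pick up the new default is not visible here and deserves a line in the release notes. The context title `Accepted Clock Skew Milleseconds` has a pre-existing typo (`Milliseconds`) that could be fixed while this block is being touched.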