fix: update saml strategy to use new config options

Nicolas Giard 2022-05-02 00:18:19 -04:00 committed by GitHub
parent fd274e49f8
commit 8205c1f243
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 59 additions and 22 deletions


@ -10,16 +10,21 @@ const SAMLStrategy = require('passport-saml').Strategy
module.exports = { module.exports = {
init (passport, conf) { init (passport, conf) {
let samlConfig = { const samlConfig = {
callbackUrl: conf.callbackURL, callbackUrl: conf.callbackURL,
entryPoint: conf.entryPoint, entryPoint: conf.entryPoint,
issuer: conf.issuer, issuer: conf.issuer,
cert = _.split(conf.cert, '|'),
signatureAlgorithm: conf.signatureAlgorithm, signatureAlgorithm: conf.signatureAlgorithm,
digestAlgorithm: conf.digestAlgorithm,
identifierFormat: conf.identifierFormat, identifierFormat: conf.identifierFormat,
wantAssertionsSigned: conf.wantAssertionsSigned,
acceptedClockSkewMs: _.toSafeInteger(conf.acceptedClockSkewMs), acceptedClockSkewMs: _.toSafeInteger(conf.acceptedClockSkewMs),
disableRequestedAuthnContext: conf.disableRequestedAuthnContext, disableRequestedAuthnContext: conf.disableRequestedAuthnContext,
authnContext: conf.authnContext, authnContext: conf.authnContext,
racComparison: conf.racComparison,
forceAuthn: conf.forceAuthn, forceAuthn: conf.forceAuthn,
passive: conf.passive,
providerName: conf.providerName, providerName: conf.providerName,
skipRequestCompression: conf.skipRequestCompression, skipRequestCompression: conf.skipRequestCompression,
authnRequestBinding: conf.authnRequestBinding, authnRequestBinding: conf.authnRequestBinding,
@ -28,11 +33,8 @@ module.exports = {
if (!_.isEmpty(conf.audience)) { if (!_.isEmpty(conf.audience)) {
samlConfig.audience = conf.audience samlConfig.audience = conf.audience
} }
if (!_.isEmpty(conf.cert)) { if (!_.isEmpty(conf.privateKey)) {
samlConfig.cert = _.split(conf.cert, '|') samlConfig.privateKey = conf.privateKey
}
if (!_.isEmpty(conf.privateCert)) {
samlConfig.privateCert = conf.privateCert
} }
if (!_.isEmpty(conf.decryptionPvk)) { if (!_.isEmpty(conf.decryptionPvk)) {
samlConfig.decryptionPvk = conf.decryptionPvk samlConfig.decryptionPvk = conf.decryptionPvk
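Review bot: The new `cert = _.split(conf.cert, '|'),` line in the `samlConfig` object literal of the first hunk is a syntax error (`=` instead of `:` for a property), so the whole strategy module fails to load and SAML login is unavailable until it reads `cert: _.split(conf.cert, '|'),`. The same hunk also drops the old `if (!_.isEmpty(conf.cert))` guard, so an unset certificate now reaches passport-saml as `['']` rather than being left out; presumably the library rejects that, but an explicit check that raises a clear configuration error (e.g. `if (_.isEmpty(conf.cert)) { throw new Error('SAML: at least one IdP signing certificate is required') }`) would make the failure obvious to the administrator. The `init` function continues past the end of the second hunk.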


@ -29,10 +29,10 @@ props:
hint: Public PEM-encoded X.509 signing certificate. If the provider has multiple certificates that are valid, join them together using the | pipe symbol. hint: Public PEM-encoded X.509 signing certificate. If the provider has multiple certificates that are valid, join them together using the | pipe symbol.
multiline: true multiline: true
order: 4 order: 4
privateCert: privateKey:
type: String type: String
title: Private Certificate title: Private Key
hint: (Optional) - PEM formatted key used to sign the certificate. hint: PEM formatted key used to sign the certificate.
multiline: true multiline: true
order: 5 order: 5
decryptionPvk: decryptionPvk:
@ -52,53 +52,88 @@ props:
- sha1 - sha1
- sha256 - sha256
- sha512 - sha512
digestAlgorithm:
type: String
title: Digest Algorithm
hint: Digest algorithm used to provide a digest for the signed data object
maxWidth: 400
order: 8
default: sha1
enum:
- sha1
- sha256
- sha512
identifierFormat: identifierFormat:
type: String type: String
title: Name Identifier format title: Name Identifier format
default: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress' default: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
order: 8 order: 20
wantAssertionsSigned:
type: Boolean
title: Always sign assertions
hint: If enabled, add WantAssertionsSigned="true" to the metadata, to specify that the IdP should always sign the assertions.
default: false
order: 21
acceptedClockSkewMs: acceptedClockSkewMs:
type: Number type: Number
title: Accepted Clock Skew Milleseconds title: Accepted Clock Skew Milleseconds
hint: Time in milliseconds of skew that is acceptable between client and server when checking OnBefore and NotOnOrAfter assertion condition validity timestamps. Setting to -1 will disable checking these conditions entirely. hint: Time in milliseconds of skew that is acceptable between client and server when checking OnBefore and NotOnOrAfter assertion condition validity timestamps. Setting to -1 will disable checking these conditions entirely.
default: -1 default: 0
order: 9 order: 22
disableRequestedAuthnContext: disableRequestedAuthnContext:
type: Boolean type: Boolean
title: Disable Requested Auth Context title: Disable Requested Auth Context
hint: If enabled, do not request a specific authentication context. This is known to help when authenticating against Active Directory (AD FS) servers. hint: If enabled, do not request a specific authentication context. This is known to help when authenticating against Active Directory (AD FS) servers.
default: false default: false
order: 10 order: 23
authnContext: authnContext:
type: String type: String
title: Auth Context title: Auth Context
hint: Name identifier format to request auth context. hint: Name identifier format to request auth context.
default: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport default: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
order: 11 order: 24
racComparison:
type: String
title: RAC Comparison Type
hint: Requested Authentication Context comparison type.
maxWidth: 400
order: 25
default: exact
enum:
- exact
- minimum
- maximum
- better
forceAuthn: forceAuthn:
type: Boolean type: Boolean
title: Force Initial Re-authentication title: Force Initial Re-authentication
hint: If enabled, the initial SAML request from the service provider specifies that the IdP should force re-authentication of the user, even if they possess a valid session. hint: If enabled, the initial SAML request from the service provider specifies that the IdP should force re-authentication of the user, even if they possess a valid session.
default: false default: false
order: 12 order: 26
passive:
type: Boolean
title: Passive
hint: If enabled, the initial SAML request from the service provider specifies that the IdP should prevent visible user interaction.
default: false
order: 27
providerName: providerName:
type: String type: String
title: Provider Name title: Provider Name
hint: Optional human-readable name of the requester for use by the presenter's user agent or the identity provider. hint: Optional human-readable name of the requester for use by the presenter's user agent or the identity provider.
default: wiki.js default: wiki.js
order: 13 order: 28
skipRequestCompression: skipRequestCompression:
type: Boolean type: Boolean
title: Skip Request Compression title: Skip Request Compression
hint: If enabled, the SAML request from the service provider won't be compressed. hint: If enabled, the SAML request from the service provider won't be compressed.
default: false default: false
order: 14 order: 29
authnRequestBinding: authnRequestBinding:
type: String type: String
title: Request Binding title: Request Binding
hint: Binding used for request authentication from IDP. hint: Binding used for request authentication from IDP.
maxWidth: 400 maxWidth: 400
order: 15 order: 30
default: 'HTTP-POST' default: 'HTTP-POST'
enum: enum:
- HTTP-Redirect - HTTP-Redirect
@ -108,22 +143,22 @@ props:
type: String type: String
default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier' default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
hint: The field storing the user unique identifier. Can be a variable name or a URI-formatted string. hint: The field storing the user unique identifier. Can be a variable name or a URI-formatted string.
order: 16 order: 40
mappingEmail: mappingEmail:
title: Email Field Mapping title: Email Field Mapping
type: String type: String
default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
hint: The field storing the user email. Can be a variable name or a URI-formatted string. hint: The field storing the user email. Can be a variable name or a URI-formatted string.
order: 17 order: 41
mappingDisplayName: mappingDisplayName:
title: Display Name Field Mapping title: Display Name Field Mapping
type: String type: String
default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
hint: The field storing the user display name. Can be a variable name or a URI-formatted string. hint: The field storing the user display name. Can be a variable name or a URI-formatted string.
order: 18 order: 42
mappingPicture: mappingPicture:
title: Avatar Picture Field Mapping title: Avatar Picture Field Mapping
type: String type: String
default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/picture' default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/picture'
hint: The field storing the user avatar picture. Can be a variable name or a URI-formatted string. hint: The field storing the user avatar picture. Can be a variable name or a URI-formatted string.
order: 19 order: 43
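Review bot: The new `digestAlgorithm` prop in the second hunk ships with `default: sha1`, which is a deprecated hash for XML-DSig; keeping `sha1` in the enum for legacy IdPs is fine, but the default for new installs should be `default: sha256` (the `signatureAlgorithm` prop just above it deserves the same check, though its default is outside the hunk). The renamed `privateKey` prop's hint, `PEM formatted key used to sign the certificate.`, is misleading since this key signs the outgoing SAML requests, not a certificate; suggested wording: `hint: (Optional) PEM formatted private key used to sign SAML requests sent to the IdP.`. Note also that `acceptedClockSkewMs` changes from `-1` (checks disabled) to `0`, which is a sensible tightening but will start rejecting assertions from IdPs whose clocks drift at all, so administrators upgrading existing installs may want a small positive value; the hint already documents the `-1` behaviour, so no wording change is needed there.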