liz/wikijs-fork
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix: update saml strategy to use new config options

Browse Source
This commit is contained in:
Nicolas Giard
2022-05-02 00:18:19 -04:00
committed by GitHub
parent fd274e49f8
commit 8205c1f243
2 changed files with 59 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
server/modules/authentication/saml/authentication.js
View File

@@ -10,16 +10,21 @@ const SAMLStrategy = require('passport-saml').Strategy
module.exports = {
init (passport, conf) {
let samlConfig = {
const samlConfig = {
callbackUrl: conf.callbackURL,
entryPoint: conf.entryPoint,
issuer: conf.issuer,
cert = _.split(conf.cert, '|'),
signatureAlgorithm: conf.signatureAlgorithm,
digestAlgorithm: conf.digestAlgorithm,
identifierFormat: conf.identifierFormat,
wantAssertionsSigned: conf.wantAssertionsSigned,
acceptedClockSkewMs: _.toSafeInteger(conf.acceptedClockSkewMs),
disableRequestedAuthnContext: conf.disableRequestedAuthnContext,
authnContext: conf.authnContext,
racComparison: conf.racComparison,
forceAuthn: conf.forceAuthn,
passive: conf.passive,
providerName: conf.providerName,
skipRequestCompression: conf.skipRequestCompression,
authnRequestBinding: conf.authnRequestBinding,
@@ -28,11 +33,8 @@ module.exports = {
if (!_.isEmpty(conf.audience)) {
samlConfig.audience = conf.audience
}
if (!_.isEmpty(conf.cert)) {
samlConfig.cert = _.split(conf.cert, '|')
}
if (!_.isEmpty(conf.privateCert)) {
samlConfig.privateCert = conf.privateCert
if (!_.isEmpty(conf.privateKey)) {
samlConfig.privateKey = conf.privateKey
}
if (!_.isEmpty(conf.decryptionPvk)) {
samlConfig.decryptionPvk = conf.decryptionPvk

67
server/modules/authentication/saml/definition.yml
View File

@@ -29,10 +29,10 @@ props:
hint: Public PEM-encoded X.509 signing certificate. If the provider has multiple certificates that are valid, join them together using the | pipe symbol.
multiline: true
order: 4
privateCert:
privateKey:
type: String
title: Private Certificate
hint: (Optional) - PEM formatted key used to sign the certificate.
title: Private Key
hint: PEM formatted key used to sign the certificate.
multiline: true
order: 5
decryptionPvk:
@@ -52,53 +52,88 @@ props:
- sha1
- sha256
- sha512
digestAlgorithm:
type: String
title: Digest Algorithm
hint: Digest algorithm used to provide a digest for the signed data object
maxWidth: 400
order: 8
default: sha1
enum:
- sha1
- sha256
- sha512
identifierFormat:
type: String
title: Name Identifier format
default: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
order: 8
order: 20
wantAssertionsSigned:
type: Boolean
title: Always sign assertions
hint: If enabled, add WantAssertionsSigned="true" to the metadata, to specify that the IdP should always sign the assertions.
default: false
order: 21
acceptedClockSkewMs:
type: Number
title: Accepted Clock Skew Milleseconds
hint: Time in milliseconds of skew that is acceptable between client and server when checking OnBefore and NotOnOrAfter assertion condition validity timestamps. Setting to -1 will disable checking these conditions entirely.
default: -1
order: 9
default: 0
order: 22
disableRequestedAuthnContext:
type: Boolean
title: Disable Requested Auth Context
hint: If enabled, do not request a specific authentication context. This is known to help when authenticating against Active Directory (AD FS) servers.
default: false
order: 10
order: 23
authnContext:
type: String
title: Auth Context
hint: Name identifier format to request auth context.
default: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
order: 11
order: 24
racComparison:
type: String
title: RAC Comparison Type
hint: Requested Authentication Context comparison type.
maxWidth: 400
order: 25
default: exact
enum:
- exact
- minimum
- maximum
- better
forceAuthn:
type: Boolean
title: Force Initial Re-authentication
hint: If enabled, the initial SAML request from the service provider specifies that the IdP should force re-authentication of the user, even if they possess a valid session.
default: false
order: 12
order: 26
passive:
type: Boolean
title: Passive
hint: If enabled, the initial SAML request from the service provider specifies that the IdP should prevent visible user interaction.
default: false
order: 27
providerName:
type: String
title: Provider Name
hint: Optional human-readable name of the requester for use by the presenter's user agent or the identity provider.
default: wiki.js
order: 13
order: 28
skipRequestCompression:
type: Boolean
title: Skip Request Compression
hint: If enabled, the SAML request from the service provider won't be compressed.
default: false
order: 14
order: 29
authnRequestBinding:
type: String
title: Request Binding
hint: Binding used for request authentication from IDP.
maxWidth: 400
order: 15
order: 30
default: 'HTTP-POST'
enum:
- HTTP-Redirect
@@ -108,22 +143,22 @@ props:
type: String
default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
hint: The field storing the user unique identifier. Can be a variable name or a URI-formatted string.
order: 16
order: 40
mappingEmail:
title: Email Field Mapping
type: String
default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
hint: The field storing the user email. Can be a variable name or a URI-formatted string.
order: 17
order: 41
mappingDisplayName:
title: Display Name Field Mapping
type: String
default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
hint: The field storing the user display name. Can be a variable name or a URI-formatted string.
order: 18
order: 42
mappingPicture:
title: Avatar Picture Field Mapping
type: String
default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/picture'
hint: The field storing the user avatar picture. Can be a variable name or a URI-formatted string.
order: 19
order: 43