boxyhq / saml20

SAML 2.0 parser for Node.js
MIT License
12 stars 7 forks source link
enterprise-software saml saml2

SAML 2.0 & 1.1 Assertion Parser & Validator

Build Status


boxyhq/saml20 is a fork of a fork of saml20. It now has extended functionality and diverges from the original unmaintained library. The new package is published here -


$ npm install @boxyhq/saml20


[DEPRECATED] saml.parse(rawAssertion, cb)

rawAssertion is the SAML Assertion in string format.

Parses the rawAssertion without validating signature, expiration and audience. It allows you to get information from the token like the Issuer name in order to obtain the right public key to validate the token in a multi-providers scenario.

var saml = require('@boxyhq/saml20').default;

saml.parse(rawAssertion, function (err, profile) {
  // err

  var claims =; // Array of user attributes;
  var issuer = profile.issuer; // String Issuer name.


rawAssertion is the SAML Assertion in string format.

Parses the rawAssertion without validating signature, expiration and audience. It allows you to get information from the token like the Issuer name.

const issuer = saml.parseIssuer(rawResponse);

saml.validate(rawAssertion, options, cb)

rawAssertion is the SAML Assertion in string format.


You can use either thumbprint or publicKey but you should use at least one.

var saml = require('@boxyhq/saml20').default;

var options = {
  thumbprint: '1aeabdfa4473ecc7efc5947b18436c575574baf8',
  audience: '',

saml.validate(rawAssertion, options, function (err, profile) {
  // err

  var claims =; // Array of user attributes;
  var issuer = profile.issuer; // String Issuer name.

or using publicKey:

var saml = require('@boxyhq/saml20').default;

var options = {
  publicKey: 'MIICDzCCAXygAwIBAgIQVWXAvbbQyI5Bc...',
  audience: '',

saml.validate(rawAssertion, options, function (err, profile) {
  // err

  var claims =; // Array of user attributes;
  var issuer = profile.issuer; // String Issuer name.


Configure test/lib.index.js

In order to run the tests you must configure lib.index.js with these variables:

var issuerName = '';
var thumbprint = '1aeabdfa4473ecc7efc5947b19436c575574baf8';
var certificate = 'MIICDzCCAXygAwIBAgIQVWXAvbbQyI5BcFe0ssmeKTAJBgU...';
var audience = '';

You also need to include a valid and an invalid SAML 2.0 token on test/assets/invalidToken.xml and test/assets/validToken.xml`

<Assertion ID="_1308c268-38e2-4849-9957-b7babd4a0659" IssueInstant="2014-03-01T04:04:52.919Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer></Issuer><ds:Signature xmlns:ds=""><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="" /><ds:SignatureMethod Algorithm="" /><ds:Reference URI="#_1308c268-38e2-4849-9957-b7babd4a0659"><ds:Transforms><ds:Transform Algorithm="" /><ds:Transform Algorithm="" /></ds:Transforms><ds:DigestMethod Algorithm="" /><ds:DigestValue>qJQjAuaj7adyLkl6m3T1oRhtYytu4bebq9JcQObZIu8=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>amPTOSqkEq5ppbCyUgGgm....</Assertion>

To run the tests use:

$ npm test


Thanks for taking the time to contribute! Contributions are what make the open-source community such an amazing place to learn, inspire, and create. Any contributions you make will benefit everybody and are appreciated.

Please try to create bug reports that are:


Reporting Security Issues

Responsible Disclosure
