node-saml / passport-saml

SAML 2.0 authentication with Passport
MIT License

Support for AttributeConsumingService #406

Open brandon-leapyear opened 4 years ago

brandon-leapyear commented 4 years ago

Hi, is there a way to configure <md:AttributeConsumingService> with this library? Or do attribute requirements have to be communicated out-of-band to the IdP?

https://en.wikipedia.org/wiki/SAML_Metadata#Service_Provider_Metadata

markstos commented 4 years ago

When I use Github search to search the code for "AttributeConsumingService", I get back no results, so I'm guessing the answer is "not currently". If it makes the project more spec-compliant, a pull request is welcome. It should include updating the documentation, adding test coverage, references to the part of the spec being implemented and ideally some peer review.

aeaton-overleaf commented 3 years ago

It does seem strange that passport-saml has an attributeConsumingServiceIndex option, but nothing in the generateServiceProviderMetadata function that builds the metadata to add an AttributeConsumingService block.

https://github.com/node-saml/passport-saml/blob/54a1e0457f8e59a9b6947894072f7f9fb2bf8387/src/node-saml/saml.ts#L1314-L1407

aeaton-overleaf commented 3 years ago

Maybe something like this, at the end of generateServiceProviderMetadata?

if (this.options.attributeConsumingServices) {
  // One <md:AttributeConsumingService> per configured service. Assigning the
  // property inside a forEach would overwrite it on every iteration and keep
  // only the last service, so build the array with map instead.
  metadata.EntityDescriptor.SPSSODescriptor.AttributeConsumingService =
    this.options.attributeConsumingServices.map((attributeConsumingService, index) => ({
      '@index': index,
      '@isDefault': attributeConsumingService.isDefault,
      ServiceName: attributeConsumingService.name,
      ServiceDescription: attributeConsumingService.description,
      RequestedAttribute: attributeConsumingService.requestedAttributes.map(requestedAttribute => ({
        '@isRequired': requestedAttribute.isRequired,
        '@FriendlyName': requestedAttribute.friendlyName,
        '@Name': requestedAttribute.name,
        '@NameFormat': requestedAttribute.nameFormat
      }))
    }));
}

https://wiki.shibboleth.net/confluence/display/CONCEPT/MetadataForSP#MetadataForSP-DocumentingAttributes
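Added example, not code from passport-saml or node-saml: a stand-alone JavaScript sketch of what the metadata block discussed above has to satisfy, and of the link between it and the existing attributeConsumingServiceIndex option. It renders `<md:AttributeConsumingService>` elements from a plain options object (the option names `attributeConsumingServices`, `requestedAttributes`, `isDefault`, `isRequired` are assumptions for illustration, as is the fallback order when no index is requested), enforces the schema constraints the snippet above leaves implicit (unique unsigned-short `index`, at most one `isDefault`, `ServiceName` carrying the required `xml:lang`, `Name` on every `RequestedAttribute`), escapes attribute values so configuration strings cannot break the XML, and checks that an index an AuthnRequest would send is actually published. The fragment belongs inside `<md:SPSSODescriptor>` after the AssertionConsumerService element(s). The sample configuration is constructed.

```javascript
// Added example (not passport-saml/node-saml code). Option shape and the
// fallback order in resolveAttributeConsumingService are assumptions.

function escapeXml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Schema constraints: index is an unsigned short and unique per SP, at most
// one service is the default, each service has a ServiceName and at least one
// RequestedAttribute, and every RequestedAttribute has a Name.
function validateAttributeConsumingServices(services) {
  if (!Array.isArray(services) || services.length === 0) {
    throw new Error("attributeConsumingServices must be a non-empty array");
  }
  const seen = new Set();
  let defaults = 0;
  for (const svc of services) {
    if (!Number.isInteger(svc.index) || svc.index < 0 || svc.index > 65535) {
      throw new Error(`index must be an unsigned short, got ${svc.index}`);
    }
    if (seen.has(svc.index)) throw new Error(`duplicate index ${svc.index}`);
    seen.add(svc.index);
    if (svc.isDefault) defaults += 1;
    if (!svc.name) throw new Error(`service ${svc.index}: ServiceName is required`);
    if (!Array.isArray(svc.requestedAttributes) || svc.requestedAttributes.length === 0) {
      throw new Error(`service ${svc.index}: at least one RequestedAttribute is required`);
    }
    for (const attr of svc.requestedAttributes) {
      if (!attr.name) throw new Error(`service ${svc.index}: RequestedAttribute needs a Name`);
    }
  }
  if (defaults > 1) throw new Error("only one AttributeConsumingService may be isDefault");
  return true;
}

// XML fragment to place inside <md:SPSSODescriptor> after AssertionConsumerService.
function renderAttributeConsumingServices(services, lang = "en") {
  validateAttributeConsumingServices(services);
  return services
    .map((svc) => {
      const lines = [];
      const isDefault = svc.isDefault ? ' isDefault="true"' : "";
      lines.push(`<md:AttributeConsumingService index="${svc.index}"${isDefault}>`);
      // ServiceName and ServiceDescription are localized: xml:lang is required.
      lines.push(`  <md:ServiceName xml:lang="${lang}">${escapeXml(svc.name)}</md:ServiceName>`);
      if (svc.description) {
        lines.push(`  <md:ServiceDescription xml:lang="${lang}">${escapeXml(svc.description)}</md:ServiceDescription>`);
      }
      for (const attr of svc.requestedAttributes) {
        let el = `  <md:RequestedAttribute Name="${escapeXml(attr.name)}"`;
        if (attr.nameFormat) el += ` NameFormat="${escapeXml(attr.nameFormat)}"`;
        if (attr.friendlyName) el += ` FriendlyName="${escapeXml(attr.friendlyName)}"`;
        if (attr.isRequired) el += ' isRequired="true"'; // schema default is false
        lines.push(el + "/>");
      }
      lines.push("</md:AttributeConsumingService>");
      return lines.join("\n");
    })
    .join("\n");
}

// The AttributeConsumingServiceIndex sent in an AuthnRequest must name an
// index the published metadata contains, or the IdP cannot resolve it. With no
// index, fall back to the isDefault service, then to the first listed one
// (that fallback order is this example's assumption, not a spec statement).
function resolveAttributeConsumingService(services, requestedIndex) {
  validateAttributeConsumingServices(services);
  if (requestedIndex === undefined) {
    return services.find((s) => s.isDefault) || services[0];
  }
  const match = services.find((s) => s.index === requestedIndex);
  if (!match) {
    throw new Error(`attributeConsumingServiceIndex ${requestedIndex} is not published in SP metadata`);
  }
  return match;
}

// Constructed sample configuration (not from any real deployment).
const URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri";
const sampleServices = [
  {
    index: 0, isDefault: true, name: "Example App", description: "Login and profile",
    requestedAttributes: [
      { name: "urn:oid:0.9.2342.19200300.100.1.3", nameFormat: URI_FORMAT, friendlyName: "mail", isRequired: true },
      { name: "urn:oid:2.5.4.42", nameFormat: URI_FORMAT, friendlyName: "givenName" },
    ],
  },
  {
    index: 1, name: "Example App (admin)",
    requestedAttributes: [
      { name: "urn:oid:1.3.6.1.4.1.5923.1.1.1.7", friendlyName: "eduPersonEntitlement", isRequired: true },
    ],
  },
];

console.log(renderAttributeConsumingServices(sampleServices));
console.log("index 1 resolves to:", resolveAttributeConsumingService(sampleServices, 1).name);
```

Two practical notes: the index in the metadata is what the IdP keys on, so if the library ever derives it from array position (as the snippet above does with the forEach counter), reordering the configuration silently changes which service an existing AuthnRequest points at; and marking an attribute `isRequired="true"` only documents the requirement to the IdP, so the SP still has to reject assertions that arrive without it.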

cjbarth commented 3 years ago

@aeaton-overleaf , are you willing to put up a PR for this?

aeaton-overleaf commented 3 years ago

@cjbarth I'm not planning to work on this immediately, but a colleague may be able to write up a PR later this year (pending other priorities - let me know if there's a need for it sooner).

cjbarth commented 3 years ago

As this is a community-driven project, we look forward to, and depend upon, those that notice missing features putting up a PR to fill that need. The maintainers will be here to help the PR along.

omidraha commented 1 month ago

I think it is currently implemented in the underlying lib: https://github.com/node-saml/node-saml/pull/337