Closed v0idmaster closed 1 year ago
Please edit your post to correctly format code blocks.
I Updated the post.
So it seems that you have a signed assertion and not a signed response. You should adjust your config to say so. By default it is assumed that you have both response and assertions signed, which is clearly not the case. If I'm misunderstanding, please post a reference to the SAML spec that indicates that passport-saml is doing something wrong.
Root cause seems to be that the changelog is not read prior/during/after migration to a new major version.
This issue looks like an exact duplicate of
First see the referenced issue's replies for background information and alter the value of the wantAuthnResponseSigned configuration option.
The most up-to-date documentation of configuration options is available at @node-saml/node-saml because documentation updates on this side are not quite there yet.
Thanks for the response. How should I adjust the config? Is it configurable from the passport-saml configuration, or is it the IdP that should be reconfigured? The latter is a problem.
Thank you for the answer.
@srd90 @cjbarth I think it would help if in our Changelog we "rolled up" all the "Major Changes" from the 4.0.0 beta series so that they were all mentioned under the 4.0.0 Release heading in one place.
Also, the bullet point "Add option to require a document signature" could be clearer, because on its face, adding an option is backwards compatible. A better phrasing of this major change is:
Document signatures are now required by default. Setting wantAuthenResponseSigned=false disables this feature and restores the prior, less secure behavior.
The other signature-related bullet point could also be more helpful as:
Require all assertions be signed; the new option wantAssertionsSigned can be set to false to enable the older, less secure behavior.
Hey @markstos is the wantAuthenResponseSigned even available? I didn't see it in the docs... Currently stuck on this issue as the JumpCloud IdP doesn't seem to sign responses.
@dangtony98 as of now the @node-saml/passport-saml project's configuration options documentation is not up to date. You should also consult the @node-saml/node-saml project's documentation. passport-saml was split at 4.0.0 so that @node-saml/node-saml contains the core SAML functionality and @node-saml/passport-saml uses that library internally to implement the passportjs module for SAML (the big picture is that @node-saml/node-saml configuration options are used via @node-saml/passport-saml).
Hello, I upgraded from passport-saml to @node-saml/passport-saml and my logins stopped working during assertion validation. I am using the HTTP-POST binding and a PingFederate IdP. The error I am getting is:
After debugging the code, I found out that it fails because it searches for a ds:Signature element having a ds:Reference descendant with a URI attr that is equal to the ID of the samlp:Response node, which is not the case, and fails because it cannot find a signature that way.
Here, currentNode is the samlp:Response element passed from the validatePostResponseAsync function. However, the Reference URL attr in my case is actually equal to the ID of the saml:Assertion element.
Example of the assertion message:
This is the xml that is generated by PingFederate. Please assist me with resolving that issue. Thanks!
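The comments above describe the same diagnosis twice: the library looks for an enveloped ds:Signature whose ds:Reference URI points at the ID of the element it is validating, and an IdP that signs only the saml:Assertion therefore fails the default check on samlp:Response. The following is an added example (not code from node-saml, passport-saml or any commenter) that locates the enveloped signatures in a SAML response and maps what the IdP actually signs onto the two node-saml options named in the thread. The sample document, the IDs, the issuer URL and the digest/signature values are constructed placeholders, and the script only locates signatures; it does not verify them.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
DS_SIGNATURE = "{%s}Signature" % NS["ds"]
DS_REFERENCE = "{%s}Reference" % NS["ds"]

# Constructed sample (placeholder values): an unsigned samlp:Response that
# wraps a signed saml:Assertion, the shape the thread attributes to
# PingFederate and JumpCloud. The Signature is a direct child of the
# Assertion and its Reference URI points at the Assertion's own ID.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp123" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Assertion ID="_assert456" Version="2.0">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:Reference URI="#_assert456"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def enveloped_signature_targets(xml_text):
    """Return (covered, stray).

    covered: {local element name: ID} for every element that carries a
             ds:Signature as a DIRECT child whose ds:Reference URI is
             "#" + that element's own ID (an enveloped signature, which is
             what the thread says node-saml searches for).
    stray:   (element name, [URIs]) for signatures found somewhere else or
             pointing elsewhere; these do not satisfy the check and are
             worth looking at rather than silently trusting.
    """
    root = ET.fromstring(xml_text)
    covered, stray = {}, []
    for elem in root.iter():            # root.iter() includes root itself
        own_id = elem.get("ID")
        for sig in elem.findall(DS_SIGNATURE):   # direct children only
            uris = [ref.get("URI") for ref in sig.iter(DS_REFERENCE)]
            if own_id and ("#" + own_id) in uris:
                covered[local_name(elem.tag)] = own_id
            else:
                stray.append((local_name(elem.tag), uris))
    return covered, stray


def recommended_options(covered):
    """Map what the IdP signs onto node-saml's two options from the thread.

    node-saml 4.x defaults to requiring both. An IdP that signs only the
    assertion needs wantAuthnResponseSigned=false; relaxing an option the
    IdP actually honours would weaken validation for no reason, and a
    document with no signature at all is refused outright.
    """
    response_signed = "Response" in covered
    assertion_signed = "Assertion" in covered
    if not (response_signed or assertion_signed):
        raise ValueError("neither Response nor Assertion is signed; "
                         "do not relax both options")
    return {
        "wantAuthnResponseSigned": response_signed,
        "wantAssertionsSigned": assertion_signed,
    }


if __name__ == "__main__":
    covered, stray = enveloped_signature_targets(SAMPLE_RESPONSE)
    print("signed elements:", covered)
    print("stray signatures:", stray)
    print("suggested options:", recommended_options(covered))
```

Run against a real response captured from the IdP (the base64-decoded SAMLResponse form field), the output tells you which of the two options the IdP's signing behaviour actually supports before you turn either of them off. The stdlib parser is used here for portability; for untrusted input in production, a hardened XML parser and an actual signature verification step (as node-saml itself performs) are still required.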