allowCreate attribute not set correctly

D-32 commented 6 months ago

samlify.ServiceProvider({
    metadata: metadata,
    allowCreate: 'true',
})

If I don't set the allowCreate property the SAML request XML will have an empty attribute, which causes it to be invalid: <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate=""/>

If I set it to true (as a boolean) as specified in ServiceProviderSettings it crashes due to string.replace is not a function. Only if I set it to the string "true" does it work. So this is my workaround, but it's of course not ideal.

Thanks for all your work on this library @tngan 🙏

RJFelix commented 6 months ago

I'm having the same issue in samlify 2.8.11 but did not have it in 2.8.5, if that helps narrow down the cause.

suzmas commented 6 months ago

This issue started for us after upgrading from 2.8.10 to 2.8.11

It was introduced here: https://github.com/tngan/samlify/pull/523 with v2.8.11

In our case, this happens when we construct a ServiceProvider with allowCreate: true, and later call serviceProvider.createLoginRequest(idp, 'redirect')

serviceProvider.createLoginRequest(idp, 'redirect') eventually calls loginRequestRedirectURL function, which passes an object with various values to libsaml.replaceTagsByValue, including the value true for key AllowCreate
replaceTagsByValue calls escapeTag with value true (because that's the value of the AllowCreate tag)
escapeTag passes true into xmlEscape(...)
--> and that's what finally Throws with "TypeError string.replace is not a function"

tngan / samlify

allowCreate attribute not set correctly #538