I was running into an issue where inResponseTo was getting cached. So if I initiate this flow and inResponse to was getting passed, the next request that came in (without an inresponse to) it would use the previous one.

I fixed this by instantiating idpHandler inside of the post.

I have a use case where one of the multivalue values I'm trying to test has a comma in it. Specifically, I'm following some Shibboleth spec for affiliations where the affiliation attribute value looks like this: eduPersonAffiliation=student,eduPersonOrgDN=org
And there can be multiple values in that format. Any thoughts on how that can be supported? I'd be fine with it if all I need to do is encode the comma in some way that can still be seen as a comma on the receiving end. So If I need to encodeURIComponent or something, I would be fine with that.

Is there a Docker image available for this repo on an image repository? Using this for integration testing our SAML functionality and would be nice if I could just pull in a reliable image for use with docker-compose.

I found a few in Docker Hub (https://hub.docker.com/search?q=saml-idp&type=image), but they appear to come from forks so I'm unsure if they are up to date or are safe to use.

it would be great, if the sp options could be read from xml,

Nice project by the way!

Hello, first of all thanks for this amazing library. I'm using it in automated tests to test my SSO service provider implementation and it helped me a lot.

I have one issue though. As I'm starting the server for each automated test I'd like to kill the server at the end of each test. This is currently not possible as the runServer function does not return the httpServer object.

I already have this implemented on my machine and can submit PR. Would it be possible to add this to the library?

Bower's been deprecated apparently. Would you mind if I posted a PR replacing it with Yarn?

Thanks for the fantastic library, it's really helping out with what I'm trying to build.

I'm having an issue implementing logout from my currently in development SP. I can log in successfully, but when I go to log out using the slo endpoint with redirect, I get the following error:

Error: Invalid Session Participant
    at c:\Users\jhubers\Documents\Code\saml-idp\node_modules\samlp\lib\logout.js:181:65
    at SessionParticipants.get (c:\Users\jhubers\Documents\Code\saml-idp\node_modules\samlp\lib\sessionParticipants\index.js:32:20)
    at c:\Users\jhubers\Documents\Code\saml-idp\node_modules\samlp\lib\logout.js:178:39
    at c:\Users\jhubers\Documents\Code\saml-idp\node_modules\samlp\lib\logout.js:295:5
    at c:\Users\jhubers\Documents\Code\saml-idp\node_modules\samlp\lib\utils.js:121:20
    at c:\Users\jhubers\Documents\Code\saml-idp\node_modules\samlp\lib\utils.js:76:16
    at c:\Users\jhubers\Documents\Code\saml-idp\node_modules\samlp\lib\logout.js:161:38
    at SessionParticipants.get (c:\Users\jhubers\Documents\Code\saml-idp\node_modules\samlp\lib\sessionParticipants\index.js:32:20)
    at Object.getCredentials (c:\Users\jhubers\Documents\Code\saml-idp\node_modules\samlp\lib\logout.js:159:41)
    at configureSigningCredentials (c:\Users\jhubers\Documents\Code\saml-idp\node_modules\samlp\lib\utils.js:74:13)

Looking at where the line is failing in the samlp library I see the following:

...
          options.sessionParticipants.get(requestData.issuer, requestData.sessionIndex, requestData.nameId, function (err, session) {
            if (err) { return next(err); }
            if (!session && !options.destination) { return next(new Error('Invalid Session Participant')); }
...

I have debugged'ed and looked at what values options.sessionParticipants has and what values requestData has.

The requestData.sessionIndex is misaligned with what is in options.sessionParticipants[...].sessionIndex so a user is never found.

I believe there is a missing or incorrect getParticipant in saml-idp with hashing the sessionIndex.

I say this because the samlp.sessionParticipants[...].sessionIndex is the hashed value of the requestData.sessionIndex that I am looking up.

For example,

I log in with the following information:

id:"identifier_1"
issuer:"https://myapp.org"
nameId:"[email protected]"
nameIdFormat:"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
sessionIndex:"1"

When I go to log out, I see that samlp sessionParticipants has the following participants:

nameId:"[email protected]"
nameIdFormat:"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
serviceProviderId:"https://www.okta.com/saml2/service-provider/spf5aFRRXFGIMAYXQPNV"
serviceProviderLogoutURL:"/saml/slo"
sessionIndex:"1652171193"

And the requestData.sessionIndex is 1

start the idp server:

npm install -g saml-idp
saml-idp --audience https://samltest.id/saml/sp --acsUrl  https://samltest.id/Shibboleth.sso/SAML2/POST 

upload metadata

go to test, https://samltest.id/

get the result

I'm submitting an authn request and the only hidden input values of any form the response is the _authnRequest. I was expecting to see SAMLResponse and RelayState, as described in the Web Browser SSO Profile example on the Wikipedia page. I think a short example of using this test service would help a lot.

Yarn audit throws violations about a debug package with vulnerabilities, see: GHSA-gxpj-cx7g-858c

First of all, great repo. I've been using this for a few months, and it saved me a lot of time on testing SSO based on SAML.

parseSamlRequest does not do any work for IDP-initiated flow, as there is no SAMLRequest, so kind of not making sense to have that as a handler for IDP-initiated endpoint, which is GET /, /idp, /saml/sso.

Looking at the output from /metadata indicates that the logout URL is /logout, but it is in fact hard-coded to /signout in app.js. This is in a freshly cloned and built instance, no customization whatsoever. Where is the metadata coming from, by the way? I can't even see how to fix it.

I got an error when using the Single Logout. If I log in and wait more than a minute, then log out, the SAML server displays the Invalid Session Participant error message. I traced the error to the maxAge setting of the cookie, it is set to 60000 milliseconds. If I change the value to something like 24h I can logout during that time without error.

I could be misunderstanding the disableRequestAcsUrl feature, or I could be testing it wrong, but it seems like it does not work as advertised.

Here is my server file:

const { runServer } = require('saml-idp')
const path = require('path')

runServer({
  disableRequestAcsUrl: true,
  audience: 'test',
  acsUrl: 'i am so invalid',
  cert: path.join(__dirname, 'idp-public-cert.pem'),
  key: path.join(__dirname, 'idp-private-key.pem')
})

It seems like the SAMLResponse is posted back to the requested ACS URL, even though the disableRequestAcsUrl flag is set. I would expect it to post to the invalid acsUrl.

Looking at the code, it seems like the getPostURL function that is passed to samlp does not take into account whether this flag is set, so the postUrl is always the requested ACS URL.

I'm happy to open a PR if this is a bug. And thanks for the library!

Hi.
I used "saml-idp" and "saml-sp" projects, together.
When I click on “force sign-in” button, then an error appear (in profile page):

/home/user/saml-idp-master/views/user.hbs: (((intermediate value)(intermediate value) && stack1.forceAuthn) || helpers.helperMissing).call is not a function

TypeError: /home/user/saml-idp-master/views/user.hbs: (((intermediate value)(intermediate value) && stack1.forceAuthn) || helpers.helperMissing).call is not a function
at eval (eval at createFunctionContext (/home/user/saml-idp-master/node_modules/handlebars/dist/cjs/handlebars/compiler/javascript-compiler.js:254:23), :6:127)
at Object.prog as fn
at Object. (/home/user/saml-idp-master/node_modules/handlebars/dist/cjs/handlebars/helpers/if.js:19:22)
at eval (eval at createFunctionContext (/home/user/saml-idp-master/node_modules/handlebars/dist/cjs/handlebars/compiler/javascript-compiler.js:254:23), :14:32)
at Object.prog as fn
at Object. (/home/user/saml-idp-master/node_modules/handlebars/dist/cjs/handlebars/helpers/if.js:19:22)
at Object.eval (eval at createFunctionContext (/home/user/saml-idp-master/node_modules/handlebars/dist/cjs/handlebars/compiler/javascript-compiler.js:254:23), :6:32)
at main (/home/user/saml-idp-master/node_modules/handlebars/dist/cjs/handlebars/runtime.js:173:32)
at ret (/home/user/saml-idp-master/node_modules/handlebars/dist/cjs/handlebars/runtime.js:176:12)
at ret (/home/user/saml-idp-master/node_modules/handlebars/dist/cjs/handlebars/compiler/compiler.js:525:21)

I'm getting next() is not a function in response to a SAML auth

/me//git/saml-idp/node_modules/samlp/lib/samlp.js:146
        if (err) return next(err);
                        ^

TypeError: next is not a function
    at <redacted>/node_modules/samlp/lib/samlp.js:146:25
    at <redacted>/node_modules/samlp/lib/samlp.js:94:21
    at Immediate.<anonymous> (<redacted>/node_modules/saml/lib/utils.js:13:7)
    at process.processImmediate (node:internal/timers:471:21)

I'm on Node.js v18.3.0

I'm getting 304 redirects through the auth chain, but then at the end it's throwing the error. I see no indication in the output as to why. I saw a previous thread from several years ago about some decompression, but there was no solution indicated in that thread.

How do I troubleshoot/fix this?

Hello!

I'm interested in using the project for mock testing logins with Keycloak where IDP is used. Do you know if this should work with configuring in Keycloak to connect to the server started from this lib?

Thanks a lot!

Hello, just fired up a small app using your lib 1.2.1, server spins up but when I navigate to localhost://7000, I get a 403. Suspecting CORS, but I imagine that should be handled already? Any pointers are welcome.

Access to localhost was deniedYou don't have authorization to view this page.
HTTP ERROR 403

I tried to base64 decode /metadata out put but it doesn't decode properly. Generally /metadata will be a standard xml right? In this case is it encrypted?

I get this error when I parse the SAMLResponse in my ruby-saml based Service Provider application.

"Invalid SAML Response. Not match the saml-schema-protocol-2.0.xsd"

Any ideas?

BTW, awesome plugin. Quick and Simple!

Hello,

I've recently run into a problem utilizing this project due to what looks like a mismatch between the SHA1 hash defined in package-lock.json and what's retrieved from the 'version' url. Specifically, for the entry starting on line 1247 ( xmldom ), it looks like it's pulling the tarball from master but it includes a sha1 integrity hash. I do see this dependency specified elsewhere in the lock file but these other locations either indicate a specific version and include an integrity hash, or they indicate master w/ no integrity hash.

I'm not sure if anybody else is running into this issue but I figured it didn't hurt to toss it out there.

Thanks!

Ryan

Hi - no matter how I configure saml-idp, when I click on the sign-in button I get the following error:

/Users/nicford/Source/Ascential/shared/saml-idp/node_modules/samlp/lib/samlp.js:164
      if (err) return next(err);
                      ^

TypeError: next is not a function
    at /Users/nicford/Source/Ascential/shared/saml-idp/node_modules/samlp/lib/samlp.js:164:23
    at /Users/nicford/Source/Ascential/shared/saml-idp/node_modules/samlp/lib/utils.js:86:27
    at InflateRaw.onError (zlib.js:198:5)
    at emitOne (events.js:96:13)
    at InflateRaw.emit (events.js:191:7)
    at Zlib._handle.onerror (zlib.js:358:10)

It's probably just a configuration error at my end (relatively new to SAML) but if you have any insights I'd appreciate them.

Many thanks

Nic Ford

This is caused by an upstream issue in auth0/node-samlp. I created an issue and pull request there, but my real goal is to have that change being used in saml-idp so that my test setup validates correctly end-to-end. When/if that lands can we update mcguinness/node-samlp and mcguinness/saml-idp?

See

• auth0/node-samlp#91
• auth0/node-samlp#92

Hi,

Just fired this project up, was getting errors on the argument checks for the certificates due to the fact that some function(argv, aliases) { functions don't return true at the end. As soon as I put them in worked correctly.

Hi,

I'm using node v9.9.0 and npm v5.6.0. Running npm install fails with numerous issues:

• npm WARN tar ENOENT: no such file or directory, open 'saml-idp/node_modules/.staging/node-forge-1f943e2d/dist/forge.min.js'
• (repeat last ENOENT for dozens of other packages)
• npm ERR! code EINTEGRITY
• npm ERR! sha1-Yq9xD8gtQpVtjmkYvRus+FFjyzc= integrity checksum failed when using sha1: wanted sha1-Yq9xD8gtQpVtjmkYvRus+FFjyzc= but got sha1-7SlRb/DIDZxfF9ukd4CGgy70ink=. (98083 bytes)

Does this IDP supports SAML logout?

I noticed this disclaimer in your README.

This sample is not intended for use with production systems!

I was wondering if you could possibly explain why. What modifications would be needed in order to make this production ready? Are there any other libraries or examples that could be used in a production environment?

Running docker misses /css and /bower_components access. Browser get 404 for any resources in those two folders.

For an SP-initiated SSO, the SP can specify the required ACS endpoint in the AuthnRequest so I'm wondering why saml-idp needs to know this URL in advance (and requires the --acsUrl parameter to be provided).

I'm asking this in the context of using a single saml-idp instance for multiple SPs, each with their own unique ACS URL.

Thanks.

I am running node v14.8

To test assertion encryption, I created a key pair (btw.. without encryption everything works fine)

openssl genrsa -out assertion-enc-key.pem 2048 
openssl rsa -in assertion-enc-key.pem -outform PEM -pubout -out assertion-pub-key.pem <--extracted public key from above file

run the tool using below command line options.

node app.js --acsUrl http://cockerham.stratus.lk/Tenant/TestSsoAssertionConsumer 
--audience http://cockerham.stratus.com 
--encryptAssertion true 
--encryptionPublicKey ./assertion-pub-key.pem 
--encryptionCert ./assertion-enc-key.pem

Once I login; in the console it shows

Generating SAML Response using => { ... data to generate ... }

Then it gives below error and quits. I feel I may be using the options/keys wrong?

I'm using runServer to create a saml-idp server in a node project. When I try the idp login I see a lot of 404s for jquery, underscore, etc that are in the bower_components folder.

If I send a LogoutRequest via a client library such as python3-saml, I get a 500 response. It seems that without the original browser cookies, the code in samlp raises an error. I can't see why browser cookies are required to send a logout request from the SP. Is this a bug in saml-idp or some misunderstanding on my part regarding how SAML bindings work?

BTW: when i test this idp with saml-sp, i met this error ---- PEM_read_bio_PUBKEY failed, what's the problem?

Trying to troubleshoot some problems with Okta not being able to validate the response, how can I saw the complete raw SAML request & assertion?

Hello, I'm struggling to debug this issue. In short:

• In the SSO response from the IDP a sessionIndex is included in the XML

<saml:AuthnStatement AuthnInstant="2022-08-02T16:41:33.293Z" SessionIndex="475112335">

• In the SLO request the sessionIndex provided and logged is the same as in the auth response mentioned above

Processing SAML SLO request for participant => 
 {
  serviceProviderId: **redacted**,
  sessionIndex: '475112335',
  nameId: '[email protected]',
  nameIdFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
  serviceProviderLogoutURL: 'http://localhost:3000/users/saml/idp_sign_out'
}

• SLO fails due to this issue

Any pointers as to what could be wrong would be greatly appreciated.

Hello there! First of all, thank you for writing this library/tool, it has been extremely valuable to me.

I have the need to use saml-idp in "library" mode, but I will need to be able to shut down the server, and restart with various different configurations.

The current latest release version on NPM is 1.2.1 has a bug where _runServer() doesn't actually return the server. I saw you fixed this in a later commit, but there hasn't been a new release to NPM so I can't easily use this fix.

Would it be possible to do a new version release on NPM? Is there anything I can do to aid you in that?
Thanks! 🙏

I have a saml SP and would like to test the authentication flow. Is that possible with this application? If so the documentation isn't really clear on how to setup test users and credentials.

The docker-compose build command in README.md did not work for me. I think root cause is Docker v20 includes newer Docker Compose v2, and docker-compose.yml is only compatible with Docker Compose v1.

I am running Ubuntu 22.04 x86_64 LTS. I used the install instructions on Docker's website for Ubuntu.

• https://docs.docker.com/engine/install/ubuntu/

I was able to update docker-compose.yml to make it work with Docker Compose v2. I am sharing in case anyone else runs into this issue.

Steps to reproduce:

Install Docker latest version. Check Docker and Docker Compose installed version on Ubuntu 22.04 x86_64 LTS.

$ docker --version
Docker version 20.10.18, build b40c2f6

$ docker compose version
Docker Compose version v2.10.2

Install saml-idp. When I get to the docker-compose build step, it fails because the docker-compose command is not found.

$ docker-compose build
Command 'docker-compose' not found, but can be installed with:
sudo snap install docker          # version 20.10.17, or
sudo apt  install docker-compose  # version 1.29.2-1
See 'snap info docker' for additional versions.

• Notice the latest available version of docker-compose is 1.29.2-1. That is older than docker compose version 2.10.2 which came with Docker v20.10.18. The new v2 command seems to have a space instead of a dash.

Try to build with Docker Compose v2. It fails with a cryptic error.

$ docker compose build
(root) Additional property saml-idp is not allowed

Update docker-compose.yml to make it compatible with Docker Compose v2 (insert service, replace net with network_mode)

$ cat <<EOF > ./docker-compose.yml
services:
  saml-idp:
    build: .
    ports:
      - "7000:7000"
    network_mode: "host"
EOF

Build with Docker Compose v2. It works.

$ docker compose build
[+] Building 9.1s (15/15) FINISHED

Build with Docker Compose v2. It works.

$ docker compose up
[+] Running 1/0
 ⠿ Container saml-idp-saml-idp-1  Created                                                       0.0s
Attaching to saml-idp-saml-idp-1

I am using runServer to start a IDP Server in the beforeAll setup of a JEST Integration test.

runServer({
  acsUrl: 'http://localhost:5602/_opendistro/_security/saml/acs',
  audience: 'https://localhost:9200',
});

Since, this method returns void there is no handle available to stop the server, this keeps the JEST ITs to remain hung with the message

This usually means that there are asynchronous operations that weren't stopped in your tests. Consider running Jest with --detectOpenHandles to troubleshoot this issue.

A simple workaround is to use the option --force-kill to stop the Jest server. Is there a graceful manner of shutting down the IDP Server ?

Hi,

currently default values for nameIdFormat are not reflected. For example with the following config:

userDefaults = {
 nameIdFormat: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
}

I made some research and it seems like this issue is caused by the whitespaces in the select options in the markup. After I removed them, the default values were correctly applied.

I'm not sure if I'm doing something wrong but on Windows 10 and CentOS 7.8 when I perform the "docker-compose build" command, I'm getting a "Maximum call stack size exceeded" error.

Here's the full output on CentOS:

$ docker-compose build
Building saml-idp
Step 1/12 : FROM node:latest
 ---> 3509e57cfda1
Step 2/12 : ADD ./package.json package.json
 ---> Using cache
 ---> 813d22843647
Step 3/12 : RUN npm install --loglevel verbose
 ---> Running in 25cd0d1eb356
npm verb cli [
npm verb cli   '/usr/local/bin/node',
npm verb cli   '/usr/local/bin/npm',
npm verb cli   'install',
npm verb cli   '--loglevel',
npm verb cli   'verbose'
npm verb cli ]
npm info using [email protected]
npm info using [email protected]
npm timing config:load:defaults Completed in 2ms
npm timing config:load:file:/usr/local/lib/node_modules/npm/npmrc Completed in 1ms
npm timing config:load:builtin Completed in 1ms
npm timing config:load:cli Completed in 2ms
npm timing config:load:env Completed in 1ms
npm timing config:load:file:/.npmrc Completed in 1ms
npm timing config:load:project Completed in 1ms
npm timing config:load:file:/root/.npmrc Completed in 0ms
npm timing config:load:user Completed in 0ms
npm timing config:load:file:/usr/local/etc/npmrc Completed in 0ms
npm timing config:load:global Completed in 0ms
npm timing config:load:cafile Completed in 0ms
npm timing config:load:validate Completed in 1ms
npm timing config:load:setUserAgent Completed in 0ms
npm timing config:load:setEnvs Completed in 1ms
npm timing config:load Completed in 9ms
npm verb npm-session b4af5ee683f22558
npm timing npm:load Completed in 23ms
npm http fetch GET 200 https://registry.npmjs.org/npm 130ms
npm http fetch GET 200 https://registry.npmjs.org/npm 12ms (from cache)
npm timing arborist:ctor Completed in 1ms
npm timing idealTree Completed in 25ms
npm timing command:install Completed in 30ms
npm notice 
npm notice New patch version of npm available! 7.0.2 -> 7.0.3
npm notice Changelog: <https://github.com/npm/cli/releases/tag/v7.0.3>
npm notice Run `npm install -g [email protected]` to update!
npm notice 
npm verb stack RangeError: Maximum call stack size exceeded
npm verb stack     at Node.get parent [as parent] (/usr/local/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/node.js:691:5)
npm verb stack     at Node.get resolveParent [as resolveParent] (/usr/local/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/node.js:949:17)
npm verb stack     at Node.resolve (/usr/local/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/node.js:956:32)
npm verb stack     at Node.resolve (/usr/local/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/node.js:958:28)
npm verb stack     at Node.resolve (/usr/local/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/node.js:958:28)
npm verb stack     at Node.resolve (/usr/local/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/node.js:958:28)
npm verb stack     at Node.resolve (/usr/local/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/node.js:958:28)
npm verb stack     at Node.resolve (/usr/local/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/node.js:958:28)
npm verb stack     at Node.resolve (/usr/local/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/node.js:958:28)
npm verb stack     at Node.resolve (/usr/local/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/node.js:958:28)
npm verb cwd /
npm verb Linux 3.10.0-1127.19.1.el7.x86_64
npm verb argv "/usr/local/bin/node" "/usr/local/bin/npm" "install" "--loglevel" "verbose"
npm verb node v15.0.0
npm verb npm  v7.0.2
npm ERR! Maximum call stack size exceeded
npm verb exit 1
npm timing npm Completed in 504ms

Would it be possible to bump dependency https://github.com/auth0/node-samlp to get latest security fixes?

Using both expressjs/session and expressjs/cookie-parser means that the session management is actually not working. Since v1.5 session manages its own cookies, and having cookie-parser enabled as well causes a conflict. I tried having them share the same secret but it only make it worse. Removing cookie-parser completely at least gets the session working.

Hi,

is there a way how I can force the IDP to sign all my assertions. I am running into problems testing against an SP, which needs my assertions to be signed.

Best,
Pascal