Skip to content

boxyhq/saml20

This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
5 Branches61 Tags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

deepakprabhakaradeepakprabhakara
updated xml-crypto
Mar 14, 2025
1452ac8 · Mar 14, 2025

History

837 Commits
.github
.github
Aug 20, 2024
lib
lib
Mar 14, 2025
test
test
Jan 28, 2025
.editorconfig
.editorconfig
Dec 23, 2015
.gitattributes
.gitattributes
Oct 17, 2021
.gitignore
.gitignore
Apr 26, 2022
.prettierignore
.prettierignore
Apr 26, 2022
.prettierrc.js
.prettierrc.js
Feb 4, 2024
.release-it.json
.release-it.json
Feb 4, 2024
LICENSE
LICENSE
Feb 23, 2022
README.md
README.md
Feb 4, 2024
SECURITY.md
SECURITY.md
Feb 16, 2022
eslint.config.mjs
eslint.config.mjs
Aug 13, 2024
package-lock.json
package-lock.json
Mar 14, 2025
package.json
package.json
Mar 14, 2025
tsconfig.json
tsconfig.json
Feb 4, 2024

Repository files navigation

SAML 2.0 & 1.1 Assertion Parser & Validator

Build Status

=============

boxyhq/saml20 is a fork of a fork of saml20. It now has extended functionality and diverges from the original unmaintained library. The new package is published here - https://www.npmjs.com/package/@boxyhq/saml20

Installation

$ npm install @boxyhq/saml20

Usage

[DEPRECATED] saml.parse(rawAssertion, cb)

rawAssertion is the SAML Assertion in string format.

Parses the rawAssertion without validating signature, expiration and audience. It allows you to get information from the token like the Issuer name in order to obtain the right public key to validate the token in a multi-providers scenario.

var saml = require('@boxyhq/saml20').default;

saml.parse(rawAssertion, function (err, profile) {
  // err

  var claims = profile.claims; // Array of user attributes;
  var issuer = profile.issuer; // String Issuer name.
});

saml.parseIssuer(rawAssertion)

rawAssertion is the SAML Assertion in string format.

Parses the rawAssertion without validating signature, expiration and audience. It allows you to get information from the token like the Issuer name.

const issuer = saml.parseIssuer(rawResponse);

saml.validate(rawAssertion, options, cb)

rawAssertion is the SAML Assertion in string format.

options:

  • thumbprint is the thumbprint of the trusted public key (uses the public key that comes in the assertion).
  • publicKey is the trusted public key.
  • audience (optional). If it is included audience validation will take place.
  • bypassExpiration (optional). This flag indicates expiration validation bypass (useful for testing, not recommended in production environments);

You can use either thumbprint or publicKey but you should use at least one.

var saml = require('@boxyhq/saml20').default;

var options = {
  thumbprint: '1aeabdfa4473ecc7efc5947b18436c575574baf8',
  audience: 'http://myservice.com/',
};

saml.validate(rawAssertion, options, function (err, profile) {
  // err

  var claims = profile.claims; // Array of user attributes;
  var issuer = profile.issuer; // String Issuer name.
});

or using publicKey:

var saml = require('@boxyhq/saml20').default;

var options = {
  publicKey: 'MIICDzCCAXygAwIBAgIQVWXAvbbQyI5Bc...',
  audience: 'http://myservice.com/',
};

saml.validate(rawAssertion, options, function (err, profile) {
  // err

  var claims = profile.claims; // Array of user attributes;
  var issuer = profile.issuer; // String Issuer name.
});

Tests

Configure test/lib.index.js

In order to run the tests you must configure lib.index.js with these variables:

var issuerName = 'https://your-issuer.com';
var thumbprint = '1aeabdfa4473ecc7efc5947b19436c575574baf8';
var certificate = 'MIICDzCCAXygAwIBAgIQVWXAvbbQyI5BcFe0ssmeKTAJBgU...';
var audience = 'http://your-service.com/';

You also need to include a valid and an invalid SAML 2.0 token on test/assets/invalidToken.xml and test/assets/validToken.xml`

<Assertion ID="_1308c268-38e2-4849-9957-b7babd4a0659" IssueInstant="2014-03-01T04:04:52.919Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer>https://your-issuer.com/</Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ds:Reference URI="#_1308c268-38e2-4849-9957-b7babd4a0659"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><ds:DigestValue>qJQjAuaj7adyLkl6m3T1oRhtYytu4bebq9JcQObZIu8=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>amPTOSqkEq5ppbCyUgGgm....</Assertion>

To run the tests use:

$ npm test

Contributing

Thanks for taking the time to contribute! Contributions are what make the open-source community such an amazing place to learn, inspire, and create. Any contributions you make will benefit everybody and are appreciated.

Please try to create bug reports that are:

  • Reproducible. Include steps to reproduce the problem.
  • Specific. Include as much detail as possible: which version, what environment, etc.
  • Unique. Do not duplicate existing opened issues.
  • Scoped to a Single Bug. One bug per report.

Community

  • Discord (For live discussion with the Community and BoxyHQ team)
  • Twitter (Get the news fast)

Reporting Security Issues

Responsible Disclosure

License

MIT

About

SAML 2.0 parser for Node.js

Topics

saml saml2 enterprise-software

Resources

Readme

License

MIT license

Security policy

Security policy
Activity
Custom properties

Stars

12 stars

Watchers

1 watching

Forks

9 forks
Report repository

Releases 59

Release v1.10.1 Latest
Mar 14, 2025
+ 58 releases

Packages

No packages published

Contributors 9

Languages