diff options
author | Emmanuel Ormancey | 2018-12-12 10:40:24 +0100 |
---|---|---|
committer | Sheogorath | 2019-04-06 17:54:58 +0200 |
commit | df53f465c0238e9a6a306df21cd7e04731056dd6 (patch) | |
tree | bd7ed2541fd1f233ac74b4dbd7953e1bb975c73e | |
parent | 5379d65edc8edfb6135f43e4e021ee2d7907d957 (diff) |
Added a configuration option for passport-saml:
disableRequestedAuthnContext: true|false
By default only Password authmethod is accepted, this option allows any other method.
Issue and option described here:
https://github.com/bergie/passport-saml/issues/226
Signed-off-by: Emmanuel Ormancey <emmanuel.ormancey@cern.ch>
-rw-r--r-- | config.json.example | 1 | ||||
-rw-r--r-- | docs/configuration-env-vars.md | 1 | ||||
-rw-r--r-- | lib/config/default.js | 1 | ||||
-rw-r--r-- | lib/config/environment.js | 1 | ||||
-rw-r--r-- | lib/config/hackmdEnvironment.js | 1 | ||||
-rw-r--r-- | lib/web/auth/saml/index.js | 3 |
6 files changed, 7 insertions, 1 deletions
diff --git a/config.json.example b/config.json.example index cb2bf3a5..d1c1cc5c 100644 --- a/config.json.example +++ b/config.json.example @@ -93,6 +93,7 @@ "idpCert": "change: certificate file path of IdP in PEM format", "issuer": "change or delete: identity of the service provider (default: serverurl)", "identifierFormat": "change or delete: name identifier format (default: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress')", + "disableRequestedAuthnContext": "change or delete: true to allow any authentication method, false restricts to password authentication method (default: false)", "groupAttribute": "change or delete: attribute name for group list (ex: memberOf)", "requiredGroups": [ "change or delete: group names that allowed" ], "externalGroups": [ "change or delete: group names that not allowed" ], diff --git a/docs/configuration-env-vars.md b/docs/configuration-env-vars.md index c81deab9..b512f485 100644 --- a/docs/configuration-env-vars.md +++ b/docs/configuration-env-vars.md @@ -183,6 +183,7 @@ defaultNotePath can't be set from env-vars | `CMD_SAML_IDPSSOURL` | `https://idp.example.com/sso` | authentication endpoint of IdP. for details, see [guide](guides/auth/saml-onelogin.md). | | `CMD_SAML_IDPCERT` | `/path/to/cert.pem` | certificate file path of IdP in PEM format | | `CMD_SAML_ISSUER` | no example | identity of the service provider (optional, default: serverurl)" | +| `CMD_SAML_DISABLEREQUESTEDAUTHNCONTEXT` | `true` or `false` | true to allow any authentication method, false restricts to password authentication (PasswordProtectedTransport) method (default: false) | | `CMD_SAML_IDENTIFIERFORMAT` | no example | name identifier format (optional, default: `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`) | | `CMD_SAML_GROUPATTRIBUTE` | `memberOf` | attribute name for group list (optional) | | `CMD_SAML_REQUIREDGROUPS` | `codimd-users` | group names that allowed (use vertical bar to separate) (optional) | diff --git a/lib/config/default.js b/lib/config/default.js index 9e401f38..98ccee91 100644 --- a/lib/config/default.js +++ b/lib/config/default.js @@ -138,6 +138,7 @@ module.exports = { idpCert: undefined, issuer: undefined, identifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress', + disableRequestedAuthnContext: false, groupAttribute: undefined, externalGroups: [], requiredGroups: [], diff --git a/lib/config/environment.js b/lib/config/environment.js index fc757cf1..882df140 100644 --- a/lib/config/environment.js +++ b/lib/config/environment.js @@ -115,6 +115,7 @@ module.exports = { idpCert: process.env.CMD_SAML_IDPCERT, issuer: process.env.CMD_SAML_ISSUER, identifierFormat: process.env.CMD_SAML_IDENTIFIERFORMAT, + disableRequestedAuthnContext: toBooleanConfig(process.env.CMD_SAML_DISABLEREQUESTEDAUTHNCONTEXT), groupAttribute: process.env.CMD_SAML_GROUPATTRIBUTE, externalGroups: toArrayConfig(process.env.CMD_SAML_EXTERNALGROUPS, '|', []), requiredGroups: toArrayConfig(process.env.CMD_SAML_REQUIREDGROUPS, '|', []), diff --git a/lib/config/hackmdEnvironment.js b/lib/config/hackmdEnvironment.js index bc20e58a..e5ffeb8a 100644 --- a/lib/config/hackmdEnvironment.js +++ b/lib/config/hackmdEnvironment.js @@ -109,6 +109,7 @@ module.exports = { idpCert: process.env.HMD_SAML_IDPCERT, issuer: process.env.HMD_SAML_ISSUER, identifierFormat: process.env.HMD_SAML_IDENTIFIERFORMAT, + disableRequestedAuthnContext: toBooleanConfig(process.env.HMD_SAML_DISABLEREQUESTEDAUTHNCONTEXT), groupAttribute: process.env.HMD_SAML_GROUPATTRIBUTE, externalGroups: toArrayConfig(process.env.HMD_SAML_EXTERNALGROUPS, '|', []), requiredGroups: toArrayConfig(process.env.HMD_SAML_REQUIREDGROUPS, '|', []), diff --git a/lib/web/auth/saml/index.js b/lib/web/auth/saml/index.js index b8d98340..3cdb7fe2 100644 --- a/lib/web/auth/saml/index.js +++ b/lib/web/auth/saml/index.js @@ -17,7 +17,8 @@ passport.use(new SamlStrategy({ entryPoint: config.saml.idpSsoUrl, issuer: config.saml.issuer || config.serverURL, cert: fs.readFileSync(config.saml.idpCert, 'utf-8'), - identifierFormat: config.saml.identifierFormat + identifierFormat: config.saml.identifierFormat, + disableRequestedAuthnContext: config.saml.disableRequestedAuthnContext }, function (user, done) { // check authorization if needed if (config.saml.externalGroups && config.saml.groupAttribute) { |