allow to set a saml client certificate

Signed-off-by: Simeon Keske <git@n0emis.eu>

3 files changed, 3 insertions, 0 deletions

diff --git a/lib/config/default.js b/lib/config/default.js
index 9b852d1e..9284882a 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -143,6 +143,7 @@ module.exports = {
   saml: {
     idpSsoUrl: undefined,
     idpCert: undefined,
+    clientCert: undefined,
     issuer: undefined,
     identifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
     disableRequestedAuthnContext: false,
diff --git a/lib/config/environment.js b/lib/config/environment.js
index 87a7e3ee..2d76286f 100644
--- a/lib/config/environment.js
+++ b/lib/config/environment.js
@@ -120,6 +120,7 @@ module.exports = {
   saml: {
     idpSsoUrl: process.env.CMD_SAML_IDPSSOURL,
     idpCert: process.env.CMD_SAML_IDPCERT,
+    clientCert: process.env.CMD_SAML_CLIENTCERT,
     issuer: process.env.CMD_SAML_ISSUER,
     identifierFormat: process.env.CMD_SAML_IDENTIFIERFORMAT,
     disableRequestedAuthnContext: toBooleanConfig(process.env.CMD_SAML_DISABLEREQUESTEDAUTHNCONTEXT),
diff --git a/lib/web/auth/saml/index.js b/lib/web/auth/saml/index.js
index 40a6f8b3..4d0bfec5 100644
--- a/lib/web/auth/saml/index.js
+++ b/lib/web/auth/saml/index.js
@@ -17,6 +17,7 @@ passport.use(new SamlStrategy({
   entryPoint: config.saml.idpSsoUrl,
   issuer: config.saml.issuer || config.serverURL,
   cert: fs.readFileSync(config.saml.idpCert, 'utf-8'),
+  privateCert: config.saml.clientCert === undefined ? undefined : fs.readFileSync(config.saml.clientCert, 'utf-8'),
   identifierFormat: config.saml.identifierFormat,
   disableRequestedAuthnContext: config.saml.disableRequestedAuthnContext
 }, function (user, done) {