summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
Diffstat (limited to 'lib')
-rw-r--r--lib/config/default.js1
-rw-r--r--lib/config/environment.js1
-rw-r--r--lib/web/auth/saml/index.js16
3 files changed, 17 insertions, 1 deletions
diff --git a/lib/config/default.js b/lib/config/default.js
index 9b852d1e..9284882a 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -143,6 +143,7 @@ module.exports = {
saml: {
idpSsoUrl: undefined,
idpCert: undefined,
+ clientCert: undefined,
issuer: undefined,
identifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
disableRequestedAuthnContext: false,
diff --git a/lib/config/environment.js b/lib/config/environment.js
index 87a7e3ee..2d76286f 100644
--- a/lib/config/environment.js
+++ b/lib/config/environment.js
@@ -120,6 +120,7 @@ module.exports = {
saml: {
idpSsoUrl: process.env.CMD_SAML_IDPSSOURL,
idpCert: process.env.CMD_SAML_IDPCERT,
+ clientCert: process.env.CMD_SAML_CLIENTCERT,
issuer: process.env.CMD_SAML_ISSUER,
identifierFormat: process.env.CMD_SAML_IDENTIFIERFORMAT,
disableRequestedAuthnContext: toBooleanConfig(process.env.CMD_SAML_DISABLEREQUESTEDAUTHNCONTEXT),
diff --git a/lib/web/auth/saml/index.js b/lib/web/auth/saml/index.js
index 40a6f8b3..14f3966d 100644
--- a/lib/web/auth/saml/index.js
+++ b/lib/web/auth/saml/index.js
@@ -16,7 +16,21 @@ passport.use(new SamlStrategy({
callbackUrl: config.serverURL + '/auth/saml/callback',
entryPoint: config.saml.idpSsoUrl,
issuer: config.saml.issuer || config.serverURL,
- cert: fs.readFileSync(config.saml.idpCert, 'utf-8'),
+ privateCert: config.saml.clientCert === undefined ? undefined : (function () {
+ try {
+ return fs.readFileSync(config.saml.clientCert, 'utf-8')
+ } catch (e) {
+ logger.error(`SAML client certificate: ${e.message}`)
+ }
+ }()),
+ cert: (function () {
+ try {
+ return fs.readFileSync(config.saml.idpCert, 'utf-8')
+ } catch (e) {
+ logger.error(`SAML idp certificate: ${e.message}`)
+ process.exit(1)
+ }
+ }()),
identifierFormat: config.saml.identifierFormat,
disableRequestedAuthnContext: config.saml.disableRequestedAuthnContext
}, function (user, done) {