From df53f465c0238e9a6a306df21cd7e04731056dd6 Mon Sep 17 00:00:00 2001
From: Emmanuel Ormancey
Date: Wed, 12 Dec 2018 10:40:24 +0100
Subject: Added a configuration option for passport-saml:
 disableRequestedAuthnContext: true|false

By default only Password authmethod is accepted, this option allows any other method.

Issue and option described here:
https://github.com/bergie/passport-saml/issues/226

Signed-off-by: Emmanuel Ormancey <emmanuel.ormancey@cern.ch>
---
 lib/config/default.js           | 1 +
 lib/config/environment.js       | 1 +
 lib/config/hackmdEnvironment.js | 1 +
 lib/web/auth/saml/index.js      | 3 ++-
 4 files changed, 5 insertions(+), 1 deletion(-)

(limited to 'lib')

diff --git a/lib/config/default.js b/lib/config/default.js
index 9e401f38..98ccee91 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -138,6 +138,7 @@ module.exports = {
     idpCert: undefined,
     issuer: undefined,
     identifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
+    disableRequestedAuthnContext: false,
     groupAttribute: undefined,
     externalGroups: [],
     requiredGroups: [],
diff --git a/lib/config/environment.js b/lib/config/environment.js
index fc757cf1..882df140 100644
--- a/lib/config/environment.js
+++ b/lib/config/environment.js
@@ -115,6 +115,7 @@ module.exports = {
     idpCert: process.env.CMD_SAML_IDPCERT,
     issuer: process.env.CMD_SAML_ISSUER,
     identifierFormat: process.env.CMD_SAML_IDENTIFIERFORMAT,
+    disableRequestedAuthnContext: toBooleanConfig(process.env.CMD_SAML_DISABLEREQUESTEDAUTHNCONTEXT),
     groupAttribute: process.env.CMD_SAML_GROUPATTRIBUTE,
     externalGroups: toArrayConfig(process.env.CMD_SAML_EXTERNALGROUPS, '|', []),
     requiredGroups: toArrayConfig(process.env.CMD_SAML_REQUIREDGROUPS, '|', []),
diff --git a/lib/config/hackmdEnvironment.js b/lib/config/hackmdEnvironment.js
index bc20e58a..e5ffeb8a 100644
--- a/lib/config/hackmdEnvironment.js
+++ b/lib/config/hackmdEnvironment.js
@@ -109,6 +109,7 @@ module.exports = {
     idpCert: process.env.HMD_SAML_IDPCERT,
     issuer: process.env.HMD_SAML_ISSUER,
     identifierFormat: process.env.HMD_SAML_IDENTIFIERFORMAT,
+    disableRequestedAuthnContext: toBooleanConfig(process.env.HMD_SAML_DISABLEREQUESTEDAUTHNCONTEXT),
     groupAttribute: process.env.HMD_SAML_GROUPATTRIBUTE,
     externalGroups: toArrayConfig(process.env.HMD_SAML_EXTERNALGROUPS, '|', []),
     requiredGroups: toArrayConfig(process.env.HMD_SAML_REQUIREDGROUPS, '|', []),
diff --git a/lib/web/auth/saml/index.js b/lib/web/auth/saml/index.js
index b8d98340..3cdb7fe2 100644
--- a/lib/web/auth/saml/index.js
+++ b/lib/web/auth/saml/index.js
@@ -17,7 +17,8 @@ passport.use(new SamlStrategy({
   entryPoint: config.saml.idpSsoUrl,
   issuer: config.saml.issuer || config.serverURL,
   cert: fs.readFileSync(config.saml.idpCert, 'utf-8'),
-  identifierFormat: config.saml.identifierFormat
+  identifierFormat: config.saml.identifierFormat,
+  disableRequestedAuthnContext: config.saml.disableRequestedAuthnContext
 }, function (user, done) {
   // check authorization if needed
   if (config.saml.externalGroups && config.saml.groupAttribute) {
-- 
cgit v1.2.3