support multiple authnContext

README.md

@@ -94,7 +94,7 @@ passport.use(new MultiSamlStrategy(
   * `acceptedClockSkewMs`: Time in milliseconds of skew that is acceptable between client and server when checking `OnBefore` and `NotOnOrAfter` assertion condition validity timestamps.  Setting to `-1` will disable checking these conditions entirely.  Default is `0`.
   * `attributeConsumingServiceIndex`: optional `AttributeConsumingServiceIndex` attribute to add to AuthnRequest to instruct the IDP which attribute set to attach to the response ([link](http://blog.aniljohn.com/2014/01/data-minimization-front-channel-saml-attribute-requests.html))
   * `disableRequestedAuthnContext`: if truthy, do not request a specific authentication context. This is [known to help when authenticating against Active Directory](https://github.com/bergie/passport-saml/issues/226) (AD FS) servers.
-  * `authnContext`: if truthy, name identifier format to request auth context (default: `urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport`)
+  * `authnContext`: if truthy, name identifier format to request auth context (default: `urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport`); array of values is also supported
   * `forceAuthn`: if set to true, the initial SAML request from the service provider specifies that the IdP should force re-authentication of the user, even if they possess a valid session.
   * `providerName`: optional human-readable name of the requester for use by the presenter's user agent or the identity provider
   * `skipRequestCompression`: if set to true, the SAML request from the service provider won't be compressed.

lib/passport-saml/saml.js

@@ -44,6 +44,10 @@ SAML.prototype.initialize = function (options) {
     options.authnContext = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport";
   }
 
+  if (!Array.isArray(options.authnContext)) {
+    options.authnContext = [options.authnContext];
+  }
+
   if (!options.acceptedClockSkewMs) {
     // default to no skew
     options.acceptedClockSkewMs = 0;
@@ -181,13 +185,18 @@ SAML.prototype.generateAuthorizeRequest = function (req, isPassive, callback) {
     }
 
     if (!self.options.disableRequestedAuthnContext) {
+      var authnContextClassRefs = [];
+      self.options.authnContext.forEach(function(value) {
+        authnContextClassRefs.push({
+            '@xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion',
+            '#text': value
+        });        
+      });
+
       request['samlp:AuthnRequest']['samlp:RequestedAuthnContext'] = {
         '@xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol',
         '@Comparison': 'exact',
-        'saml:AuthnContextClassRef': {
-          '@xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion',
-          '#text': self.options.authnContext
-        }
+        'saml:AuthnContextClassRef': authnContextClassRefs
       };
     }