⭐ feat: add RequestedAuthnContext Comparison Type parameter

test: add test for check the option comparisonType
node-saml · Mar 19, 2019 · 6aee893 · 6aee893
1 parent b384277
commit 6aee893
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 2 deletions.
diff --git a/docs/adfs/README.md b/docs/adfs/README.md
@@ -56,7 +56,8 @@ passport.use(new SamlStrategy(
     acceptedClockSkewMs: -1,
     identifierFormat: null,
   // this is configured under the Advanced tab in AD FS relying party
-    signatureAlgorithm: 'sha256'
+    signatureAlgorithm: 'sha256',
+    comparisonType: 'exact', // default to exact RequestedAuthnContext Comparison Type
   },
   function(profile, done) {
     return done(null,

diff --git a/lib/passport-saml/saml.js b/lib/passport-saml/saml.js
@@ -80,6 +80,17 @@ SAML.prototype.initialize = function (options) {
     options.signatureAlgorithm = 'sha1';
   }
 
+  /**
+   * List of possible values:
+   * - exact : Assertion context must exactly match a context in the list
+   * - minimum:  Assertion context must be at least as strong as a context in the list
+   * - maximum:  Assertion context must be no stronger than a context in the list
+   * - better:  Assertion context must be stronger than all contexts in the list
+   */
+  if (!options.comparisonType || ['exact','minimum','maximum','better'].indexOf(options.comparisonType) === -1){
+    options.comparisonType = 'exact';
+  }
+
   return options;
 };
 
@@ -202,7 +213,7 @@ SAML.prototype.generateAuthorizeRequest = function (req, isPassive, callback) {
 
       request['samlp:AuthnRequest']['samlp:RequestedAuthnContext'] = {
         '@xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol',
-        '@Comparison': 'exact',
+        '@Comparison': self.options.comparisonType,
         'saml:AuthnContextClassRef': authnContextClassRefs
       };
     }

diff --git a/test/tests.js b/test/tests.js