Audience validation

node-saml · Jan 3, 2018 · c2ce79d · c2ce79d
1 parent b54e0f2
commit c2ce79d
Show file tree

Hide file tree

Showing 3 changed files with 94 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -52,6 +52,7 @@ passport.use(new SamlStrategy(
   * `host`: host for callback; will be combined with path and protocol to construct callback url if `callbackUrl` is not specified (default: `localhost`)
   * `entryPoint`: identity provider entrypoint
   * `issuer`: issuer string to supply to identity provider
+  * `audience`: expected saml response Audience (if not provided, Audience won't be verified)
   * `cert`: see [Security and signatures](#security-and-signatures)
   * `privateCert`: see [Security and signatures](#security-and-signatures)
   * `decryptionPvk`: optional private key that will be used to attempt to decrypt any encrypted assertions that are received

diff --git a/lib/passport-saml/saml.js b/lib/passport-saml/saml.js
@@ -802,6 +802,13 @@ SAML.prototype.processValidlySignedAssertion = function(xml, inResponseTo, callb
       if(conErr)
         throw conErr;
     }
+
+    if (self.options.audience) {
+      var audienceErr = self.checkAudienceValidityError(
+                    self.options.audience, conditions.AudienceRestriction);
+      if(audienceErr)
+        throw audienceErr;
+    }
 
     var attributeStatement = assertion.AttributeStatement;
     if (attributeStatement) {
@@ -869,6 +876,28 @@ SAML.prototype.checkTimestampsValidityError = function(nowMs, notBefore, notOnOr
   return null;
 };
 
+SAML.prototype.checkAudienceValidityError = function(expectedAudience, audienceRestrictions) {
+  var self = this;
+  if (!audienceRestrictions || audienceRestrictions.length < 1) {
+    return new Error('SAML assertion has no AudienceRestriction');
+  }
+  var errors = audienceRestrictions.map(function(restriction) {
+    if (!restriction.Audience || !restriction.Audience[0]) {
+      return new Error('SAML assertion AudienceRestriction has no Audience value');
+    }
+    if (restriction.Audience[0] !== expectedAudience) {
+      return new Error('SAML assertion audience mismatch');
+    }
+    return null;
+  }).filter(function(result) {
+    return result !== null;
+  });
+  if (errors.length > 0) {
+    return errors[0];
+  }
+  return null;
+};
+
 SAML.prototype.validatePostRequest = function (container, callback) {
   var self = this;
   var xml = new Buffer(container.SAMLRequest, 'base64').toString('utf8');

diff --git a/test/tests.js b/test/tests.js