Add WantAssertionsSigned

README.md

@@ -125,6 +125,7 @@ type Profile = {
 - `additionalParams`: dictionary of additional query params to add to all requests; if an object with this key is passed to `authenticate`, the dictionary of additional query params will be appended to those present on the returned URL, overriding any specified by initialization options' additional parameters (`additionalParams`, `additionalAuthorizeParams`, and `additionalLogoutParams`)
 - `additionalAuthorizeParams`: dictionary of additional query params to add to 'authorize' requests
 - `identifierFormat`: if truthy, name identifier format to request from identity provider (default: `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`)
+- `wantAssertionsSigned`: it truthy, add `WantAssertionsSigned="true"` to the metadata, to specify that the IdP should always sign the assertions.
 - `acceptedClockSkewMs`: Time in milliseconds of skew that is acceptable between client and server when checking `OnBefore` and `NotOnOrAfter` assertion condition validity timestamps. Setting to `-1` will disable checking these conditions entirely. Default is `0`.
 - `attributeConsumingServiceIndex`: optional `AttributeConsumingServiceIndex` attribute to add to AuthnRequest to instruct the IDP which attribute set to attach to the response ([link](http://blog.aniljohn.com/2014/01/data-minimization-front-channel-saml-attribute-requests.html))
 - `disableRequestedAuthnContext`: if truthy, do not request a specific authentication context. This is [known to help when authenticating against Active Directory](https://github.com/node-saml/passport-saml/issues/226) (AD FS) servers.

src/passport-saml/saml.ts

@@ -1552,6 +1552,10 @@ class SAML {
       metadata.EntityDescriptor.SPSSODescriptor.NameIDFormat = this.options.identifierFormat;
     }
 
+    if (this.options.wantAssertionsSigned) {
+      metadata.EntityDescriptor.SPSSODescriptor["@WantAssertionsSigned"] = true;
+    }
+
     metadata.EntityDescriptor.SPSSODescriptor.AssertionConsumerService = {
       "@index": "1",
       "@isDefault": "true",

src/passport-saml/types.ts

@@ -45,6 +45,7 @@ export interface SAMLOptions {
   idpIssuer: string;
   audience: string;
   scoping: SamlScopingConfig;
+  wantAssertionsSigned: boolean;
 
   // InResponseTo Validation
   validateInResponseTo: boolean;

test/tests.js

@@ -1660,6 +1660,24 @@ describe("passport-saml /", function () {
       metadata.should.containEql(samlConfig.logoutCallbackUrl);
     });
 
+    it("generateServiceProviderMetadata contains WantAssertionsSigned", function () {
+      var samlConfig = {
+        issuer: "http://example.serviceprovider.com",
+        callbackUrl: "http://example.serviceprovider.com/saml/callback",
+        identifierFormat: "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
+        decryptionPvk: fs.readFileSync(__dirname + "/static/testshib encryption pvk.pem"),
+        wantAssertionsSigned: true,
+      };
+
+      var samlObj = new SAML(samlConfig);
+      var decryptionCert = fs.readFileSync(
+        __dirname + "/static/testshib encryption cert.pem",
+        "utf-8"
+      );
+      var metadata = samlObj.generateServiceProviderMetadata(decryptionCert);
+      metadata.should.containEql('WantAssertionsSigned="true"');
+    });
+
     it("#certToPEM should generate valid certificate", function (done) {
       var samlConfig = {
         entryPoint: "https://app.onelogin.com/trust/saml2/http-post/sso/371755",