Added a configuration option for passport-saml:

disableRequestedAuthnContext: true|false

By default only Password authmethod is accepted, this option allows any other method.

Issue and option described here:
node-saml/passport-saml#226

Signed-off-by: Emmanuel Ormancey <emmanuel.ormancey@cern.ch>

Author: nopap

README.md

@@ -225,6 +225,7 @@ There are some config settings you need to change in the files below.
 | `CMD_SAML_IDPCERT` | `/path/to/cert.pem` | certificate file path of IdP in PEM format |
 | `CMD_SAML_ISSUER` | no example | identity of the service provider (optional, default: serverurl)" |
 | `CMD_SAML_IDENTIFIERFORMAT` | no example | name identifier format (optional, default: `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`) |
+| `CMD_SAML_DISABLEREQUESTEDAUTHNCONTEXT` | `true` or `false` | true to allow any authentication method, false restricts to password authentication (PasswordProtectedTransport) method (default: false) |
 | `CMD_SAML_GROUPATTRIBUTE` | `memberOf` | attribute name for group list (optional) |
 | `CMD_SAML_REQUIREDGROUPS` | `Hackmd-users` | group names that allowed (use vertical bar to separate) (optional) |
 | `CMD_SAML_EXTERNALGROUPS` | `Temporary-staff` | group names that not allowed (use vertical bar to separate) (optional) |

config.json.example

@@ -93,6 +93,7 @@
             "idpCert": "change: certificate file path of IdP in PEM format",
             "issuer": "change or delete: identity of the service provider (default: serverurl)",
             "identifierFormat": "change or delete: name identifier format (default: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress')",
+            "disableRequestedAuthnContext": "change or delete: true to allow any authentication method, false restricts to password authentication method (default: false)",
             "groupAttribute": "change or delete: attribute name for group list (ex: memberOf)",
             "requiredGroups": [ "change or delete: group names that allowed" ],
             "externalGroups": [ "change or delete: group names that not allowed" ],

lib/config/default.js

@@ -138,6 +138,7 @@ module.exports = {
     idpCert: undefined,
     issuer: undefined,
     identifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
+    disableRequestedAuthnContext: false,
     groupAttribute: undefined,
     externalGroups: [],
     requiredGroups: [],

lib/config/environment.js

@@ -115,6 +115,7 @@ module.exports = {
     idpCert: process.env.CMD_SAML_IDPCERT,
     issuer: process.env.CMD_SAML_ISSUER,
     identifierFormat: process.env.CMD_SAML_IDENTIFIERFORMAT,
+    disableRequestedAuthnContext: toBooleanConfig(process.env.CMD_SAML_DISABLEREQUESTEDAUTHNCONTEXT),
     groupAttribute: process.env.CMD_SAML_GROUPATTRIBUTE,
     externalGroups: toArrayConfig(process.env.CMD_SAML_EXTERNALGROUPS, '|', []),
     requiredGroups: toArrayConfig(process.env.CMD_SAML_REQUIREDGROUPS, '|', []),

lib/config/hackmdEnvironment.js

@@ -109,6 +109,7 @@ module.exports = {
     idpCert: process.env.HMD_SAML_IDPCERT,
     issuer: process.env.HMD_SAML_ISSUER,
     identifierFormat: process.env.HMD_SAML_IDENTIFIERFORMAT,
+    disableRequestedAuthnContext: toBooleanConfig(process.env.HMD_SAML_DISABLEREQUESTEDAUTHNCONTEXT),
     groupAttribute: process.env.HMD_SAML_GROUPATTRIBUTE,
     externalGroups: toArrayConfig(process.env.HMD_SAML_EXTERNALGROUPS, '|', []),
     requiredGroups: toArrayConfig(process.env.HMD_SAML_REQUIREDGROUPS, '|', []),

lib/web/auth/saml/index.js

@@ -17,7 +17,8 @@ passport.use(new SamlStrategy({
   entryPoint: config.saml.idpSsoUrl,
   issuer: config.saml.issuer || config.serverURL,
   cert: fs.readFileSync(config.saml.idpCert, 'utf-8'),
-  identifierFormat: config.saml.identifierFormat
+  identifierFormat: config.saml.identifierFormat,
+  disableRequestedAuthnContext: config.saml.disableRequestedAuthnContext
 }, function (user, done) {
   // check authorization if needed
   if (config.saml.externalGroups && config.saml.groupAttribute) {