Validation and relay state customization

src/binding-redirect.ts

@@ -72,10 +72,11 @@ function buildRedirectURL(opts: BuildRedirectConfig) {
 * @param  {function} customTagReplacement      used when developers have their own login response template
 * @return {string} redirect URL
 */
-function loginRequestRedirectURL(entity: { idp: Idp, sp: Sp }, customTagReplacement?: (template: string) => BindingContext): BindingContext {
+function loginRequestRedirectURL(entity: { idp: Idp, sp: Sp, relayState?: string }, customTagReplacement?: (template: string) => BindingContext): BindingContext {
 
   const metadata: any = { idp: entity.idp.entityMeta, sp: entity.sp.entityMeta };
   const spSetting: any = entity.sp.entitySetting;
+  const relayState = entity.relayState === undefined ? spSetting.relayState : entity.relayState;
   let id: string = '';
 
   if (metadata && metadata.idp && metadata.sp) {
@@ -108,7 +109,7 @@ function loginRequestRedirectURL(entity: { idp: Idp, sp: Sp }, customTagReplacem
         isSigned: metadata.sp.isAuthnRequestSigned(),
         entitySetting: spSetting,
         baseUrl: base,
-        relayState: spSetting.relayState,
+        relayState,
       }),
     };
   }

src/entity-sp.ts

@@ -12,6 +12,7 @@ import {
   IdentityProviderConstructor as IdentityProvider,
   ServiceProviderMetadata,
   ServiceProviderSettings,
+  ValidationSettings,
 } from './types';
 import { namespace } from './urn';
 import redirectBinding from './binding-redirect';
@@ -50,21 +51,27 @@ export class ServiceProvider extends Entity {
   * @desc  Generates the login request for developers to design their own method
   * @param  {IdentityProvider} idp               object of identity provider
   * @param  {string}   binding                   protocol binding
-  * @param  {function} customTagReplacement     used when developers have their own login response template
+  * @param  {function} customTagReplacement      used when developers have their own login response template
+  * @param  {string}   relayState                optionally override default SP relayState
   */
   public createLoginRequest(
     idp: IdentityProvider,
     binding = 'redirect',
-    customTagReplacement?: (template: string) => BindingContext,
+    relayState?: string,
+    customTagReplacement?: (template: string) => BindingContext
   ): BindingContext | PostBindingContext {
     const nsBinding = namespace.binding;
     const protocol = nsBinding[binding];
     if (this.entityMeta.isAuthnRequestSigned() !== idp.entityMeta.isWantAuthnRequestsSigned()) {
       throw new Error('ERR_METADATA_CONFLICT_REQUEST_SIGNED_FLAG');
     }
 
+    if (relayState === undefined) {
+        relayState = this.entitySetting.relayState;
+    }
+
     if (protocol === nsBinding.redirect) {
-      return redirectBinding.loginRequestRedirectURL({ idp, sp: this }, customTagReplacement);
+      return redirectBinding.loginRequestRedirectURL({ idp, sp: this, relayState }, customTagReplacement);
     }
 
     if (protocol === nsBinding.post) {
@@ -85,18 +92,26 @@ export class ServiceProvider extends Entity {
   * @param  {IdentityProvider}   idp             object of identity provider
   * @param  {string}   binding                   protocol binding
   * @param  {request}   req                      request
+  * @param  {ValidationSettings}   validation    optionally skip some validations
   */
-  public parseLoginResponse(idp, binding, request: ESamlHttpRequest) {
+  public parseLoginResponse(idp, binding, request: ESamlHttpRequest, validation?: ValidationSettings) {
     const self = this;
-    return flow({
+
+    const options = {
       from: idp,
       self: self,
       checkSignature: true, // saml response must have signature
       parserType: 'SAMLResponse',
       type: 'login',
       binding: binding,
       request: request
-    });
+    };
+
+    if (validation) {
+      Object.assign(options, validation);
+    }
+
+    return flow(options);
   }
 
 }

src/flow.ts

@@ -118,7 +118,10 @@ async function postFlow(options): Promise<FlowResult> {
     from,
     self,
     parserType,
-    checkSignature = true
+    checkSignature = true,
+    checkIssuer = true,
+    checkSessionTime = true,
+    checkTime = true
   } = options;
 
   const { body } = request;
@@ -189,6 +192,7 @@ async function postFlow(options): Promise<FlowResult> {
 
   // unmatched issuer
   if (
+    checkIssuer &&
     (parserType === 'LogoutResponse' || parserType === 'SAMLResponse')
     && extractedProperties
     && extractedProperties.issuer !== issuer
@@ -198,6 +202,7 @@ async function postFlow(options): Promise<FlowResult> {
 
   // invalid session time
   if (
+    checkSessionTime &&
     parserType === 'SAMLResponse'
     && !verifyTime(
       undefined,
@@ -210,6 +215,7 @@ async function postFlow(options): Promise<FlowResult> {
   // invalid time
   // 2.4.1.2 https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
   if (
+    checkTime &&
     parserType === 'SAMLResponse'
     && extractedProperties.conditions
     && !verifyTime(

src/types.ts

@@ -115,3 +115,10 @@ export type IdentityProviderSettings = {
   wantLogoutRequestSignedResponseSigned?: boolean;
   tagPrefix?: { [key: string]: string };
 };
+
+export interface ValidationSettings {
+  checkSignature?: boolean;
+  checkIssuer?: boolean;
+  checkSessionTime?: boolean;
+  checkTime?: boolean;
+}