Changed the default Logout Response template to include the <Status> …

…tag and to use the request ID; Added a migration with the old template so that existing instances will continue generating the same XML it does today.
RocketChat · Jun 17, 2020 · 3059ff9 · 3059ff9
1 parent 938727f
commit 3059ff9
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 12 deletions.
diff --git a/app/meteor-accounts-saml/server/lib/constants.ts b/app/meteor-accounts-saml/server/lib/constants.ts
@@ -1,24 +1,24 @@
 export const defaultAuthnContextTemplate = `<samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="__authnContextComparison__">
-	<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
-		__authnContext__
-	</saml:AuthnContextClassRef>
+  <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
+    __authnContext__
+  </saml:AuthnContextClassRef>
 </samlp:RequestedAuthnContext>`;
 
 export const defaultAuthRequestTemplate = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="__uniqueId__" Version="2.0" IssueInstant="__instant__" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="__callbackUrl__" Destination="__entryPoint__">
-	<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">__issuer__</saml:Issuer>
-	__identifierFormatTag__
-	__authnContextTag__
+  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">__issuer__</saml:Issuer>
+  __identifierFormatTag__
+  __authnContextTag__
 </samlp:AuthnRequest>`;
 
-export const defaultLogoutResponseTemplate = `<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="__uniqueId__" Version="2.0" IssueInstant="__instant__" Destination="__idpSLORedirectURL__">
-	<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">__issuer__</saml:Issuer>
-	<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+export const defaultLogoutResponseTemplate = `<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="__inResponseToId__" Version="2.0" IssueInstant="__instant__" Destination="__idpSLORedirectURL__">
+  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">__issuer__</saml:Issuer>
+  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 </samlp:LogoutResponse>`;
 
 export const defaultLogoutRequestTemplate = `<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="__uniqueId__" Version="2.0" IssueInstant="__instant__" Destination="__idpSLORedirectURL__">
-	<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">__issuer__</saml:Issuer>
-	<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" NameQualifier="http://id.init8.net:8080/openam" SPNameQualifier="__issuer__" Format="__identifierFormat__">__nameID__</saml:NameID>
-	<samlp:SessionIndex xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">__sessionIndex__</samlp:SessionIndex>
+  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">__issuer__</saml:Issuer>
+  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" NameQualifier="http://id.init8.net:8080/openam" SPNameQualifier="__issuer__" Format="__identifierFormat__">__nameID__</saml:NameID>
+  <samlp:SessionIndex xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">__sessionIndex__</samlp:SessionIndex>
 </samlp:LogoutRequest>`;
 
 export const defaultMetadataCertificateTemplate = `

diff --git a/server/startup/migrations/index.js b/server/startup/migrations/index.js
@@ -191,4 +191,5 @@ import './v191';
 import './v192';
 import './v193';
 import './v194';
+import './v195';
 import './xrun';
diff --git a/server/startup/migrations/v195.js b/server/startup/migrations/v195.js
@@ -0,0 +1,21 @@
+import {
+	Settings,
+} from '../../../app/models/server';
+import { Migrations } from '../../../app/migrations/server';
+
+Migrations.add({
+	version: 195,
+	up() {
+		// For existing users, use a template compatible with the old SAML implementation instead of the default
+		Settings.upsert({
+			_id: 'SAML_Custom_Default_LogoutResponse_template',
+		}, {
+			$set: {
+				value: `<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="__uniqueId__" Version="2.0" IssueInstant="__instant__" Destination="__idpSLORedirectURL__">
+  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">__issuer__</saml:Issuer>
+  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+</samlp:LogoutResponse>`,
+			},
+		});
+	},
+});