From 1e3069031fba64c8adc0fecb52da4f61f42f8e55 Mon Sep 17 00:00:00 2001
From: Denis Barbaron
Date: Tue, 18 Feb 2025 18:54:51 +0100
Subject: [PATCH] improve saml authentication (#836)

Signed-off-by: Denis barbaron
---
 lib/cli/auth-saml2/index.js | 16 ++++++++++++++++
 lib/units/auth/saml2.js | 4 +++-
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/lib/cli/auth-saml2/index.js b/lib/cli/auth-saml2/index.js
index 1c7763f7..b6df2bc6 100644
--- a/lib/cli/auth-saml2/index.js
+++ b/lib/cli/auth-saml2/index.js
@@ -1,3 +1,7 @@
+/**
+* Copyright © 2025 contains code contributed by Orange SA, authors: Denis Barbaron - Licensed under the Apache license 2.0
+**/
+
 module.exports.command = 'auth-saml2'
 module.exports.describe = 'Start a SAML 2.0 auth unit.'
 
@@ -41,6 +45,16 @@ module.exports.builder = function(yargs) {
 , type: 'string'
 , default: process.env.SAML_ID_PROVIDER_CALLBACK_URL
 })
+.option('saml-id-provider-want-assertions-signed', {
+describe: 'SAML 2.0 identity provider want assertions signed.'
+, type: 'boolean'
+, default: process.env.SAML_ID_PROVIDER_WANT_ASSERTIONS_SIGNED || true
+})
+.option('saml-id-provider-want-authn-response-signed', {
+describe: 'SAML 2.0 identity provider want authentication response messages signed.'
+, type: 'boolean'
+, default: process.env.SAML_ID_PROVIDER_WANT_AUTHN_RESPONSE_SIGNED || true
+})
 .option('secret', {
 alias: 's'
 , describe: 'The secret to use for auth JSON Web Tokens. Anyone who ' +
@@ -75,6 +89,8 @@ module.exports.handler = function(argv) {
 , issuer: argv.samlIdProviderIssuer
 , certPath: argv.samlIdProviderCertPath
 , callbackUrl: argv.samlIdProviderCallbackUrl
+, wantAssertionsSigned: argv.samlIdProviderWantAssertionsSigned
+, wantAuthnResponseSigned: argv.samlIdProviderWantAuthnResponseSigned
 }
 })
 }
diff --git a/lib/units/auth/saml2.js b/lib/units/auth/saml2.js
index 267b8dc6..343c6f87 100644
--- a/lib/units/auth/saml2.js
+++ b/lib/units/auth/saml2.js
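Review bot: The defaults `process.env.SAML_ID_PROVIDER_WANT_ASSERTIONS_SIGNED || true` and `process.env.SAML_ID_PROVIDER_WANT_AUTHN_RESPONSE_SIGNED || true` in the builder hunk can never evaluate to `false`: an unset or empty variable falls through to `true`, while any set value (including `false` or `0`) is a non-empty string that is kept as-is, so the environment knob cannot switch the checks off and, unless yargs coerces default values, a string rather than a boolean is what reaches the handler and the SAML library. A string `'false'` is truthy, so the effective setting stays fail-closed today, but the option's meaning then depends on how the downstream library treats a non-boolean. Parse the variable explicitly while keeping the secure default, `, default: process.env.SAML_ID_PROVIDER_WANT_ASSERTIONS_SIGNED !== 'false'` (and the same for the authn-response option), and extend each `describe` to say the check is on unless the variable is exactly `false`, since turning either off lets the unit accept responses not signed by the IdP. The builder function continues outside the hunk.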
@@ -1,5 +1,5 @@
 /**
-* Copyright © 2024 contains code contributed by Orange SA, authors: Denis Barbaron - Licensed under the Apache license 2.0
+* Copyright © 2024-2025 contains code contributed by Orange SA, authors: Denis Barbaron - Licensed under the Apache license 2.0
 **/
 
 var fs = require('fs')
@@ -50,6 +50,8 @@ module.exports = function(options) {
 var samlConfig = {
 entryPoint: options.saml.entryPoint
 , issuer: options.saml.issuer
+, wantAssertionsSigned: options.saml.wantAssertionsSigned
+, wantAuthnResponseSigned: options.saml.wantAuthnResponseSigned
 }
 
 if (options.saml.certPath) {
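Review bot: `wantAssertionsSigned` and `wantAuthnResponseSigned` are copied into `samlConfig` without a fallback, so a caller that builds `options.saml` without these keys (the CLI sets them, but this unit takes `options` from any caller) passes `undefined` and silently inherits whatever the installed SAML library's default is, which is not visible here and has varied between library versions. Making the fail-closed intent explicit in this unit, `, wantAssertionsSigned: options.saml.wantAssertionsSigned !== false` and `, wantAuthnResponseSigned: options.saml.wantAuthnResponseSigned !== false`, keeps signature verification on unless a caller deliberately disables it. A short comment above the two lines, `// signature checks default on; off only by explicit opt-out`, records why the comparison is there. The enclosing `module.exports = function(options)` body continues outside the hunk.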