[NEW] SAML: Adds possibility to decrypt encrypted assertions #12153
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
|
Hudell
previously approved these changes
Oct 2, 2018
|
@gerbsen can you fix the conflict? |
|
@rodrigogs I tried fixing the problems but now there are even more :( could you help me, and tell me what needs to be done? |
rodrigok
approved these changes
Jan 19, 2019
| let assertion = response.getElementsByTagNameNS('urn:oasis:names:tc:SAML:2.0:assertion', 'Assertion')[0]; | ||
| const encAssertion = response.getElementsByTagNameNS('urn:oasis:names:tc:SAML:2.0:assertion', 'EncryptedAssertion')[0]; | ||
|
|
||
| const xmlenc = require('xml-encryption'); |
There was a problem hiding this comment.
Move this to the top of the file as an import
| const options = { key: this.options.privateKey }; | ||
|
|
||
| if (typeof encAssertion !== 'undefined') { | ||
| xmlenc.decrypt(encAssertion.getElementsByTagNameNS('*', 'EncryptedData')[0], options, function(err, result) { |
There was a problem hiding this comment.
Move this to a function to prevent code duplication and prefer to use arrow functions
rodrigok
changed the title
alansikora
pushed a commit
that referenced
this pull request
Jan 23, 2019
* - adds possibility to decrypt encrypted assertions * Update saml_utils.js fixes jslint problems https://circleci.com/gh/RocketChat/Rocket.Chat/18744?utm_campaign=vcs-integration-link&utm_medium=referral&utm_source=github-build-link
Merged
|
Can someone please make unit tests for saml? Willing to help.. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Dear Rocket.Chat team,
First of all, thank you very much for providing this software as open source. Very much appreciated.
We have added the possiblity to also use encrypted assertions with the SAML login. We have developed and tested this extension on an instance with a couple of thousand users. We originally have started to develop this fix for the underlying SAML library and it was approved there. Since we discovered to late that Rocket.Chat uses a custom version of this library, our changes are kind of obsolete now. We have asked here if a PR is welcome and herewith deliver the PR. We are aware of the fact that this might take some time. In case we can do anything to speed up this process, we are happy to help. :)
Here is the documentation that we added in the underlying project.
Kind regards,
Daniel (from team netzbegruenung)
Encryption
The
<EncryptedAssertion>element represents an assertion in encrypted fashion, as defined by the XML Encryption Syntax and Processing specification XMLEnc. Encrypted assertions are intended as a confidentiality protection mechanism when the plain-text value passes through an intermediary.The following schema fragment defines the
<EncryptedAssertion>element:In case the SAML response contains an
<EncryptedAssertion>element and the configuration keyprivateKeyis set, the assertion get's decrypted and handled like it would be an unencrypted one.