# SP Configuration

## Required Parameters

?> You can either import from metadata plus optional parameters, or define the properties yourself plus optional parameters.

- **metadata: String**

  SP-issued metadata declaring the structure and scope of the entity; it serves as the common contract on how SSO/SLO should proceed.

```javascript
const { readFileSync } = require('fs'); // needed for the file reads below

const sp = new ServiceProvider({
  // required
  metadata: readFileSync('./test/misc/spmeta.xml'),
  // optional
  privateKey: readFileSync('./test/key/sp/privkey.pem'),
  privateKeyPass: 'q9ALNhGT5EhfcRmp8Pg7e9zTQeP2x1bW',
  encPrivateKey: readFileSync('./test/key/sp/encryptKey.pem'),
  encPrivateKeyPass: 'g7hGcRmp8PxT5QeP2q9Ehf1bWe9zTALN'
});
```

**OR**

- **entityID: String**

  Entity identifier. It is used to identify your entity and to match the corresponding value in each SAML request/response.

- **authnRequestsSigned: Boolean**

  Optional: declare whether the SP signs the authn request. Reflected as `AuthnRequestsSigned` in the SP metadata. Default `false`.

- **wantAssertionsSigned: Boolean**

  Optional: declare whether the SP wants the assertion signed. Reflected as `WantAssertionsSigned` in the SP metadata. Default `false`.

- **wantMessageSigned: Boolean**

  Optional: declare whether the SP wants the message signed. Default `false`.

- **signingCert: String**

  Optional: specify the certificate used for signing if you construct the SP without metadata.

- **encryptCert: String**

  Optional: specify the certificate used for encryption if you construct the SP without metadata.

- **elementsOrder: String[]**

  Optional: define the DOM structure of the XML document. Default `['KeyDescriptor', 'NameIDFormat', 'SingleLogoutService', 'AssertionConsumerService']`. (See more #89)

- **nameIDFormat: NameIDFormat[]**

  Optional: declare the name ID format(s) to respond with if you construct the SP without metadata. The request always picks the first one if multiple formats are specified.

- **singleLogoutService: Service[]**

  Optional: declare the single logout service if you construct the SP without metadata.

- **assertionConsumerService: Service[]**

  Optional: declare the assertion consumer service that the SAML response is redirected to if you construct the SP without metadata.

- **signatureConfig: SignatureConfig**

  Optional: configure how the signature is constructed. (See more)

```javascript
const sp = new ServiceProvider({
  // required
  entityID: 'http://hello-saml-sp.com/metadata',
  // optional parameters listed below
});
```

## Optional Parameters

- **allowCreate: Boolean**

  Declare whether the identity provider is allowed, in the course of fulfilling the request, to create a new identifier to represent the principal. Default `false`.

- **loginRequestTemplate: {context: String, attributes: Attributes}**

  Customize the login request template; it can be reused in the callback function for runtime interpolation. (See more)

- **wantLogoutRequestSigned: Boolean**

  Declare whether the SP requires the logout request from the IdP to be signed.

- **relayState: String**

  Specify the relayState of the request.

  !> It will be deprecated soon and moved to request level instead of entity level.

- **generateID: (): String**

  A function that generates the document identifier in the root node. Default `` `_${UUID_V4}` ``.

- **clockDrifts: [Number, Number]**

  A tolerance range applied to the time range specified in the SAML document. The first value is for the `notBefore` time and the second for `notOnOrAfter`. Both drift values default to `0`. The unit is `ms`.

  For example, if you set `[-5000, 3000]`, the values can be either positive or negative to allow flexibility in both directions:

```console
# tolerated timeline
notBefore - 5s >>>>>>> notBefore >>>>>>> notAfter ---- notAfter + 3s
# new valid time
notBefore - 5s >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> notAfter + 3s
```

  Another example: if you don't set it, the default drift tolerance is `[0, 0]` and the valid range is simply the one in the document:

```console
# valid time
notBefore >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> notAfter
```

?> The flow skips the validation only when both `notBefore` and `notOnOrAfter` are absent.

?> See SAML Core P.19 for more detail.
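As an added illustration of the `clockDrifts` semantics described above (this is not samlify's own implementation; `isWithinDriftedWindow` and the `conditions` argument shape are assumptions of this example), the window check with the drift applied to each bound and the skip rule for absent attributes:

```javascript
// Models the clockDrifts semantics documented above. Added illustration,
// not samlify's code. `conditions` carries the ISO-8601 strings taken from
// the assertion's <Conditions> element; `clockDrifts` is in milliseconds.
function isWithinDriftedWindow(conditions, clockDrifts = [0, 0], now = Date.now()) {
  const { notBefore, notOnOrAfter } = conditions;
  const [notBeforeDrift, notOnOrAfterDrift] = clockDrifts;

  // Validation is skipped only when both attributes are absent.
  if (notBefore === undefined && notOnOrAfter === undefined) {
    return { valid: true, checked: false };
  }

  // Apply the drift to whichever bound is present; a missing bound is open.
  const lower = notBefore === undefined ? -Infinity : Date.parse(notBefore) + notBeforeDrift;
  const upper = notOnOrAfter === undefined ? Infinity : Date.parse(notOnOrAfter) + notOnOrAfterDrift;

  // A bound that is present but unparseable fails closed.
  if (Number.isNaN(lower) || Number.isNaN(upper)) {
    return { valid: false, checked: true, reason: 'unparseable timestamp' };
  }

  // notBefore is inclusive, notOnOrAfter is exclusive, as the names say.
  return { valid: now >= lower && now < upper, checked: true, lower, upper };
}

// Constructed sample: a five-minute assertion window.
const sampleConditions = {
  notBefore: '2024-01-01T00:00:00Z',
  notOnOrAfter: '2024-01-01T00:05:00Z',
};

// Three seconds before notBefore: rejected with the default [0, 0],
// accepted with [-5000, 3000].
console.log(isWithinDriftedWindow(sampleConditions, [0, 0], Date.parse(sampleConditions.notBefore) - 3000).valid);
console.log(isWithinDriftedWindow(sampleConditions, [-5000, 3000], Date.parse(sampleConditions.notBefore) - 3000).valid);
```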
