npm - @boxyhq/saml-jackson - Versions diffs - 1.9.0 → 1.9.1 - Mend

@boxyhq/saml-jackson 1.9.0 → 1.9.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (47) hide show

package/dist/controller/admin.d.ts +7 -3
package/dist/controller/admin.js +17 -1
package/dist/controller/admin.js.map +1 -1
package/dist/controller/oauth.d.ts +3 -1
package/dist/controller/oauth.js +321 -211
package/dist/controller/oauth.js.map +1 -1
package/dist/controller/saml-handler.d.ts +1 -0
package/dist/controller/saml-handler.js +4 -2
package/dist/controller/saml-handler.js.map +1 -1
package/dist/controller/utils.d.ts +2 -1
package/dist/controller/utils.js +1 -0
package/dist/controller/utils.js.map +1 -1
package/dist/directory-sync/DirectoryUsers.js +10 -9
package/dist/directory-sync/DirectoryUsers.js.map +1 -1
package/dist/directory-sync/types.d.ts +11 -0
package/dist/directory-sync/utils.d.ts +6 -9
package/dist/directory-sync/utils.js +35 -28
package/dist/directory-sync/utils.js.map +1 -1
package/dist/ee/branding/index.d.ts +15 -0
package/dist/ee/branding/index.js +49 -0
package/dist/ee/branding/index.js.map +1 -0
package/dist/ee/federated-saml/app.d.ts +12 -5
package/dist/ee/federated-saml/app.js +19 -12
package/dist/ee/federated-saml/app.js.map +1 -1
package/dist/ee/federated-saml/index.d.ts +3 -2
package/dist/ee/federated-saml/index.js +2 -2
package/dist/ee/federated-saml/index.js.map +1 -1
package/dist/ee/federated-saml/sso.d.ts +4 -1
package/dist/ee/federated-saml/sso.js +70 -45
package/dist/ee/federated-saml/sso.js.map +1 -1
package/dist/ee/federated-saml/types.d.ts +3 -0
package/dist/index.d.ts +3 -0
package/dist/index.js +12 -2
package/dist/index.js.map +1 -1
package/dist/saml/lib.d.ts +1 -0
package/dist/saml/lib.js +3 -2
package/dist/saml/lib.js.map +1 -1
package/dist/saml-tracer/index.d.ts +14 -0
package/dist/saml-tracer/index.js +87 -0
package/dist/saml-tracer/index.js.map +1 -0
package/dist/saml-tracer/types.d.ts +31 -0
package/dist/saml-tracer/types.js +3 -0
package/dist/saml-tracer/types.js.map +1 -0
package/dist/typings.d.ts +12 -0
package/dist/typings.js +1 -0
package/dist/typings.js.map +1 -1
package/package.json +6 -5

package/dist/controller/oauth.js CHANGED Viewed

@@ -54,11 +54,12 @@ const lib_1 = require("../saml/lib");
 const oidc_issuer_1 = require("./oauth/oidc-issuer");
 const deflateRawAsync = (0, util_1.promisify)(zlib_1.deflateRaw);
 class OAuthController {
-    constructor({ connectionStore, sessionStore, codeStore, tokenStore, opts }) {
+    constructor({ connectionStore, sessionStore, codeStore, tokenStore, samlTracer, opts }) {
         this.connectionStore = connectionStore;
         this.sessionStore = sessionStore;
         this.codeStore = codeStore;
         this.tokenStore = tokenStore;
+        this.samlTracer = samlTracer;
         this.opts = opts;
         this.samlHandler = new saml_handler_1.SAMLHandler({
             connection: connectionStore,
@@ -70,55 +71,25 @@ class OAuthController {
         var _a;
         return __awaiter(this, void 0, void 0, function* () {
             const { response_type = 'code', client_id, redirect_uri, state, scope, nonce, code_challenge, code_challenge_method = '', idp_hint, forceAuthn = 'false', } = body;
-            const tenant = 'tenant' in body ? body.tenant : undefined;
-            const product = 'product' in body ? body.product : undefined;
-            const access_type = 'access_type' in body ? body.access_type : undefined;
-            const resource = 'resource' in body ? body.resource : undefined;
-            let requestedTenant = tenant;
-            let requestedProduct = product;
-            metrics.increment('oauthAuthorize');
-            if (!redirect_uri) {
-                throw new error_1.JacksonError('Please specify a redirect URL.', 400);
-            }
+            let requestedTenant;
+            let requestedProduct;
+            let requestedScopes;
+            let requestedOIDCFlow;
             let connection;
-            const requestedScopes = (0, utils_1.getScopeValues)(scope);
-            const requestedOIDCFlow = requestedScopes.includes('openid');
-            if (tenant && product) {
-                const response = yield this.samlHandler.resolveConnection({
-                    tenant,
-                    product,
-                    idp_hint,
-                    authFlow: 'oauth',
-                    originalParams: Object.assign({}, body),
-                });
-                if ('redirectUrl' in response) {
-                    return {
-                        redirect_url: response.redirectUrl,
-                    };
-                }
-                if ('connection' in response) {
-                    connection = response.connection;
-                }
-            }
-            else if (client_id && client_id !== '' && client_id !== 'undefined' && client_id !== 'null') {
-                // if tenant and product are encoded in the client_id then we parse it and check for the relevant connection(s)
-                let sp = (0, utils_1.getEncodedTenantProduct)(client_id);
-                if (!sp && access_type) {
-                    sp = (0, utils_1.getEncodedTenantProduct)(access_type);
-                }
-                if (!sp && resource) {
-                    sp = (0, utils_1.getEncodedTenantProduct)(resource);
-                }
-                if (!sp && requestedScopes) {
-                    const encodedParams = requestedScopes.find((scope) => scope.includes('=') && scope.includes('&')); // for now assume only one encoded param i.e. for tenant/product
-                    if (encodedParams) {
-                        sp = (0, utils_1.getEncodedTenantProduct)(encodedParams);
-                    }
-                }
-                if (sp && sp.tenant && sp.product) {
-                    const { tenant, product } = sp;
-                    requestedTenant = tenant;
-                    requestedProduct = product;
+            try {
+                const tenant = 'tenant' in body ? body.tenant : undefined;
+                const product = 'product' in body ? body.product : undefined;
+                const access_type = 'access_type' in body ? body.access_type : undefined;
+                const resource = 'resource' in body ? body.resource : undefined;
+                requestedTenant = tenant;
+                requestedProduct = product;
+                metrics.increment('oauthAuthorize');
+                if (!redirect_uri) {
+                    throw new error_1.JacksonError('Please specify a redirect URL.', 400);
+                }
+                requestedScopes = (0, utils_1.getScopeValues)(scope);
+                requestedOIDCFlow = requestedScopes.includes('openid');
+                if (tenant && product) {
                     const response = yield this.samlHandler.resolveConnection({
                         tenant,
                         product,
@@ -135,47 +106,113 @@ class OAuthController {
                         connection = response.connection;
                     }
                 }
-                else {
-                    connection = yield this.connectionStore.get(client_id);
-                    if (connection) {
-                        requestedTenant = connection.tenant;
-                        requestedProduct = connection.product;
+                else if (client_id && client_id !== '' && client_id !== 'undefined' && client_id !== 'null') {
+                    // if tenant and product are encoded in the client_id then we parse it and check for the relevant connection(s)
+                    let sp = (0, utils_1.getEncodedTenantProduct)(client_id);
+                    if (!sp && access_type) {
+                        sp = (0, utils_1.getEncodedTenantProduct)(access_type);
+                    }
+                    if (!sp && resource) {
+                        sp = (0, utils_1.getEncodedTenantProduct)(resource);
+                    }
+                    if (!sp && requestedScopes) {
+                        const encodedParams = requestedScopes.find((scope) => scope.includes('=') && scope.includes('&')); // for now assume only one encoded param i.e. for tenant/product
+                        if (encodedParams) {
+                            sp = (0, utils_1.getEncodedTenantProduct)(encodedParams);
+                        }
+                    }
+                    if (sp && sp.tenant && sp.product) {
+                        const { tenant, product } = sp;
+                        requestedTenant = tenant;
+                        requestedProduct = product;
+                        const response = yield this.samlHandler.resolveConnection({
+                            tenant,
+                            product,
+                            idp_hint,
+                            authFlow: 'oauth',
+                            originalParams: Object.assign({}, body),
+                        });
+                        if ('redirectUrl' in response) {
+                            return {
+                                redirect_url: response.redirectUrl,
+                            };
+                        }
+                        if ('connection' in response) {
+                            connection = response.connection;
+                        }
+                    }
+                    else {
+                        connection = yield this.connectionStore.get(client_id);
+                        if (connection) {
+                            requestedTenant = connection.tenant;
+                            requestedProduct = connection.product;
+                        }
                     }
                 }
+                else {
+                    throw new error_1.JacksonError('You need to specify client_id or tenant & product', 403);
+                }
+                if (!connection) {
+                    throw new error_1.JacksonError('IdP connection not found.', 403);
+                }
+                if (!allowed.redirect(redirect_uri, connection.redirectUrl)) {
+                    throw new error_1.JacksonError('Redirect URL is not allowed.', 403);
+                }
             }
-            else {
-                throw new error_1.JacksonError('You need to specify client_id or tenant & product', 403);
-            }
-            if (!connection) {
-                throw new error_1.JacksonError('IdP connection not found.', 403);
-            }
-            if (!allowed.redirect(redirect_uri, connection.redirectUrl)) {
-                throw new error_1.JacksonError('Redirect URL is not allowed.', 403);
-            }
-            if (requestedOIDCFlow &&
-                (!((_a = this.opts.openid) === null || _a === void 0 ? void 0 : _a.jwtSigningKeys) || !(0, utils_1.isJWSKeyPairLoaded)(this.opts.openid.jwtSigningKeys))) {
-                return {
-                    redirect_url: (0, utils_1.OAuthErrorResponse)({
-                        error: 'server_error',
-                        error_description: 'OAuth server not configured correctly for openid flow, check if JWT signing keys are loaded',
-                        redirect_uri,
-                    }),
-                };
-            }
-            if (!state) {
-                return {
-                    redirect_url: (0, utils_1.OAuthErrorResponse)({
-                        error: 'invalid_request',
-                        error_description: 'Please specify a state to safeguard against XSRF attacks',
-                        redirect_uri,
-                    }),
-                };
+            catch (err) {
+                const error_description = (0, utils_1.getErrorMessage)(err);
+                // Save the error trace
+                yield this.samlTracer.saveTrace({
+                    error: error_description,
+                    context: {
+                        tenant: requestedTenant || '',
+                        product: requestedProduct || '',
+                        clientID: (connection === null || connection === void 0 ? void 0 : connection.clientID) || '',
+                        requestedOIDCFlow,
+                        redirectUri: redirect_uri,
+                    },
+                });
+                throw err;
             }
-            if (response_type !== 'code') {
+            const isMissingJWTKeysForOIDCFlow = requestedOIDCFlow &&
+                (!((_a = this.opts.openid) === null || _a === void 0 ? void 0 : _a.jwtSigningKeys) || !(0, utils_1.isJWSKeyPairLoaded)(this.opts.openid.jwtSigningKeys));
+            const oAuthClientReqError = !state || response_type !== 'code';
+            const connectionIsSAML = 'idpMetadata' in connection && connection.idpMetadata !== undefined;
+            const connectionIsOIDC = 'oidcProvider' in connection && connection.oidcProvider !== undefined;
+            if (isMissingJWTKeysForOIDCFlow || oAuthClientReqError || (!connectionIsSAML && !connectionIsOIDC)) {
+                let error, error_description;
+                if (isMissingJWTKeysForOIDCFlow) {
+                    error = 'server_error';
+                    error_description =
+                        'OAuth server not configured correctly for openid flow, check if JWT signing keys are loaded';
+                }
+                if (!state) {
+                    error = 'invalid_request';
+                    error_description = 'Please specify a state to safeguard against XSRF attacks';
+                }
+                if (response_type !== 'code') {
+                    error = 'unsupported_response_type';
+                    error_description = 'Only Authorization Code grant is supported';
+                }
+                if (!connectionIsSAML && !connectionIsOIDC) {
+                    error = 'server_error';
+                    error_description = 'Connection appears to be misconfigured';
+                }
+                // Save the error trace
+                const traceId = yield this.samlTracer.saveTrace({
+                    error: error_description,
+                    context: {
+                        tenant: requestedTenant,
+                        product: requestedProduct,
+                        clientID: connection.clientID,
+                        requestedOIDCFlow,
+                        redirectUri: redirect_uri,
+                    },
+                });
                 return {
                     redirect_url: (0, utils_1.OAuthErrorResponse)({
-                        error: 'unsupported_response_type',
-                        error_description: 'Only Authorization Code grant is supported',
+                        error,
+                        error_description: traceId ? `${traceId}: ${error_description}` : error_description,
                         redirect_uri,
                         state,
                     }),
@@ -184,37 +221,47 @@ class OAuthController {
             // Connection retrieved: Handover to IdP starts here
             let ssoUrl;
             let post = false;
-            const connectionIsSAML = 'idpMetadata' in connection && connection.idpMetadata !== undefined;
-            const connectionIsOIDC = 'oidcProvider' in connection && connection.oidcProvider !== undefined;
             // Init sessionId
             const sessionId = crypto_1.default.randomBytes(16).toString('hex');
             const relayState = utils_1.relayStatePrefix + sessionId;
             // SAML connection: SAML request will be constructed here
             let samlReq;
-            if ('idpMetadata' in connection) {
-                const { sso } = connection.idpMetadata;
-                if ('redirectUrl' in sso) {
-                    // HTTP Redirect binding
-                    ssoUrl = sso.redirectUrl;
-                }
-                else if ('postUrl' in sso) {
-                    // HTTP-POST binding
-                    ssoUrl = sso.postUrl;
-                    post = true;
-                }
-                else {
-                    // This code here is kept for backward compatibility. We now have validation while adding the SSO connection to ensure binding is present.
-                    return {
-                        redirect_url: (0, utils_1.OAuthErrorResponse)({
-                            error: 'invalid_request',
-                            error_description: 'SAML binding could not be retrieved',
-                            redirect_uri,
-                            state,
-                        }),
-                    };
-                }
-                const cert = yield (0, x509_1.getDefaultCertificate)();
+            if (connectionIsSAML) {
                 try {
+                    const { sso } = connection.idpMetadata;
+                    if ('redirectUrl' in sso) {
+                        // HTTP Redirect binding
+                        ssoUrl = sso.redirectUrl;
+                    }
+                    else if ('postUrl' in sso) {
+                        // HTTP-POST binding
+                        ssoUrl = sso.postUrl;
+                        post = true;
+                    }
+                    else {
+                        // This code here is kept for backward compatibility. We now have validation while adding the SSO connection to ensure binding is present.
+                        const error_description = 'SAML binding could not be retrieved';
+                        // Save the error trace
+                        const traceId = yield this.samlTracer.saveTrace({
+                            error: error_description,
+                            context: {
+                                tenant: requestedTenant,
+                                product: requestedProduct,
+                                clientID: connection.clientID,
+                                requestedOIDCFlow,
+                                redirectUri: redirect_uri,
+                            },
+                        });
+                        return {
+                            redirect_url: (0, utils_1.OAuthErrorResponse)({
+                                error: 'invalid_request',
+                                error_description: traceId ? `${traceId}: ${error_description}` : error_description,
+                                redirect_uri,
+                                state,
+                            }),
+                        };
+                    }
+                    const cert = yield (0, x509_1.getDefaultCertificate)();
                     samlReq = saml20_1.default.request({
                         ssoUrl,
                         entityID: this.opts.samlAudience,
@@ -228,10 +275,22 @@ class OAuthController {
                     });
                 }
                 catch (err) {
+                    const error_description = (0, utils_1.getErrorMessage)(err);
+                    // Save the error trace
+                    const traceId = yield this.samlTracer.saveTrace({
+                        error: error_description,
+                        context: {
+                            tenant: requestedTenant,
+                            product: requestedProduct,
+                            clientID: connection.clientID,
+                            requestedOIDCFlow,
+                            redirectUri: redirect_uri,
+                        },
+                    });
                     return {
                         redirect_url: (0, utils_1.OAuthErrorResponse)({
                             error: 'server_error',
-                            error_description: (0, utils_1.getErrorMessage)(err),
+                            error_description: traceId ? `${traceId}: ${error_description}` : error_description,
                             redirect_uri,
                             state,
                         }),
@@ -241,7 +300,7 @@ class OAuthController {
             // OIDC Connection: Issuer discovery, openid-client init and extraction of authorization endpoint happens here
             let oidcCodeVerifier;
             let oidcNonce;
-            if (connectionIsOIDC && 'oidcProvider' in connection) {
+            if (connectionIsOIDC) {
                 if (!this.opts.oidcPath) {
                     return {
                         redirect_url: (0, utils_1.OAuthErrorResponse)({
@@ -347,25 +406,29 @@ class OAuthController {
                         authorize_form: authorizeForm,
                     };
                 }
-                else if (connectionIsOIDC) {
+                if (connectionIsOIDC) {
                     return { redirect_url: ssoUrl };
                 }
-                else {
-                    return {
-                        redirect_url: (0, utils_1.OAuthErrorResponse)({
-                            error: 'invalid_request',
-                            error_description: 'Connection appears to be misconfigured',
-                            redirect_uri,
-                            state,
-                        }),
-                    };
-                }
+                throw 'Connection appears to be misconfigured';
             }
             catch (err) {
+                const error_description = (0, utils_1.getErrorMessage)(err);
+                // Save the error trace
+                const traceId = yield this.samlTracer.saveTrace({
+                    error: error_description,
+                    context: {
+                        tenant: requestedTenant,
+                        product: requestedProduct,
+                        clientID: connection.clientID,
+                        requestedOIDCFlow,
+                        redirectUri: redirect_uri,
+                        samlRequest: (samlReq === null || samlReq === void 0 ? void 0 : samlReq.request) || '',
+                    },
+                });
                 return {
                     redirect_url: (0, utils_1.OAuthErrorResponse)({
                         error: 'server_error',
-                        error_description: (0, utils_1.getErrorMessage)(err),
+                        error_description: traceId ? `${traceId}: ${error_description}` : error_description,
                         redirect_uri,
                         state,
                     }),
@@ -376,112 +439,159 @@ class OAuthController {
     samlResponse(body) {
         var _a;
         return __awaiter(this, void 0, void 0, function* () {
-            const { SAMLResponse, idp_hint, RelayState = '' } = body;
-            const isIdPFlow = !RelayState.startsWith(utils_1.relayStatePrefix);
-            // IdP is disabled so block the request
-            if (!this.opts.idpEnabled && isIdPFlow) {
-                // IdP login is disabled so block the request
-                throw new error_1.JacksonError('IdP (Identity Provider) flow has been disabled. Please head to your Service Provider to login.', 403);
-            }
-            const sessionId = RelayState.replace(utils_1.relayStatePrefix, '');
-            const rawResponse = Buffer.from(SAMLResponse, 'base64').toString();
-            const issuer = saml20_1.default.parseIssuer(rawResponse);
-            if (!issuer) {
-                throw new error_1.JacksonError('Issuer not found.', 403);
-            }
-            const connections = yield this.connectionStore.getByIndex({
-                name: utils_1.IndexNames.EntityID,
-                value: issuer,
-            });
-            if (!connections || connections.length === 0) {
-                throw new error_1.JacksonError('SAML connection not found.', 403);
-            }
-            const session = sessionId ? yield this.sessionStore.get(sessionId) : null;
-            if (!isIdPFlow && !session) {
-                throw new error_1.JacksonError('Unable to validate state from the origin request.', 403);
-            }
-            const isSAMLFederated = session && 'samlFederated' in session;
-            const isSPFflow = !isIdPFlow && !isSAMLFederated;
             let connection;
-            // IdP initiated SSO flow
-            if (isIdPFlow) {
-                const response = yield this.samlHandler.resolveConnection({
-                    idp_hint,
-                    authFlow: 'idp-initiated',
-                    entityId: issuer,
-                    originalParams: {
-                        SAMLResponse,
-                    },
+            let rawResponse;
+            let sessionId;
+            let session;
+            let issuer;
+            let isIdPFlow;
+            let isSAMLFederated;
+            let validateOpts;
+            let redirect_uri;
+            const { SAMLResponse, idp_hint, RelayState = '' } = body;
+            try {
+                isIdPFlow = !RelayState.startsWith(utils_1.relayStatePrefix);
+                rawResponse = Buffer.from(SAMLResponse, 'base64').toString();
+                issuer = saml20_1.default.parseIssuer(rawResponse);
+                if (!this.opts.idpEnabled && isIdPFlow) {
+                    // IdP login is disabled so block the request
+                    throw new error_1.JacksonError('IdP (Identity Provider) flow has been disabled. Please head to your Service Provider to login.', 403);
+                }
+                sessionId = RelayState.replace(utils_1.relayStatePrefix, '');
+                if (!issuer) {
+                    throw new error_1.JacksonError('Issuer not found.', 403);
+                }
+                const connections = yield this.connectionStore.getByIndex({
+                    name: utils_1.IndexNames.EntityID,
+                    value: issuer,
                 });
-                // Redirect to the product selection page
-                if ('postForm' in response) {
-                    return {
-                        app_select_form: response.postForm,
-                    };
+                if (!connections || connections.length === 0) {
+                    throw new error_1.JacksonError('SAML connection not found.', 403);
                 }
-                // Found a connection
-                if ('connection' in response) {
-                    connection = response.connection;
+                session = sessionId ? yield this.sessionStore.get(sessionId) : null;
+                if (!isIdPFlow && !session) {
+                    throw new error_1.JacksonError('Unable to validate state from the origin request.', 403);
                 }
+                isSAMLFederated = session && 'samlFederated' in session;
+                const isSPFflow = !isIdPFlow && !isSAMLFederated;
+                // IdP initiated SSO flow
+                if (isIdPFlow) {
+                    const response = yield this.samlHandler.resolveConnection({
+                        idp_hint,
+                        authFlow: 'idp-initiated',
+                        entityId: issuer,
+                        originalParams: {
+                            SAMLResponse,
+                        },
+                    });
+                    // Redirect to the product selection page
+                    if ('postForm' in response) {
+                        return {
+                            app_select_form: response.postForm,
+                        };
+                    }
+                    // Found a connection
+                    if ('connection' in response) {
+                        connection = response.connection;
+                    }
+                }
+                // SP initiated SSO flow
+                // Resolve if there are multiple matches for SP login
+                if (isSPFflow) {
+                    connection = connections.filter((c) => {
+                        return (c.clientID === session.requested.client_id ||
+                            (c.tenant === session.requested.tenant && c.product === session.requested.product));
+                    })[0];
+                }
+                if (!connection) {
+                    connection = connections[0];
+                }
+                if (!connection) {
+                    throw new error_1.JacksonError('SAML connection not found.', 403);
+                }
+                if (session &&
+                    session.redirect_uri &&
+                    !allowed.redirect(session.redirect_uri, connection.redirectUrl)) {
+                    throw new error_1.JacksonError('Redirect URL is not allowed.', 403);
+                }
+                const { privateKey } = yield (0, x509_1.getDefaultCertificate)();
+                validateOpts = {
+                    thumbprint: `${connection === null || connection === void 0 ? void 0 : connection.idpMetadata.thumbprint}`,
+                    audience: `${this.opts.samlAudience}`,
+                    privateKey,
+                };
+                if (session && session.id) {
+                    validateOpts['inResponseTo'] = session.id;
+                }
+                redirect_uri = (session && session.redirect_uri) || connection.defaultRedirectUrl;
             }
-            // SP initiated SSO flow
-            // Resolve if there are multiple matches for SP login
-            if (isSPFflow) {
-                connection = connections.filter((c) => {
-                    return (c.clientID === session.requested.client_id ||
-                        (c.tenant === session.requested.tenant && c.product === session.requested.product));
-                })[0];
-            }
-            if (!connection) {
-                connection = connections[0];
-            }
-            if (!connection) {
-                throw new error_1.JacksonError('SAML connection not found.', 403);
-            }
-            if (session &&
-                session.redirect_uri &&
-                !allowed.redirect(session.redirect_uri, connection.redirectUrl)) {
-                throw new error_1.JacksonError('Redirect URL is not allowed.', 403);
-            }
-            const { privateKey } = yield (0, x509_1.getDefaultCertificate)();
-            const validateOpts = {
-                thumbprint: `${connection.idpMetadata.thumbprint}`,
-                audience: `${this.opts.samlAudience}`,
-                privateKey,
-            };
-            if (session && session.id) {
-                validateOpts['inResponseTo'] = session.id;
+            catch (err) {
+                // Save the error trace
+                yield this.samlTracer.saveTrace({
+                    error: (0, utils_1.getErrorMessage)(err),
+                    context: {
+                        samlResponse: rawResponse,
+                        tenant: (connection === null || connection === void 0 ? void 0 : connection.tenant) || '',
+                        product: (connection === null || connection === void 0 ? void 0 : connection.product) || '',
+                        clientID: (connection === null || connection === void 0 ? void 0 : connection.clientID) || '',
+                        redirectUri: isIdPFlow ? connection === null || connection === void 0 ? void 0 : connection.defaultRedirectUrl : session === null || session === void 0 ? void 0 : session.redirect_uri,
+                        issuer: issuer || '',
+                        isSAMLFederated: !!isSAMLFederated,
+                        isIdPFlow: !!isIdPFlow,
+                        relayState: RelayState,
+                    },
+                });
+                throw err; // Rethrow the error
             }
-            const redirect_uri = (session && session.redirect_uri) || connection.defaultRedirectUrl;
-            let profile = null;
+            let profile;
             try {
                 profile = yield (0, lib_1.extractSAMLResponseAttributes)(rawResponse, validateOpts);
+                // This is a federated SAML flow, let's create a new SAMLResponse and POST it to the SP
+                if (isSAMLFederated) {
+                    const { responseForm } = yield this.samlHandler.createSAMLResponse({ profile, session });
+                    yield this.sessionStore.delete(sessionId);
+                    return { responseForm };
+                }
+                const code = yield this._buildAuthorizationCode(connection, profile, session, isIdPFlow);
+                const params = {
+                    code,
+                };
+                if (session && session.state) {
+                    params['state'] = session.state;
+                }
+                yield this.sessionStore.delete(sessionId);
+                return { redirect_url: redirect.success(redirect_uri, params) };
             }
             catch (err) {
+                const error_description = (0, utils_1.getErrorMessage)(err);
+                // Trace the error
+                const traceId = yield this.samlTracer.saveTrace({
+                    error: error_description,
+                    context: {
+                        samlResponse: rawResponse,
+                        tenant: connection.tenant,
+                        product: connection.product,
+                        clientID: connection.clientID,
+                        redirectUri: isIdPFlow ? connection === null || connection === void 0 ? void 0 : connection.defaultRedirectUrl : session === null || session === void 0 ? void 0 : session.redirect_uri,
+                        isSAMLFederated,
+                        isIdPFlow,
+                        relayState: RelayState,
+                        issuer,
+                        profile,
+                    },
+                });
+                if (isSAMLFederated) {
+                    throw err;
+                }
                 return {
                     redirect_url: (0, utils_1.OAuthErrorResponse)({
                         error: 'access_denied',
-                        error_description: (0, utils_1.getErrorMessage)(err),
+                        error_description: traceId ? `${traceId}: ${error_description}` : error_description,
                         redirect_uri,
                         state: (_a = session.requested) === null || _a === void 0 ? void 0 : _a.state,
                     }),
                 };
             }
-            // This is a federated SAML flow, let's create a new SAMLResponse and POST it to the SP
-            if (isSAMLFederated) {
-                const { responseForm } = yield this.samlHandler.createSAMLResponse({ profile, session });
-                yield this.sessionStore.delete(sessionId);
-                return { responseForm };
-            }
-            const code = yield this._buildAuthorizationCode(connection, profile, session, isIdPFlow);
-            const params = {
-                code,
-            };
-            if (session && session.state) {
-                params['state'] = session.state;
-            }
-            yield this.sessionStore.delete(sessionId);
-            return { redirect_url: redirect.success(redirect_uri, params) };
         });
     }
     oidcAuthzResponse(body) {