samlesa 2.12.113 → 2.14.0

package/build/src/binding-redirect.js

@@ -1,341 +1,313 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
-    __setModuleDefault(result, mod);
-    return result;
-};
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-/**
- * @file binding-redirect.ts
- * @author tngan
- * @desc Binding-level API, declare the functions using Redirect binding
- */
-const utility_js_1 = __importStar(require("./utility.js"));
-const libsaml_js_1 = __importDefault(require("./libsaml.js"));
-const urn_js_1 = require("./urn.js");
-const binding = urn_js_1.wording.binding;
-const urlParams = urn_js_1.wording.urlParams;
-/**
- * @private
- * @desc Helper of generating URL param/value pair
- * @param  {string} param     key
- * @param  {string} value     value of key
- * @param  {boolean} first    determine whether the param is the starting one in order to add query header '?'
- * @return {string}
- */
-function pvPair(param, value, first) {
-    return (first === true ? '?' : '&') + param + '=' + value;
-}
-/**
- * @private
- * @desc Refractored part of URL generation for login/logout request
- * @param  {string} type
- * @param  {boolean} isSigned
- * @param  {string} rawSamlRequest
- * @param  {object} entitySetting
- * @return {string}
- */
-function buildRedirectURL(opts) {
-    const { baseUrl, type, isSigned, context, entitySetting, } = opts;
-    let { relayState = '' } = opts;
-    let noParams = true;
-    try {
-        noParams = new URL(baseUrl)?.searchParams?.size === 0;
-    }
-    catch {
-        noParams = true;
-    }
-    const queryParam = libsaml_js_1.default.getQueryParamByType(type);
-    // In general, this xmlstring is required to do deflate -> base64 -> urlencode
-    const samlRequest = encodeURIComponent(utility_js_1.default.base64Encode(utility_js_1.default.deflateString(context)));
-    if (relayState !== '') {
-        relayState = pvPair(urlParams.relayState, encodeURIComponent(relayState));
-    }
-    if (isSigned) {
-        const sigAlg = pvPair(urlParams.sigAlg, encodeURIComponent(entitySetting.requestSignatureAlgorithm));
-        const octetString = samlRequest + relayState + sigAlg;
-        return baseUrl
-            + pvPair(queryParam, octetString, noParams)
-            + pvPair(urlParams.signature, encodeURIComponent(libsaml_js_1.default.constructMessageSignature(queryParam + '=' + octetString, entitySetting.privateKey, entitySetting.privateKeyPass, undefined, entitySetting.requestSignatureAlgorithm).toString()));
-    }
-    return baseUrl + pvPair(queryParam, samlRequest + relayState, noParams);
-}
-/**
- * @desc Redirect URL for login request
- * @param  {object} entity                       object includes both idp and sp
- * @param  {function} customTagReplacement      used when developers have their own login response template
- * @return {string} redirect URL
- */
-function loginRequestRedirectURL(entity, customTagReplacement) {
-    const metadata = { idp: entity.idp.entityMeta, sp: entity.sp.entityMeta };
-    const spSetting = entity.sp.entitySetting;
-    let id = '';
-    if (metadata && metadata.idp && metadata.sp) {
-        const base = metadata.idp.getSingleSignOnService(binding.redirect);
-        let rawSamlRequest;
-        if (spSetting.loginRequestTemplate && customTagReplacement) {
-            const info = customTagReplacement(spSetting.loginRequestTemplate);
-            id = (0, utility_js_1.get)(info, 'id', null);
-            rawSamlRequest = (0, utility_js_1.get)(info, 'context', null);
-        }
-        else {
-            const nameIDFormat = spSetting.nameIDFormat;
-            const selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat;
-            id = spSetting.generateID();
-            rawSamlRequest = libsaml_js_1.default.replaceTagsByValue(libsaml_js_1.default.defaultLoginRequestTemplate.context, {
-                ID: id,
-                Destination: base,
-                Issuer: metadata.sp.getEntityID(),
-                IssueInstant: new Date().toISOString(),
-                NameIDFormat: selectedNameIDFormat,
-                AssertionConsumerServiceURL: metadata.sp.getAssertionConsumerService(binding.post),
-                EntityID: metadata.sp.getEntityID(),
-                AllowCreate: spSetting.allowCreate,
-            });
-        }
-        return {
-            id,
-            context: buildRedirectURL({
-                context: rawSamlRequest,
-                type: urlParams.samlRequest,
-                isSigned: metadata.sp.isAuthnRequestSigned(),
-                entitySetting: spSetting,
-                baseUrl: base,
-                relayState: spSetting.relayState,
-            }),
-        };
-    }
-    throw new Error('ERR_GENERATE_REDIRECT_LOGIN_REQUEST_MISSING_METADATA');
-}
-/**
- * @desc Redirect URL for login response
- * @param  {object} requestInfo             corresponding request, used to obtain the id
- * @param  {object} entity                      object includes both idp and sp
- * @param  {object} user                         current logged user (e.g. req.user)
- * @param  {String} relayState                the relaystate sent by sp corresponding request
- * @param  {function} customTagReplacement     used when developers have their own login response template
- * @param AttributeStatement
- */
-function loginResponseRedirectURL(requestInfo, entity, user = {}, relayState, customTagReplacement, AttributeStatement = []) {
-    const idpSetting = entity.idp.entitySetting;
-    const spSetting = entity.sp.entitySetting;
-    const metadata = {
-        idp: entity.idp.entityMeta,
-        sp: entity.sp.entityMeta,
-    };
-    let id = idpSetting.generateID();
-    if (metadata && metadata.idp && metadata.sp) {
-        const base = metadata.sp.getAssertionConsumerService(binding.redirect);
-        if (!base) {
-            throw new Error('dont have a base url');
-        }
-        let rawSamlResponse;
-        //
-        const nameIDFormat = idpSetting.nameIDFormat;
-        const selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat;
-        const nowTime = new Date();
-        // Five minutes later : nowtime  + 5 * 60 * 1000 (in milliseconds)
-        const fiveMinutesLaterTime = new Date(nowTime.getTime() + 300_000);
-        const now = nowTime.toISOString();
-        console.log(`现在是北京时间:${nowTime.toLocaleString()}`);
-        const sessionIndex = 'session' + idpSetting.generateID(); // 这个是当前系统的会话索引，用于单点注销
-        const tenHoursLaterTime = new Date(nowTime.getTime());
-        tenHoursLaterTime.setHours(tenHoursLaterTime.getHours() + 10);
-        const tenHoursLater = tenHoursLaterTime.toISOString();
-        const tvalue = {
-            ID: id,
-            AssertionID: idpSetting.generateID(),
-            Destination: base,
-            SubjectRecipient: base,
-            Issuer: metadata.idp.getEntityID(),
-            Audience: metadata.sp.getEntityID(),
-            EntityID: metadata.sp.getEntityID(),
-            IssueInstant: nowTime.toISOString(),
-            AssertionConsumerServiceURL: base,
-            StatusCode: urn_js_1.namespace.statusCode.success,
-            // can be customized
-            ConditionsNotBefore: nowTime.toISOString(),
-            ConditionsNotOnOrAfter: fiveMinutesLaterTime.toISOString(),
-            SubjectConfirmationDataNotOnOrAfter: fiveMinutesLaterTime.toISOString(),
-            NameIDFormat: selectedNameIDFormat,
-            NameID: user.NameID || '',
-            InResponseTo: (0, utility_js_1.get)(requestInfo, 'extract.request.id', ''),
-            AuthnStatement: `<saml:AuthnStatement AuthnInstant="${now}" SessionNotOnOrAfter="${tenHoursLater}" SessionIndex="${sessionIndex}"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>`,
-            AttributeStatement: libsaml_js_1.default.attributeStatementBuilder(AttributeStatement),
-        };
-        if (idpSetting.loginResponseTemplate && customTagReplacement) {
-            const template = customTagReplacement(idpSetting.loginResponseTemplate.context);
-            id = (0, utility_js_1.get)(template, 'id', null);
-            rawSamlResponse = (0, utility_js_1.get)(template, 'context', null);
-        }
-        else {
-            if (requestInfo !== null) {
-                tvalue.InResponseTo = requestInfo?.extract?.request?.id;
-            }
-            rawSamlResponse = libsaml_js_1.default.replaceTagsByValue(libsaml_js_1.default.defaultLoginResponseTemplate.context, tvalue);
-        }
-        const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm } = idpSetting;
-        const config = {
-            privateKey,
-            privateKeyPass,
-            signatureAlgorithm,
-            signingCert: metadata.idp.getX509Certificate('signing'),
-            isBase64Output: false,
-        };
-        // step: sign assertion ? -> encrypted ? -> sign message ?
-        if (metadata.sp.isWantAssertionsSigned()) {
-            rawSamlResponse = libsaml_js_1.default.constructSAMLSignature({
-                ...config,
-                rawSamlMessage: rawSamlResponse,
-                transformationAlgorithms: spSetting.transformationAlgorithms,
-                referenceTagXPath: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']",
-                signatureConfig: {
-                    prefix: 'ds',
-                    location: {
-                        reference: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']/*[local-name(.)='Issuer']",
-                        action: 'after'
-                    },
-                },
-            });
-        }
-        // Like in post binding, SAML response is always signed
-        return {
-            id,
-            context: buildRedirectURL({
-                baseUrl: base,
-                type: urlParams.samlResponse,
-                isSigned: true,
-                context: rawSamlResponse,
-                entitySetting: idpSetting,
-                relayState,
-            }),
-        };
-    }
-    throw new Error('ERR_GENERATE_REDIRECT_LOGIN_RESPONSE_MISSING_METADATA');
-}
-/**
- * @desc Redirect URL for logout request
- * @param  {object} user                        current logged user (e.g. req.user)
- * @param  {object} entity                      object includes both idp and sp
- * @param  {function} customTagReplacement     used when developers have their own login response template
- * @return {string} redirect URL
- */
-function logoutRequestRedirectURL(user, entity, relayState, customTagReplacement) {
-    const metadata = { init: entity.init.entityMeta, target: entity.target.entityMeta };
-    const initSetting = entity.init.entitySetting;
-    let id = initSetting.generateID();
-    const nameIDFormat = initSetting.nameIDFormat;
-    const selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat;
-    if (metadata && metadata.init && metadata.target) {
-        const base = metadata.target.getSingleLogoutService(binding.redirect);
-        let rawSamlRequest = '';
-        const requiredTags = {
-            ID: id,
-            Destination: base,
-            EntityID: metadata.init.getEntityID(),
-            Issuer: metadata.init.getEntityID(),
-            IssueInstant: new Date().toISOString(),
-            NameIDFormat: selectedNameIDFormat,
-            NameID: user.NameID || '',
-            SessionIndex: user.sessionIndex,
-        };
-        if (initSetting.logoutRequestTemplate && customTagReplacement) {
-            const info = customTagReplacement(initSetting.logoutRequestTemplate, requiredTags);
-            id = (0, utility_js_1.get)(info, 'id', null);
-            rawSamlRequest = (0, utility_js_1.get)(info, 'context', null);
-        }
-        else {
-            rawSamlRequest = libsaml_js_1.default.replaceTagsByValue(libsaml_js_1.default.defaultLogoutRequestTemplate.context, requiredTags);
-        }
-        return {
-            id,
-            context: buildRedirectURL({
-                context: rawSamlRequest,
-                relayState,
-                type: urlParams.logoutRequest,
-                isSigned: entity.target.entitySetting.wantLogoutRequestSigned,
-                entitySetting: initSetting,
-                baseUrl: base,
-            }),
-        };
-    }
-    throw new Error('ERR_GENERATE_REDIRECT_LOGOUT_REQUEST_MISSING_METADATA');
-}
-/**
- * @desc Redirect URL for logout response
- * @param  {object} requescorresponding request, used to obtain the id
- * @param  {object} entity                      object includes both idp and sp
- * @param  {function} customTagReplacement     used when developers have their own login response template
- */
-function logoutResponseRedirectURL(requestInfo, entity, relayState, customTagReplacement) {
-    const metadata = {
-        init: entity.init.entityMeta,
-        target: entity.target.entityMeta,
-    };
-    const initSetting = entity.init.entitySetting;
-    let id = initSetting.generateID();
-    if (metadata && metadata.init && metadata.target) {
-        const base = metadata.target.getSingleLogoutService(binding.redirect);
-        let rawSamlResponse;
-        if (initSetting.logoutResponseTemplate && customTagReplacement) {
-            const template = customTagReplacement(initSetting.logoutResponseTemplate);
-            id = (0, utility_js_1.get)(template, 'id', null);
-            rawSamlResponse = (0, utility_js_1.get)(template, 'context', null);
-        }
-        else {
-            const tvalue = {
-                ID: id,
-                Destination: base,
-                Issuer: metadata.init.getEntityID(),
-                EntityID: metadata.init.getEntityID(),
-                IssueInstant: new Date().toISOString(),
-                StatusCode: urn_js_1.namespace.statusCode.success,
-            };
-            if (requestInfo && requestInfo.extract && requestInfo.extract.request) {
-                tvalue.InResponseTo = requestInfo?.extract?.request?.id;
-            }
-            rawSamlResponse = libsaml_js_1.default.replaceTagsByValue(libsaml_js_1.default.defaultLogoutResponseTemplate.context, tvalue);
-        }
-        return {
-            id,
-            context: buildRedirectURL({
-                baseUrl: base,
-                type: urlParams.logoutResponse,
-                isSigned: entity.target.entitySetting.wantLogoutResponseSigned,
-                context: rawSamlResponse,
-                entitySetting: initSetting,
-                relayState,
-            }),
-        };
-    }
-    throw new Error('ERR_GENERATE_REDIRECT_LOGOUT_RESPONSE_MISSING_METADATA');
-}
-const redirectBinding = {
-    loginRequestRedirectURL,
-    loginResponseRedirectURL,
-    logoutRequestRedirectURL,
-    logoutResponseRedirectURL,
-};
-exports.default = redirectBinding;
+/**
+ * @file binding-redirect.ts
+ * @author tngan
+ * @desc Binding-level API, declare the functions using Redirect binding
+ */
+import utility, { get } from './utility.js';
+import libsaml from './libsaml.js';
+import { wording, namespace } from './urn.js';
+const binding = wording.binding;
+const urlParams = wording.urlParams;
+/**
+ * @private
+ * @desc Helper of generating URL param/value pair
+ * @param  {string} param     key
+ * @param  {string} value     value of key
+ * @param  {boolean} first    determine whether the param is the starting one in order to add query header '?'
+ * @return {string}
+ */
+function pvPair(param, value, first) {
+    return (first === true ? '?' : '&') + param + '=' + value;
+}
+/**
+ * @private
+ * @desc Refractored part of URL generation for login/logout request
+ * @param  {string} type
+ * @param  {boolean} isSigned
+ * @param  {string} rawSamlRequest
+ * @param  {object} entitySetting
+ * @return {string}
+ */
+function buildRedirectURL(opts) {
+    const { baseUrl, type, isSigned, context, entitySetting, } = opts;
+    let { relayState = '' } = opts;
+    let noParams = true;
+    try {
+        noParams = new URL(baseUrl)?.searchParams?.size === 0;
+    }
+    catch {
+        noParams = true;
+    }
+    const queryParam = libsaml.getQueryParamByType(type);
+    // In general, this xmlstring is required to do deflate -> base64 -> urlencode
+    const samlRequest = encodeURIComponent(utility.base64Encode(utility.deflateString(context)));
+    if (relayState !== '') {
+        relayState = pvPair(urlParams.relayState, encodeURIComponent(relayState));
+    }
+    if (isSigned) {
+        const sigAlg = pvPair(urlParams.sigAlg, encodeURIComponent(entitySetting.requestSignatureAlgorithm));
+        const octetString = samlRequest + relayState + sigAlg;
+        return baseUrl
+            + pvPair(queryParam, octetString, noParams)
+            + pvPair(urlParams.signature, encodeURIComponent(libsaml.constructMessageSignature(queryParam + '=' + octetString, entitySetting.privateKey, entitySetting.privateKeyPass, undefined, entitySetting.requestSignatureAlgorithm).toString()));
+    }
+    return baseUrl + pvPair(queryParam, samlRequest + relayState, noParams);
+}
+/**
+ * @desc Redirect URL for login request
+ * @param  {object} entity                       object includes both idp and sp
+ * @param  {function} customTagReplacement      used when developers have their own login response template
+ * @return {string} redirect URL
+ */
+function loginRequestRedirectURL(entity, customTagReplacement) {
+    const metadata = { idp: entity.idp.entityMeta, sp: entity.sp.entityMeta };
+    const spSetting = entity.sp.entitySetting;
+    let id = '';
+    if (metadata && metadata.idp && metadata.sp) {
+        const base = metadata.idp.getSingleSignOnService(binding.redirect);
+        let rawSamlRequest;
+        if (spSetting.loginRequestTemplate && customTagReplacement) {
+            const info = customTagReplacement(spSetting.loginRequestTemplate);
+            id = get(info, 'id', null);
+            rawSamlRequest = get(info, 'context', null);
+        }
+        else {
+            const nameIDFormat = spSetting.nameIDFormat;
+            const selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat;
+            id = spSetting.generateID();
+            rawSamlRequest = libsaml.replaceTagsByValue(libsaml.defaultLoginRequestTemplate.context, {
+                ID: id,
+                Destination: base,
+                Issuer: metadata.sp.getEntityID(),
+                IssueInstant: new Date().toISOString(),
+                NameIDFormat: selectedNameIDFormat,
+                AssertionConsumerServiceURL: metadata.sp.getAssertionConsumerService(binding.post),
+                EntityID: metadata.sp.getEntityID(),
+                AllowCreate: spSetting.allowCreate,
+            });
+        }
+        return {
+            id,
+            context: buildRedirectURL({
+                context: rawSamlRequest,
+                type: urlParams.samlRequest,
+                isSigned: metadata.sp.isAuthnRequestSigned(),
+                entitySetting: spSetting,
+                baseUrl: base,
+                relayState: spSetting.relayState,
+            }),
+        };
+    }
+    throw new Error('ERR_GENERATE_REDIRECT_LOGIN_REQUEST_MISSING_METADATA');
+}
+/**
+ * @desc Redirect URL for login response
+ * @param  {object} requestInfo             corresponding request, used to obtain the id
+ * @param  {object} entity                      object includes both idp and sp
+ * @param  {object} user                         current logged user (e.g. req.user)
+ * @param  {String} relayState                the relaystate sent by sp corresponding request
+ * @param  {function} customTagReplacement     used when developers have their own login response template
+ * @param AttributeStatement
+ */
+function loginResponseRedirectURL(requestInfo, entity, user = {}, relayState, customTagReplacement, AttributeStatement = []) {
+    const idpSetting = entity.idp.entitySetting;
+    const spSetting = entity.sp.entitySetting;
+    const metadata = {
+        idp: entity.idp.entityMeta,
+        sp: entity.sp.entityMeta,
+    };
+    let id = idpSetting.generateID();
+    if (metadata && metadata.idp && metadata.sp) {
+        const base = metadata.sp.getAssertionConsumerService(binding.redirect);
+        if (!base) {
+            throw new Error('dont have a base url');
+        }
+        let rawSamlResponse;
+        //
+        const nameIDFormat = idpSetting.nameIDFormat;
+        const selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat;
+        const nowTime = new Date();
+        // Five minutes later : nowtime  + 5 * 60 * 1000 (in milliseconds)
+        const fiveMinutesLaterTime = new Date(nowTime.getTime() + 300_000);
+        const now = nowTime.toISOString();
+        console.log(`现在是北京时间:${nowTime.toLocaleString()}`);
+        const sessionIndex = 'session' + idpSetting.generateID(); // 这个是当前系统的会话索引，用于单点注销
+        const tenHoursLaterTime = new Date(nowTime.getTime());
+        tenHoursLaterTime.setHours(tenHoursLaterTime.getHours() + 10);
+        const tenHoursLater = tenHoursLaterTime.toISOString();
+        const tvalue = {
+            ID: id,
+            AssertionID: idpSetting.generateID(),
+            Destination: base,
+            SubjectRecipient: base,
+            Issuer: metadata.idp.getEntityID(),
+            Audience: metadata.sp.getEntityID(),
+            EntityID: metadata.sp.getEntityID(),
+            IssueInstant: nowTime.toISOString(),
+            AssertionConsumerServiceURL: base,
+            StatusCode: namespace.statusCode.success,
+            // can be customized
+            ConditionsNotBefore: nowTime.toISOString(),
+            ConditionsNotOnOrAfter: fiveMinutesLaterTime.toISOString(),
+            SubjectConfirmationDataNotOnOrAfter: fiveMinutesLaterTime.toISOString(),
+            NameIDFormat: selectedNameIDFormat,
+            NameID: user.NameID || '',
+            InResponseTo: get(requestInfo, 'extract.request.id', ''),
+            AuthnStatement: `<saml:AuthnStatement AuthnInstant="${now}" SessionNotOnOrAfter="${tenHoursLater}" SessionIndex="${sessionIndex}"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>`,
+            AttributeStatement: libsaml.attributeStatementBuilder(AttributeStatement),
+        };
+        if (idpSetting.loginResponseTemplate && customTagReplacement) {
+            const template = customTagReplacement(idpSetting.loginResponseTemplate.context);
+            id = get(template, 'id', null);
+            rawSamlResponse = get(template, 'context', null);
+        }
+        else {
+            if (requestInfo !== null) {
+                tvalue.InResponseTo = requestInfo?.extract?.request?.id;
+            }
+            rawSamlResponse = libsaml.replaceTagsByValue(libsaml.defaultLoginResponseTemplate.context, tvalue);
+        }
+        const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm } = idpSetting;
+        const config = {
+            privateKey,
+            privateKeyPass,
+            signatureAlgorithm,
+            signingCert: metadata.idp.getX509Certificate('signing'),
+            isBase64Output: false,
+        };
+        // step: sign assertion ? -> encrypted ? -> sign message ?
+        if (metadata.sp.isWantAssertionsSigned()) {
+            rawSamlResponse = libsaml.constructSAMLSignature({
+                ...config,
+                rawSamlMessage: rawSamlResponse,
+                transformationAlgorithms: spSetting.transformationAlgorithms,
+                referenceTagXPath: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']",
+                signatureConfig: {
+                    prefix: 'ds',
+                    location: {
+                        reference: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']/*[local-name(.)='Issuer']",
+                        action: 'after'
+                    },
+                },
+            });
+        }
+        // Like in post binding, SAML response is always signed
+        return {
+            id,
+            context: buildRedirectURL({
+                baseUrl: base,
+                type: urlParams.samlResponse,
+                isSigned: true,
+                context: rawSamlResponse,
+                entitySetting: idpSetting,
+                relayState,
+            }),
+        };
+    }
+    throw new Error('ERR_GENERATE_REDIRECT_LOGIN_RESPONSE_MISSING_METADATA');
+}
+/**
+ * @desc Redirect URL for logout request
+ * @param  {object} user                        current logged user (e.g. req.user)
+ * @param  {object} entity                      object includes both idp and sp
+ * @param  {function} customTagReplacement     used when developers have their own login response template
+ * @return {string} redirect URL
+ */
+function logoutRequestRedirectURL(user, entity, relayState, customTagReplacement) {
+    const metadata = { init: entity.init.entityMeta, target: entity.target.entityMeta };
+    const initSetting = entity.init.entitySetting;
+    let id = initSetting.generateID();
+    const nameIDFormat = initSetting.nameIDFormat;
+    const selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat;
+    if (metadata && metadata.init && metadata.target) {
+        const base = metadata.target.getSingleLogoutService(binding.redirect);
+        let rawSamlRequest = '';
+        const requiredTags = {
+            ID: id,
+            Destination: base,
+            EntityID: metadata.init.getEntityID(),
+            Issuer: metadata.init.getEntityID(),
+            IssueInstant: new Date().toISOString(),
+            NameIDFormat: selectedNameIDFormat,
+            NameID: user.NameID || '',
+            SessionIndex: user.sessionIndex,
+        };
+        if (initSetting.logoutRequestTemplate && customTagReplacement) {
+            const info = customTagReplacement(initSetting.logoutRequestTemplate, requiredTags);
+            id = get(info, 'id', null);
+            rawSamlRequest = get(info, 'context', null);
+        }
+        else {
+            rawSamlRequest = libsaml.replaceTagsByValue(libsaml.defaultLogoutRequestTemplate.context, requiredTags);
+        }
+        return {
+            id,
+            context: buildRedirectURL({
+                context: rawSamlRequest,
+                relayState,
+                type: urlParams.logoutRequest,
+                isSigned: entity.target.entitySetting.wantLogoutRequestSigned,
+                entitySetting: initSetting,
+                baseUrl: base,
+            }),
+        };
+    }
+    throw new Error('ERR_GENERATE_REDIRECT_LOGOUT_REQUEST_MISSING_METADATA');
+}
+/**
+ * @desc Redirect URL for logout response
+ * @param  {object} requescorresponding request, used to obtain the id
+ * @param  {object} entity                      object includes both idp and sp
+ * @param  {function} customTagReplacement     used when developers have their own login response template
+ */
+function logoutResponseRedirectURL(requestInfo, entity, relayState, customTagReplacement) {
+    const metadata = {
+        init: entity.init.entityMeta,
+        target: entity.target.entityMeta,
+    };
+    const initSetting = entity.init.entitySetting;
+    let id = initSetting.generateID();
+    if (metadata && metadata.init && metadata.target) {
+        const base = metadata.target.getSingleLogoutService(binding.redirect);
+        let rawSamlResponse;
+        if (initSetting.logoutResponseTemplate && customTagReplacement) {
+            const template = customTagReplacement(initSetting.logoutResponseTemplate);
+            id = get(template, 'id', null);
+            rawSamlResponse = get(template, 'context', null);
+        }
+        else {
+            const tvalue = {
+                ID: id,
+                Destination: base,
+                Issuer: metadata.init.getEntityID(),
+                EntityID: metadata.init.getEntityID(),
+                IssueInstant: new Date().toISOString(),
+                StatusCode: namespace.statusCode.success,
+            };
+            if (requestInfo && requestInfo.extract && requestInfo.extract.request) {
+                tvalue.InResponseTo = requestInfo?.extract?.request?.id;
+            }
+            rawSamlResponse = libsaml.replaceTagsByValue(libsaml.defaultLogoutResponseTemplate.context, tvalue);
+        }
+        return {
+            id,
+            context: buildRedirectURL({
+                baseUrl: base,
+                type: urlParams.logoutResponse,
+                isSigned: entity.target.entitySetting.wantLogoutResponseSigned,
+                context: rawSamlResponse,
+                entitySetting: initSetting,
+                relayState,
+            }),
+        };
+    }
+    throw new Error('ERR_GENERATE_REDIRECT_LOGOUT_RESPONSE_MISSING_METADATA');
+}
+const redirectBinding = {
+    loginRequestRedirectURL,
+    loginResponseRedirectURL,
+    logoutRequestRedirectURL,
+    logoutResponseRedirectURL,
+};
+export default redirectBinding;
 //# sourceMappingURL=binding-redirect.js.map