npm - samlesa - Versions diffs - 2.12.3 → 2.12.6 - Mend

samlesa 2.12.3 → 2.12.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of samlesa might be problematic. Click here for more details.

Files changed (66) hide show

package/build/index.js +54 -64
package/build/index.js.map +1 -1
package/build/src/api.js +24 -23
package/build/src/api.js.map +1 -1
package/build/src/binding-post.js +358 -368
package/build/src/binding-post.js.map +1 -1
package/build/src/binding-redirect.js +333 -332
package/build/src/binding-redirect.js.map +1 -1
package/build/src/binding-simplesign.js +222 -232
package/build/src/binding-simplesign.js.map +1 -1
package/build/src/entity-idp.js +132 -130
package/build/src/entity-idp.js.map +1 -1
package/build/src/entity-sp.js +96 -96
package/build/src/entity-sp.js.map +1 -1
package/build/src/entity.js +225 -235
package/build/src/entity.js.map +1 -1
package/build/src/extractor.js +369 -369
package/build/src/extractor.js.map +1 -1
package/build/src/flow.js +320 -319
package/build/src/flow.js.map +1 -1
package/build/src/libsaml.js +660 -641
package/build/src/libsaml.js.map +1 -1
package/build/src/metadata-idp.js +127 -127
package/build/src/metadata-idp.js.map +1 -1
package/build/src/metadata-sp.js +231 -231
package/build/src/metadata-sp.js.map +1 -1
package/build/src/metadata.js +166 -176
package/build/src/metadata.js.map +1 -1
package/build/src/types.js +11 -11
package/build/src/urn.js +212 -212
package/build/src/urn.js.map +1 -1
package/build/src/utility.js +292 -248
package/build/src/utility.js.map +1 -1
package/build/src/validator.js +27 -26
package/build/src/validator.js.map +1 -1
package/index.d.ts +10 -10
package/index.js +18 -18
package/package.json +1 -5
package/qodana.yaml +29 -29
package/src/binding-post.ts +1 -1
package/src/binding-redirect.ts +83 -64
package/src/entity-idp.ts +26 -20
package/src/libsaml.ts +79 -48
package/src/utility.ts +147 -76
package/types/index.d.ts +10 -10
package/types/src/api.d.ts +13 -13
package/types/src/binding-post.d.ts +46 -46
package/types/src/binding-redirect.d.ts +52 -52
package/types/src/binding-simplesign.d.ts +39 -39
package/types/src/entity-idp.d.ts +35 -42
package/types/src/entity-sp.d.ts +36 -36
package/types/src/entity.d.ts +101 -99
package/types/src/extractor.d.ts +25 -25
package/types/src/flow.d.ts +6 -6
package/types/src/libsaml.d.ts +200 -210
package/types/src/metadata-idp.d.ts +24 -24
package/types/src/metadata-sp.d.ts +36 -36
package/types/src/metadata.d.ts +59 -57
package/types/src/types.d.ts +129 -127
package/types/src/urn.d.ts +194 -194
package/types/src/utility.d.ts +134 -134
package/types/src/validator.d.ts +3 -3
package/.idea/compiler.xml +0 -6
package/.idea/deployment.xml +0 -14
package/.idea/jsLibraryMappings.xml +0 -6
package/build/.idea/workspace.xml +0 -58

package/build/src/binding-redirect.js CHANGED Viewed

@@ -1,333 +1,334 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-/**
-* @file binding-redirect.ts
-* @author tngan
-* @desc Binding-level API, declare the functions using Redirect binding
-*/
-const utility_js_1 = __importStar(require("./utility.js"));
-const libsaml_js_1 = __importDefault(require("./libsaml.js"));
-const url = __importStar(require("url"));
-const urn_js_1 = require("./urn.js");
-const binding = urn_js_1.wording.binding;
-const urlParams = urn_js_1.wording.urlParams;
-/**
-* @private
-* @desc Helper of generating URL param/value pair
-* @param  {string} param     key
-* @param  {string} value     value of key
-* @param  {boolean} first    determine whether the param is the starting one in order to add query header '?'
-* @return {string}
-*/
-function pvPair(param, value, first) {
-    return (first === true ? '?' : '&') + param + '=' + value;
-}
-/**
-* @private
-* @desc Refractored part of URL generation for login/logout request
-* @param  {string} type
-* @param  {boolean} isSigned
-* @param  {string} rawSamlRequest
-* @param  {object} entitySetting
-* @return {string}
-*/
-function buildRedirectURL(opts) {
-    const { baseUrl, type, isSigned, context, entitySetting, } = opts;
-    let { relayState = '' } = opts;
-    const noParams = (url.parse(baseUrl).query || []).length === 0;
-    const queryParam = libsaml_js_1.default.getQueryParamByType(type);
-    // In general, this xmlstring is required to do deflate -> base64 -> urlencode
-    const samlRequest = encodeURIComponent(utility_js_1.default.base64Encode(utility_js_1.default.deflateString(context)));
-    if (relayState !== '') {
-        relayState = pvPair(urlParams.relayState, encodeURIComponent(relayState));
-    }
-    if (isSigned) {
-        const sigAlg = pvPair(urlParams.sigAlg, encodeURIComponent(entitySetting.requestSignatureAlgorithm));
-        const octetString = samlRequest + relayState + sigAlg;
-        return baseUrl
-            + pvPair(queryParam, octetString, noParams)
-            + pvPair(urlParams.signature, encodeURIComponent(libsaml_js_1.default.constructMessageSignature(queryParam + '=' + octetString, entitySetting.privateKey, entitySetting.privateKeyPass, undefined, entitySetting.requestSignatureAlgorithm).toString()));
-    }
-    return baseUrl + pvPair(queryParam, samlRequest + relayState, noParams);
-}
-/**
-* @desc Redirect URL for login request
-* @param  {object} entity                       object includes both idp and sp
-* @param  {function} customTagReplacement      used when developers have their own login response template
-* @return {string} redirect URL
-*/
-function loginRequestRedirectURL(entity, customTagReplacement) {
-    const metadata = { idp: entity.idp.entityMeta, sp: entity.sp.entityMeta };
-    const spSetting = entity.sp.entitySetting;
-    let id = '';
-    if (metadata && metadata.idp && metadata.sp) {
-        const base = metadata.idp.getSingleSignOnService(binding.redirect);
-        let rawSamlRequest;
-        if (spSetting.loginRequestTemplate && customTagReplacement) {
-            const info = customTagReplacement(spSetting.loginRequestTemplate);
-            id = (0, utility_js_1.get)(info, 'id', null);
-            rawSamlRequest = (0, utility_js_1.get)(info, 'context', null);
-        }
-        else {
-            const nameIDFormat = spSetting.nameIDFormat;
-            const selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat;
-            id = spSetting.generateID();
-            rawSamlRequest = libsaml_js_1.default.replaceTagsByValue(libsaml_js_1.default.defaultLoginRequestTemplate.context, {
-                ID: id,
-                Destination: base,
-                Issuer: metadata.sp.getEntityID(),
-                IssueInstant: new Date().toISOString(),
-                NameIDFormat: selectedNameIDFormat,
-                AssertionConsumerServiceURL: metadata.sp.getAssertionConsumerService(binding.post),
-                EntityID: metadata.sp.getEntityID(),
-                AllowCreate: spSetting.allowCreate,
-            });
-        }
-        return {
-            id,
-            context: buildRedirectURL({
-                context: rawSamlRequest,
-                type: urlParams.samlRequest,
-                isSigned: metadata.sp.isAuthnRequestSigned(),
-                entitySetting: spSetting,
-                baseUrl: base,
-                relayState: spSetting.relayState,
-            }),
-        };
-    }
-    throw new Error('ERR_GENERATE_REDIRECT_LOGIN_REQUEST_MISSING_METADATA');
-}
-/**
-* @desc Redirect URL for login response
-* @param  {object} requestInfo             corresponding request, used to obtain the id
-* @param  {object} entity                      object includes both idp and sp
-* @param  {object} user                         current logged user (e.g. req.user)
-* @param  {String} relayState                the relaystate sent by sp corresponding request
-* @param  {function} customTagReplacement     used when developers have their own login response template
-*/
-function loginResponseRedirectURL(requestInfo, entity, user = {}, relayState, customTagReplacement) {
-    const idpSetting = entity.idp.entitySetting;
-    const spSetting = entity.sp.entitySetting;
-    const metadata = {
-        idp: entity.idp.entityMeta,
-        sp: entity.sp.entityMeta,
-    };
-    let id = idpSetting.generateID();
-    if (metadata && metadata.idp && metadata.sp) {
-        const base = metadata.sp.getAssertionConsumerService(binding.redirect);
-        let rawSamlResponse;
-        //
-        const nameIDFormat = idpSetting.nameIDFormat;
-        const selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat;
-        const nowTime = new Date();
-        // Five minutes later : nowtime  + 5 * 60 * 1000 (in milliseconds)
-        const fiveMinutesLaterTime = new Date(nowTime.getTime() + 300_000);
-        const tvalue = {
-            ID: id,
-            AssertionID: idpSetting.generateID(),
-            Destination: base,
-            SubjectRecipient: base,
-            Issuer: metadata.idp.getEntityID(),
-            Audience: metadata.sp.getEntityID(),
-            EntityID: metadata.sp.getEntityID(),
-            IssueInstant: nowTime.toISOString(),
-            AssertionConsumerServiceURL: base,
-            StatusCode: urn_js_1.namespace.statusCode.success,
-            // can be customized
-            ConditionsNotBefore: nowTime.toISOString(),
-            ConditionsNotOnOrAfter: fiveMinutesLaterTime.toISOString(),
-            SubjectConfirmationDataNotOnOrAfter: fiveMinutesLaterTime.toISOString(),
-            NameIDFormat: selectedNameIDFormat,
-            NameID: user.email || '',
-            InResponseTo: (0, utility_js_1.get)(requestInfo, 'extract.request.id', ''),
-            AuthnStatement: '',
-            AttributeStatement: '',
-        };
-        if (idpSetting.loginResponseTemplate && customTagReplacement) {
-            const template = customTagReplacement(idpSetting.loginResponseTemplate.context);
-            id = (0, utility_js_1.get)(template, 'id', null);
-            rawSamlResponse = (0, utility_js_1.get)(template, 'context', null);
-        }
-        else {
-            if (requestInfo !== null) {
-                tvalue.InResponseTo = requestInfo.extract.request.id;
-            }
-            rawSamlResponse = libsaml_js_1.default.replaceTagsByValue(libsaml_js_1.default.defaultLoginResponseTemplate.context, tvalue);
-        }
-        const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm } = idpSetting;
-        const config = {
-            privateKey,
-            privateKeyPass,
-            signatureAlgorithm,
-            signingCert: metadata.idp.getX509Certificate('signing'),
-            isBase64Output: false,
-        };
-        // step: sign assertion ? -> encrypted ? -> sign message ?
-        if (metadata.sp.isWantAssertionsSigned()) {
-            rawSamlResponse = libsaml_js_1.default.constructSAMLSignature({
-                ...config,
-                rawSamlMessage: rawSamlResponse,
-                transformationAlgorithms: spSetting.transformationAlgorithms,
-                referenceTagXPath: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']",
-                signatureConfig: {
-                    prefix: 'ds',
-                    location: { reference: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']/*[local-name(.)='Issuer']", action: 'after' },
-                },
-            });
-        }
-        // Like in post binding, SAML response is always signed
-        return {
-            id,
-            context: buildRedirectURL({
-                baseUrl: base,
-                type: urlParams.samlResponse,
-                isSigned: true,
-                context: rawSamlResponse,
-                entitySetting: idpSetting,
-                relayState,
-            }),
-        };
-    }
-    throw new Error('ERR_GENERATE_REDIRECT_LOGIN_RESPONSE_MISSING_METADATA');
-}
-/**
-* @desc Redirect URL for logout request
-* @param  {object} user                        current logged user (e.g. req.user)
-* @param  {object} entity                      object includes both idp and sp
-* @param  {function} customTagReplacement     used when developers have their own login response template
-* @return {string} redirect URL
-*/
-function logoutRequestRedirectURL(user, entity, relayState, customTagReplacement) {
-    const metadata = { init: entity.init.entityMeta, target: entity.target.entityMeta };
-    const initSetting = entity.init.entitySetting;
-    let id = initSetting.generateID();
-    const nameIDFormat = initSetting.nameIDFormat;
-    const selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat;
-    if (metadata && metadata.init && metadata.target) {
-        const base = metadata.target.getSingleLogoutService(binding.redirect);
-        let rawSamlRequest = '';
-        const requiredTags = {
-            ID: id,
-            Destination: base,
-            EntityID: metadata.init.getEntityID(),
-            Issuer: metadata.init.getEntityID(),
-            IssueInstant: new Date().toISOString(),
-            NameIDFormat: selectedNameIDFormat,
-            NameID: user.logoutNameID,
-            SessionIndex: user.sessionIndex,
-        };
-        if (initSetting.logoutRequestTemplate && customTagReplacement) {
-            const info = customTagReplacement(initSetting.logoutRequestTemplate, requiredTags);
-            id = (0, utility_js_1.get)(info, 'id', null);
-            rawSamlRequest = (0, utility_js_1.get)(info, 'context', null);
-        }
-        else {
-            rawSamlRequest = libsaml_js_1.default.replaceTagsByValue(libsaml_js_1.default.defaultLogoutRequestTemplate.context, requiredTags);
-        }
-        return {
-            id,
-            context: buildRedirectURL({
-                context: rawSamlRequest,
-                relayState,
-                type: urlParams.logoutRequest,
-                isSigned: entity.target.entitySetting.wantLogoutRequestSigned,
-                entitySetting: initSetting,
-                baseUrl: base,
-            }),
-        };
-    }
-    throw new Error('ERR_GENERATE_REDIRECT_LOGOUT_REQUEST_MISSING_METADATA');
-}
-/**
-* @desc Redirect URL for logout response
-* @param  {object} requescorresponding request, used to obtain the id
-* @param  {object} entity                      object includes both idp and sp
-* @param  {function} customTagReplacement     used when developers have their own login response template
-*/
-function logoutResponseRedirectURL(requestInfo, entity, relayState, customTagReplacement) {
-    const metadata = {
-        init: entity.init.entityMeta,
-        target: entity.target.entityMeta,
-    };
-    const initSetting = entity.init.entitySetting;
-    let id = initSetting.generateID();
-    if (metadata && metadata.init && metadata.target) {
-        const base = metadata.target.getSingleLogoutService(binding.redirect);
-        let rawSamlResponse;
-        if (initSetting.logoutResponseTemplate && customTagReplacement) {
-            const template = customTagReplacement(initSetting.logoutResponseTemplate);
-            id = (0, utility_js_1.get)(template, 'id', null);
-            rawSamlResponse = (0, utility_js_1.get)(template, 'context', null);
-        }
-        else {
-            const tvalue = {
-                ID: id,
-                Destination: base,
-                Issuer: metadata.init.getEntityID(),
-                EntityID: metadata.init.getEntityID(),
-                IssueInstant: new Date().toISOString(),
-                StatusCode: urn_js_1.namespace.statusCode.success,
-            };
-            if (requestInfo && requestInfo.extract && requestInfo.extract.request) {
-                tvalue.InResponseTo = requestInfo.extract.request.id;
-            }
-            rawSamlResponse = libsaml_js_1.default.replaceTagsByValue(libsaml_js_1.default.defaultLogoutResponseTemplate.context, tvalue);
-        }
-        return {
-            id,
-            context: buildRedirectURL({
-                baseUrl: base,
-                type: urlParams.logoutResponse,
-                isSigned: entity.target.entitySetting.wantLogoutResponseSigned,
-                context: rawSamlResponse,
-                entitySetting: initSetting,
-                relayState,
-            }),
-        };
-    }
-    throw new Error('ERR_GENERATE_REDIRECT_LOGOUT_RESPONSE_MISSING_METADATA');
-}
-const redirectBinding = {
-    loginRequestRedirectURL,
-    loginResponseRedirectURL,
-    logoutRequestRedirectURL,
-    logoutResponseRedirectURL,
-};
-exports.default = redirectBinding;
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+/**
+ * @file binding-redirect.ts
+ * @author tngan
+ * @desc Binding-level API, declare the functions using Redirect binding
+ */
+const utility_js_1 = __importStar(require("./utility.js"));
+const libsaml_js_1 = __importDefault(require("./libsaml.js"));
+const urn_js_1 = require("./urn.js");
+const binding = urn_js_1.wording.binding;
+const urlParams = urn_js_1.wording.urlParams;
+/**
+ * @private
+ * @desc Helper of generating URL param/value pair
+ * @param  {string} param     key
+ * @param  {string} value     value of key
+ * @param  {boolean} first    determine whether the param is the starting one in order to add query header '?'
+ * @return {string}
+ */
+function pvPair(param, value, first) {
+    return (first === true ? '?' : '&') + param + '=' + value;
+}
+/**
+ * @private
+ * @desc Refractored part of URL generation for login/logout request
+ * @param  {string} type
+ * @param  {boolean} isSigned
+ * @param  {string} rawSamlRequest
+ * @param  {object} entitySetting
+ * @return {string}
+ */
+function buildRedirectURL(opts) {
+    const { baseUrl, type, isSigned, context, entitySetting, } = opts;
+    let { relayState = '' } = opts;
+    let noParams = true;
+    try {
+        noParams = new URL(baseUrl)?.searchParams?.size === 0;
+    }
+    catch {
+        noParams = true;
+    }
+    const queryParam = libsaml_js_1.default.getQueryParamByType(type);
+    // In general, this xmlstring is required to do deflate -> base64 -> urlencode
+    const samlRequest = encodeURIComponent(utility_js_1.default.base64Encode(utility_js_1.default.deflateString(context)));
+    if (relayState !== '') {
+        relayState = pvPair(urlParams.relayState, encodeURIComponent(relayState));
+    }
+    if (isSigned) {
+        const sigAlg = pvPair(urlParams.sigAlg, encodeURIComponent(entitySetting.requestSignatureAlgorithm));
+        const octetString = samlRequest + relayState + sigAlg;
+        return baseUrl
+            + pvPair(queryParam, octetString, noParams)
+            + pvPair(urlParams.signature, encodeURIComponent(libsaml_js_1.default.constructMessageSignature(queryParam + '=' + octetString, entitySetting.privateKey, entitySetting.privateKeyPass, undefined, entitySetting.requestSignatureAlgorithm).toString()));
+    }
+    return baseUrl + pvPair(queryParam, samlRequest + relayState, noParams);
+}
+/**
+ * @desc Redirect URL for login request
+ * @param  {object} entity                       object includes both idp and sp
+ * @param  {function} customTagReplacement      used when developers have their own login response template
+ * @return {string} redirect URL
+ */
+function loginRequestRedirectURL(entity, customTagReplacement) {
+    const metadata = { idp: entity.idp.entityMeta, sp: entity.sp.entityMeta };
+    const spSetting = entity.sp.entitySetting;
+    let id = '';
+    if (metadata && metadata.idp && metadata.sp) {
+        const base = metadata.idp.getSingleSignOnService(binding.redirect);
+        let rawSamlRequest;
+        if (spSetting.loginRequestTemplate && customTagReplacement) {
+            const info = customTagReplacement(spSetting.loginRequestTemplate);
+            id = (0, utility_js_1.get)(info, 'id', null);
+            rawSamlRequest = (0, utility_js_1.get)(info, 'context', null);
+        }
+        else {
+            const nameIDFormat = spSetting.nameIDFormat;
+            const selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat;
+            id = spSetting.generateID();
+            rawSamlRequest = libsaml_js_1.default.replaceTagsByValue(libsaml_js_1.default.defaultLoginRequestTemplate.context, {
+                ID: id,
+                Destination: base,
+                Issuer: metadata.sp.getEntityID(),
+                IssueInstant: new Date().toISOString(),
+                NameIDFormat: selectedNameIDFormat,
+                AssertionConsumerServiceURL: metadata.sp.getAssertionConsumerService(binding.post),
+                EntityID: metadata.sp.getEntityID(),
+                AllowCreate: spSetting.allowCreate,
+            });
+        }
+        return {
+            id,
+            context: buildRedirectURL({
+                context: rawSamlRequest,
+                type: urlParams.samlRequest,
+                isSigned: metadata.sp.isAuthnRequestSigned(),
+                entitySetting: spSetting,
+                baseUrl: base,
+                relayState: spSetting.relayState,
+            }),
+        };
+    }
+    throw new Error('ERR_GENERATE_REDIRECT_LOGIN_REQUEST_MISSING_METADATA');
+}
+/**
+ * @desc Redirect URL for login response
+ * @param  {object} requestInfo             corresponding request, used to obtain the id
+ * @param  {object} entity                      object includes both idp and sp
+ * @param  {object} user                         current logged user (e.g. req.user)
+ * @param  {String} relayState                the relaystate sent by sp corresponding request
+ * @param  {function} customTagReplacement     used when developers have their own login response template
+ */
+function loginResponseRedirectURL(requestInfo, entity, user = {}, relayState, customTagReplacement) {
+    const idpSetting = entity.idp.entitySetting;
+    const spSetting = entity.sp.entitySetting;
+    const metadata = {
+        idp: entity.idp.entityMeta,
+        sp: entity.sp.entityMeta,
+    };
+    let id = idpSetting.generateID();
+    if (metadata && metadata.idp && metadata.sp) {
+        const base = metadata.sp.getAssertionConsumerService(binding.redirect) ?? 'https://signin.volcengine.com/saml/sso';
+        if (!base) {
+            throw new Error('dont have a base url');
+        }
+        let rawSamlResponse;
+        //
+        const nameIDFormat = idpSetting.nameIDFormat;
+        const selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat;
+        const nowTime = new Date();
+        // Five minutes later : nowtime  + 5 * 60 * 1000 (in milliseconds)
+        const fiveMinutesLaterTime = new Date(nowTime.getTime() + 300_000);
+        const tvalue = {
+            ID: id,
+            AssertionID: idpSetting.generateID(),
+            Destination: base,
+            SubjectRecipient: base,
+            Issuer: metadata.idp.getEntityID(),
+            Audience: metadata.sp.getEntityID(),
+            EntityID: metadata.sp.getEntityID(),
+            IssueInstant: nowTime.toISOString(),
+            AssertionConsumerServiceURL: base,
+            StatusCode: urn_js_1.namespace.statusCode.success,
+            // can be customized
+            ConditionsNotBefore: nowTime.toISOString(),
+            ConditionsNotOnOrAfter: fiveMinutesLaterTime.toISOString(),
+            SubjectConfirmationDataNotOnOrAfter: fiveMinutesLaterTime.toISOString(),
+            NameIDFormat: selectedNameIDFormat,
+            NameID: user.email || '',
+            InResponseTo: (0, utility_js_1.get)(requestInfo, 'extract.request.id', ''),
+            AuthnStatement: '',
+            AttributeStatement: '',
+        };
+        if (idpSetting.loginResponseTemplate && customTagReplacement) {
+            const template = customTagReplacement(idpSetting.loginResponseTemplate.context);
+            id = (0, utility_js_1.get)(template, 'id', null);
+            rawSamlResponse = (0, utility_js_1.get)(template, 'context', null);
+        }
+        else {
+            if (requestInfo !== null) {
+                tvalue.InResponseTo = requestInfo.extract.request.id;
+            }
+            rawSamlResponse = libsaml_js_1.default.replaceTagsByValue(libsaml_js_1.default.defaultLoginResponseTemplate.context, tvalue);
+        }
+        const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm } = idpSetting;
+        const config = {
+            privateKey,
+            privateKeyPass,
+            signatureAlgorithm,
+            signingCert: metadata.idp.getX509Certificate('signing'),
+            isBase64Output: false,
+        };
+        // step: sign assertion ? -> encrypted ? -> sign message ?
+        if (metadata.sp.isWantAssertionsSigned()) {
+            rawSamlResponse = libsaml_js_1.default.constructSAMLSignature({
+                ...config,
+                rawSamlMessage: rawSamlResponse,
+                transformationAlgorithms: spSetting.transformationAlgorithms,
+                referenceTagXPath: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']",
+                signatureConfig: {
+                    prefix: 'ds',
+                    location: {
+                        reference: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']/*[local-name(.)='Issuer']",
+                        action: 'after'
+                    },
+                },
+            });
+        }
+        // Like in post binding, SAML response is always signed
+        return {
+            id,
+            context: buildRedirectURL({
+                baseUrl: base,
+                type: urlParams.samlResponse,
+                isSigned: true,
+                context: rawSamlResponse,
+                entitySetting: idpSetting,
+                relayState,
+            }),
+        };
+    }
+    throw new Error('ERR_GENERATE_REDIRECT_LOGIN_RESPONSE_MISSING_METADATA');
+}
+/**
+ * @desc Redirect URL for logout request
+ * @param  {object} user                        current logged user (e.g. req.user)
+ * @param  {object} entity                      object includes both idp and sp
+ * @param  {function} customTagReplacement     used when developers have their own login response template
+ * @return {string} redirect URL
+ */
+function logoutRequestRedirectURL(user, entity, relayState, customTagReplacement) {
+    const metadata = { init: entity.init.entityMeta, target: entity.target.entityMeta };
+    const initSetting = entity.init.entitySetting;
+    let id = initSetting.generateID();
+    const nameIDFormat = initSetting.nameIDFormat;
+    const selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat;
+    if (metadata && metadata.init && metadata.target) {
+        const base = metadata.target.getSingleLogoutService(binding.redirect);
+        let rawSamlRequest = '';
+        const requiredTags = {
+            ID: id,
+            Destination: base,
+            EntityID: metadata.init.getEntityID(),
+            Issuer: metadata.init.getEntityID(),
+            IssueInstant: new Date().toISOString(),
+            NameIDFormat: selectedNameIDFormat,
+            NameID: user.logoutNameID,
+            SessionIndex: user.sessionIndex,
+        };
+        if (initSetting.logoutRequestTemplate && customTagReplacement) {
+            const info = customTagReplacement(initSetting.logoutRequestTemplate, requiredTags);
+            id = (0, utility_js_1.get)(info, 'id', null);
+            rawSamlRequest = (0, utility_js_1.get)(info, 'context', null);
+        }
+        else {
+            rawSamlRequest = libsaml_js_1.default.replaceTagsByValue(libsaml_js_1.default.defaultLogoutRequestTemplate.context, requiredTags);
+        }
+        return {
+            id,
+            context: buildRedirectURL({
+                context: rawSamlRequest,
+                relayState,
+                type: urlParams.logoutRequest,
+                isSigned: entity.target.entitySetting.wantLogoutRequestSigned,
+                entitySetting: initSetting,
+                baseUrl: base,
+            }),
+        };
+    }
+    throw new Error('ERR_GENERATE_REDIRECT_LOGOUT_REQUEST_MISSING_METADATA');
+}
+/**
+ * @desc Redirect URL for logout response
+ * @param  {object} requescorresponding request, used to obtain the id
+ * @param  {object} entity                      object includes both idp and sp
+ * @param  {function} customTagReplacement     used when developers have their own login response template
+ */
+function logoutResponseRedirectURL(requestInfo, entity, relayState, customTagReplacement) {
+    const metadata = {
+        init: entity.init.entityMeta,
+        target: entity.target.entityMeta,
+    };
+    const initSetting = entity.init.entitySetting;
+    let id = initSetting.generateID();
+    if (metadata && metadata.init && metadata.target) {
+        const base = metadata.target.getSingleLogoutService(binding.redirect);
+        let rawSamlResponse;
+        if (initSetting.logoutResponseTemplate && customTagReplacement) {
+            const template = customTagReplacement(initSetting.logoutResponseTemplate);
+            id = (0, utility_js_1.get)(template, 'id', null);
+            rawSamlResponse = (0, utility_js_1.get)(template, 'context', null);
+        }
+        else {
+            const tvalue = {
+                ID: id,
+                Destination: base,
+                Issuer: metadata.init.getEntityID(),
+                EntityID: metadata.init.getEntityID(),
+                IssueInstant: new Date().toISOString(),
+                StatusCode: urn_js_1.namespace.statusCode.success,
+            };
+            if (requestInfo && requestInfo.extract && requestInfo.extract.request) {
+                tvalue.InResponseTo = requestInfo.extract.request.id;
+            }
+            rawSamlResponse = libsaml_js_1.default.replaceTagsByValue(libsaml_js_1.default.defaultLogoutResponseTemplate.context, tvalue);
+        }
+        return {
+            id,
+            context: buildRedirectURL({
+                baseUrl: base,
+                type: urlParams.logoutResponse,
+                isSigned: entity.target.entitySetting.wantLogoutResponseSigned,
+                context: rawSamlResponse,
+                entitySetting: initSetting,
+                relayState,
+            }),
+        };
+    }
+    throw new Error('ERR_GENERATE_REDIRECT_LOGOUT_RESPONSE_MISSING_METADATA');
+}
+const redirectBinding = {
+    loginRequestRedirectURL,
+    loginResponseRedirectURL,
+    logoutRequestRedirectURL,
+    logoutResponseRedirectURL,
+};
+exports.default = redirectBinding;
 //# sourceMappingURL=binding-redirect.js.map