samlesa 2.16.1 → 2.16.6

package/build/src/binding-artifact.js

@@ -0,0 +1,333 @@
+/**
+ * @file binding-post.ts
+ * @author tngan
+ * @desc Binding-level API, declare the functions using POST binding
+ */
+import { wording, StatusCode } from './urn.js';
+import libsaml from './libsaml.js';
+import utility, { get } from './utility.js';
+const binding = wording.binding;
+/**
+ * @desc Generate a base64 encoded login request
+ * @param  {string} referenceTagXPath           reference uri
+ * @param  {object} entity                      object includes both idp and sp
+ * @param  {function} customTagReplacement     used when developers have their own login response template
+ */
+function base64LoginRequest(referenceTagXPath, entity, customTagReplacement) {
+    const metadata = { idp: entity.idp.entityMeta, sp: entity.sp.entityMeta };
+    const spSetting = entity.sp.entitySetting;
+    let id = '';
+    if (metadata && metadata.idp && metadata.sp) {
+        const base = metadata.idp.getSingleSignOnService(binding.post);
+        let rawSamlRequest;
+        if (spSetting.loginRequestTemplate && customTagReplacement) {
+            const info = customTagReplacement(spSetting.loginRequestTemplate.context);
+            id = get(info, 'id', null);
+            rawSamlRequest = get(info, 'context', null);
+        }
+        else {
+            const nameIDFormat = spSetting.nameIDFormat;
+            const selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat;
+            id = spSetting.generateID();
+            rawSamlRequest = libsaml.replaceTagsByValue(libsaml.defaultLoginRequestTemplate.context, {
+                ID: id,
+                Destination: base,
+                Issuer: metadata.sp.getEntityID(),
+                IssueInstant: new Date().toISOString(),
+                AssertionConsumerServiceURL: metadata.sp.getAssertionConsumerService(binding.post),
+                EntityID: metadata.sp.getEntityID(),
+                AllowCreate: spSetting.allowCreate,
+                NameIDFormat: selectedNameIDFormat
+            });
+        }
+        if (metadata.idp.isWantAuthnRequestsSigned()) {
+            const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm, transformationAlgorithms } = spSetting;
+            return {
+                id,
+                context: libsaml.constructSAMLSignature({
+                    referenceTagXPath,
+                    privateKey,
+                    privateKeyPass,
+                    signatureAlgorithm,
+                    transformationAlgorithms,
+                    rawSamlMessage: rawSamlRequest,
+                    signingCert: metadata.sp.getX509Certificate('signing'),
+                    signatureConfig: spSetting.signatureConfig || {
+                        prefix: 'ds',
+                        location: { reference: "/*[local-name(.)='AuthnRequest']/*[local-name(.)='Issuer']", action: 'after' },
+                    }
+                }),
+            };
+        }
+        // No need to embeded XML signature
+        return {
+            id,
+            context: utility.base64Encode(rawSamlRequest),
+        };
+    }
+    throw new Error('ERR_GENERATE_POST_LOGIN_REQUEST_MISSING_METADATA');
+}
+/**
+ * @desc Generate a base64 encoded login response
+ * @param  {object} requestInfo                 corresponding request, used to obtain the id
+ * @param  {object} entity                      object includes both idp and sp
+ * @param  {object} user                        current logged user (e.g. req.user)
+ * @param  {function} customTagReplacement     used when developers have their own login response template
+ * @param  {boolean}  encryptThenSign           whether or not to encrypt then sign first (if signing). Defaults to sign-then-encrypt
+ * @param AttributeStatement
+ */
+async function base64LoginResponse(requestInfo = {}, entity, user = {}, customTagReplacement, encryptThenSign = false, AttributeStatement = []) {
+    const idpSetting = entity.idp.entitySetting;
+    const spSetting = entity.sp.entitySetting;
+    const id = idpSetting.generateID();
+    const metadata = {
+        idp: entity.idp.entityMeta,
+        sp: entity.sp.entityMeta,
+    };
+    const nameIDFormat = idpSetting.nameIDFormat;
+    const selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat;
+    if (metadata && metadata.idp && metadata.sp) {
+        const base = metadata.sp.getAssertionConsumerService(binding.post);
+        let rawSamlResponse;
+        const nowTime = new Date();
+        const spEntityID = metadata.sp.getEntityID();
+        const oneMinutesLaterTime = new Date(nowTime.getTime());
+        oneMinutesLaterTime.setMinutes(oneMinutesLaterTime.getMinutes() + 5);
+        const OneMinutesLater = oneMinutesLaterTime.toISOString();
+        const now = nowTime.toISOString();
+        const acl = metadata.sp.getAssertionConsumerService(binding.post);
+        const sessionIndex = 'session' + idpSetting.generateID(); // 这个是当前系统的会话索引，用于单点注销
+        const tenHoursLaterTime = new Date(nowTime.getTime());
+        tenHoursLaterTime.setHours(tenHoursLaterTime.getHours() + 10);
+        const tenHoursLater = tenHoursLaterTime.toISOString();
+        const tvalue = {
+            ID: id,
+            AssertionID: idpSetting.generateID(),
+            Destination: base,
+            Audience: spEntityID,
+            EntityID: spEntityID,
+            SubjectRecipient: acl,
+            Issuer: metadata.idp.getEntityID(),
+            IssueInstant: now,
+            AssertionConsumerServiceURL: acl,
+            StatusCode: StatusCode.Success,
+            // can be customized
+            ConditionsNotBefore: now,
+            ConditionsNotOnOrAfter: OneMinutesLater,
+            SubjectConfirmationDataNotOnOrAfter: OneMinutesLater,
+            NameIDFormat: selectedNameIDFormat,
+            NameID: user?.NameID || '',
+            InResponseTo: get(requestInfo, 'extract.request.id', ''),
+            AuthnStatement: `<saml:AuthnStatement AuthnInstant="${now}" SessionNotOnOrAfter="${tenHoursLater}" SessionIndex="${sessionIndex}"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>`,
+            AttributeStatement: libsaml.attributeStatementBuilder(AttributeStatement),
+        };
+        if (idpSetting.loginResponseTemplate && customTagReplacement) {
+            const template = customTagReplacement(idpSetting.loginResponseTemplate.context);
+            rawSamlResponse = get(template, 'context', null);
+        }
+        else {
+            if (requestInfo !== null) {
+                tvalue.InResponseTo = requestInfo?.extract?.request?.id ?? '';
+            }
+            rawSamlResponse = libsaml.replaceTagsByValue(libsaml.defaultLoginResponseTemplate.context, tvalue);
+        }
+        const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm } = idpSetting;
+        const config = {
+            privateKey,
+            privateKeyPass,
+            signatureAlgorithm,
+            signingCert: metadata.idp.getX509Certificate('signing'),
+            isBase64Output: false,
+        };
+        // step: sign assertion ? -> encrypted ? -> sign message ?
+        if (metadata.sp.isWantAssertionsSigned()) {
+            // console.debug('sp wants assertion signed');
+            rawSamlResponse = libsaml.constructSAMLSignature({
+                ...config,
+                rawSamlMessage: rawSamlResponse,
+                transformationAlgorithms: spSetting.transformationAlgorithms,
+                referenceTagXPath: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']",
+                signatureConfig: {
+                    prefix: 'ds',
+                    location: { reference: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']/*[local-name(.)='Issuer']", action: 'after' },
+                },
+            });
+        }
+        // console.debug('after assertion signed', rawSamlResponse);
+        // SAML response must be signed sign message first, then encrypt
+        if (!encryptThenSign && (spSetting.wantMessageSigned || !metadata.sp.isWantAssertionsSigned())) {
+            // console.debug('sign then encrypt and sign entire message');
+            rawSamlResponse = libsaml.constructSAMLSignature({
+                ...config,
+                rawSamlMessage: rawSamlResponse,
+                isMessageSigned: true,
+                transformationAlgorithms: spSetting.transformationAlgorithms,
+                signatureConfig: spSetting.signatureConfig || {
+                    prefix: 'ds',
+                    location: { reference: "/*[local-name(.)='Response']/*[local-name(.)='Issuer']", action: 'after' },
+                },
+            });
+        }
+        // console.debug('after message signed', rawSamlResponse);
+        if (idpSetting.isAssertionEncrypted) {
+            // console.debug('idp is configured to do encryption');
+            const context = await libsaml.encryptAssertion(entity.idp, entity.sp, rawSamlResponse);
+            if (encryptThenSign) {
+                //need to decode it
+                rawSamlResponse = utility.base64Decode(context);
+            }
+            else {
+                return Promise.resolve({ id, context });
+            }
+        }
+        //sign after encrypting
+        if (encryptThenSign && (spSetting.wantMessageSigned || !metadata.sp.isWantAssertionsSigned())) {
+            rawSamlResponse = libsaml.constructSAMLSignature({
+                ...config,
+                rawSamlMessage: rawSamlResponse,
+                isMessageSigned: true,
+                transformationAlgorithms: spSetting.transformationAlgorithms,
+                signatureConfig: spSetting.signatureConfig || {
+                    prefix: 'ds',
+                    location: { reference: "/*[local-name(.)='Response']/*[local-name(.)='Issuer']", action: 'after' },
+                },
+            });
+        }
+        return Promise.resolve({
+            id,
+            context: utility.base64Encode(rawSamlResponse),
+        });
+    }
+    throw new Error('ERR_GENERATE_POST_LOGIN_RESPONSE_MISSING_METADATA');
+}
+/**
+ * @desc Generate a base64 encoded logout request
+ * @param  {object} user                         current logged user (e.g. req.user)
+ * @param  {string} referenceTagXPath            reference uri
+ * @param  {object} entity                       object includes both idp and sp
+ * @param  {function} customTagReplacement      used when developers have their own login response template
+ * @return {string} base64 encoded request
+ */
+function base64LogoutRequest(user, referenceTagXPath, entity, customTagReplacement) {
+    const metadata = { init: entity.init.entityMeta, target: entity.target.entityMeta };
+    const initSetting = entity.init.entitySetting;
+    const nameIDFormat = initSetting.nameIDFormat;
+    const selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat;
+    let id = '';
+    if (metadata && metadata.init && metadata.target) {
+        let rawSamlRequest;
+        if (initSetting.logoutRequestTemplate && customTagReplacement) {
+            const template = customTagReplacement(initSetting.logoutRequestTemplate.context);
+            id = get(template, 'id', null);
+            rawSamlRequest = get(template, 'context', null);
+        }
+        else {
+            id = initSetting.generateID();
+            const tvalue = {
+                ID: id,
+                Destination: metadata.target.getSingleLogoutService(binding.post),
+                Issuer: metadata.init.getEntityID(),
+                IssueInstant: new Date().toISOString(),
+                EntityID: metadata.init.getEntityID(),
+                NameIDFormat: selectedNameIDFormat,
+                NameID: user.NameID || '',
+            };
+            rawSamlRequest = libsaml.replaceTagsByValue(libsaml.defaultLogoutRequestTemplate.context, tvalue);
+        }
+        if (entity.target.entitySetting.wantLogoutRequestSigned) {
+            // Need to embeded XML signature
+            const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm, transformationAlgorithms } = initSetting;
+            return {
+                id,
+                context: libsaml.constructSAMLSignature({
+                    referenceTagXPath,
+                    privateKey,
+                    privateKeyPass,
+                    signatureAlgorithm,
+                    transformationAlgorithms,
+                    rawSamlMessage: rawSamlRequest,
+                    signingCert: metadata.init.getX509Certificate('signing'),
+                    signatureConfig: initSetting.signatureConfig || {
+                        prefix: 'ds',
+                        location: { reference: "/*[local-name(.)='LogoutRequest']/*[local-name(.)='Issuer']", action: 'after' },
+                    }
+                }),
+            };
+        }
+        return {
+            id,
+            context: utility.base64Encode(rawSamlRequest),
+        };
+    }
+    throw new Error('ERR_GENERATE_POST_LOGOUT_REQUEST_MISSING_METADATA');
+}
+/**
+ * @desc Generate a base64 encoded logout response
+ * @param  {object} requestInfo                 corresponding request, used to obtain the id
+ * @param  {string} referenceTagXPath           reference uri
+ * @param  {object} entity                      object includes both idp and sp
+ * @param  {function} customTagReplacement     used when developers have their own login response template
+ */
+function base64LogoutResponse(requestInfo, entity, customTagReplacement) {
+    const metadata = {
+        init: entity.init.entityMeta,
+        target: entity.target.entityMeta,
+    };
+    let id = '';
+    const initSetting = entity.init.entitySetting;
+    if (metadata && metadata.init && metadata.target) {
+        let rawSamlResponse;
+        if (initSetting.logoutResponseTemplate) {
+            const template = customTagReplacement(initSetting.logoutResponseTemplate.context);
+            id = template.id;
+            rawSamlResponse = template.context;
+        }
+        else {
+            id = initSetting.generateID();
+            const tvalue = {
+                ID: id,
+                Destination: metadata.target.getSingleLogoutService(binding.post),
+                EntityID: metadata.init.getEntityID(),
+                Issuer: metadata.init.getEntityID(),
+                IssueInstant: new Date().toISOString(),
+                StatusCode: StatusCode.Success,
+                InResponseTo: get(requestInfo, 'extract.request.id', '')
+            };
+            rawSamlResponse = libsaml.replaceTagsByValue(libsaml.defaultLogoutResponseTemplate.context, tvalue);
+        }
+        if (entity.target.entitySetting.wantLogoutResponseSigned) {
+            const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm, transformationAlgorithms } = initSetting;
+            return {
+                id,
+                context: libsaml.constructSAMLSignature({
+                    isMessageSigned: true,
+                    transformationAlgorithms: transformationAlgorithms,
+                    privateKey,
+                    privateKeyPass,
+                    signatureAlgorithm,
+                    rawSamlMessage: rawSamlResponse,
+                    signingCert: metadata.init.getX509Certificate('signing'),
+                    signatureConfig: {
+                        prefix: 'ds',
+                        location: {
+                            reference: "/*[local-name(.)='LogoutResponse']/*[local-name(.)='Issuer']",
+                            action: 'after'
+                        }
+                    }
+                }),
+            };
+        }
+        return {
+            id,
+            context: utility.base64Encode(rawSamlResponse),
+        };
+    }
+    throw new Error('ERR_GENERATE_POST_LOGOUT_RESPONSE_MISSING_METADATA');
+}
+const artifactSignBinding = {
+    base64LoginRequest,
+    base64LoginResponse,
+    base64LogoutRequest,
+    base64LogoutResponse,
+};
+export default artifactSignBinding;

package/build/src/binding-redirect.js

@@ -5,7 +5,7 @@
  */
 import utility, { get } from './utility.js';
 import libsaml from './libsaml.js';
-import { wording, namespace } from './urn.js';
+import { namespace, wording } from './urn.js';
 const binding = wording.binding;
 const urlParams = wording.urlParams;
 /**
@@ -59,8 +59,9 @@ function buildRedirectURL(opts) {
  * @param  {function} customTagReplacement      used when developers have their own login response template
  * @return {string} redirect URL
  */
+// @ts-ignore
 function loginRequestRedirectURL(entity, customTagReplacement) {
-    const metadata = { idp: entity.idp.entityMeta, sp: entity.sp.entityMeta };
+    const metadata = { idp: entity.idp.entityMeta, sp: entity.sp.entityMeta, soap: entity.soap ?? false };
     const spSetting = entity.sp.entitySetting;
     let id = '';
     if (metadata && metadata.idp && metadata.sp) {
@@ -100,6 +101,99 @@ function loginRequestRedirectURL(entity, customTagReplacement) {
     }
     throw new Error('ERR_GENERATE_REDIRECT_LOGIN_REQUEST_MISSING_METADATA');
 }
+/**
+ * @desc Redirect URL for login request
+ * @param  {object} entity                       object includes both idp and sp
+ * @param  {function} customTagReplacement      used when developers have their own login response template
+ * @return {string} redirect URL
+ */
+// @ts-ignore
+function loginRequestRedirectURLArt(entity, customTagReplacement) {
+    const metadata = { idp: entity.idp.entityMeta, sp: entity.sp.entityMeta, inResponse: entity.inResponse ?? false };
+    const spSetting = entity.sp.entitySetting;
+    let id = '';
+    if (metadata && metadata.idp && metadata.sp) {
+        const base = metadata.idp.getSingleSignOnService(binding.redirect);
+        let rawSamlRequest;
+        if (spSetting.loginRequestTemplate && customTagReplacement) {
+            const info = customTagReplacement(spSetting.loginRequestTemplate);
+            id = get(info, 'id', null);
+            rawSamlRequest = get(info, 'context', null);
+        }
+        else {
+            const nameIDFormat = spSetting.nameIDFormat;
+            const selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat;
+            id = spSetting.generateID();
+            rawSamlRequest = libsaml.replaceTagsByValue(libsaml.defaultLoginRequestTemplate.context, {
+                ID: id,
+                Destination: base,
+                Issuer: metadata.sp.getEntityID(),
+                IssueInstant: new Date().toISOString(),
+                NameIDFormat: selectedNameIDFormat,
+                AssertionConsumerServiceURL: metadata.sp.getAssertionConsumerService(binding.post),
+                EntityID: metadata.sp.getEntityID(),
+                AllowCreate: spSetting.allowCreate,
+            });
+        }
+        console.log(rawSamlRequest);
+        console.log("-----------------这是原始请求模板-------------------");
+        const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm, transformationAlgorithms } = spSetting;
+        if (metadata.idp.isWantAuthnRequestsSigned()) {
+            let signAuthnRequest = libsaml.constructSAMLSignature({
+                referenceTagXPath: "/*[local-name(.)='AuthnRequest']",
+                privateKey,
+                privateKeyPass,
+                signatureAlgorithm,
+                transformationAlgorithms,
+                isBase64Output: false,
+                rawSamlMessage: rawSamlRequest,
+                signingCert: metadata.sp.getX509Certificate('signing'),
+                signatureConfig: spSetting.signatureConfig || {
+                    prefix: 'ds',
+                    location: {
+                        reference: "/*[local-name(.)='AuthnRequest']/*[local-name(.)='Issuer']",
+                        action: 'after'
+                    },
+                }
+            });
+            console.log(signAuthnRequest);
+            console.log("签名后的模板");
+            rawSamlRequest = signAuthnRequest;
+        }
+        /*            console.log(metadata.idp)
+                    console.log(entity.idp.getEntitySetting())*/
+        let soapTemplate = libsaml.replaceTagsByValue(libsaml.defaultArtAuthnRequestTemplate.context, {
+            ID: id,
+            IssueInstant: new Date().toISOString(),
+            InResponseTo: metadata.inResponse ?? "",
+            Issuer: metadata.sp.getEntityID(),
+            AuthnRequest: rawSamlRequest
+        });
+        console.log(soapTemplate);
+        console.log("======================最后结果========================");
+        console.log("======================开始签名根节点========================");
+        let rootSignSoap = libsaml.constructSAMLSignature({
+            isMessageSigned: true,
+            isBase64Output: false,
+            privateKey,
+            privateKeyPass,
+            signatureAlgorithm,
+            transformationAlgorithms,
+            rawSamlMessage: soapTemplate,
+            signingCert: metadata.sp.getX509Certificate('signing'),
+            signatureConfig: {
+                prefix: 'ds',
+                location: { reference: "//*[local-name()='Header']", action: 'after' },
+            }
+        });
+        console.log(rootSignSoap);
+        console.log("======================已经签名========================");
+        return {
+            authnRequest: rootSignSoap
+        };
+    }
+    throw new Error('ERR_GENERATE_REDIRECT_LOGIN_REQUEST_MISSING_METADATA');
+}
 /**
  * @desc Redirect URL for login response
  * @param  {object} requestInfo             corresponding request, used to obtain the id
@@ -304,6 +398,7 @@ function logoutResponseRedirectURL(requestInfo, entity, relayState, customTagRep
     throw new Error('ERR_GENERATE_REDIRECT_LOGOUT_RESPONSE_MISSING_METADATA');
 }
 const redirectBinding = {
+    loginRequestRedirectURLArt,
     loginRequestRedirectURL,
     loginResponseRedirectURL,
     logoutRequestRedirectURL,

package/build/src/entity-sp.js

@@ -1,13 +1,15 @@
 /**
-* @file entity-sp.ts
-* @author tngan
-* @desc  Declares the actions taken by service provider
-*/
+ * @file entity-sp.ts
+ * @author tngan
+ * @desc  Declares the actions taken by service provider
+ */
 import Entity from './entity.js';
+import * as crypto from "node:crypto";
 import { namespace } from './urn.js';
 import redirectBinding from './binding-redirect.js';
 import postBinding from './binding-post.js';
 import simpleSignBinding from './binding-simplesign.js';
+import artifactSignBinding from './binding-artifact.js';
 import { flow } from './flow.js';
 /*
  * @desc interface function
@@ -16,15 +18,15 @@ export default function (props) {
     return new ServiceProvider(props);
 }
 /**
-* @desc Service provider can be configured using either metadata importing or spSetting
-* @param  {object} spSettingimport { FlowResult } from '../types/src/flow.d';
+ * @desc Service provider can be configured using either metadata importing or spSetting
+ * @param  {object} spSettingimport { FlowResult } from '../types/src/flow.d';
 
-*/
+ */
 export class ServiceProvider extends Entity {
     /**
-    * @desc  Inherited from Entity
-    * @param {object} spSetting    setting of service provider
-    */
+     * @desc  Inherited from Entity
+     * @param {object} spSetting    setting of service provider
+     */
     constructor(spSetting) {
         const entitySetting = Object.assign({
             authnRequestsSigned: false,
@@ -34,11 +36,11 @@ export class ServiceProvider extends Entity {
         super(entitySetting, 'sp');
     }
     /**
-    * @desc  Generates the login request for developers to design their own method
-    * @param  {IdentityProvider} idp               object of identity provider
-    * @param  {string}   binding                   protocol binding
-    * @param  {function} customTagReplacement     used when developers have their own login response template
-    */
+     * @desc  Generates the login request for developers to design their own method
+     * @param  {IdentityProvider} idp               object of identity provider
+     * @param  {string}   binding                   protocol binding
+     * @param  {function} customTagReplacement     used when developers have their own login response template
+     */
     createLoginRequest(idp, binding = 'redirect', customTagReplacement) {
         const nsBinding = namespace.binding;
         const protocol = nsBinding[binding];
@@ -50,12 +52,21 @@ export class ServiceProvider extends Entity {
             case nsBinding.redirect:
                 return redirectBinding.loginRequestRedirectURL({ idp, sp: this }, customTagReplacement);
             case nsBinding.post:
-                context = postBinding.base64LoginRequest("/*[local-name(.)='AuthnRequest']", { idp, sp: this }, customTagReplacement);
+                context = postBinding.base64LoginRequest("/*[local-name(.)='AuthnRequest']", {
+                    idp,
+                    sp: this
+                }, customTagReplacement);
                 break;
             case nsBinding.simpleSign:
                 // Object context = {id, context, signature, sigAlg}
                 context = simpleSignBinding.base64LoginRequest({ idp, sp: this }, customTagReplacement);
                 break;
+            case nsBinding.artifact:
+                context = artifactSignBinding.base64LoginRequest("/*[local-name(.)='AuthnRequest']", {
+                    idp,
+                    sp: this
+                }, customTagReplacement);
+                break;
             default:
                 // Will support artifact in the next release
                 throw new Error('ERR_SP_LOGIN_REQUEST_UNDEFINED_BINDING');
@@ -68,11 +79,45 @@ export class ServiceProvider extends Entity {
         };
     }
     /**
-    * @desc   Validation of the parsed the URL parameters
-    * @param  {IdentityProvider}   idp             object of identity provider
-    * @param  {string}   binding                   protocol binding
-    * @param  {request}   req                      request
-    */
+     * @desc  Generates the Art login request for developers to design their own method
+     * @param  {IdentityProvider} idp               object of identity provider
+     * @param  {string}   binding                   protocol binding
+     * @param  {function} customTagReplacement     used when developers have their own login response template
+     */
+    createLoginRequestArt(idp, binding = 'redirect', customTagReplacement) {
+        const nsBinding = namespace.binding;
+        const protocol = nsBinding[binding];
+        if (this.entityMeta.isAuthnRequestSigned() !== idp.entityMeta.isWantAuthnRequestsSigned()) {
+            throw new Error('ERR_METADATA_CONFLICT_REQUEST_SIGNED_FLAG');
+        }
+        let context = null;
+        switch (protocol) {
+            case nsBinding.redirect:
+                return redirectBinding.loginRequestRedirectURLArt({ idp, sp: this }, customTagReplacement);
+            case nsBinding.post:
+                context = postBinding.base64LoginRequest("/*[local-name(.)='AuthnRequest']", {
+                    idp,
+                    sp: this,
+                    soap: true
+                }, customTagReplacement);
+                break;
+            default:
+                // Will support artifact in the next release
+                throw new Error('ERR_SP_LOGIN_REQUEST_UNDEFINED_BINDING');
+        }
+        return {
+            ...context,
+            relayState: this.entitySetting.relayState,
+            entityEndpoint: idp.entityMeta.getSingleSignOnService(binding),
+            type: 'SAMLRequest',
+        };
+    }
+    /**
+     * @desc   Validation of the parsed the URL parameters
+     * @param  {IdentityProvider}   idp             object of identity provider
+     * @param  {string}   binding                   protocol binding
+     * @param  {request}   req                      request
+     */
     parseLoginResponse(idp, binding, request) {
         const self = this;
         return flow({
@@ -85,4 +130,76 @@ export class ServiceProvider extends Entity {
             request: request
         });
     }
+    /**
+     * @desc   request SamlResponse by Arc id
+     * @param  {IdentityProvider}   idp             object of identity provider
+     * @param  {string}   binding                   protocol binding
+     * @param  {request}   req                      request
+     */
+    parseLoginResponseArt(idp, binding, request) {
+        const self = this;
+        return flow({
+            soap: true,
+            from: idp,
+            self: self,
+            checkSignature: true, // saml response must have signature
+            parserType: 'SAMLResponse',
+            type: 'login',
+            binding: binding,
+            request: request
+        });
+    }
+    /**
+     * @desc   generate Art id
+     *
+     * @param entityIDString
+     */
+    createArt(entityIDString, endpointIndex = 0) {
+        let sourceEntityId = entityIDString ? entityIDString : this.entityMeta.getEntityID();
+        console.log(sourceEntityId);
+        console.log("0000000000000000000000000000000000000000");
+        // 1. 固定类型代码 (0x0004 - 2字节)
+        const typeCode = Buffer.from([0x00, 0x04]);
+        // 2. 端点索引 (2字节，大端序)
+        if (endpointIndex < 0 || endpointIndex > 65535) {
+            throw new Error('Endpoint index must be between 0 and 65535');
+        }
+        const endpointBuf = Buffer.alloc(2);
+        endpointBuf.writeUInt16BE(endpointIndex);
+        // 3. Source ID - 实体ID的SHA-1哈希 (20字节)
+        const sourceId = crypto.createHash('sha1')
+            .update(sourceEntityId)
+            .digest();
+        // 4. Message Handler - 20字节随机值
+        const messageHandler = crypto.randomBytes(20);
+        // 组合所有组件 (2+2+20+20 = 44字节)
+        const artifact = Buffer.concat([typeCode, endpointBuf, sourceId, messageHandler]);
+        // 返回Base64编码的Artifact
+        return artifact.toString('base64');
+    }
+    /**
+     * @desc   generate Art id
+     * @param artifact
+     */
+    parseArt(artifact) {
+        // 解码 Base64
+        const decoded = Buffer.from(artifact, 'base64');
+        // 确保长度正确（SAML 工件固定为 44 字节）
+        if (decoded.length !== 44) {
+            throw new Error(`Invalid artifact length: ${decoded.length}, expected 44 bytes`);
+        }
+        // 读取前 4 字节（TypeCode + EndpointIndex）
+        const typeCode = decoded.readUInt16BE(0);
+        const endpointIndex = decoded.readUInt16BE(2);
+        // 使用 Buffer.from() 替代 slice()
+        const sourceId = Buffer.from(decoded.buffer, // 底层 ArrayBuffer
+        decoded.byteOffset + 4, // 起始偏移量
+        20 // 长度
+        ).toString('hex');
+        const messageHandle = Buffer.from(decoded.buffer, // 底层 ArrayBuffer
+        decoded.byteOffset + 24, // 起始偏移量
+        20 // 长度
+        ).toString('hex');
+        return { typeCode, endpointIndex, sourceId, messageHandle };
+    }
 }