samlesa 2.16.5 → 2.17.0

package/README.md

@@ -1,64 +1,44 @@
-# samlify · [![构建状态](https://img.shields.io/circleci/build/github/tngan/samlify?style=for-the-badge&logo=circleci)](https://app.circleci.com/pipelines/github/tngan/samlify) [![npm 版本](https://img.shields.io/npm/v/samlify.svg?style=for-the-badge&logo=npm)](https://www.npmjs.com/package/samlify) [![下载量](https://img.shields.io/npm/dm/samlify.svg?style=for-the-badge&logo=npm)](https://www.npmjs.com/package/samlify) [![覆盖率](https://img.shields.io/coveralls/tngan/samlify/master.svg?style=for-the-badge&logo=coveralls)](https://coveralls.io/github/tngan/samlify?branch=master)
-
-高度可配置的 Node.js SAML 2.0 单点登录库
-Highly configurable Node.js SAML 2.0 library for Single Sign On
+# samlify · [![构建状态](https://img.shields.io/circleci/build/github/tngan/samlify?style=for-the-badge&logo=circleci)](https://app.circleci.com/pipelines/github/tngan/samlify) [![npm 版本](https://img.shields.io/npm/v/samlify.svg?style=for-the-badge&logo=npm)](https://www.npmjs.com/package/samlify) [![下载量](https://img.shields.io/npm/dm/samlify.svg?style=for-the-badge&logo=npm)](https://www.npmjs.com/package/samlify) [![覆盖率](https://img.shields.io/coveralls/tngan/samlify/master.svg?style=for-the-badge&logo=coveralls)](https://coveralls.io/github/tngan/samlify?branch=master)
 
 ---
-
-## 🔄 本仓库为 [samlify](https://github.com/tngan/samlify) 的改进分支版本，原作者[tngan](https://github.com/tngan)
-
-### 主要改进 / Key Improvements
-
-- 📦 将 CJS模块打包转为 ESModule
-
-- ✅ 将依赖包 `@authenio/xml-encryption` 替换为 `xml-encryption` 并升级版本对 sha256/512 加密密钥 OAEP 摘要方法的支持
-
-- 🛠️ 修复加密断言验证签名函数 verifySignature 提取`Assertion` 字段的错误，增加对加密断言  `EncryptedAssertion` 字段提取逻辑
-
-- 📦 ServiceProvider实例化函数 attributeConsumingService字段参函数， 生成默认的 `AttributeConsumingService` 元素和属性值
-
-- 🗑️ 移除作为Idp使用 IdentityProvider 函数自定义函数模板loginResponseTemplate字段的支持，并改进了自定义函数替换。
-  改进createLoginResponse函数签名改为对象的传参方式
-
-- 🔒 默认签名算法升级为 SHA-256，Idp默认加密算法为 AES_256_GCM
-
-- ⬆️ 升级所有能够升级的依赖版本，移除 `node-rsa`/`node-forge` 模块儿,改用原生nodejs `crypto` 模块实现。
-
-- 🌐 将 `url` 库替换为 `URL` 原生 API
-- 改进了如果响应为的绑定`urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect`,某些情况下未能DEFLATE压缩导致不能提取xml的异常情况的处理
-- 现在如果遇到加密响应无需显示传递 `isAssertionEncrypted` 字段,也无需传递 `MessageSignatureOrder`
-  字段。因为我认为是否加密应该是可以自动判断的，MessageSignatureOrder我修改了判断逻辑并在Keycloak 验证可以通过。使用前你应该自行验证这其中的风险
-- 默认 elementsOrder 增加了 AttributeConsumingService 适配
-- 我已经使用 Burp SAML Raider测试了 八种XSW都能良好的应对，以及XXE。你应该自行验证
+[English Version](#README.md) | [中文版本](#readmeCN.md)
+## 🔄 This repository is an improved fork of [samlify](https://github.com/tngan/samlify) by [tngan](https://github.com/tngan)
+
+### Key Improvements
+
+- 📦 Converted from CJS to ESModule
+- ✅ Replaced `@authenio/xml-encryption` with `xml-encryption` and added support for sha256/512 encryption key OAEP digest methods
+- ✅ Upgraded `@xmldom/xmldom` to the latest version
+- 🛠️ Fixed encrypted assertion signature verification by adding `EncryptedAssertion` field extraction logic
+- 📦 Added default `AttributeConsumingService` element generation for ServiceProvider
+- 📦 Added partial Artifact binding support
+- 🗑️ Removed custom template support for IdentityProvider and improved parameter passing
+- 🔒 Upgraded default signature algorithm to SHA-256 and default encryption to AES_256_GCM
+- 🧪 Added built-in XML XSD validator
+- 🐛 Improved handling of HTTP-Redirect binding without DEFLATE compression
+- 🔓 Automatic detection of encrypted assertions without explicit flags
+- 📝 Added AttributeConsumingService to default elementsOrder
+- ✅ Tested against Burp SAML Raider (XSW and XXE attacks)
+- ⚡ Migrated tests to Vitest
 
 ---
 
-## 欢迎 PR / Welcome PRs
+## Welcome PRs
 
-欢迎贡献代码或提供与其他框架集成的用例  
-Welcome contributions or integration examples with frameworks
+Contributions are welcome! Please feel free to submit pull requests or provide integration examples with other frameworks.
 
 ---
 
-## 安装 / Installation
-您应该在使用的前提下首先设置验证其
-```js
+## How to use?
 
-import * as validator from '@authenio/samlify-xsd-schema-validator';
-import * as Saml from "samlesa";
-import {Extractor,} from "samlesa";
-import validator from '@authenio/samlify-node-xmllint'
-// 设置模式验证器 / Set schema validator
-Saml.setSchemaValidator(validator);
+Refer to the `type/flows.test.ts` test cases and the original documentation at [https://samlify.js.org](https://samlify.js.org). Note that some parameters have been changed in this fork.
 
+---
 
-```
-
-## 生成密钥
-
-我们使用 openssl 生成密钥和证书用于测试。私钥可以使用密码保护，这是可选的。以下是生成私钥和自签名证书的命令。
+## Generating Keys
 
-> openssl genrsa -passout pass:foobar -out encryptKey.pem 4096
-> openssl req -new -x509 -key encryptKey.pem -out encryptionCert.cer -days 3650
+Use OpenSSL to generate keys and certificates for testing. Private keys can be password-protected (optional). Here are the commands:
 
-#
+```bash
+openssl genrsa -passout pass:foobar -out encryptKey.pem 4096
+openssl req -new -x509 -key encryptKey.pem -out encryptionCert.cer -days 3650

package/build/src/binding-post.js

@@ -1,18 +1,18 @@
 /**
-* @file binding-post.ts
-* @author tngan
-* @desc Binding-level API, declare the functions using POST binding
-*/
+ * @file binding-post.ts
+ * @author tngan
+ * @desc Binding-level API, declare the functions using POST binding
+ */
 import { wording, StatusCode } from './urn.js';
 import libsaml from './libsaml.js';
 import utility, { get } from './utility.js';
 const binding = wording.binding;
 /**
-* @desc Generate a base64 encoded login request
-* @param  {string} referenceTagXPath           reference uri
-* @param  {object} entity                      object includes both idp and sp
-* @param  {function} customTagReplacement     used when developers have their own login response template
-*/
+ * @desc Generate a base64 encoded login request
+ * @param  {string} referenceTagXPath           reference uri
+ * @param  {object} entity                      object includes both idp and sp
+ * @param  {function} customTagReplacement     used when developers have their own login response template
+ */
 function base64LoginRequest(referenceTagXPath, entity, customTagReplacement) {
     const metadata = { idp: entity.idp.entityMeta, sp: entity.sp.entityMeta };
     const spSetting = entity.sp.entitySetting;
@@ -141,7 +141,6 @@ async function base64LoginResponse(requestInfo = {}, entity, user = {}, customTa
         };
         // step: sign assertion ? -> encrypted ? -> sign message ?
         if (metadata.sp.isWantAssertionsSigned()) {
-            // console.debug('sp wants assertion signed');
             rawSamlResponse = libsaml.constructSAMLSignature({
                 ...config,
                 rawSamlMessage: rawSamlResponse,
@@ -149,7 +148,10 @@ async function base64LoginResponse(requestInfo = {}, entity, user = {}, customTa
                 referenceTagXPath: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']",
                 signatureConfig: {
                     prefix: 'ds',
-                    location: { reference: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']/*[local-name(.)='Issuer']", action: 'after' },
+                    location: {
+                        reference: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']/*[local-name(.)='Issuer']",
+                        action: 'after'
+                    },
                 },
             });
         }
@@ -168,7 +170,19 @@ async function base64LoginResponse(requestInfo = {}, entity, user = {}, customTa
                 },
             });
         }
-        // console.debug('after message signed', rawSamlResponse);
+        /*    if (spSetting.wantMessageSigned) {
+              // console.debug('sign then encrypt and sign entire message');
+              rawSamlResponse = libsaml.constructSAMLSignature({
+                ...config,
+                rawSamlMessage: rawSamlResponse,
+                isMessageSigned: true,
+                transformationAlgorithms: spSetting.transformationAlgorithms,
+                signatureConfig: spSetting.signatureConfig || {
+                  prefix: 'ds',
+                  location: {reference: "/!*[local-name(.)='Response']/!*[local-name(.)='Issuer']", action: 'after'},
+                },
+              });
+            }*/
         if (idpSetting.isAssertionEncrypted) {
             // console.debug('idp is configured to do encryption');
             const context = await libsaml.encryptAssertion(entity.idp, entity.sp, rawSamlResponse);
@@ -181,18 +195,18 @@ async function base64LoginResponse(requestInfo = {}, entity, user = {}, customTa
             }
         }
         //sign after encrypting
-        if (encryptThenSign && (spSetting.wantMessageSigned || !metadata.sp.isWantAssertionsSigned())) {
-            rawSamlResponse = libsaml.constructSAMLSignature({
+        /*    if (encryptThenSign && (spSetting.wantMessageSigned || !metadata.sp.isWantAssertionsSigned())) {
+              rawSamlResponse = libsaml.constructSAMLSignature({
                 ...config,
                 rawSamlMessage: rawSamlResponse,
                 isMessageSigned: true,
                 transformationAlgorithms: spSetting.transformationAlgorithms,
                 signatureConfig: spSetting.signatureConfig || {
-                    prefix: 'ds',
-                    location: { reference: "/*[local-name(.)='Response']/*[local-name(.)='Issuer']", action: 'after' },
+                  prefix: 'ds',
+                  location: {reference: "/!*[local-name(.)='Response']/!*[local-name(.)='Issuer']", action: 'after'},
                 },
-            });
-        }
+              });
+            }*/
         return Promise.resolve({
             id,
             context: utility.base64Encode(rawSamlResponse),
@@ -201,13 +215,13 @@ async function base64LoginResponse(requestInfo = {}, entity, user = {}, customTa
     throw new Error('ERR_GENERATE_POST_LOGIN_RESPONSE_MISSING_METADATA');
 }
 /**
-* @desc Generate a base64 encoded logout request
-* @param  {object} user                         current logged user (e.g. req.user)
-* @param  {string} referenceTagXPath            reference uri
-* @param  {object} entity                       object includes both idp and sp
-* @param  {function} customTagReplacement      used when developers have their own login response template
-* @return {string} base64 encoded request
-*/
+ * @desc Generate a base64 encoded logout request
+ * @param  {object} user                         current logged user (e.g. req.user)
+ * @param  {string} referenceTagXPath            reference uri
+ * @param  {object} entity                       object includes both idp and sp
+ * @param  {function} customTagReplacement      used when developers have their own login response template
+ * @return {string} base64 encoded request
+ */
 function base64LogoutRequest(user, referenceTagXPath, entity, customTagReplacement) {
     const metadata = { init: entity.init.entityMeta, target: entity.target.entityMeta };
     const initSetting = entity.init.entitySetting;
@@ -262,12 +276,12 @@ function base64LogoutRequest(user, referenceTagXPath, entity, customTagReplaceme
     throw new Error('ERR_GENERATE_POST_LOGOUT_REQUEST_MISSING_METADATA');
 }
 /**
-* @desc Generate a base64 encoded logout response
-* @param  {object} requestInfo                 corresponding request, used to obtain the id
-* @param  {string} referenceTagXPath           reference uri
-* @param  {object} entity                      object includes both idp and sp
-* @param  {function} customTagReplacement     used when developers have their own login response template
-*/
+ * @desc Generate a base64 encoded logout response
+ * @param  {object} requestInfo                 corresponding request, used to obtain the id
+ * @param  {string} referenceTagXPath           reference uri
+ * @param  {object} entity                      object includes both idp and sp
+ * @param  {function} customTagReplacement     used when developers have their own login response template
+ */
 function base64LogoutResponse(requestInfo, entity, customTagReplacement) {
     const metadata = {
         init: entity.init.entityMeta,

package/build/src/binding-redirect.js

@@ -5,7 +5,7 @@
  */
 import utility, { get } from './utility.js';
 import libsaml from './libsaml.js';
-import { wording, namespace } from './urn.js';
+import { namespace, wording } from './urn.js';
 const binding = wording.binding;
 const urlParams = wording.urlParams;
 /**
@@ -59,8 +59,9 @@ function buildRedirectURL(opts) {
  * @param  {function} customTagReplacement      used when developers have their own login response template
  * @return {string} redirect URL
  */
+// @ts-ignore
 function loginRequestRedirectURL(entity, customTagReplacement) {
-    const metadata = { idp: entity.idp.entityMeta, sp: entity.sp.entityMeta };
+    const metadata = { idp: entity.idp.entityMeta, sp: entity.sp.entityMeta, soap: entity.soap ?? false };
     const spSetting = entity.sp.entitySetting;
     let id = '';
     if (metadata && metadata.idp && metadata.sp) {
@@ -100,6 +101,90 @@ function loginRequestRedirectURL(entity, customTagReplacement) {
     }
     throw new Error('ERR_GENERATE_REDIRECT_LOGIN_REQUEST_MISSING_METADATA');
 }
+/**
+ * @desc Redirect URL for login request
+ * @param  {object} entity                       object includes both idp and sp
+ * @param  {function} customTagReplacement      used when developers have their own login response template
+ * @return {string} redirect URL
+ */
+// @ts-ignore
+function loginRequestRedirectURLArt(entity, customTagReplacement) {
+    const metadata = { idp: entity.idp.entityMeta, sp: entity.sp.entityMeta, inResponse: entity.inResponse ?? false };
+    const spSetting = entity.sp.entitySetting;
+    let id = '';
+    if (metadata && metadata.idp && metadata.sp) {
+        const base = metadata.idp.getSingleSignOnService(binding.redirect);
+        let rawSamlRequest;
+        if (spSetting.loginRequestTemplate && customTagReplacement) {
+            const info = customTagReplacement(spSetting.loginRequestTemplate);
+            id = get(info, 'id', null);
+            rawSamlRequest = get(info, 'context', null);
+        }
+        else {
+            const nameIDFormat = spSetting.nameIDFormat;
+            const selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat;
+            id = spSetting.generateID();
+            rawSamlRequest = libsaml.replaceTagsByValue(libsaml.defaultLoginRequestTemplate.context, {
+                ID: id,
+                Destination: base,
+                Issuer: metadata.sp.getEntityID(),
+                IssueInstant: new Date().toISOString(),
+                NameIDFormat: selectedNameIDFormat,
+                AssertionConsumerServiceURL: metadata.sp.getAssertionConsumerService(binding.post),
+                EntityID: metadata.sp.getEntityID(),
+                AllowCreate: spSetting.allowCreate,
+            });
+        }
+        const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm, transformationAlgorithms } = spSetting;
+        if (metadata.idp.isWantAuthnRequestsSigned()) {
+            let signAuthnRequest = libsaml.constructSAMLSignature({
+                referenceTagXPath: "/*[local-name(.)='AuthnRequest']",
+                privateKey,
+                privateKeyPass,
+                signatureAlgorithm,
+                transformationAlgorithms,
+                isBase64Output: false,
+                rawSamlMessage: rawSamlRequest,
+                signingCert: metadata.sp.getX509Certificate('signing'),
+                signatureConfig: spSetting.signatureConfig || {
+                    prefix: 'ds',
+                    location: {
+                        reference: "/*[local-name(.)='AuthnRequest']/*[local-name(.)='Issuer']",
+                        action: 'after'
+                    },
+                }
+            });
+            rawSamlRequest = signAuthnRequest;
+        }
+        /*            console.log(metadata.idp)
+                    console.log(entity.idp.getEntitySetting())*/
+        let soapTemplate = libsaml.replaceTagsByValue(libsaml.defaultArtAuthnRequestTemplate.context, {
+            ID: id,
+            IssueInstant: new Date().toISOString(),
+            InResponseTo: metadata.inResponse ?? "",
+            Issuer: metadata.sp.getEntityID(),
+            AuthnRequest: rawSamlRequest
+        });
+        let rootSignSoap = libsaml.constructSAMLSignature({
+            isMessageSigned: true,
+            isBase64Output: false,
+            privateKey,
+            privateKeyPass,
+            signatureAlgorithm,
+            transformationAlgorithms,
+            rawSamlMessage: soapTemplate,
+            signingCert: metadata.sp.getX509Certificate('signing'),
+            signatureConfig: {
+                prefix: 'ds',
+                location: { reference: "//*[local-name()='Header']", action: 'after' },
+            }
+        });
+        return {
+            authnRequest: rootSignSoap
+        };
+    }
+    throw new Error('ERR_GENERATE_REDIRECT_LOGIN_REQUEST_MISSING_METADATA');
+}
 /**
  * @desc Redirect URL for login response
  * @param  {object} requestInfo             corresponding request, used to obtain the id
@@ -130,7 +215,6 @@ function loginResponseRedirectURL(requestInfo, entity, user = {}, relayState, cu
         // Five minutes later : nowtime  + 5 * 60 * 1000 (in milliseconds)
         const fiveMinutesLaterTime = new Date(nowTime.getTime() + 300_000);
         const now = nowTime.toISOString();
-        console.log(`现在是北京时间:${nowTime.toLocaleString()}`);
         const sessionIndex = 'session' + idpSetting.generateID(); // 这个是当前系统的会话索引，用于单点注销
         const tenHoursLaterTime = new Date(nowTime.getTime());
         tenHoursLaterTime.setHours(tenHoursLaterTime.getHours() + 10);
@@ -304,6 +388,7 @@ function logoutResponseRedirectURL(requestInfo, entity, relayState, customTagRep
     throw new Error('ERR_GENERATE_REDIRECT_LOGOUT_RESPONSE_MISSING_METADATA');
 }
 const redirectBinding = {
+    loginRequestRedirectURLArt,
     loginRequestRedirectURL,
     loginResponseRedirectURL,
     logoutRequestRedirectURL,

package/build/src/binding-simplesign.js

@@ -119,7 +119,6 @@ async function base64LoginResponse(requestInfo = {}, entity, user = {}, relaySta
         // Five minutes later : nowtime  + 5 * 60 * 1000 (in milliseconds)
         const fiveMinutesLaterTime = new Date(nowTime.getTime() + 300_000);
         const now = nowTime.toISOString();
-        console.log(`现在是北京时间:${nowTime.toLocaleString()}`);
         const sessionIndex = 'session' + idpSetting.generateID(); // 这个是当前系统的会话索引，用于单点注销
         const tenHoursLaterTime = new Date(nowTime.getTime());
         tenHoursLaterTime.setHours(tenHoursLaterTime.getHours() + 10);

package/build/src/entity-idp.js

@@ -59,11 +59,7 @@ export class IdentityProvider extends Entity {
                     sp,
                 }, user, relayState, customTagReplacement, AttributeStatement);
             default:
-                context = await postBinding.base64LoginResponse(requestInfo, {
-                    idp: this,
-                    sp,
-                }, user, customTagReplacement, encryptThenSign, AttributeStatement);
-            /*       throw new Error('ERR_CREATE_RESPONSE_UNDEFINED_BINDING');*/
+                throw new Error('ERR_CREATE_RESPONSE_UNDEFINED_BINDING');
         }
         return {
             ...context,

package/build/src/entity-sp.js

@@ -1,9 +1,10 @@
 /**
-* @file entity-sp.ts
-* @author tngan
-* @desc  Declares the actions taken by service provider
-*/
+ * @file entity-sp.ts
+ * @author tngan
+ * @desc  Declares the actions taken by service provider
+ */
 import Entity from './entity.js';
+import * as crypto from "node:crypto";
 import { namespace } from './urn.js';
 import redirectBinding from './binding-redirect.js';
 import postBinding from './binding-post.js';
@@ -17,15 +18,15 @@ export default function (props) {
     return new ServiceProvider(props);
 }
 /**
-* @desc Service provider can be configured using either metadata importing or spSetting
-* @param  {object} spSettingimport { FlowResult } from '../types/src/flow.d';
+ * @desc Service provider can be configured using either metadata importing or spSetting
+ * @param  {object} spSettingimport { FlowResult } from '../types/src/flow.d';
 
-*/
+ */
 export class ServiceProvider extends Entity {
     /**
-    * @desc  Inherited from Entity
-    * @param {object} spSetting    setting of service provider
-    */
+     * @desc  Inherited from Entity
+     * @param {object} spSetting    setting of service provider
+     */
     constructor(spSetting) {
         const entitySetting = Object.assign({
             authnRequestsSigned: false,
@@ -35,11 +36,11 @@ export class ServiceProvider extends Entity {
         super(entitySetting, 'sp');
     }
     /**
-    * @desc  Generates the login request for developers to design their own method
-    * @param  {IdentityProvider} idp               object of identity provider
-    * @param  {string}   binding                   protocol binding
-    * @param  {function} customTagReplacement     used when developers have their own login response template
-    */
+     * @desc  Generates the login request for developers to design their own method
+     * @param  {IdentityProvider} idp               object of identity provider
+     * @param  {string}   binding                   protocol binding
+     * @param  {function} customTagReplacement     used when developers have their own login response template
+     */
     createLoginRequest(idp, binding = 'redirect', customTagReplacement) {
         const nsBinding = namespace.binding;
         const protocol = nsBinding[binding];
@@ -51,14 +52,20 @@ export class ServiceProvider extends Entity {
             case nsBinding.redirect:
                 return redirectBinding.loginRequestRedirectURL({ idp, sp: this }, customTagReplacement);
             case nsBinding.post:
-                context = postBinding.base64LoginRequest("/*[local-name(.)='AuthnRequest']", { idp, sp: this }, customTagReplacement);
+                context = postBinding.base64LoginRequest("/*[local-name(.)='AuthnRequest']", {
+                    idp,
+                    sp: this
+                }, customTagReplacement);
                 break;
             case nsBinding.simpleSign:
                 // Object context = {id, context, signature, sigAlg}
                 context = simpleSignBinding.base64LoginRequest({ idp, sp: this }, customTagReplacement);
                 break;
             case nsBinding.artifact:
-                context = artifactSignBinding.base64LoginRequest("/*[local-name(.)='AuthnRequest']", { idp, sp: this }, customTagReplacement);
+                context = artifactSignBinding.base64LoginRequest("/*[local-name(.)='AuthnRequest']", {
+                    idp,
+                    sp: this
+                }, customTagReplacement);
                 break;
             default:
                 // Will support artifact in the next release
@@ -72,11 +79,45 @@ export class ServiceProvider extends Entity {
         };
     }
     /**
-    * @desc   Validation of the parsed the URL parameters
-    * @param  {IdentityProvider}   idp             object of identity provider
-    * @param  {string}   binding                   protocol binding
-    * @param  {request}   req                      request
-    */
+     * @desc  Generates the Art login request for developers to design their own method
+     * @param  {IdentityProvider} idp               object of identity provider
+     * @param  {string}   binding                   protocol binding
+     * @param  {function} customTagReplacement     used when developers have their own login response template
+     */
+    createLoginRequestArt(idp, binding = 'redirect', customTagReplacement) {
+        const nsBinding = namespace.binding;
+        const protocol = nsBinding[binding];
+        if (this.entityMeta.isAuthnRequestSigned() !== idp.entityMeta.isWantAuthnRequestsSigned()) {
+            throw new Error('ERR_METADATA_CONFLICT_REQUEST_SIGNED_FLAG');
+        }
+        let context = null;
+        switch (protocol) {
+            case nsBinding.redirect:
+                return redirectBinding.loginRequestRedirectURLArt({ idp, sp: this }, customTagReplacement);
+            case nsBinding.post:
+                context = postBinding.base64LoginRequest("/*[local-name(.)='AuthnRequest']", {
+                    idp,
+                    sp: this,
+                    soap: true
+                }, customTagReplacement);
+                break;
+            default:
+                // Will support artifact in the next release
+                throw new Error('ERR_SP_LOGIN_REQUEST_UNDEFINED_BINDING');
+        }
+        return {
+            ...context,
+            relayState: this.entitySetting.relayState,
+            entityEndpoint: idp.entityMeta.getSingleSignOnService(binding),
+            type: 'SAMLRequest',
+        };
+    }
+    /**
+     * @desc   Validation of the parsed the URL parameters
+     * @param  {IdentityProvider}   idp             object of identity provider
+     * @param  {string}   binding                   protocol binding
+     * @param  {request}   req                      request
+     */
     parseLoginResponse(idp, binding, request) {
         const self = this;
         return flow({
@@ -95,7 +136,7 @@ export class ServiceProvider extends Entity {
      * @param  {string}   binding                   protocol binding
      * @param  {request}   req                      request
      */
-    artifactResolveResponse(idp, binding, request) {
+    parseLoginResponseArt(idp, binding, request) {
         const self = this;
         return flow({
             soap: true,
@@ -108,4 +149,55 @@ export class ServiceProvider extends Entity {
             request: request
         });
     }
+    /**
+     * @desc   generate Art id
+     *
+     * @param entityIDString
+     */
+    createArt(entityIDString, endpointIndex = 0) {
+        let sourceEntityId = entityIDString ? entityIDString : this.entityMeta.getEntityID();
+        // 1. 固定类型代码 (0x0004 - 2字节)
+        const typeCode = Buffer.from([0x00, 0x04]);
+        // 2. 端点索引 (2字节，大端序)
+        if (endpointIndex < 0 || endpointIndex > 65535) {
+            throw new Error('Endpoint index must be between 0 and 65535');
+        }
+        const endpointBuf = Buffer.alloc(2);
+        endpointBuf.writeUInt16BE(endpointIndex);
+        // 3. Source ID - 实体ID的SHA-1哈希 (20字节)
+        const sourceId = crypto.createHash('sha1')
+            .update(sourceEntityId)
+            .digest();
+        // 4. Message Handler - 20字节随机值
+        const messageHandler = crypto.randomBytes(20);
+        // 组合所有组件 (2+2+20+20 = 44字节)
+        const artifact = Buffer.concat([typeCode, endpointBuf, sourceId, messageHandler]);
+        // 返回Base64编码的Artifact
+        return artifact.toString('base64');
+    }
+    /**
+     * @desc   generate Art id
+     * @param artifact
+     */
+    parseArt(artifact) {
+        // 解码 Base64
+        const decoded = Buffer.from(artifact, 'base64');
+        // 确保长度正确（SAML 工件固定为 44 字节）
+        if (decoded.length !== 44) {
+            throw new Error(`Invalid artifact length: ${decoded.length}, expected 44 bytes`);
+        }
+        // 读取前 4 字节（TypeCode + EndpointIndex）
+        const typeCode = decoded.readUInt16BE(0);
+        const endpointIndex = decoded.readUInt16BE(2);
+        // 使用 Buffer.from() 替代 slice()
+        const sourceId = Buffer.from(decoded.buffer, // 底层 ArrayBuffer
+        decoded.byteOffset + 4, // 起始偏移量
+        20 // 长度
+        ).toString('hex');
+        const messageHandle = Buffer.from(decoded.buffer, // 底层 ArrayBuffer
+        decoded.byteOffset + 24, // 起始偏移量
+        20 // 长度
+        ).toString('hex');
+        return { typeCode, endpointIndex, sourceId, messageHandle };
+    }
 }