samlesa 2.16.6 → 2.17.0

package/README.md

@@ -1,64 +1,44 @@
-# samlify · [![构建状态](https://img.shields.io/circleci/build/github/tngan/samlify?style=for-the-badge&logo=circleci)](https://app.circleci.com/pipelines/github/tngan/samlify) [![npm 版本](https://img.shields.io/npm/v/samlify.svg?style=for-the-badge&logo=npm)](https://www.npmjs.com/package/samlify) [![下载量](https://img.shields.io/npm/dm/samlify.svg?style=for-the-badge&logo=npm)](https://www.npmjs.com/package/samlify) [![覆盖率](https://img.shields.io/coveralls/tngan/samlify/master.svg?style=for-the-badge&logo=coveralls)](https://coveralls.io/github/tngan/samlify?branch=master)
-
-高度可配置的 Node.js SAML 2.0 单点登录库
-Highly configurable Node.js SAML 2.0 library for Single Sign On
+# samlify · [![构建状态](https://img.shields.io/circleci/build/github/tngan/samlify?style=for-the-badge&logo=circleci)](https://app.circleci.com/pipelines/github/tngan/samlify) [![npm 版本](https://img.shields.io/npm/v/samlify.svg?style=for-the-badge&logo=npm)](https://www.npmjs.com/package/samlify) [![下载量](https://img.shields.io/npm/dm/samlify.svg?style=for-the-badge&logo=npm)](https://www.npmjs.com/package/samlify) [![覆盖率](https://img.shields.io/coveralls/tngan/samlify/master.svg?style=for-the-badge&logo=coveralls)](https://coveralls.io/github/tngan/samlify?branch=master)
 
 ---
-
-## 🔄 本仓库为 [samlify](https://github.com/tngan/samlify) 的改进分支版本，原作者[tngan](https://github.com/tngan)
-
-### 主要改进 / Key Improvements
-
-- 📦 将 CJS模块打包转为 ESModule
-
-- ✅ 将依赖包 `@authenio/xml-encryption` 替换为 `xml-encryption` 并升级版本对 sha256/512 加密密钥 OAEP 摘要方法的支持
-
-- 🛠️ 修复加密断言验证签名函数 verifySignature 提取`Assertion` 字段的错误，增加对加密断言  `EncryptedAssertion` 字段提取逻辑
-
-- 📦 ServiceProvider实例化函数 attributeConsumingService字段参函数， 生成默认的 `AttributeConsumingService` 元素和属性值
-
-- 🗑️ 移除作为Idp使用 IdentityProvider 函数自定义函数模板loginResponseTemplate字段的支持，并改进了自定义函数替换。
-  改进createLoginResponse函数签名改为对象的传参方式
-
-- 🔒 默认签名算法升级为 SHA-256，Idp默认加密算法为 AES_256_GCM
-
-- ⬆️ 升级所有能够升级的依赖版本，移除 `node-rsa`/`node-forge` 模块儿,改用原生nodejs `crypto` 模块实现。
-
-- 🌐 将 `url` 库替换为 `URL` 原生 API
-- 改进了如果响应为的绑定`urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect`,某些情况下未能DEFLATE压缩导致不能提取xml的异常情况的处理
-- 现在如果遇到加密响应无需显示传递 `isAssertionEncrypted` 字段,也无需传递 `MessageSignatureOrder`
-  字段。因为我认为是否加密应该是可以自动判断的，MessageSignatureOrder我修改了判断逻辑并在Keycloak 验证可以通过。使用前你应该自行验证这其中的风险
-- 默认 elementsOrder 增加了 AttributeConsumingService 适配
-- 我已经使用 Burp SAML Raider测试了 八种XSW都能良好的应对，以及XXE。你应该自行验证
+[English Version](#README.md) | [中文版本](#readmeCN.md)
+## 🔄 This repository is an improved fork of [samlify](https://github.com/tngan/samlify) by [tngan](https://github.com/tngan)
+
+### Key Improvements
+
+- 📦 Converted from CJS to ESModule
+- ✅ Replaced `@authenio/xml-encryption` with `xml-encryption` and added support for sha256/512 encryption key OAEP digest methods
+- ✅ Upgraded `@xmldom/xmldom` to the latest version
+- 🛠️ Fixed encrypted assertion signature verification by adding `EncryptedAssertion` field extraction logic
+- 📦 Added default `AttributeConsumingService` element generation for ServiceProvider
+- 📦 Added partial Artifact binding support
+- 🗑️ Removed custom template support for IdentityProvider and improved parameter passing
+- 🔒 Upgraded default signature algorithm to SHA-256 and default encryption to AES_256_GCM
+- 🧪 Added built-in XML XSD validator
+- 🐛 Improved handling of HTTP-Redirect binding without DEFLATE compression
+- 🔓 Automatic detection of encrypted assertions without explicit flags
+- 📝 Added AttributeConsumingService to default elementsOrder
+- ✅ Tested against Burp SAML Raider (XSW and XXE attacks)
+- ⚡ Migrated tests to Vitest
 
 ---
 
-## 欢迎 PR / Welcome PRs
+## Welcome PRs
 
-欢迎贡献代码或提供与其他框架集成的用例  
-Welcome contributions or integration examples with frameworks
+Contributions are welcome! Please feel free to submit pull requests or provide integration examples with other frameworks.
 
 ---
 
-## 安装 / Installation
-您应该在使用的前提下首先设置验证其
-```js
+## How to use?
 
-import * as validator from '@authenio/samlify-xsd-schema-validator';
-import * as Saml from "samlesa";
-import {Extractor,} from "samlesa";
-import validator from '@authenio/samlify-node-xmllint'
-// 设置模式验证器 / Set schema validator
-Saml.setSchemaValidator(validator);
+Refer to the `type/flows.test.ts` test cases and the original documentation at [https://samlify.js.org](https://samlify.js.org). Note that some parameters have been changed in this fork.
 
+---
 
-```
-
-## 生成密钥
-
-我们使用 openssl 生成密钥和证书用于测试。私钥可以使用密码保护，这是可选的。以下是生成私钥和自签名证书的命令。
+## Generating Keys
 
-> openssl genrsa -passout pass:foobar -out encryptKey.pem 4096
-> openssl req -new -x509 -key encryptKey.pem -out encryptionCert.cer -days 3650
+Use OpenSSL to generate keys and certificates for testing. Private keys can be password-protected (optional). Here are the commands:
 
-#
+```bash
+openssl genrsa -passout pass:foobar -out encryptKey.pem 4096
+openssl req -new -x509 -key encryptKey.pem -out encryptionCert.cer -days 3650

package/build/src/binding-post.js

@@ -1,18 +1,18 @@
 /**
-* @file binding-post.ts
-* @author tngan
-* @desc Binding-level API, declare the functions using POST binding
-*/
+ * @file binding-post.ts
+ * @author tngan
+ * @desc Binding-level API, declare the functions using POST binding
+ */
 import { wording, StatusCode } from './urn.js';
 import libsaml from './libsaml.js';
 import utility, { get } from './utility.js';
 const binding = wording.binding;
 /**
-* @desc Generate a base64 encoded login request
-* @param  {string} referenceTagXPath           reference uri
-* @param  {object} entity                      object includes both idp and sp
-* @param  {function} customTagReplacement     used when developers have their own login response template
-*/
+ * @desc Generate a base64 encoded login request
+ * @param  {string} referenceTagXPath           reference uri
+ * @param  {object} entity                      object includes both idp and sp
+ * @param  {function} customTagReplacement     used when developers have their own login response template
+ */
 function base64LoginRequest(referenceTagXPath, entity, customTagReplacement) {
     const metadata = { idp: entity.idp.entityMeta, sp: entity.sp.entityMeta };
     const spSetting = entity.sp.entitySetting;
@@ -141,7 +141,6 @@ async function base64LoginResponse(requestInfo = {}, entity, user = {}, customTa
         };
         // step: sign assertion ? -> encrypted ? -> sign message ?
         if (metadata.sp.isWantAssertionsSigned()) {
-            // console.debug('sp wants assertion signed');
             rawSamlResponse = libsaml.constructSAMLSignature({
                 ...config,
                 rawSamlMessage: rawSamlResponse,
@@ -149,7 +148,10 @@ async function base64LoginResponse(requestInfo = {}, entity, user = {}, customTa
                 referenceTagXPath: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']",
                 signatureConfig: {
                     prefix: 'ds',
-                    location: { reference: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']/*[local-name(.)='Issuer']", action: 'after' },
+                    location: {
+                        reference: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']/*[local-name(.)='Issuer']",
+                        action: 'after'
+                    },
                 },
             });
         }
@@ -168,7 +170,19 @@ async function base64LoginResponse(requestInfo = {}, entity, user = {}, customTa
                 },
             });
         }
-        // console.debug('after message signed', rawSamlResponse);
+        /*    if (spSetting.wantMessageSigned) {
+              // console.debug('sign then encrypt and sign entire message');
+              rawSamlResponse = libsaml.constructSAMLSignature({
+                ...config,
+                rawSamlMessage: rawSamlResponse,
+                isMessageSigned: true,
+                transformationAlgorithms: spSetting.transformationAlgorithms,
+                signatureConfig: spSetting.signatureConfig || {
+                  prefix: 'ds',
+                  location: {reference: "/!*[local-name(.)='Response']/!*[local-name(.)='Issuer']", action: 'after'},
+                },
+              });
+            }*/
         if (idpSetting.isAssertionEncrypted) {
             // console.debug('idp is configured to do encryption');
             const context = await libsaml.encryptAssertion(entity.idp, entity.sp, rawSamlResponse);
@@ -181,18 +195,18 @@ async function base64LoginResponse(requestInfo = {}, entity, user = {}, customTa
             }
         }
         //sign after encrypting
-        if (encryptThenSign && (spSetting.wantMessageSigned || !metadata.sp.isWantAssertionsSigned())) {
-            rawSamlResponse = libsaml.constructSAMLSignature({
+        /*    if (encryptThenSign && (spSetting.wantMessageSigned || !metadata.sp.isWantAssertionsSigned())) {
+              rawSamlResponse = libsaml.constructSAMLSignature({
                 ...config,
                 rawSamlMessage: rawSamlResponse,
                 isMessageSigned: true,
                 transformationAlgorithms: spSetting.transformationAlgorithms,
                 signatureConfig: spSetting.signatureConfig || {
-                    prefix: 'ds',
-                    location: { reference: "/*[local-name(.)='Response']/*[local-name(.)='Issuer']", action: 'after' },
+                  prefix: 'ds',
+                  location: {reference: "/!*[local-name(.)='Response']/!*[local-name(.)='Issuer']", action: 'after'},
                 },
-            });
-        }
+              });
+            }*/
         return Promise.resolve({
             id,
             context: utility.base64Encode(rawSamlResponse),
@@ -201,13 +215,13 @@ async function base64LoginResponse(requestInfo = {}, entity, user = {}, customTa
     throw new Error('ERR_GENERATE_POST_LOGIN_RESPONSE_MISSING_METADATA');
 }
 /**
-* @desc Generate a base64 encoded logout request
-* @param  {object} user                         current logged user (e.g. req.user)
-* @param  {string} referenceTagXPath            reference uri
-* @param  {object} entity                       object includes both idp and sp
-* @param  {function} customTagReplacement      used when developers have their own login response template
-* @return {string} base64 encoded request
-*/
+ * @desc Generate a base64 encoded logout request
+ * @param  {object} user                         current logged user (e.g. req.user)
+ * @param  {string} referenceTagXPath            reference uri
+ * @param  {object} entity                       object includes both idp and sp
+ * @param  {function} customTagReplacement      used when developers have their own login response template
+ * @return {string} base64 encoded request
+ */
 function base64LogoutRequest(user, referenceTagXPath, entity, customTagReplacement) {
     const metadata = { init: entity.init.entityMeta, target: entity.target.entityMeta };
     const initSetting = entity.init.entitySetting;
@@ -262,12 +276,12 @@ function base64LogoutRequest(user, referenceTagXPath, entity, customTagReplaceme
     throw new Error('ERR_GENERATE_POST_LOGOUT_REQUEST_MISSING_METADATA');
 }
 /**
-* @desc Generate a base64 encoded logout response
-* @param  {object} requestInfo                 corresponding request, used to obtain the id
-* @param  {string} referenceTagXPath           reference uri
-* @param  {object} entity                      object includes both idp and sp
-* @param  {function} customTagReplacement     used when developers have their own login response template
-*/
+ * @desc Generate a base64 encoded logout response
+ * @param  {object} requestInfo                 corresponding request, used to obtain the id
+ * @param  {string} referenceTagXPath           reference uri
+ * @param  {object} entity                      object includes both idp and sp
+ * @param  {function} customTagReplacement     used when developers have their own login response template
+ */
 function base64LogoutResponse(requestInfo, entity, customTagReplacement) {
     const metadata = {
         init: entity.init.entityMeta,

package/build/src/binding-redirect.js

@@ -135,8 +135,6 @@ function loginRequestRedirectURLArt(entity, customTagReplacement) {
                 AllowCreate: spSetting.allowCreate,
             });
         }
-        console.log(rawSamlRequest);
-        console.log("-----------------这是原始请求模板-------------------");
         const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm, transformationAlgorithms } = spSetting;
         if (metadata.idp.isWantAuthnRequestsSigned()) {
             let signAuthnRequest = libsaml.constructSAMLSignature({
@@ -156,8 +154,6 @@ function loginRequestRedirectURLArt(entity, customTagReplacement) {
                     },
                 }
             });
-            console.log(signAuthnRequest);
-            console.log("签名后的模板");
             rawSamlRequest = signAuthnRequest;
         }
         /*            console.log(metadata.idp)
@@ -169,9 +165,6 @@ function loginRequestRedirectURLArt(entity, customTagReplacement) {
             Issuer: metadata.sp.getEntityID(),
             AuthnRequest: rawSamlRequest
         });
-        console.log(soapTemplate);
-        console.log("======================最后结果========================");
-        console.log("======================开始签名根节点========================");
         let rootSignSoap = libsaml.constructSAMLSignature({
             isMessageSigned: true,
             isBase64Output: false,
@@ -186,8 +179,6 @@ function loginRequestRedirectURLArt(entity, customTagReplacement) {
                 location: { reference: "//*[local-name()='Header']", action: 'after' },
             }
         });
-        console.log(rootSignSoap);
-        console.log("======================已经签名========================");
         return {
             authnRequest: rootSignSoap
         };
@@ -224,7 +215,6 @@ function loginResponseRedirectURL(requestInfo, entity, user = {}, relayState, cu
         // Five minutes later : nowtime  + 5 * 60 * 1000 (in milliseconds)
         const fiveMinutesLaterTime = new Date(nowTime.getTime() + 300_000);
         const now = nowTime.toISOString();
-        console.log(`现在是北京时间:${nowTime.toLocaleString()}`);
         const sessionIndex = 'session' + idpSetting.generateID(); // 这个是当前系统的会话索引，用于单点注销
         const tenHoursLaterTime = new Date(nowTime.getTime());
         tenHoursLaterTime.setHours(tenHoursLaterTime.getHours() + 10);

package/build/src/binding-simplesign.js

@@ -119,7 +119,6 @@ async function base64LoginResponse(requestInfo = {}, entity, user = {}, relaySta
         // Five minutes later : nowtime  + 5 * 60 * 1000 (in milliseconds)
         const fiveMinutesLaterTime = new Date(nowTime.getTime() + 300_000);
         const now = nowTime.toISOString();
-        console.log(`现在是北京时间:${nowTime.toLocaleString()}`);
         const sessionIndex = 'session' + idpSetting.generateID(); // 这个是当前系统的会话索引，用于单点注销
         const tenHoursLaterTime = new Date(nowTime.getTime());
         tenHoursLaterTime.setHours(tenHoursLaterTime.getHours() + 10);

package/build/src/entity-idp.js

@@ -59,11 +59,7 @@ export class IdentityProvider extends Entity {
                     sp,
                 }, user, relayState, customTagReplacement, AttributeStatement);
             default:
-                context = await postBinding.base64LoginResponse(requestInfo, {
-                    idp: this,
-                    sp,
-                }, user, customTagReplacement, encryptThenSign, AttributeStatement);
-            /*       throw new Error('ERR_CREATE_RESPONSE_UNDEFINED_BINDING');*/
+                throw new Error('ERR_CREATE_RESPONSE_UNDEFINED_BINDING');
         }
         return {
             ...context,

package/build/src/entity-sp.js

@@ -156,8 +156,6 @@ export class ServiceProvider extends Entity {
      */
     createArt(entityIDString, endpointIndex = 0) {
         let sourceEntityId = entityIDString ? entityIDString : this.entityMeta.getEntityID();
-        console.log(sourceEntityId);
-        console.log("0000000000000000000000000000000000000000");
         // 1. 固定类型代码 (0x0004 - 2字节)
         const typeCode = Buffer.from([0x00, 0x04]);
         // 2. 端点索引 (2字节，大端序)

package/build/src/extractor.js

@@ -191,7 +191,7 @@ export const logoutResponseFields = [
 ];
 export function extract(context, fields) {
     const { dom } = getContext();
-    const rootDoc = dom.parseFromString(context);
+    const rootDoc = dom.parseFromString(context, 'application/xml');
     return fields.reduce((result, field) => {
         // get essential fields
         const key = field.key;
@@ -207,7 +207,7 @@ export function extract(context, fields) {
         // if shortcut is used, then replace the doc
         // it's a design for overriding the doc used during runtime
         if (shortcut) {
-            targetDoc = dom.parseFromString(shortcut);
+            targetDoc = dom.parseFromString(shortcut, 'application/xml');
         }
         // special case: multiple path
         /*
@@ -229,6 +229,7 @@ export function extract(context, fields) {
                 .join(' | ');
             return {
                 ...result,
+                // @ts-expect-error misssing Node properties are not needed
                 [key]: uniq(select(multiXPaths, targetDoc).map((n) => n.nodeValue).filter(notEmpty))
             };
         }
@@ -249,8 +250,10 @@ export function extract(context, fields) {
             // find the index in localpath
             const indexPath = buildAttributeXPath(index);
             const fullLocalXPath = `${baseXPath}${indexPath}`;
+            // @ts-expect-error misssing Node properties are not needed
             const parentNodes = select(baseXPath, targetDoc);
             // [uid, mail, edupersonaffiliation], ready for aggregate
+            // @ts-expect-error misssing Node properties are not needed
             const parentAttributes = select(fullLocalXPath, targetDoc).map((n) => n.value);
             // [attribute, attributevalue]
             const childXPath = buildAbsoluteXPath([last(localPath)].concat(attributePath));
@@ -258,8 +261,9 @@ export function extract(context, fields) {
             const fullChildXPath = `${childXPath}${childAttributeXPath}`;
             // [ 'test', 'test@example.com', [ 'users', 'examplerole1' ] ]
             const childAttributes = parentNodes.map(node => {
-                const nodeDoc = dom.parseFromString(node.toString());
+                const nodeDoc = dom.parseFromString(node.toString(), 'application/xml');
                 if (attributes.length === 0) {
+                    // @ts-ignore
                     const childValues = select(fullChildXPath, nodeDoc).map((n) => n.nodeValue);
                     if (childValues.length === 1) {
                         return childValues[0];
@@ -267,6 +271,7 @@ export function extract(context, fields) {
                     return childValues;
                 }
                 if (attributes.length > 0) {
+                    // @ts-ignore
                     const childValues = select(fullChildXPath, nodeDoc).map((n) => n.value);
                     if (childValues.length === 1) {
                         return childValues[0];
@@ -292,6 +297,7 @@ export function extract(context, fields) {
           }
         */
         if (isEntire) {
+            // @ts-expect-error misssing Node properties are not needed
             const node = select(baseXPath, targetDoc);
             let value = null;
             if (node.length === 1) {
@@ -314,10 +320,13 @@ export function extract(context, fields) {
           }
         */
         if (attributes.length > 1) {
+            // @ts-ignore
             const baseNode = select(baseXPath, targetDoc).map(n => n.toString());
             const childXPath = `${buildAbsoluteXPath([last(localPath)])}${attributeXPath}`;
             const attributeValues = baseNode.map((node) => {
-                const nodeDoc = dom.parseFromString(node);
+                // @ts-ignore
+                const nodeDoc = dom.parseFromString(node, 'application/xml');
+                // @ts-ignore
                 const values = select(childXPath, nodeDoc).reduce((r, n) => {
                     r[camelCase(n.name, { locale: 'en-us' })] = n.value;
                     return r;
@@ -339,6 +348,7 @@ export function extract(context, fields) {
         */
         if (attributes.length === 1) {
             const fullPath = `${baseXPath}${attributeXPath}`;
+            // @ts-ignore
             const attributeValues = select(fullPath, targetDoc).map((n) => n.value);
             return {
                 ...result,
@@ -355,9 +365,11 @@ export function extract(context, fields) {
         */
         if (attributes.length === 0) {
             let attributeValue = null;
+            // @ts-expect-error misssing Node properties are not needed
             const node = select(baseXPath, targetDoc);
             if (node.length === 1) {
                 const fullPath = `string(${baseXPath}${attributeXPath})`;
+                // @ts-expect-error misssing Node properties are not needed
                 attributeValue = select(fullPath, targetDoc);
             }
             if (node.length > 1) {

package/build/src/flow.js

@@ -131,7 +131,7 @@ async function postFlow(options) {
     const direction = libsaml.getQueryParamByType(parserType);
     let encodedRequest = '';
     let samlContent = '';
-    if (soap === false) {
+    if (!soap) {
         encodedRequest = body[direction];
         // @ts-ignore
         samlContent = String(base64Decode(encodedRequest));
@@ -186,7 +186,7 @@ async function postFlow(options) {
     let decryptRequired = from.entitySetting.isAssertionEncrypted;
     let extractorFields = [];
     // validate the xml first
-    let res = await libsaml.isValidXml(samlContent).catch((error) => {
+    let res = await libsaml.isValidXml(samlContent, soap).catch((error) => {
         return Promise.reject('ERR_EXCEPTION_VALIDATE_XML');
     });
     if (res !== true) {
@@ -198,23 +198,7 @@ async function postFlow(options) {
     // check status based on different scenarios
     await checkStatus(samlContent, parserType, soap);
     /**检查签名顺序 */
-    /*  if (
-        checkSignature &&
-        from.entitySetting.messageSigningOrder === MessageSignatureOrder.ETS
-      ) {
-        console.log("===============我走的这里=========================")
-        const [verified, verifiedAssertionNode,isDecryptRequired] = libsaml.verifySignature(samlContent, verificationOptions);
-        console.log(verified);
-        console.log("verified")
-        decryptRequired = isDecryptRequired
-        if (!verified) {
-          return Promise.reject('ERR_FAIL_TO_VERIFY_ETS_SIGNATURE');
-        }
-        if (!decryptRequired) {
-          extractorFields = getDefaultExtractorFields(parserType, verifiedAssertionNode);
-        }
-      }*/
-    if (soap === true) {
+    if (soap) {
         const [verified, verifiedAssertionNode, isDecryptRequired] = libsaml.verifySignatureSoap(samlContent, verificationOptions);
         decryptRequired = isDecryptRequired;
         if (!verified) {
@@ -227,7 +211,8 @@ async function postFlow(options) {
             // 1. 解密断言
             const [decryptedSAML, decryptedAssertion] = await libsaml.decryptAssertionSoap(self, samlContent);
             // 2. 检查解密后的断言是否包含签名
-            const assertionDoc = new DOMParser().parseFromString(decryptedAssertion, 'text/xml');
+            const assertionDoc = new DOMParser().parseFromString(decryptedAssertion, 'application/xml');
+            // @ts-ignore
             const assertionSignatureNodes = select("./*[local-name()='Signature']", assertionDoc.documentElement);
             // 3. 如果存在签名则验证
             if (assertionSignatureNodes.length > 0) {
@@ -239,7 +224,6 @@ async function postFlow(options) {
                 // 3.2 验证断言签名
                 const [assertionVerified, result] = libsaml.verifySignatureSoap(decryptedAssertion, assertionVerificationOptions);
                 if (!assertionVerified) {
-                    console.error("解密后的断言签名验证失败");
                     return Promise.reject('ERR_FAIL_TO_VERIFY_ASSERTION_SIGNATURE');
                 }
                 if (assertionVerified) {
@@ -254,34 +238,26 @@ async function postFlow(options) {
             }
         }
     }
-    if (soap === false) {
-        const [verified, verifiedAssertionNode, isDecryptRequired] = libsaml.verifySignature(samlContent, verificationOptions);
+    if (!soap) {
+        const [verified, verifiedAssertionNode, isDecryptRequired, noSignature] = libsaml.verifySignature(samlContent, verificationOptions);
         decryptRequired = isDecryptRequired;
-        if (!verified) {
+        if (isDecryptRequired && noSignature) {
+            const result = await libsaml.decryptAssertion(self, samlContent);
+            samlContent = result[0];
+            extractorFields = getDefaultExtractorFields(parserType, result[1]);
+        }
+        if (!verified && !noSignature && !isDecryptRequired) {
             return Promise.reject('ERR_FAIL_TO_VERIFY_ETS_SIGNATURE');
         }
         if (!decryptRequired) {
             extractorFields = getDefaultExtractorFields(parserType, verifiedAssertionNode);
         }
-        if (parserType === 'SAMLResponse' && decryptRequired) {
+        if (parserType === 'SAMLResponse' && decryptRequired && !noSignature) {
             const result = await libsaml.decryptAssertion(self, samlContent);
             samlContent = result[0];
             extractorFields = getDefaultExtractorFields(parserType, result[1]);
         }
     }
-    // verify the signatures (the response is signed then encrypted, then decrypt first then verify)
-    /*  if (
-        checkSignature &&
-        from.entitySetting.messageSigningOrder === MessageSignatureOrder.STE
-      ) {
-        const [verified, verifiedAssertionNode,isDecryptRequired] = libsaml.verifySignature(samlContent, verificationOptions);
-        decryptRequired = isDecryptRequired
-        if (verified) {
-          extractorFields = getDefaultExtractorFields(parserType, verifiedAssertionNode);
-        } else {
-          return Promise.reject('ERR_FAIL_TO_VERIFY_STE_SIGNATURE');
-        }
-      }*/
     const parseResult = {
         samlContent: samlContent,
         extract: extract(samlContent, extractorFields),
@@ -351,29 +327,13 @@ async function postArtifactFlow(options) {
     let decryptRequired = from.entitySetting.isAssertionEncrypted;
     let extractorFields = [];
     // validate the xml first
-    let res = await libsaml.isValidXml(samlContent);
+    let res = await libsaml.isValidXml(samlContent, true);
     if (parserType !== urlParams.samlResponse) {
         extractorFields = getDefaultExtractorFields(parserType, null);
     }
     // check status based on different scenarios
     await checkStatus(samlContent, parserType);
     /**检查签名顺序 */
-    /*  if (
-        checkSignature &&
-        from.entitySetting.messageSigningOrder === MessageSignatureOrder.ETS
-      ) {
-        console.log("===============我走的这里=========================")
-        const [verified, verifiedAssertionNode,isDecryptRequired] = libsaml.verifySignature(samlContent, verificationOptions);
-        console.log(verified);
-        console.log("verified")
-        decryptRequired = isDecryptRequired
-        if (!verified) {
-          return Promise.reject('ERR_FAIL_TO_VERIFY_ETS_SIGNATURE');
-        }
-        if (!decryptRequired) {
-          extractorFields = getDefaultExtractorFields(parserType, verifiedAssertionNode);
-        }
-      }*/
     const [verified, verifiedAssertionNode, isDecryptRequired] = libsaml.verifySignature(samlContent, verificationOptions);
     decryptRequired = isDecryptRequired;
     if (!verified) {
@@ -387,19 +347,6 @@ async function postArtifactFlow(options) {
         samlContent = result[0];
         extractorFields = getDefaultExtractorFields(parserType, result[1]);
     }
-    // verify the signatures (the response is signed then encrypted, then decrypt first then verify)
-    /*  if (
-        checkSignature &&
-        from.entitySetting.messageSigningOrder === MessageSignatureOrder.STE
-      ) {
-        const [verified, verifiedAssertionNode,isDecryptRequired] = libsaml.verifySignature(samlContent, verificationOptions);
-        decryptRequired = isDecryptRequired
-        if (verified) {
-          extractorFields = getDefaultExtractorFields(parserType, verifiedAssertionNode);
-        } else {
-          return Promise.reject('ERR_FAIL_TO_VERIFY_STE_SIGNATURE');
-        }
-      }*/
     const parseResult = {
         samlContent: samlContent,
         extract: extract(samlContent, extractorFields),
@@ -469,7 +416,7 @@ async function postSimpleSignFlow(options) {
     const xmlString = String(base64Decode(encodedRequest));
     // validate the xml
     try {
-        await libsaml.isValidXml(xmlString);
+        await libsaml.isValidXml(xmlString, false);
     }
     catch (e) {
         return Promise.reject('ERR_INVALID_XML');