samlesa 2.16.6 → 2.17.1

package/README.md

@@ -1,64 +1,44 @@
-# samlify · [![构建状态](https://img.shields.io/circleci/build/github/tngan/samlify?style=for-the-badge&logo=circleci)](https://app.circleci.com/pipelines/github/tngan/samlify) [![npm 版本](https://img.shields.io/npm/v/samlify.svg?style=for-the-badge&logo=npm)](https://www.npmjs.com/package/samlify) [![下载量](https://img.shields.io/npm/dm/samlify.svg?style=for-the-badge&logo=npm)](https://www.npmjs.com/package/samlify) [![覆盖率](https://img.shields.io/coveralls/tngan/samlify/master.svg?style=for-the-badge&logo=coveralls)](https://coveralls.io/github/tngan/samlify?branch=master)
-
-高度可配置的 Node.js SAML 2.0 单点登录库
-Highly configurable Node.js SAML 2.0 library for Single Sign On
+# samlify · [![构建状态](https://img.shields.io/circleci/build/github/tngan/samlify?style=for-the-badge&logo=circleci)](https://app.circleci.com/pipelines/github/tngan/samlify) [![npm 版本](https://img.shields.io/npm/v/samlify.svg?style=for-the-badge&logo=npm)](https://www.npmjs.com/package/samlify) [![下载量](https://img.shields.io/npm/dm/samlify.svg?style=for-the-badge&logo=npm)](https://www.npmjs.com/package/samlify) [![覆盖率](https://img.shields.io/coveralls/tngan/samlify/master.svg?style=for-the-badge&logo=coveralls)](https://coveralls.io/github/tngan/samlify?branch=master)
 
 ---
-
-## 🔄 本仓库为 [samlify](https://github.com/tngan/samlify) 的改进分支版本，原作者[tngan](https://github.com/tngan)
-
-### 主要改进 / Key Improvements
-
-- 📦 将 CJS模块打包转为 ESModule
-
-- ✅ 将依赖包 `@authenio/xml-encryption` 替换为 `xml-encryption` 并升级版本对 sha256/512 加密密钥 OAEP 摘要方法的支持
-
-- 🛠️ 修复加密断言验证签名函数 verifySignature 提取`Assertion` 字段的错误，增加对加密断言  `EncryptedAssertion` 字段提取逻辑
-
-- 📦 ServiceProvider实例化函数 attributeConsumingService字段参函数， 生成默认的 `AttributeConsumingService` 元素和属性值
-
-- 🗑️ 移除作为Idp使用 IdentityProvider 函数自定义函数模板loginResponseTemplate字段的支持，并改进了自定义函数替换。
-  改进createLoginResponse函数签名改为对象的传参方式
-
-- 🔒 默认签名算法升级为 SHA-256，Idp默认加密算法为 AES_256_GCM
-
-- ⬆️ 升级所有能够升级的依赖版本，移除 `node-rsa`/`node-forge` 模块儿,改用原生nodejs `crypto` 模块实现。
-
-- 🌐 将 `url` 库替换为 `URL` 原生 API
-- 改进了如果响应为的绑定`urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect`,某些情况下未能DEFLATE压缩导致不能提取xml的异常情况的处理
-- 现在如果遇到加密响应无需显示传递 `isAssertionEncrypted` 字段,也无需传递 `MessageSignatureOrder`
-  字段。因为我认为是否加密应该是可以自动判断的，MessageSignatureOrder我修改了判断逻辑并在Keycloak 验证可以通过。使用前你应该自行验证这其中的风险
-- 默认 elementsOrder 增加了 AttributeConsumingService 适配
-- 我已经使用 Burp SAML Raider测试了 八种XSW都能良好的应对，以及XXE。你应该自行验证
+[English Version](#README.md) | [中文版本](#readmeCN.md)
+## 🔄 This repository is an improved fork of [samlify](https://github.com/tngan/samlify) by [tngan](https://github.com/tngan)
+
+### Key Improvements
+
+- 📦 Converted from CJS to ESModule
+- ✅ Replaced `@authenio/xml-encryption` with `xml-encryption` and added support for sha256/512 encryption key OAEP digest methods
+- ✅ Upgraded `@xmldom/xmldom` to the latest version
+- 🛠️ Fixed encrypted assertion signature verification by adding `EncryptedAssertion` field extraction logic
+- 📦 Added default `AttributeConsumingService` element generation for ServiceProvider
+- 📦 Added partial Artifact binding support
+- 🗑️ Removed custom template support for IdentityProvider and improved parameter passing
+- 🔒 Upgraded default signature algorithm to SHA-256 and default encryption to AES_256_GCM
+- 🧪 Added built-in XML XSD validator
+- 🐛 Improved handling of HTTP-Redirect binding without DEFLATE compression
+- 🔓 Automatic detection of encrypted assertions without explicit flags
+- 📝 Added AttributeConsumingService to default elementsOrder
+- ✅ Tested against Burp SAML Raider (XSW and XXE attacks)
+- ⚡ Migrated tests to Vitest
 
 ---
 
-## 欢迎 PR / Welcome PRs
+## Welcome PRs
 
-欢迎贡献代码或提供与其他框架集成的用例  
-Welcome contributions or integration examples with frameworks
+Contributions are welcome! Please feel free to submit pull requests or provide integration examples with other frameworks.
 
 ---
 
-## 安装 / Installation
-您应该在使用的前提下首先设置验证其
-```js
+## How to use?
 
-import * as validator from '@authenio/samlify-xsd-schema-validator';
-import * as Saml from "samlesa";
-import {Extractor,} from "samlesa";
-import validator from '@authenio/samlify-node-xmllint'
-// 设置模式验证器 / Set schema validator
-Saml.setSchemaValidator(validator);
+Refer to the `type/flows.test.ts` test cases and the original documentation at [https://samlify.js.org](https://samlify.js.org). Note that some parameters have been changed in this fork.
 
+---
 
-```
-
-## 生成密钥
-
-我们使用 openssl 生成密钥和证书用于测试。私钥可以使用密码保护，这是可选的。以下是生成私钥和自签名证书的命令。
+## Generating Keys
 
-> openssl genrsa -passout pass:foobar -out encryptKey.pem 4096
-> openssl req -new -x509 -key encryptKey.pem -out encryptionCert.cer -days 3650
+Use OpenSSL to generate keys and certificates for testing. Private keys can be password-protected (optional). Here are the commands:
 
-#
+```bash
+openssl genrsa -passout pass:foobar -out encryptKey.pem 4096
+openssl req -new -x509 -key encryptKey.pem -out encryptionCert.cer -days 3650

package/build/index.js

@@ -9,6 +9,7 @@ export { default as SamlLib } from './src/libsaml.js';
 // new name convention in version >= 3.0
 import * as Constants from './src/urn.js';
 import * as Extractor from './src/extractor.js';
+import * as Soap from './src/soap.js';
 import { validate } from './src/schemaValidator.js';
 // exposed methods for customizing samlify
 import { setSchemaValidator, setDOMParserOptions } from './src/api.js';
@@ -16,4 +17,4 @@ export { Constants, Extractor,
 // temp: resolve the conflict after version >= 3.0
 IdentityProvider, IdentityProviderInstance, ServiceProvider, ServiceProviderInstance, 
 // set context
-setSchemaValidator, setDOMParserOptions, validate };
+setSchemaValidator, setDOMParserOptions, validate, Soap };

package/build/src/binding-artifact.js

@@ -3,20 +3,57 @@
  * @author tngan
  * @desc Binding-level API, declare the functions using POST binding
  */
-import { wording, StatusCode } from './urn.js';
+import { checkStatus } from "./flow.js";
+import { ParserType, StatusCode, wording } from './urn.js';
 import libsaml from './libsaml.js';
+import libsamlSoap from './libsamlSoap.js';
 import utility, { get } from './utility.js';
+import { fileURLToPath } from "node:url";
+import * as uuid from 'uuid';
+import { artifactResolveFields, extract, loginRequestFields, loginResponseFields, logoutRequestFields, logoutResponseFields } from "./extractor.js";
+import { verifyTime } from "./validator.js";
+import { sendArtifactResolve } from "./soap.js";
+import path from "node:path";
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+// get the default extractor fields based on the parserType
+function getDefaultExtractorFields(parserType, assertion) {
+    switch (parserType) {
+        case ParserType.SAMLRequest:
+            return loginRequestFields;
+        case ParserType.SAMLResponse:
+            if (!assertion) {
+                // unexpected hit
+                throw new Error('ERR_EMPTY_ASSERTION');
+            }
+            return loginResponseFields(assertion);
+        case ParserType.LogoutRequest:
+            return logoutRequestFields;
+        case ParserType.LogoutResponse:
+            return logoutResponseFields;
+        default:
+            throw new Error('ERR_UNDEFINED_PARSERTYPE');
+    }
+}
 const binding = wording.binding;
 /**
  * @desc Generate a base64 encoded login request
  * @param  {string} referenceTagXPath           reference uri
  * @param  {object} entity                      object includes both idp and sp
- * @param  {function} customTagReplacement     used when developers have their own login response template
+ * @param customTagReplacement
  */
-function base64LoginRequest(referenceTagXPath, entity, customTagReplacement) {
-    const metadata = { idp: entity.idp.entityMeta, sp: entity.sp.entityMeta };
+function soapLoginRequest(referenceTagXPath, entity, customTagReplacement) {
+    const metadata = {
+        idp: entity.idp.entityMeta,
+        sp: entity.sp.entityMeta,
+        inResponse: entity?.inResponse,
+        relayState: entity?.relayState
+    };
     const spSetting = entity.sp.entitySetting;
     let id = '';
+    let id2 = spSetting.generateID();
+    let soapTemplate = '';
+    let Response = '';
     if (metadata && metadata.idp && metadata.sp) {
         const base = metadata.idp.getSingleSignOnService(binding.post);
         let rawSamlRequest;
@@ -40,30 +77,59 @@ function base64LoginRequest(referenceTagXPath, entity, customTagReplacement) {
                 NameIDFormat: selectedNameIDFormat
             });
         }
+        const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm, transformationAlgorithms } = spSetting;
         if (metadata.idp.isWantAuthnRequestsSigned()) {
-            const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm, transformationAlgorithms } = spSetting;
-            return {
-                id,
-                context: libsaml.constructSAMLSignature({
-                    referenceTagXPath,
-                    privateKey,
-                    privateKeyPass,
-                    signatureAlgorithm,
-                    transformationAlgorithms,
-                    rawSamlMessage: rawSamlRequest,
-                    signingCert: metadata.sp.getX509Certificate('signing'),
-                    signatureConfig: spSetting.signatureConfig || {
-                        prefix: 'ds',
-                        location: { reference: "/*[local-name(.)='AuthnRequest']/*[local-name(.)='Issuer']", action: 'after' },
-                    }
-                }),
-            };
+            Response = libsaml.constructSAMLSignature({
+                referenceTagXPath,
+                privateKey,
+                privateKeyPass,
+                signatureAlgorithm,
+                transformationAlgorithms,
+                rawSamlMessage: rawSamlRequest,
+                isBase64Output: false,
+                signingCert: metadata.sp.getX509Certificate('signing'),
+                signatureConfig: spSetting.signatureConfig || {
+                    prefix: 'ds',
+                    location: { reference: "/*[local-name(.)='AuthnRequest']/!*[local-name(.)='Issuer']", action: 'after' },
+                }
+            });
+            soapTemplate = libsaml.replaceTagsByValue(libsaml.defaultArtAuthnRequestTemplate.context, {
+                ID: id2,
+                IssueInstant: new Date().toISOString(),
+                InResponseTo: metadata.inResponse ?? "",
+                Issuer: metadata.sp.getEntityID(),
+                AuthnRequest: Response
+            });
+        }
+        else {
+            soapTemplate = libsaml.replaceTagsByValue(libsaml.defaultArtAuthnRequestTemplate.context, {
+                ID: id2,
+                IssueInstant: new Date().toISOString(),
+                InResponseTo: metadata.inResponse ?? "",
+                Issuer: metadata.sp.getEntityID(),
+                AuthnRequest: rawSamlRequest
+            });
         }
+        /** 构建响应签名*/
         // No need to embeded XML signature
-        return {
-            id,
-            context: utility.base64Encode(rawSamlRequest),
-        };
+        return libsaml.constructSAMLSignature({
+            referenceTagXPath: "/*[local-name(.)='Envelope']/*[local-name(.)='Body']/*[local-name(.)='ArtifactResponse']",
+            privateKey,
+            privateKeyPass,
+            signatureAlgorithm,
+            transformationAlgorithms,
+            rawSamlMessage: soapTemplate,
+            isBase64Output: false,
+            isMessageSigned: false,
+            signingCert: metadata.sp.getX509Certificate('signing'),
+            signatureConfig: {
+                prefix: 'ds',
+                location: {
+                    reference: "/*[local-name(.)='Envelope']/*[local-name(.)='Body']/*[local-name(.)='ArtifactResponse']/*[local-name(.)='Issuer']",
+                    action: 'after'
+                }
+            },
+        });
     }
     throw new Error('ERR_GENERATE_POST_LOGIN_REQUEST_MISSING_METADATA');
 }
@@ -76,7 +142,7 @@ function base64LoginRequest(referenceTagXPath, entity, customTagReplacement) {
  * @param  {boolean}  encryptThenSign           whether or not to encrypt then sign first (if signing). Defaults to sign-then-encrypt
  * @param AttributeStatement
  */
-async function base64LoginResponse(requestInfo = {}, entity, user = {}, customTagReplacement, encryptThenSign = false, AttributeStatement = []) {
+async function soapLoginResponse(requestInfo = {}, entity, user = {}, customTagReplacement, encryptThenSign = false, AttributeStatement = []) {
     const idpSetting = entity.idp.entitySetting;
     const spSetting = entity.sp.entitySetting;
     const id = idpSetting.generateID();
@@ -141,7 +207,6 @@ async function base64LoginResponse(requestInfo = {}, entity, user = {}, customTa
         };
         // step: sign assertion ? -> encrypted ? -> sign message ?
         if (metadata.sp.isWantAssertionsSigned()) {
-            // console.debug('sp wants assertion signed');
             rawSamlResponse = libsaml.constructSAMLSignature({
                 ...config,
                 rawSamlMessage: rawSamlResponse,
@@ -149,7 +214,10 @@ async function base64LoginResponse(requestInfo = {}, entity, user = {}, customTa
                 referenceTagXPath: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']",
                 signatureConfig: {
                     prefix: 'ds',
-                    location: { reference: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']/*[local-name(.)='Issuer']", action: 'after' },
+                    location: {
+                        reference: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']/*[local-name(.)='Issuer']",
+                        action: 'after'
+                    },
                 },
             });
         }
@@ -200,134 +268,250 @@ async function base64LoginResponse(requestInfo = {}, entity, user = {}, customTa
     }
     throw new Error('ERR_GENERATE_POST_LOGIN_RESPONSE_MISSING_METADATA');
 }
-/**
- * @desc Generate a base64 encoded logout request
- * @param  {object} user                         current logged user (e.g. req.user)
- * @param  {string} referenceTagXPath            reference uri
- * @param  {object} entity                       object includes both idp and sp
- * @param  {function} customTagReplacement      used when developers have their own login response template
- * @return {string} base64 encoded request
- */
-function base64LogoutRequest(user, referenceTagXPath, entity, customTagReplacement) {
-    const metadata = { init: entity.init.entityMeta, target: entity.target.entityMeta };
-    const initSetting = entity.init.entitySetting;
-    const nameIDFormat = initSetting.nameIDFormat;
-    const selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat;
-    let id = '';
-    if (metadata && metadata.init && metadata.target) {
-        let rawSamlRequest;
-        if (initSetting.logoutRequestTemplate && customTagReplacement) {
-            const template = customTagReplacement(initSetting.logoutRequestTemplate.context);
-            id = get(template, 'id', null);
-            rawSamlRequest = get(template, 'context', null);
-        }
-        else {
-            id = initSetting.generateID();
-            const tvalue = {
-                ID: id,
-                Destination: metadata.target.getSingleLogoutService(binding.post),
-                Issuer: metadata.init.getEntityID(),
-                IssueInstant: new Date().toISOString(),
-                EntityID: metadata.init.getEntityID(),
-                NameIDFormat: selectedNameIDFormat,
-                NameID: user.NameID || '',
-            };
-            rawSamlRequest = libsaml.replaceTagsByValue(libsaml.defaultLogoutRequestTemplate.context, tvalue);
-        }
-        if (entity.target.entitySetting.wantLogoutRequestSigned) {
-            // Need to embeded XML signature
-            const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm, transformationAlgorithms } = initSetting;
-            return {
-                id,
-                context: libsaml.constructSAMLSignature({
-                    referenceTagXPath,
-                    privateKey,
-                    privateKeyPass,
-                    signatureAlgorithm,
-                    transformationAlgorithms,
-                    rawSamlMessage: rawSamlRequest,
-                    signingCert: metadata.init.getX509Certificate('signing'),
-                    signatureConfig: initSetting.signatureConfig || {
-                        prefix: 'ds',
-                        location: { reference: "/*[local-name(.)='LogoutRequest']/*[local-name(.)='Issuer']", action: 'after' },
-                    }
-                }),
-            };
-        }
-        return {
-            id,
-            context: utility.base64Encode(rawSamlRequest),
-        };
+async function parseLoginRequestResolve(params) {
+    let { idp, sp, xml, } = params;
+    const verificationOptions = {
+        metadata: idp.entityMeta,
+        signatureAlgorithm: idp.entitySetting.requestSignatureAlgorithm,
+    };
+    let res = await libsaml.isValidXml(xml, true).catch((error) => {
+        return Promise.reject('ERR_EXCEPTION_VALIDATE_XML');
+    });
+    if (res !== true) {
+        return Promise.reject('ERR_EXCEPTION_VALIDATE_XML');
     }
-    throw new Error('ERR_GENERATE_POST_LOGOUT_REQUEST_MISSING_METADATA');
+    /** 首先先验证签名*/
+    // @ts-ignore
+    let [verify, xmlString, isEncrypted, noSignature] = await libsamlSoap.verifyAndDecryptSoapMessage(xml, verificationOptions);
+    if (!verify) {
+        return Promise.reject('ERR_FAIL_TO_VERIFY_SIGNATURE');
+    }
+    const parseResult = {
+        samlContent: xmlString,
+        extract: extract(xmlString, artifactResolveFields),
+    };
+    /**
+     *  Validation part: validate the context of response after signature is verified and decrypted (optional)
+     */
+    const targetEntityMetadata = sp.entityMeta;
+    const issuer = targetEntityMetadata.getEntityID();
+    const extractedProperties = parseResult.extract;
+    // unmatched issuer
+    if (extractedProperties.issuer !== issuer) {
+        return Promise.reject('ERR_UNMATCH_ISSUER');
+    }
+    // invalid session time
+    // only run the verifyTime when `SessionNotOnOrAfter` exists
+    if (!verifyTime(undefined, new Date(new Date(extractedProperties.request.issueInstant).getTime() + 5 * 60 * 1000).toISOString(), sp.entitySetting.clockDrifts)) {
+        return Promise.reject('ERR_EXPIRED_SESSION');
+    }
+    return Promise.resolve(parseResult);
 }
-/**
- * @desc Generate a base64 encoded logout response
- * @param  {object} requestInfo                 corresponding request, used to obtain the id
- * @param  {string} referenceTagXPath           reference uri
- * @param  {object} entity                      object includes both idp and sp
- * @param  {function} customTagReplacement     used when developers have their own login response template
- */
-function base64LogoutResponse(requestInfo, entity, customTagReplacement) {
+async function parseLoginResponseResolve(params) {
+    let { idp, sp, art } = params;
     const metadata = {
-        init: entity.init.entityMeta,
-        target: entity.target.entityMeta,
+        idp: idp.entityMeta,
+        sp: sp.entityMeta,
     };
-    let id = '';
-    const initSetting = entity.init.entitySetting;
-    if (metadata && metadata.init && metadata.target) {
-        let rawSamlResponse;
-        if (initSetting.logoutResponseTemplate) {
-            const template = customTagReplacement(initSetting.logoutResponseTemplate.context);
-            id = template.id;
-            rawSamlResponse = template.context;
+    const verificationOptions = {
+        metadata: idp.entityMeta,
+        signatureAlgorithm: idp.entitySetting.requestSignatureAlgorithm,
+    };
+    let parserType = 'SAMLResponse';
+    /** 断言是否加密应根据响应里面的字段判断*/
+    let decryptRequired = idp.entitySetting.isAssertionEncrypted;
+    let extractorFields = [];
+    let samlContent = '';
+    const spSetting = sp.entitySetting;
+    let ID = '_' + uuid.v4();
+    let url = metadata.idp.getArtifactResolutionService('soap');
+    let samlSoapRaw = libsaml.replaceTagsByValue(libsaml.defaultArtifactResolveTemplate.context, {
+        ID: ID,
+        Destination: url,
+        Issuer: metadata.sp.getEntityID(),
+        IssueInstant: new Date().toISOString(),
+        Art: art
+    });
+    if (!metadata.idp.isWantAuthnRequestsSigned()) {
+        samlContent = await sendArtifactResolve(url, samlSoapRaw);
+        // check status based on different scenarios
+        // validate the xml
+        try {
+            await libsaml.isValidXml(samlContent, true);
         }
-        else {
-            id = initSetting.generateID();
-            const tvalue = {
-                ID: id,
-                Destination: metadata.target.getSingleLogoutService(binding.post),
-                EntityID: metadata.init.getEntityID(),
-                Issuer: metadata.init.getEntityID(),
-                IssueInstant: new Date().toISOString(),
-                StatusCode: StatusCode.Success,
-                InResponseTo: get(requestInfo, 'extract.request.id', '')
-            };
-            rawSamlResponse = libsaml.replaceTagsByValue(libsaml.defaultLogoutResponseTemplate.context, tvalue);
+        catch (e) {
+            return Promise.reject('ERR_INVALID_XML');
         }
-        if (entity.target.entitySetting.wantLogoutResponseSigned) {
-            const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm, transformationAlgorithms } = initSetting;
-            return {
-                id,
-                context: libsaml.constructSAMLSignature({
-                    isMessageSigned: true,
-                    transformationAlgorithms: transformationAlgorithms,
-                    privateKey,
-                    privateKeyPass,
-                    signatureAlgorithm,
-                    rawSamlMessage: rawSamlResponse,
-                    signingCert: metadata.init.getX509Certificate('signing'),
-                    signatureConfig: {
-                        prefix: 'ds',
-                        location: {
-                            reference: "/*[local-name(.)='LogoutResponse']/*[local-name(.)='Issuer']",
-                            action: 'after'
-                        }
-                    }
-                }),
-            };
+        await checkStatus(samlContent, parserType, true);
+    }
+    if (metadata.idp.isWantAuthnRequestsSigned()) {
+        const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm, transformationAlgorithms } = spSetting;
+        //@ts-ignore
+        let signatureSoap = libsaml.constructSAMLSignature({
+            referenceTagXPath: "//*[local-name(.)='ArtifactResolve']",
+            isMessageSigned: false,
+            isBase64Output: false,
+            transformationAlgorithms: transformationAlgorithms,
+            //@ts-ignore
+            privateKey,
+            privateKeyPass,
+            //@ts-ignore
+            signatureAlgorithm,
+            rawSamlMessage: samlSoapRaw,
+            signingCert: metadata.sp.getX509Certificate('signing'),
+            signatureConfig: {
+                prefix: 'ds',
+                location: {
+                    reference: "//*[local-name(.)='Issuer']",
+                    action: 'after'
+                }
+            }
+        });
+        samlContent = await sendArtifactResolve(url, signatureSoap);
+        // check status based on different scenarios
+        // validate the xml
+        try {
+            await libsaml.isValidXml(samlContent, true);
         }
-        return {
-            id,
-            context: utility.base64Encode(rawSamlResponse),
+        catch (e) {
+            return Promise.reject('ERR_INVALID_XML');
+        }
+        await checkStatus(samlContent, parserType, true);
+        const [verified1, verifiedAssertionNode1, isDecryptRequired1, noSignature1] = await libsamlSoap.verifyAndDecryptSoapMessage(samlContent, verificationOptions);
+        /*            decryptRequired = isDecryptRequired*/
+        if (!verified1) {
+            return Promise.reject('ERR_FAIL_TO_VERIFY_ETS_SIGNATURE');
+        }
+        samlContent = verifiedAssertionNode1;
+        const [verified, verifiedAssertionNode, isDecryptRequired, noSignature] = libsaml.verifySignature(samlContent, verificationOptions);
+        if (isDecryptRequired && noSignature) {
+            const result = await libsaml.decryptAssertion(sp, samlContent);
+            samlContent = result[0];
+            extractorFields = getDefaultExtractorFields(parserType, result[1]);
+        }
+        if (!verified && !noSignature && !isDecryptRequired) {
+            return Promise.reject('ERR_FAIL_TO_VERIFY_ETS_SIGNATURE');
+        }
+        if (!isDecryptRequired) {
+            extractorFields = getDefaultExtractorFields(parserType, verifiedAssertionNode);
+        }
+        if (parserType === 'SAMLResponse' && isDecryptRequired && !noSignature) {
+            const result = await libsaml.decryptAssertion(sp, samlContent);
+            samlContent = result[0];
+            extractorFields = getDefaultExtractorFields(parserType, result[1]);
+        }
+        const parseResult = {
+            samlContent: samlContent,
+            extract: extract(samlContent, extractorFields),
         };
+        /**
+         *  Validation part: validate the context of response after signature is verified and decrypted (optional)
+         */
+        const targetEntityMetadata = idp.entityMeta;
+        const issuer = targetEntityMetadata.getEntityID();
+        const extractedProperties = parseResult.extract;
+        // unmatched issuer
+        if ((parserType === 'LogoutResponse' || parserType === 'SAMLResponse')
+            && extractedProperties
+            && extractedProperties.issuer !== issuer) {
+            return Promise.reject('ERR_UNMATCH_ISSUER');
+        }
+        // invalid session time
+        // only run the verifyTime when `SessionNotOnOrAfter` exists
+        if (parserType === 'SAMLResponse'
+            && extractedProperties.sessionIndex.sessionNotOnOrAfter
+            && !verifyTime(undefined, extractedProperties.sessionIndex.sessionNotOnOrAfter, sp.entitySetting.clockDrifts)) {
+            return Promise.reject('ERR_EXPIRED_SESSION');
+        }
+        // invalid time
+        // 2.4.1.2 https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
+        if (parserType === 'SAMLResponse'
+            && extractedProperties.conditions
+            && !verifyTime(extractedProperties.conditions.notBefore, extractedProperties.conditions.notOnOrAfter, sp.entitySetting.clockDrifts)) {
+            return Promise.reject('ERR_SUBJECT_UNCONFIRMED');
+        }
+        //valid destination
+        //There is no validation of the response here. The upper-layer application
+        // should verify the result by itself to see if the destination is equal to the SP acs and
+        // whether the response.id is used to prevent replay attacks.
+        /*
+            let destination = extractedProperties?.response?.destination
+            let isExit = self.entitySetting?.assertionConsumerService?.filter((item) => {
+                return item?.Location === destination
+            })
+            if (isExit?.length === 0) {
+                return Promise.reject('ERR_Destination_URL');
+            }
+            if (parserType === 'SAMLResponse') {
+                let destination = extractedProperties?.response?.destination
+                let isExit = self.entitySetting?.assertionConsumerService?.filter((item: { Location: any; }) => {
+                    return item?.Location === destination
+                })
+                if (isExit?.length === 0) {
+                    return Promise.reject('ERR_Destination_URL');
+                }
+            }
+        */
+        return Promise.resolve(parseResult);
+    }
+    const parseResult = {
+        samlContent: samlContent,
+        extract: extract(samlContent, extractorFields),
+    };
+    /**
+     *  Validation part: validate the context of response after signature is verified and decrypted (optional)
+     */
+    const targetEntityMetadata = idp.entityMeta;
+    const issuer = targetEntityMetadata.getEntityID();
+    const extractedProperties = parseResult.extract;
+    // unmatched issuer
+    if ((parserType === 'LogoutResponse' || parserType === 'SAMLResponse')
+        && extractedProperties
+        && extractedProperties.issuer !== issuer) {
+        return Promise.reject('ERR_UNMATCH_ISSUER');
     }
-    throw new Error('ERR_GENERATE_POST_LOGOUT_RESPONSE_MISSING_METADATA');
+    // invalid session time
+    // only run the verifyTime when `SessionNotOnOrAfter` exists
+    if (parserType === 'SAMLResponse'
+        && extractedProperties.sessionIndex.sessionNotOnOrAfter
+        && !verifyTime(undefined, extractedProperties.sessionIndex.sessionNotOnOrAfter, sp.entitySetting.clockDrifts)) {
+        return Promise.reject('ERR_EXPIRED_SESSION');
+    }
+    // invalid time
+    // 2.4.1.2 https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
+    if (parserType === 'SAMLResponse'
+        && extractedProperties.conditions
+        && !verifyTime(extractedProperties.conditions.notBefore, extractedProperties.conditions.notOnOrAfter, sp.entitySetting.clockDrifts)) {
+        return Promise.reject('ERR_SUBJECT_UNCONFIRMED');
+    }
+    //valid destination
+    //There is no validation of the response here. The upper-layer application
+    // should verify the result by itself to see if the destination is equal to the SP acs and
+    // whether the response.id is used to prevent replay attacks.
+    /*
+        let destination = extractedProperties?.response?.destination
+        let isExit = self.entitySetting?.assertionConsumerService?.filter((item) => {
+            return item?.Location === destination
+        })
+        if (isExit?.length === 0) {
+            return Promise.reject('ERR_Destination_URL');
+        }
+        if (parserType === 'SAMLResponse') {
+            let destination = extractedProperties?.response?.destination
+            let isExit = self.entitySetting?.assertionConsumerService?.filter((item: { Location: any; }) => {
+                return item?.Location === destination
+            })
+            if (isExit?.length === 0) {
+                return Promise.reject('ERR_Destination_URL');
+            }
+        }
+    */
+    return Promise.resolve(parseResult);
 }
 const artifactSignBinding = {
-    base64LoginRequest,
-    base64LoginResponse,
-    base64LogoutRequest,
-    base64LogoutResponse,
+    parseLoginRequestResolve,
+    soapLoginRequest,
+    parseLoginResponseResolve,
+    soapLoginResponse,
 };
 export default artifactSignBinding;