samlesa 2.17.0 → 2.17.2

package/build/index.js

@@ -9,11 +9,12 @@ export { default as SamlLib } from './src/libsaml.js';
 // new name convention in version >= 3.0
 import * as Constants from './src/urn.js';
 import * as Extractor from './src/extractor.js';
-import { validate } from './src/schemaValidator.js';
+import * as Soap from './src/soap.js';
+import { validate, validateMetadata } from './src/schemaValidator.js';
 // exposed methods for customizing samlify
 import { setSchemaValidator, setDOMParserOptions } from './src/api.js';
 export { Constants, Extractor, 
 // temp: resolve the conflict after version >= 3.0
 IdentityProvider, IdentityProviderInstance, ServiceProvider, ServiceProviderInstance, 
 // set context
-setSchemaValidator, setDOMParserOptions, validate };
+setSchemaValidator, setDOMParserOptions, validate, validateMetadata, Soap };

package/build/src/binding-artifact.js

@@ -3,20 +3,57 @@
  * @author tngan
  * @desc Binding-level API, declare the functions using POST binding
  */
-import { wording, StatusCode } from './urn.js';
+import { checkStatus } from "./flow.js";
+import { ParserType, StatusCode, wording } from './urn.js';
 import libsaml from './libsaml.js';
+import libsamlSoap from './libsamlSoap.js';
 import utility, { get } from './utility.js';
+import { fileURLToPath } from "node:url";
+import * as uuid from 'uuid';
+import { artifactResolveFields, extract, loginRequestFields, loginResponseFields, logoutRequestFields, logoutResponseFields } from "./extractor.js";
+import { verifyTime } from "./validator.js";
+import { sendArtifactResolve } from "./soap.js";
+import path from "node:path";
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+// get the default extractor fields based on the parserType
+function getDefaultExtractorFields(parserType, assertion) {
+    switch (parserType) {
+        case ParserType.SAMLRequest:
+            return loginRequestFields;
+        case ParserType.SAMLResponse:
+            if (!assertion) {
+                // unexpected hit
+                throw new Error('ERR_EMPTY_ASSERTION');
+            }
+            return loginResponseFields(assertion);
+        case ParserType.LogoutRequest:
+            return logoutRequestFields;
+        case ParserType.LogoutResponse:
+            return logoutResponseFields;
+        default:
+            throw new Error('ERR_UNDEFINED_PARSERTYPE');
+    }
+}
 const binding = wording.binding;
 /**
  * @desc Generate a base64 encoded login request
  * @param  {string} referenceTagXPath           reference uri
  * @param  {object} entity                      object includes both idp and sp
- * @param  {function} customTagReplacement     used when developers have their own login response template
+ * @param customTagReplacement
  */
-function base64LoginRequest(referenceTagXPath, entity, customTagReplacement) {
-    const metadata = { idp: entity.idp.entityMeta, sp: entity.sp.entityMeta };
+function soapLoginRequest(referenceTagXPath, entity, customTagReplacement) {
+    const metadata = {
+        idp: entity.idp.entityMeta,
+        sp: entity.sp.entityMeta,
+        inResponse: entity?.inResponse,
+        relayState: entity?.relayState
+    };
     const spSetting = entity.sp.entitySetting;
     let id = '';
+    let id2 = spSetting.generateID();
+    let soapTemplate = '';
+    let Response = '';
     if (metadata && metadata.idp && metadata.sp) {
         const base = metadata.idp.getSingleSignOnService(binding.post);
         let rawSamlRequest;
@@ -40,30 +77,59 @@ function base64LoginRequest(referenceTagXPath, entity, customTagReplacement) {
                 NameIDFormat: selectedNameIDFormat
             });
         }
+        const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm, transformationAlgorithms } = spSetting;
         if (metadata.idp.isWantAuthnRequestsSigned()) {
-            const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm, transformationAlgorithms } = spSetting;
-            return {
-                id,
-                context: libsaml.constructSAMLSignature({
-                    referenceTagXPath,
-                    privateKey,
-                    privateKeyPass,
-                    signatureAlgorithm,
-                    transformationAlgorithms,
-                    rawSamlMessage: rawSamlRequest,
-                    signingCert: metadata.sp.getX509Certificate('signing'),
-                    signatureConfig: spSetting.signatureConfig || {
-                        prefix: 'ds',
-                        location: { reference: "/*[local-name(.)='AuthnRequest']/*[local-name(.)='Issuer']", action: 'after' },
-                    }
-                }),
-            };
+            Response = libsaml.constructSAMLSignature({
+                referenceTagXPath,
+                privateKey,
+                privateKeyPass,
+                signatureAlgorithm,
+                transformationAlgorithms,
+                rawSamlMessage: rawSamlRequest,
+                isBase64Output: false,
+                signingCert: metadata.sp.getX509Certificate('signing'),
+                signatureConfig: spSetting.signatureConfig || {
+                    prefix: 'ds',
+                    location: { reference: "/*[local-name(.)='AuthnRequest']/!*[local-name(.)='Issuer']", action: 'after' },
+                }
+            });
+            soapTemplate = libsaml.replaceTagsByValue(libsaml.defaultArtAuthnRequestTemplate.context, {
+                ID: id2,
+                IssueInstant: new Date().toISOString(),
+                InResponseTo: metadata.inResponse ?? "",
+                Issuer: metadata.sp.getEntityID(),
+                AuthnRequest: Response
+            });
+        }
+        else {
+            soapTemplate = libsaml.replaceTagsByValue(libsaml.defaultArtAuthnRequestTemplate.context, {
+                ID: id2,
+                IssueInstant: new Date().toISOString(),
+                InResponseTo: metadata.inResponse ?? "",
+                Issuer: metadata.sp.getEntityID(),
+                AuthnRequest: rawSamlRequest
+            });
         }
+        /** 构建响应签名*/
         // No need to embeded XML signature
-        return {
-            id,
-            context: utility.base64Encode(rawSamlRequest),
-        };
+        return libsaml.constructSAMLSignature({
+            referenceTagXPath: "/*[local-name(.)='Envelope']/*[local-name(.)='Body']/*[local-name(.)='ArtifactResponse']",
+            privateKey,
+            privateKeyPass,
+            signatureAlgorithm,
+            transformationAlgorithms,
+            rawSamlMessage: soapTemplate,
+            isBase64Output: false,
+            isMessageSigned: false,
+            signingCert: metadata.sp.getX509Certificate('signing'),
+            signatureConfig: {
+                prefix: 'ds',
+                location: {
+                    reference: "/*[local-name(.)='Envelope']/*[local-name(.)='Body']/*[local-name(.)='ArtifactResponse']/*[local-name(.)='Issuer']",
+                    action: 'after'
+                }
+            },
+        });
     }
     throw new Error('ERR_GENERATE_POST_LOGIN_REQUEST_MISSING_METADATA');
 }
@@ -76,7 +142,7 @@ function base64LoginRequest(referenceTagXPath, entity, customTagReplacement) {
  * @param  {boolean}  encryptThenSign           whether or not to encrypt then sign first (if signing). Defaults to sign-then-encrypt
  * @param AttributeStatement
  */
-async function base64LoginResponse(requestInfo = {}, entity, user = {}, customTagReplacement, encryptThenSign = false, AttributeStatement = []) {
+async function soapLoginResponse(requestInfo = {}, entity, user = {}, customTagReplacement, encryptThenSign = false, AttributeStatement = []) {
     const idpSetting = entity.idp.entitySetting;
     const spSetting = entity.sp.entitySetting;
     const id = idpSetting.generateID();
@@ -141,7 +207,6 @@ async function base64LoginResponse(requestInfo = {}, entity, user = {}, customTa
         };
         // step: sign assertion ? -> encrypted ? -> sign message ?
         if (metadata.sp.isWantAssertionsSigned()) {
-            // console.debug('sp wants assertion signed');
             rawSamlResponse = libsaml.constructSAMLSignature({
                 ...config,
                 rawSamlMessage: rawSamlResponse,
@@ -149,7 +214,10 @@ async function base64LoginResponse(requestInfo = {}, entity, user = {}, customTa
                 referenceTagXPath: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']",
                 signatureConfig: {
                     prefix: 'ds',
-                    location: { reference: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']/*[local-name(.)='Issuer']", action: 'after' },
+                    location: {
+                        reference: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']/*[local-name(.)='Issuer']",
+                        action: 'after'
+                    },
                 },
             });
         }
@@ -200,134 +268,250 @@ async function base64LoginResponse(requestInfo = {}, entity, user = {}, customTa
     }
     throw new Error('ERR_GENERATE_POST_LOGIN_RESPONSE_MISSING_METADATA');
 }
-/**
- * @desc Generate a base64 encoded logout request
- * @param  {object} user                         current logged user (e.g. req.user)
- * @param  {string} referenceTagXPath            reference uri
- * @param  {object} entity                       object includes both idp and sp
- * @param  {function} customTagReplacement      used when developers have their own login response template
- * @return {string} base64 encoded request
- */
-function base64LogoutRequest(user, referenceTagXPath, entity, customTagReplacement) {
-    const metadata = { init: entity.init.entityMeta, target: entity.target.entityMeta };
-    const initSetting = entity.init.entitySetting;
-    const nameIDFormat = initSetting.nameIDFormat;
-    const selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat;
-    let id = '';
-    if (metadata && metadata.init && metadata.target) {
-        let rawSamlRequest;
-        if (initSetting.logoutRequestTemplate && customTagReplacement) {
-            const template = customTagReplacement(initSetting.logoutRequestTemplate.context);
-            id = get(template, 'id', null);
-            rawSamlRequest = get(template, 'context', null);
-        }
-        else {
-            id = initSetting.generateID();
-            const tvalue = {
-                ID: id,
-                Destination: metadata.target.getSingleLogoutService(binding.post),
-                Issuer: metadata.init.getEntityID(),
-                IssueInstant: new Date().toISOString(),
-                EntityID: metadata.init.getEntityID(),
-                NameIDFormat: selectedNameIDFormat,
-                NameID: user.NameID || '',
-            };
-            rawSamlRequest = libsaml.replaceTagsByValue(libsaml.defaultLogoutRequestTemplate.context, tvalue);
-        }
-        if (entity.target.entitySetting.wantLogoutRequestSigned) {
-            // Need to embeded XML signature
-            const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm, transformationAlgorithms } = initSetting;
-            return {
-                id,
-                context: libsaml.constructSAMLSignature({
-                    referenceTagXPath,
-                    privateKey,
-                    privateKeyPass,
-                    signatureAlgorithm,
-                    transformationAlgorithms,
-                    rawSamlMessage: rawSamlRequest,
-                    signingCert: metadata.init.getX509Certificate('signing'),
-                    signatureConfig: initSetting.signatureConfig || {
-                        prefix: 'ds',
-                        location: { reference: "/*[local-name(.)='LogoutRequest']/*[local-name(.)='Issuer']", action: 'after' },
-                    }
-                }),
-            };
-        }
-        return {
-            id,
-            context: utility.base64Encode(rawSamlRequest),
-        };
+async function parseLoginRequestResolve(params) {
+    let { idp, sp, xml, } = params;
+    const verificationOptions = {
+        metadata: idp.entityMeta,
+        signatureAlgorithm: idp.entitySetting.requestSignatureAlgorithm,
+    };
+    let res = await libsaml.isValidXml(xml, true).catch((error) => {
+        return Promise.reject('ERR_EXCEPTION_VALIDATE_XML');
+    });
+    if (res !== true) {
+        return Promise.reject('ERR_EXCEPTION_VALIDATE_XML');
     }
-    throw new Error('ERR_GENERATE_POST_LOGOUT_REQUEST_MISSING_METADATA');
+    /** 首先先验证签名*/
+    // @ts-ignore
+    let [verify, xmlString, isEncrypted, noSignature] = await libsamlSoap.verifyAndDecryptSoapMessage(xml, verificationOptions);
+    if (!verify) {
+        return Promise.reject('ERR_FAIL_TO_VERIFY_SIGNATURE');
+    }
+    const parseResult = {
+        samlContent: xmlString,
+        extract: extract(xmlString, artifactResolveFields),
+    };
+    /**
+     *  Validation part: validate the context of response after signature is verified and decrypted (optional)
+     */
+    const targetEntityMetadata = sp.entityMeta;
+    const issuer = targetEntityMetadata.getEntityID();
+    const extractedProperties = parseResult.extract;
+    // unmatched issuer
+    if (extractedProperties.issuer !== issuer) {
+        return Promise.reject('ERR_UNMATCH_ISSUER');
+    }
+    // invalid session time
+    // only run the verifyTime when `SessionNotOnOrAfter` exists
+    if (!verifyTime(undefined, new Date(new Date(extractedProperties.request.issueInstant).getTime() + 5 * 60 * 1000).toISOString(), sp.entitySetting.clockDrifts)) {
+        return Promise.reject('ERR_EXPIRED_SESSION');
+    }
+    return Promise.resolve(parseResult);
 }
-/**
- * @desc Generate a base64 encoded logout response
- * @param  {object} requestInfo                 corresponding request, used to obtain the id
- * @param  {string} referenceTagXPath           reference uri
- * @param  {object} entity                      object includes both idp and sp
- * @param  {function} customTagReplacement     used when developers have their own login response template
- */
-function base64LogoutResponse(requestInfo, entity, customTagReplacement) {
+async function parseLoginResponseResolve(params) {
+    let { idp, sp, art } = params;
     const metadata = {
-        init: entity.init.entityMeta,
-        target: entity.target.entityMeta,
+        idp: idp.entityMeta,
+        sp: sp.entityMeta,
     };
-    let id = '';
-    const initSetting = entity.init.entitySetting;
-    if (metadata && metadata.init && metadata.target) {
-        let rawSamlResponse;
-        if (initSetting.logoutResponseTemplate) {
-            const template = customTagReplacement(initSetting.logoutResponseTemplate.context);
-            id = template.id;
-            rawSamlResponse = template.context;
+    const verificationOptions = {
+        metadata: idp.entityMeta,
+        signatureAlgorithm: idp.entitySetting.requestSignatureAlgorithm,
+    };
+    let parserType = 'SAMLResponse';
+    /** 断言是否加密应根据响应里面的字段判断*/
+    let decryptRequired = idp.entitySetting.isAssertionEncrypted;
+    let extractorFields = [];
+    let samlContent = '';
+    const spSetting = sp.entitySetting;
+    let ID = '_' + uuid.v4();
+    let url = metadata.idp.getArtifactResolutionService('soap');
+    let samlSoapRaw = libsaml.replaceTagsByValue(libsaml.defaultArtifactResolveTemplate.context, {
+        ID: ID,
+        Destination: url,
+        Issuer: metadata.sp.getEntityID(),
+        IssueInstant: new Date().toISOString(),
+        Art: art
+    });
+    if (!metadata.idp.isWantAuthnRequestsSigned()) {
+        samlContent = await sendArtifactResolve(url, samlSoapRaw);
+        // check status based on different scenarios
+        // validate the xml
+        try {
+            await libsaml.isValidXml(samlContent, true);
         }
-        else {
-            id = initSetting.generateID();
-            const tvalue = {
-                ID: id,
-                Destination: metadata.target.getSingleLogoutService(binding.post),
-                EntityID: metadata.init.getEntityID(),
-                Issuer: metadata.init.getEntityID(),
-                IssueInstant: new Date().toISOString(),
-                StatusCode: StatusCode.Success,
-                InResponseTo: get(requestInfo, 'extract.request.id', '')
-            };
-            rawSamlResponse = libsaml.replaceTagsByValue(libsaml.defaultLogoutResponseTemplate.context, tvalue);
+        catch (e) {
+            return Promise.reject('ERR_INVALID_XML');
         }
-        if (entity.target.entitySetting.wantLogoutResponseSigned) {
-            const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm, transformationAlgorithms } = initSetting;
-            return {
-                id,
-                context: libsaml.constructSAMLSignature({
-                    isMessageSigned: true,
-                    transformationAlgorithms: transformationAlgorithms,
-                    privateKey,
-                    privateKeyPass,
-                    signatureAlgorithm,
-                    rawSamlMessage: rawSamlResponse,
-                    signingCert: metadata.init.getX509Certificate('signing'),
-                    signatureConfig: {
-                        prefix: 'ds',
-                        location: {
-                            reference: "/*[local-name(.)='LogoutResponse']/*[local-name(.)='Issuer']",
-                            action: 'after'
-                        }
-                    }
-                }),
-            };
+        await checkStatus(samlContent, parserType, true);
+    }
+    if (metadata.idp.isWantAuthnRequestsSigned()) {
+        const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm, transformationAlgorithms } = spSetting;
+        //@ts-ignore
+        let signatureSoap = libsaml.constructSAMLSignature({
+            referenceTagXPath: "//*[local-name(.)='ArtifactResolve']",
+            isMessageSigned: false,
+            isBase64Output: false,
+            transformationAlgorithms: transformationAlgorithms,
+            //@ts-ignore
+            privateKey,
+            privateKeyPass,
+            //@ts-ignore
+            signatureAlgorithm,
+            rawSamlMessage: samlSoapRaw,
+            signingCert: metadata.sp.getX509Certificate('signing'),
+            signatureConfig: {
+                prefix: 'ds',
+                location: {
+                    reference: "//*[local-name(.)='Issuer']",
+                    action: 'after'
+                }
+            }
+        });
+        samlContent = await sendArtifactResolve(url, signatureSoap);
+        // check status based on different scenarios
+        // validate the xml
+        try {
+            await libsaml.isValidXml(samlContent, true);
         }
-        return {
-            id,
-            context: utility.base64Encode(rawSamlResponse),
+        catch (e) {
+            return Promise.reject('ERR_INVALID_XML');
+        }
+        await checkStatus(samlContent, parserType, true);
+        const [verified1, verifiedAssertionNode1, isDecryptRequired1, noSignature1] = await libsamlSoap.verifyAndDecryptSoapMessage(samlContent, verificationOptions);
+        /*            decryptRequired = isDecryptRequired*/
+        if (!verified1) {
+            return Promise.reject('ERR_FAIL_TO_VERIFY_ETS_SIGNATURE');
+        }
+        samlContent = verifiedAssertionNode1;
+        const [verified, verifiedAssertionNode, isDecryptRequired, noSignature] = libsaml.verifySignature(samlContent, verificationOptions);
+        if (isDecryptRequired && noSignature) {
+            const result = await libsaml.decryptAssertion(sp, samlContent);
+            samlContent = result[0];
+            extractorFields = getDefaultExtractorFields(parserType, result[1]);
+        }
+        if (!verified && !noSignature && !isDecryptRequired) {
+            return Promise.reject('ERR_FAIL_TO_VERIFY_ETS_SIGNATURE');
+        }
+        if (!isDecryptRequired) {
+            extractorFields = getDefaultExtractorFields(parserType, verifiedAssertionNode);
+        }
+        if (parserType === 'SAMLResponse' && isDecryptRequired && !noSignature) {
+            const result = await libsaml.decryptAssertion(sp, samlContent);
+            samlContent = result[0];
+            extractorFields = getDefaultExtractorFields(parserType, result[1]);
+        }
+        const parseResult = {
+            samlContent: samlContent,
+            extract: extract(samlContent, extractorFields),
         };
+        /**
+         *  Validation part: validate the context of response after signature is verified and decrypted (optional)
+         */
+        const targetEntityMetadata = idp.entityMeta;
+        const issuer = targetEntityMetadata.getEntityID();
+        const extractedProperties = parseResult.extract;
+        // unmatched issuer
+        if ((parserType === 'LogoutResponse' || parserType === 'SAMLResponse')
+            && extractedProperties
+            && extractedProperties.issuer !== issuer) {
+            return Promise.reject('ERR_UNMATCH_ISSUER');
+        }
+        // invalid session time
+        // only run the verifyTime when `SessionNotOnOrAfter` exists
+        if (parserType === 'SAMLResponse'
+            && extractedProperties.sessionIndex.sessionNotOnOrAfter
+            && !verifyTime(undefined, extractedProperties.sessionIndex.sessionNotOnOrAfter, sp.entitySetting.clockDrifts)) {
+            return Promise.reject('ERR_EXPIRED_SESSION');
+        }
+        // invalid time
+        // 2.4.1.2 https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
+        if (parserType === 'SAMLResponse'
+            && extractedProperties.conditions
+            && !verifyTime(extractedProperties.conditions.notBefore, extractedProperties.conditions.notOnOrAfter, sp.entitySetting.clockDrifts)) {
+            return Promise.reject('ERR_SUBJECT_UNCONFIRMED');
+        }
+        //valid destination
+        //There is no validation of the response here. The upper-layer application
+        // should verify the result by itself to see if the destination is equal to the SP acs and
+        // whether the response.id is used to prevent replay attacks.
+        /*
+            let destination = extractedProperties?.response?.destination
+            let isExit = self.entitySetting?.assertionConsumerService?.filter((item) => {
+                return item?.Location === destination
+            })
+            if (isExit?.length === 0) {
+                return Promise.reject('ERR_Destination_URL');
+            }
+            if (parserType === 'SAMLResponse') {
+                let destination = extractedProperties?.response?.destination
+                let isExit = self.entitySetting?.assertionConsumerService?.filter((item: { Location: any; }) => {
+                    return item?.Location === destination
+                })
+                if (isExit?.length === 0) {
+                    return Promise.reject('ERR_Destination_URL');
+                }
+            }
+        */
+        return Promise.resolve(parseResult);
+    }
+    const parseResult = {
+        samlContent: samlContent,
+        extract: extract(samlContent, extractorFields),
+    };
+    /**
+     *  Validation part: validate the context of response after signature is verified and decrypted (optional)
+     */
+    const targetEntityMetadata = idp.entityMeta;
+    const issuer = targetEntityMetadata.getEntityID();
+    const extractedProperties = parseResult.extract;
+    // unmatched issuer
+    if ((parserType === 'LogoutResponse' || parserType === 'SAMLResponse')
+        && extractedProperties
+        && extractedProperties.issuer !== issuer) {
+        return Promise.reject('ERR_UNMATCH_ISSUER');
     }
-    throw new Error('ERR_GENERATE_POST_LOGOUT_RESPONSE_MISSING_METADATA');
+    // invalid session time
+    // only run the verifyTime when `SessionNotOnOrAfter` exists
+    if (parserType === 'SAMLResponse'
+        && extractedProperties.sessionIndex.sessionNotOnOrAfter
+        && !verifyTime(undefined, extractedProperties.sessionIndex.sessionNotOnOrAfter, sp.entitySetting.clockDrifts)) {
+        return Promise.reject('ERR_EXPIRED_SESSION');
+    }
+    // invalid time
+    // 2.4.1.2 https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
+    if (parserType === 'SAMLResponse'
+        && extractedProperties.conditions
+        && !verifyTime(extractedProperties.conditions.notBefore, extractedProperties.conditions.notOnOrAfter, sp.entitySetting.clockDrifts)) {
+        return Promise.reject('ERR_SUBJECT_UNCONFIRMED');
+    }
+    //valid destination
+    //There is no validation of the response here. The upper-layer application
+    // should verify the result by itself to see if the destination is equal to the SP acs and
+    // whether the response.id is used to prevent replay attacks.
+    /*
+        let destination = extractedProperties?.response?.destination
+        let isExit = self.entitySetting?.assertionConsumerService?.filter((item) => {
+            return item?.Location === destination
+        })
+        if (isExit?.length === 0) {
+            return Promise.reject('ERR_Destination_URL');
+        }
+        if (parserType === 'SAMLResponse') {
+            let destination = extractedProperties?.response?.destination
+            let isExit = self.entitySetting?.assertionConsumerService?.filter((item: { Location: any; }) => {
+                return item?.Location === destination
+            })
+            if (isExit?.length === 0) {
+                return Promise.reject('ERR_Destination_URL');
+            }
+        }
+    */
+    return Promise.resolve(parseResult);
 }
 const artifactSignBinding = {
-    base64LoginRequest,
-    base64LoginResponse,
-    base64LogoutRequest,
-    base64LogoutResponse,
+    parseLoginRequestResolve,
+    soapLoginRequest,
+    parseLoginResponseResolve,
+    soapLoginResponse,
 };
 export default artifactSignBinding;

package/build/src/binding-post.js

@@ -130,6 +130,8 @@ async function base64LoginResponse(requestInfo = {}, entity, user = {}, customTa
                 tvalue.InResponseTo = requestInfo?.extract?.request?.id ?? '';
             }
             rawSamlResponse = libsaml.replaceTagsByValue(libsaml.defaultLoginResponseTemplate.context, tvalue);
+            console.log(rawSamlResponse);
+            console.log("没有加密签名过的------------------------------------");
         }
         const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm } = idpSetting;
         const config = {