samlesa 3.4.2 → 3.5.0

package/build/src/binding-artifact.js

@@ -1,29 +1,30 @@
 /**
- * @file binding-post.ts
+ * @file binding-artifact.ts
  * @author tngan
- * @desc Binding-level API, declare the functions using POST binding
+ * @desc Binding-level API for SAML 2.0 Artifact Binding
+ * @see https://docs.oasis-open.org/security/saml/v2.0/saml-bind-2.0-os.pdf
  */
 import { checkStatus } from "./flow.js";
 import { ParserType, StatusCode, wording } from './urn.js';
+import * as crypto from "node:crypto";
 import libsaml from './libsaml.js';
 import libsamlSoap from './libsamlSoap.js';
 import utility, { get } from './utility.js';
-import { fileURLToPath } from "node:url";
 import { randomUUID } from 'node:crypto';
+import postBinding from './binding-post.js';
 import { artifactResolveFields, extract, loginRequestFields, loginResponseFields, logoutRequestFields, logoutResponseFields } from "./extractor.js";
 import { verifyTime } from "./validator.js";
 import { sendArtifactResolve } from "./soap.js";
-import path from "node:path";
-const __filename = fileURLToPath(import.meta.url);
-const __dirname = path.dirname(__filename);
-// get the default extractor fields based on the parserType
+const binding = wording.binding;
+/**
+ * Get default extractor fields based on parser type
+ */
 function getDefaultExtractorFields(parserType, assertion) {
     switch (parserType) {
         case ParserType.SAMLRequest:
             return loginRequestFields;
         case ParserType.SAMLResponse:
             if (!assertion) {
-                // unexpected hit
                 throw new Error('ERR_EMPTY_ASSERTION');
             }
             return loginResponseFields(assertion);
@@ -35,25 +36,46 @@ function getDefaultExtractorFields(parserType, assertion) {
             throw new Error('ERR_UNDEFINED_PARSERTYPE');
     }
 }
-const binding = wording.binding;
 /**
- * @desc Generate a base64 encoded login request
- * @param  {string} referenceTagXPath           reference uri
- * @param  {object} entity                      object includes both idp and sp
- * @param customTagReplacement
+ * Generate a SAML 2.0 compliant Artifact ID
+ * Format: [TypeCode: 2 bytes] + [EndpointIndex: 2 bytes] + [SourceID: 20 bytes] + [MessageHandle: 20 bytes]
+ * @param issuerId The entity ID of the issuing party (IdP)
+ * @param endpointIndex The index of the destination endpoint (default is 1 for Artifact Resolution Service)
+ * @returns The Base64 encoded Artifact ID string
+ */
+export function generateArtifactId(issuerId, endpointIndex = 1) {
+    // SourceID: 20 bytes SHA-1 of issuer ID
+    const issuerHash = crypto.createHash('sha1').update(issuerId).digest();
+    const sourceId = issuerHash.subarray(0, 20);
+    // TypeCode: 0x0004 (SAML 2.0 Artifact Type)
+    const typeCode = Buffer.from([0x00, 0x04]);
+    // EndpointIndex: 2 bytes Big Endian
+    const indexBuffer = Buffer.alloc(2);
+    indexBuffer.writeUInt16BE(endpointIndex, 0);
+    // MessageHandle: 20 random bytes
+    const messageHandle = crypto.randomBytes(20);
+    // Concatenate: 2 + 2 + 20 + 20 = 44 bytes
+    const artifactBytes = Buffer.concat([typeCode, indexBuffer, sourceId, messageHandle]);
+    // Base64 encode
+    return artifactBytes.toString('base64');
+}
+/**
+ * @desc Generate a SOAP-encoded login request for Artifact binding
+ * @param {string} referenceTagXPath           reference uri
+ * @param {object} entity                      object includes both idp and sp
+ * @param {function} customTagReplacement     used when developers have their own login request template
+ * @returns {BindingContext}
  */
 function soapLoginRequest(referenceTagXPath, entity, customTagReplacement) {
     const metadata = {
         idp: entity.idp.entityMeta,
         sp: entity.sp.entityMeta,
-        inResponse: entity?.inResponse,
-        relayState: entity?.relayState
+        inResponse: entity.inResponse,
+        relayState: entity.relayState
     };
     const spSetting = entity.sp.entitySetting;
     let id = '';
-    let id2 = spSetting.generateID();
-    let soapTemplate = '';
-    let Response = '';
+    let soapId = spSetting.generateID();
     if (metadata && metadata.idp && metadata.sp) {
         const base = metadata.idp.getSingleSignOnService(binding.post);
         let rawSamlRequest;
@@ -78,12 +100,13 @@ function soapLoginRequest(referenceTagXPath, entity, customTagReplacement) {
             });
         }
         const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm, transformationAlgorithms } = spSetting;
+        let signedAuthnRequest;
         if (metadata.idp.isWantAuthnRequestsSigned()) {
-            Response = libsaml.constructSAMLSignature({
+            signedAuthnRequest = libsaml.constructSAMLSignature({
                 referenceTagXPath,
-                privateKey,
+                privateKey: privateKey,
                 privateKeyPass,
-                signatureAlgorithm,
+                signatureAlgorithm: signatureAlgorithm,
                 transformationAlgorithms,
                 rawSamlMessage: rawSamlRequest,
                 isBase64Output: false,
@@ -91,35 +114,29 @@ function soapLoginRequest(referenceTagXPath, entity, customTagReplacement) {
                 signatureConfig: spSetting.signatureConfig || {
                     prefix: 'ds',
                     location: {
-                        reference: "/*[local-name(.)='AuthnRequest']/!*[local-name(.)='Issuer']",
+                        reference: "/*[local-name(.)='AuthnRequest']/*[local-name(.)='Issuer']",
                         action: 'after'
                     },
                 }
             });
-            soapTemplate = libsaml.replaceTagsByValue(libsaml.defaultArtAuthnRequestTemplate.context, {
-                ID: id2,
-                IssueInstant: new Date().toISOString(),
-                InResponseTo: metadata.inResponse ?? "",
-                Issuer: metadata.sp.getEntityID(),
-                AuthnRequest: Response
-            });
         }
         else {
-            soapTemplate = libsaml.replaceTagsByValue(libsaml.defaultArtAuthnRequestTemplate.context, {
-                ID: id2,
-                IssueInstant: new Date().toISOString(),
-                InResponseTo: metadata.inResponse ?? "",
-                Issuer: metadata.sp.getEntityID(),
-                AuthnRequest: rawSamlRequest
-            });
+            signedAuthnRequest = rawSamlRequest;
         }
-        /** 构建响应签名*/
-        // No need to embeded XML signature
-        return libsaml.constructSAMLSignature({
+        // Construct SOAP envelope with ArtifactResponse containing AuthnRequest
+        const soapTemplate = libsaml.replaceTagsByValue(libsaml.defaultArtAuthnRequestTemplate.context, {
+            ID: soapId,
+            IssueInstant: new Date().toISOString(),
+            InResponseTo: metadata.inResponse ?? "",
+            Issuer: metadata.sp.getEntityID(),
+            AuthnRequest: signedAuthnRequest
+        });
+        // Sign the SOAP envelope
+        const signedSoap = libsaml.constructSAMLSignature({
             referenceTagXPath: "/*[local-name(.)='Envelope']/*[local-name(.)='Body']/*[local-name(.)='ArtifactResponse']",
-            privateKey,
+            privateKey: privateKey,
             privateKeyPass,
-            signatureAlgorithm,
+            signatureAlgorithm: signatureAlgorithm,
             transformationAlgorithms,
             rawSamlMessage: soapTemplate,
             isBase64Output: false,
@@ -133,161 +150,105 @@ function soapLoginRequest(referenceTagXPath, entity, customTagReplacement) {
                 }
             },
         });
+        return {
+            id: soapId,
+            context: signedSoap,
+        };
     }
     throw new Error('ERR_GENERATE_POST_LOGIN_REQUEST_MISSING_METADATA');
 }
 /**
- * @desc Generate a base64 encoded login response
- * @param  {object} requestInfo                 corresponding request, used to obtain the id
- * @param  {object} entity                      object includes both idp and sp
- * @param  {object} user                        current logged user (e.g. req.user)
- * @param  {function} customTagReplacement     used when developers have their own login response template
- * @param  {boolean}  encryptThenSign           whether or not to encrypt then sign first (if signing). Defaults to sign-then-encrypt
- * @param AttributeStatement
+ * @desc Generate a SOAP-encoded login response for Artifact binding
+ * @param {Base64LoginResponseParams} params  parameters for generating login response
+ * @returns {BindingContext}
  */
-async function soapLoginResponse(requestInfo = {}, entity, user = {}, customTagReplacement, encryptThenSign = false, AttributeStatement = []) {
-    const idpSetting = entity.idp.entitySetting;
-    const spSetting = entity.sp.entitySetting;
-    const id = idpSetting.generateID();
+async function soapLoginResponse(params) {
+    const { entity } = params;
     const metadata = {
         idp: entity.idp.entityMeta,
         sp: entity.sp.entityMeta,
     };
-    const nameIDFormat = idpSetting.nameIDFormat;
-    const selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat;
-    if (metadata && metadata.idp && metadata.sp) {
-        const base = metadata.sp.getAssertionConsumerService(binding.post);
-        let rawSamlResponse;
-        const nowTime = new Date();
-        const spEntityID = metadata.sp.getEntityID();
-        const oneMinutesLaterTime = new Date(nowTime.getTime());
-        oneMinutesLaterTime.setMinutes(oneMinutesLaterTime.getMinutes() + 5);
-        const OneMinutesLater = oneMinutesLaterTime.toISOString();
-        const now = nowTime.toISOString();
-        const acl = metadata.sp.getAssertionConsumerService(binding.post);
-        const sessionIndex = 'session' + idpSetting.generateID(); // 这个是当前系统的会话索引，用于单点注销
-        const tenHoursLaterTime = new Date(nowTime.getTime());
-        tenHoursLaterTime.setHours(tenHoursLaterTime.getHours() + 10);
-        const tenHoursLater = tenHoursLaterTime.toISOString();
-        const tvalue = {
-            ID: id,
-            AssertionID: idpSetting.generateID(),
-            Destination: base,
-            Audience: spEntityID,
-            EntityID: spEntityID,
-            SubjectRecipient: acl,
-            Issuer: metadata.idp.getEntityID(),
-            IssueInstant: now,
-            AssertionConsumerServiceURL: acl,
-            StatusCode: StatusCode.Success,
-            // can be customized
-            ConditionsNotBefore: now,
-            ConditionsNotOnOrAfter: OneMinutesLater,
-            SubjectConfirmationDataNotOnOrAfter: OneMinutesLater,
-            NameIDFormat: selectedNameIDFormat,
-            NameID: user?.NameID || '',
-            InResponseTo: get(requestInfo, 'extract.request.id', ''),
-            AuthnStatement: `<saml:AuthnStatement AuthnInstant="${now}" SessionNotOnOrAfter="${tenHoursLater}" SessionIndex="${sessionIndex}"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>`,
-            AttributeStatement: libsaml.attributeStatementBuilder(AttributeStatement),
-        };
-        if (idpSetting.loginResponseTemplate && customTagReplacement) {
-            const template = customTagReplacement(idpSetting.loginResponseTemplate.context);
-            rawSamlResponse = get(template, 'context', null);
-        }
-        else {
-            if (requestInfo !== null) {
-                tvalue.InResponseTo = requestInfo?.extract?.request?.id ?? '';
-            }
-            rawSamlResponse = libsaml.replaceTagsByValue(libsaml.defaultLoginResponseTemplate.context, tvalue);
-        }
-        const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm } = idpSetting;
-        const config = {
-            privateKey,
-            privateKeyPass,
-            signatureAlgorithm,
-            signingCert: metadata.idp.getX509Certificate('signing'),
-            isBase64Output: false,
-        };
-        // step: sign assertion ? -> encrypted ? -> sign message ?
-        if (metadata.sp.isWantAssertionsSigned()) {
-            rawSamlResponse = libsaml.constructSAMLSignature({
-                ...config,
-                rawSamlMessage: rawSamlResponse,
-                transformationAlgorithms: spSetting.transformationAlgorithms,
-                referenceTagXPath: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']",
-                signatureConfig: {
-                    prefix: 'ds',
-                    location: {
-                        reference: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']/*[local-name(.)='Issuer']",
-                        action: 'after'
-                    },
-                },
-            });
-        }
-        // console.debug('after assertion signed', rawSamlResponse);
-        // SAML response must be signed sign message first, then encrypt
-        if (!encryptThenSign && (spSetting.wantMessageSigned || !metadata.sp.isWantAssertionsSigned())) {
-            // console.debug('sign then encrypt and sign entire message');
-            // @ts-ignore
-            rawSamlResponse = libsaml.constructSAMLSignature({
-                ...config,
-                rawSamlMessage: rawSamlResponse,
-                isMessageSigned: true,
-                transformationAlgorithms: spSetting.transformationAlgorithms,
-                signatureConfig: spSetting.signatureConfig || {
-                    prefix: 'ds',
-                    location: { reference: "/*[local-name(.)='Response']/*[local-name(.)='Issuer']", action: 'after' },
-                },
-            });
-        }
-        // console.debug('after message signed', rawSamlResponse);
-        if (idpSetting.isAssertionEncrypted) {
-            // console.debug('idp is configured to do encryption');
-            const context = await libsaml.encryptAssertion(entity.idp, entity.sp, rawSamlResponse);
-            if (encryptThenSign) {
-                //need to decode it
-                rawSamlResponse = utility.base64Decode(context);
-            }
-            else {
-                return Promise.resolve({ id, context });
-            }
-        }
-        //sign after encrypting
-        if (encryptThenSign && (spSetting.wantMessageSigned || !metadata.sp.isWantAssertionsSigned())) {
-            // @ts-ignore
-            rawSamlResponse = libsaml.constructSAMLSignature({
-                ...config,
-                rawSamlMessage: rawSamlResponse,
-                isMessageSigned: true,
-                transformationAlgorithms: spSetting.transformationAlgorithms,
-                signatureConfig: spSetting.signatureConfig || {
-                    prefix: 'ds',
-                    location: { reference: "/*[local-name(.)='Response']/*[local-name(.)='Issuer']", action: 'after' },
-                },
-            });
-        }
-        return Promise.resolve({
-            id,
-            context: utility.base64Encode(rawSamlResponse),
-        });
+    if (!metadata.idp || !metadata.sp) {
+        throw new Error('ERR_GENERATE_ARTIFACT_MISSING_METADATA');
     }
-    throw new Error('ERR_GENERATE_POST_LOGIN_RESPONSE_MISSING_METADATA');
+    // Generate the base SAML Response using POST binding logic
+    const samlResponseResult = await postBinding.base64LoginResponse(params);
+    const samlResponseXml = utility.base64Decode(samlResponseResult.context);
+    // Generate the SAML 2.0 Artifact ID
+    const artifactId = generateArtifactId(metadata.idp.getEntityID());
+    // Prepare config for SOAP signing
+    const idpSetting = entity.idp.entitySetting;
+    const spSetting = entity.sp.entitySetting;
+    const config = {
+        privateKey: idpSetting.privateKey,
+        privateKeyPass: idpSetting.privateKeyPass,
+        signatureAlgorithm: idpSetting.requestSignatureAlgorithm,
+        signingCert: metadata.idp.getX509Certificate('signing'),
+        isBase64Output: false,
+    };
+    // Construct the SOAP Envelope containing the ArtifactResponse with SAML Response
+    const soapBodyContent = `<samlp:ArtifactResponse
+        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+        ID="${samlResponseResult.id}_artifact_resp"
+        InResponseTo="${params.requestInfo?.extract?.request?.id || ''}"
+        Version="2.0"
+        IssueInstant="${new Date().toISOString()}">
+        <saml2:Issuer>${metadata.idp.getEntityID()}</saml2:Issuer>
+        <samlp:Status>
+            <samlp:StatusCode Value="${StatusCode.Success}"/>
+        </samlp:Status>
+        ${samlResponseXml}
+    </samlp:ArtifactResponse>`;
+    const soapEnvelope = `
+<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
+    <soap:Header/>
+    <soap:Body>${soapBodyContent}</soap:Body>
+</soap:Envelope>`;
+    // Sign the SOAP Envelope
+    const signedSoapEnvelope = libsaml.constructSAMLSignature({
+        ...config,
+        rawSamlMessage: soapEnvelope,
+        transformationAlgorithms: spSetting.transformationAlgorithms,
+        isMessageSigned: true,
+        referenceTagXPath: "/*[local-name(.)='Envelope']/*[local-name(.)='Body']/*[local-name(.)='ArtifactResponse']",
+        signatureConfig: {
+            prefix: 'ds',
+            location: {
+                reference: "/*[local-name(.)='Envelope']/*[local-name(.)='Body']/*[local-name(.)='ArtifactResponse']/*[local-name(.)='Status']",
+                action: 'before'
+            },
+        },
+    });
+    // Return the Artifact ID and the Base64 encoded signed SOAP message
+    return {
+        id: artifactId,
+        context: utility.base64Encode(signedSoapEnvelope),
+    };
 }
+/**
+ * @desc Parse and validate Artifact Resolve request
+ * @param {object} params
+ * @param {IdentityProvider} params.idp Identity Provider instance
+ * @param {ServiceProvider} params.sp Service Provider instance
+ * @param {string} params.xml SOAP request XML string
+ * @returns {Promise}
+ */
 async function parseLoginRequestResolve(params) {
-    let { idp, sp, xml, } = params;
+    const { idp, sp, xml } = params;
     const verificationOptions = {
         metadata: idp.entityMeta,
         signatureAlgorithm: idp.entitySetting.requestSignatureAlgorithm,
     };
-    let res = await libsaml.isValidXml(xml, true).catch((error) => {
+    // Validate XML
+    let res = await libsaml.isValidXml(xml, true).catch(() => {
         return Promise.reject('ERR_EXCEPTION_VALIDATE_XML');
     });
     if (res !== true) {
         return Promise.reject('ERR_EXCEPTION_VALIDATE_XML');
     }
-    /** 首先先验证签名*/
-    // @ts-ignore
-    let [verify, xmlString, isEncrypted, noSignature] = await libsamlSoap.verifyAndDecryptSoapMessage(xml, verificationOptions);
+    // Verify and decrypt SOAP message
+    let [verify, xmlString] = await libsamlSoap.verifyAndDecryptSoapMessage(xml, verificationOptions);
     if (!verify) {
         return Promise.reject('ERR_FAIL_TO_VERIFY_SIGNATURE');
     }
@@ -295,25 +256,32 @@ async function parseLoginRequestResolve(params) {
         samlContent: xmlString,
         extract: extract(xmlString, artifactResolveFields),
     };
-    /**
-     *  Validation part: validate the context of response after signature is verified and decrypted (optional)
-     */
+    // Validation
     const targetEntityMetadata = sp.entityMeta;
     const issuer = targetEntityMetadata.getEntityID();
     const extractedProperties = parseResult.extract;
-    // unmatched issuer
+    // Check issuer
     if (extractedProperties.issuer !== issuer) {
         return Promise.reject('ERR_UNMATCH_ISSUER');
     }
-    // invalid session time
-    // only run the verifyTime when `SessionNotOnOrAfter` exists
-    if (!verifyTime(undefined, new Date(new Date(extractedProperties.request.issueInstant).getTime() + 5 * 60 * 1000).toISOString(), sp.entitySetting.clockDrifts)) {
+    // Check time validity (5 minutes from issue instant)
+    const issueInstant = new Date(extractedProperties.request.issueInstant);
+    const expiryTime = new Date(issueInstant.getTime() + 5 * 60 * 1000);
+    if (!verifyTime(undefined, expiryTime.toISOString(), sp.entitySetting.clockDrifts)) {
         return Promise.reject('ERR_EXPIRED_SESSION');
     }
     return Promise.resolve(parseResult);
 }
+/**
+ * @desc Parse and validate Artifact Resolve response
+ * @param {object} params
+ * @param {IdentityProvider} params.idp Identity Provider instance
+ * @param {ServiceProvider} params.sp Service Provider instance
+ * @param {string} params.art Artifact string
+ * @returns {Promise}
+ */
 async function parseLoginResponseResolve(params) {
-    let { idp, sp, art } = params;
+    const { idp, sp, art } = params;
     const metadata = {
         idp: idp.entityMeta,
         sp: sp.entityMeta,
@@ -322,14 +290,11 @@ async function parseLoginResponseResolve(params) {
         metadata: idp.entityMeta,
         signatureAlgorithm: idp.entitySetting.requestSignatureAlgorithm,
     };
-    let parserType = 'SAMLResponse';
-    /** 断言是否加密应根据响应里面的字段判断*/
-    let decryptRequired = idp.entitySetting.isAssertionEncrypted;
-    let extractorFields = [];
-    let samlContent = '';
+    const parserType = ParserType.SAMLResponse;
     const spSetting = sp.entitySetting;
-    let ID = '_' + randomUUID();
-    let url = metadata.idp.getArtifactResolutionService('soap');
+    const ID = '_' + randomUUID();
+    const url = metadata.idp.getArtifactResolutionService('soap');
+    // Construct ArtifactResolve request
     let samlSoapRaw = libsaml.replaceTagsByValue(libsaml.defaultArtifactResolveTemplate.context, {
         ID: ID,
         Destination: url,
@@ -337,31 +302,36 @@ async function parseLoginResponseResolve(params) {
         IssueInstant: new Date().toISOString(),
         Art: art
     });
+    let samlContent;
+    // Send signed or unsigned ArtifactResolve based on IdP configuration
     if (!metadata.idp.isWantAuthnRequestsSigned()) {
         samlContent = await sendArtifactResolve(url, samlSoapRaw);
-        // check status based on different scenarios
-        // validate the xml
+        // Validate XML
         try {
             await libsaml.isValidXml(samlContent, true);
         }
-        catch (e) {
+        catch {
             return Promise.reject('ERR_INVALID_XML');
         }
         await checkStatus(samlContent, parserType, true);
+        // Verify and decrypt SOAP response
+        const [verified, verifiedAssertionNode, isDecryptRequired] = await libsamlSoap.verifyAndDecryptSoapMessage(samlContent, verificationOptions);
+        if (!verified) {
+            return Promise.reject('ERR_FAIL_TO_VERIFY_ETS_SIGNATURE');
+        }
+        samlContent = verifiedAssertionNode;
     }
-    if (metadata.idp.isWantAuthnRequestsSigned()) {
+    else {
         const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm, transformationAlgorithms } = spSetting;
-        //@ts-ignore
-        let signatureSoap = libsaml.constructSAMLSignature({
+        // Sign the ArtifactResolve request
+        const signatureSoap = libsaml.constructSAMLSignature({
             referenceTagXPath: "//*[local-name(.)='ArtifactResolve']",
             isMessageSigned: false,
             isBase64Output: false,
             transformationAlgorithms: transformationAlgorithms,
-            //@ts-ignore
-            privateKey,
+            privateKey: privateKey,
             privateKeyPass,
-            //@ts-ignore
-            signatureAlgorithm,
+            signatureAlgorithm: signatureAlgorithm,
             rawSamlMessage: samlSoapRaw,
             signingCert: metadata.sp.getX509Certificate('signing'),
             signatureConfig: {
@@ -373,26 +343,23 @@ async function parseLoginResponseResolve(params) {
             }
         });
         samlContent = await sendArtifactResolve(url, signatureSoap);
-        // check status based on different scenarios
-        // validate the xml
+        // Validate XML
         try {
             await libsaml.isValidXml(samlContent, true);
         }
-        catch (e) {
+        catch {
             return Promise.reject('ERR_INVALID_XML');
         }
         await checkStatus(samlContent, parserType, true);
-        const [verified1, verifiedAssertionNode1, isDecryptRequired1, noSignature1] = await libsamlSoap.verifyAndDecryptSoapMessage(samlContent, verificationOptions);
-        /*            decryptRequired = isDecryptRequired*/
+        // Verify and decrypt SOAP response
+        const [verified1, verifiedAssertionNode1, isDecryptRequired1] = await libsamlSoap.verifyAndDecryptSoapMessage(samlContent, verificationOptions);
         if (!verified1) {
             return Promise.reject('ERR_FAIL_TO_VERIFY_ETS_SIGNATURE');
         }
         samlContent = verifiedAssertionNode1;
-        // 改进的postFlow函数中关于签名验证的部分
-        const verificationResult = await libsaml.verifySignature(samlContent, verificationOptions, self);
-        // 检查验证结果
+        // Verify SAML signature and decrypt if needed
+        const verificationResult = await libsaml.verifySignature(samlContent, verificationOptions, sp);
         if (!verificationResult.status) {
-            // 如果验证失败，根据具体情况返回错误
             if (verificationResult.isMessageSigned && !verificationResult.MessageSignatureStatus) {
                 return Promise.reject('ERR_FAIL_TO_VERIFY_MESSAGE_SIGNATURE');
             }
@@ -402,109 +369,51 @@ async function parseLoginResponseResolve(params) {
             if (verificationResult.encrypted && !verificationResult.decrypted) {
                 return Promise.reject('ERR_FAIL_TO_DECRYPT_ASSERTION');
             }
-            // 通用验证失败
             return Promise.reject('ERR_FAIL_TO_VERIFY_SIGNATURE_OR_DECRYPTION');
         }
-        // 更新samlContent为验证后的版本（可能已解密）
         samlContent = verificationResult.samlContent;
-        // 根据验证结果设置extractorFields
-        if (verificationResult.assertionContent) {
-            extractorFields = getDefaultExtractorFields(parserType, verificationResult.assertionContent);
-        }
-        else {
-            // 如果没有断言内容（例如注销请求/响应），使用适当的处理方式
-            extractorFields = getDefaultExtractorFields(parserType, null);
-        }
-        const parseResult = {
-            samlContent: samlContent,
-            extract: extract(samlContent, extractorFields),
-        };
-        /**
-         *  Validation part: validate the context of response after signature is verified and decrypted (optional)
-         */
-        const targetEntityMetadata = idp.entityMeta;
-        const issuer = targetEntityMetadata.getEntityID();
-        const extractedProperties = parseResult.extract;
-        // unmatched issuer
-        if ((parserType === 'LogoutResponse' || parserType === 'SAMLResponse')
-            && extractedProperties
-            && extractedProperties.issuer !== issuer) {
-            return Promise.reject('ERR_UNMATCH_ISSUER');
-        }
-        // invalid session time
-        // only run the verifyTime when `SessionNotOnOrAfter` exists
-        if (parserType === 'SAMLResponse'
-            && extractedProperties.sessionIndex.sessionNotOnOrAfter
-            && !verifyTime(undefined, extractedProperties.sessionIndex.sessionNotOnOrAfter, sp.entitySetting.clockDrifts)) {
-            return Promise.reject('ERR_EXPIRED_SESSION');
-        }
-        // invalid time
-        // 2.4.1.2 https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
-        if (parserType === 'SAMLResponse'
-            && extractedProperties.conditions
-            && !verifyTime(extractedProperties.conditions.notBefore, extractedProperties.conditions.notOnOrAfter, sp.entitySetting.clockDrifts)) {
-            return Promise.reject('ERR_SUBJECT_UNCONFIRMED');
-        }
-        return Promise.resolve(parseResult);
+    }
+    // Extract fields
+    let extractorFields;
+    if (parserType === 'SAMLResponse') {
+        extractorFields = getDefaultExtractorFields(parserType, samlContent);
+    }
+    else {
+        extractorFields = getDefaultExtractorFields(parserType, null);
     }
     const parseResult = {
         samlContent: samlContent,
         extract: extract(samlContent, extractorFields),
     };
-    /**
-     *  Validation part: validate the context of response after signature is verified and decrypted (optional)
-     */
+    // Validation
     const targetEntityMetadata = idp.entityMeta;
     const issuer = targetEntityMetadata.getEntityID();
     const extractedProperties = parseResult.extract;
-    // unmatched issuer
-    if ((parserType === 'LogoutResponse' || parserType === 'SAMLResponse')
+    // Check issuer
+    if (parserType === ParserType.SAMLResponse
         && extractedProperties
         && extractedProperties.issuer !== issuer) {
         return Promise.reject('ERR_UNMATCH_ISSUER');
     }
-    // invalid session time
-    // only run the verifyTime when `SessionNotOnOrAfter` exists
+    // Check session time
     if (parserType === 'SAMLResponse'
         && extractedProperties.sessionIndex.sessionNotOnOrAfter
         && !verifyTime(undefined, extractedProperties.sessionIndex.sessionNotOnOrAfter, sp.entitySetting.clockDrifts)) {
         return Promise.reject('ERR_EXPIRED_SESSION');
     }
-    // invalid time
-    // 2.4.1.2 https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
+    // Check conditions time
     if (parserType === 'SAMLResponse'
         && extractedProperties.conditions
         && !verifyTime(extractedProperties.conditions.notBefore, extractedProperties.conditions.notOnOrAfter, sp.entitySetting.clockDrifts)) {
         return Promise.reject('ERR_SUBJECT_UNCONFIRMED');
     }
-    //valid destination
-    //There is no validation of the response here. The upper-layer application
-    // should verify the result by itself to see if the destination is equal to the SP acs and
-    // whether the response.id is used to prevent replay attacks.
-    /*
-        let destination = extractedProperties?.response?.destination
-        let isExit = self.entitySetting?.assertionConsumerService?.filter((item) => {
-            return item?.Location === destination
-        })
-        if (isExit?.length === 0) {
-            return Promise.reject('ERR_Destination_URL');
-        }
-        if (parserType === 'SAMLResponse') {
-            let destination = extractedProperties?.response?.destination
-            let isExit = self.entitySetting?.assertionConsumerService?.filter((item: { Location: any; }) => {
-                return item?.Location === destination
-            })
-            if (isExit?.length === 0) {
-                return Promise.reject('ERR_Destination_URL');
-            }
-        }
-    */
     return Promise.resolve(parseResult);
 }
-const artifactSignBinding = {
-    parseLoginRequestResolve,
+const artifactBinding = {
     soapLoginRequest,
-    parseLoginResponseResolve,
     soapLoginResponse,
+    parseLoginRequestResolve,
+    parseLoginResponseResolve,
+    generateArtifactId,
 };
-export default artifactSignBinding;
+export default artifactBinding;