samlesa 3.4.3 → 3.5.0

package/build/src/binding-artifact.js

@@ -1,7 +1,8 @@
 /**
- * @file binding-post.ts
+ * @file binding-artifact.ts
  * @author tngan
- * @desc Binding-level API, declare the functions using POST binding
+ * @desc Binding-level API for SAML 2.0 Artifact Binding
+ * @see https://docs.oasis-open.org/security/saml/v2.0/saml-bind-2.0-os.pdf
  */
 import { checkStatus } from "./flow.js";
 import { ParserType, StatusCode, wording } from './urn.js';
@@ -9,23 +10,21 @@ import * as crypto from "node:crypto";
 import libsaml from './libsaml.js';
 import libsamlSoap from './libsamlSoap.js';
 import utility, { get } from './utility.js';
-import { fileURLToPath } from "node:url";
 import { randomUUID } from 'node:crypto';
 import postBinding from './binding-post.js';
 import { artifactResolveFields, extract, loginRequestFields, loginResponseFields, logoutRequestFields, logoutResponseFields } from "./extractor.js";
 import { verifyTime } from "./validator.js";
 import { sendArtifactResolve } from "./soap.js";
-import path from "node:path";
-const __filename = fileURLToPath(import.meta.url);
-const __dirname = path.dirname(__filename);
-// get the default extractor fields based on the parserType
+const binding = wording.binding;
+/**
+ * Get default extractor fields based on parser type
+ */
 function getDefaultExtractorFields(parserType, assertion) {
     switch (parserType) {
         case ParserType.SAMLRequest:
             return loginRequestFields;
         case ParserType.SAMLResponse:
             if (!assertion) {
-                // unexpected hit
                 throw new Error('ERR_EMPTY_ASSERTION');
             }
             return loginResponseFields(assertion);
@@ -37,25 +36,46 @@ function getDefaultExtractorFields(parserType, assertion) {
             throw new Error('ERR_UNDEFINED_PARSERTYPE');
     }
 }
-const binding = wording.binding;
 /**
- * @desc Generate a base64 encoded login request
- * @param  {string} referenceTagXPath           reference uri
- * @param  {object} entity                      object includes both idp and sp
- * @param customTagReplacement
+ * Generate a SAML 2.0 compliant Artifact ID
+ * Format: [TypeCode: 2 bytes] + [EndpointIndex: 2 bytes] + [SourceID: 20 bytes] + [MessageHandle: 20 bytes]
+ * @param issuerId The entity ID of the issuing party (IdP)
+ * @param endpointIndex The index of the destination endpoint (default is 1 for Artifact Resolution Service)
+ * @returns The Base64 encoded Artifact ID string
+ */
+export function generateArtifactId(issuerId, endpointIndex = 1) {
+    // SourceID: 20 bytes SHA-1 of issuer ID
+    const issuerHash = crypto.createHash('sha1').update(issuerId).digest();
+    const sourceId = issuerHash.subarray(0, 20);
+    // TypeCode: 0x0004 (SAML 2.0 Artifact Type)
+    const typeCode = Buffer.from([0x00, 0x04]);
+    // EndpointIndex: 2 bytes Big Endian
+    const indexBuffer = Buffer.alloc(2);
+    indexBuffer.writeUInt16BE(endpointIndex, 0);
+    // MessageHandle: 20 random bytes
+    const messageHandle = crypto.randomBytes(20);
+    // Concatenate: 2 + 2 + 20 + 20 = 44 bytes
+    const artifactBytes = Buffer.concat([typeCode, indexBuffer, sourceId, messageHandle]);
+    // Base64 encode
+    return artifactBytes.toString('base64');
+}
+/**
+ * @desc Generate a SOAP-encoded login request for Artifact binding
+ * @param {string} referenceTagXPath           reference uri
+ * @param {object} entity                      object includes both idp and sp
+ * @param {function} customTagReplacement     used when developers have their own login request template
+ * @returns {BindingContext}
  */
 function soapLoginRequest(referenceTagXPath, entity, customTagReplacement) {
     const metadata = {
         idp: entity.idp.entityMeta,
         sp: entity.sp.entityMeta,
-        inResponse: entity?.inResponse,
-        relayState: entity?.relayState
+        inResponse: entity.inResponse,
+        relayState: entity.relayState
     };
     const spSetting = entity.sp.entitySetting;
     let id = '';
-    let id2 = spSetting.generateID();
-    let soapTemplate = '';
-    let Response = '';
+    let soapId = spSetting.generateID();
     if (metadata && metadata.idp && metadata.sp) {
         const base = metadata.idp.getSingleSignOnService(binding.post);
         let rawSamlRequest;
@@ -80,12 +100,13 @@ function soapLoginRequest(referenceTagXPath, entity, customTagReplacement) {
             });
         }
         const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm, transformationAlgorithms } = spSetting;
+        let signedAuthnRequest;
         if (metadata.idp.isWantAuthnRequestsSigned()) {
-            Response = libsaml.constructSAMLSignature({
+            signedAuthnRequest = libsaml.constructSAMLSignature({
                 referenceTagXPath,
-                privateKey,
+                privateKey: privateKey,
                 privateKeyPass,
-                signatureAlgorithm,
+                signatureAlgorithm: signatureAlgorithm,
                 transformationAlgorithms,
                 rawSamlMessage: rawSamlRequest,
                 isBase64Output: false,
@@ -93,35 +114,29 @@ function soapLoginRequest(referenceTagXPath, entity, customTagReplacement) {
                 signatureConfig: spSetting.signatureConfig || {
                     prefix: 'ds',
                     location: {
-                        reference: "/*[local-name(.)='AuthnRequest']/!*[local-name(.)='Issuer']",
+                        reference: "/*[local-name(.)='AuthnRequest']/*[local-name(.)='Issuer']",
                         action: 'after'
                     },
                 }
             });
-            soapTemplate = libsaml.replaceTagsByValue(libsaml.defaultArtAuthnRequestTemplate.context, {
-                ID: id2,
-                IssueInstant: new Date().toISOString(),
-                InResponseTo: metadata.inResponse ?? "",
-                Issuer: metadata.sp.getEntityID(),
-                AuthnRequest: Response
-            });
         }
         else {
-            soapTemplate = libsaml.replaceTagsByValue(libsaml.defaultArtAuthnRequestTemplate.context, {
-                ID: id2,
-                IssueInstant: new Date().toISOString(),
-                InResponseTo: metadata.inResponse ?? "",
-                Issuer: metadata.sp.getEntityID(),
-                AuthnRequest: rawSamlRequest
-            });
+            signedAuthnRequest = rawSamlRequest;
         }
-        /** 构建响应签名*/
-        // No need to embeded XML signature
-        return libsaml.constructSAMLSignature({
+        // Construct SOAP envelope with ArtifactResponse containing AuthnRequest
+        const soapTemplate = libsaml.replaceTagsByValue(libsaml.defaultArtAuthnRequestTemplate.context, {
+            ID: soapId,
+            IssueInstant: new Date().toISOString(),
+            InResponseTo: metadata.inResponse ?? "",
+            Issuer: metadata.sp.getEntityID(),
+            AuthnRequest: signedAuthnRequest
+        });
+        // Sign the SOAP envelope
+        const signedSoap = libsaml.constructSAMLSignature({
             referenceTagXPath: "/*[local-name(.)='Envelope']/*[local-name(.)='Body']/*[local-name(.)='ArtifactResponse']",
-            privateKey,
+            privateKey: privateKey,
             privateKeyPass,
-            signatureAlgorithm,
+            signatureAlgorithm: signatureAlgorithm,
             transformationAlgorithms,
             rawSamlMessage: soapTemplate,
             isBase64Output: false,
@@ -135,37 +150,18 @@ function soapLoginRequest(referenceTagXPath, entity, customTagReplacement) {
                 }
             },
         });
+        return {
+            id: soapId,
+            context: signedSoap,
+        };
     }
     throw new Error('ERR_GENERATE_POST_LOGIN_REQUEST_MISSING_METADATA');
 }
 /**
- * Generates a SAML 2.0 compliant Artifact ID.
- * Format: [4-byte source ID][2-byte endpoint index][20-byte sequence value]
- * @param issuerId The entity ID of the issuing party (IdP).
- * @param endpointIndex The index of the destination endpoint (default is '0004' for Artifact Resolution Service).
- * @returns The Base64 encoded Artifact ID string.
- */
-/**
- * 生成符合 SAML 2.0 规范的 Artifact
- * 结构: [TypeCode: 2 bytes] + [EndpointIndex: 2 bytes] + [SourceID: 20 bytes] + [MessageHandle: 20 bytes]
+ * @desc Generate a SOAP-encoded login response for Artifact binding
+ * @param {Base64LoginResponseParams} params  parameters for generating login response
+ * @returns {BindingContext}
  */
-function generateArtifactId(issuerId, endpointIndex = 1) {
-    // 1. SourceID: 20 bytes SHA-1
-    const issuerHash = crypto.createHash('sha1').update(issuerId).digest();
-    const sourceId = issuerHash.subarray(0, 20); // 必须 20 字节
-    // 2. TypeCode: 0x0004
-    const typeCode = Buffer.from([0x00, 0x04]);
-    // 3. EndpointIndex: 2 bytes Big Endian
-    const indexBuffer = Buffer.alloc(2);
-    indexBuffer.writeUInt16BE(endpointIndex, 0);
-    // 4. MessageHandle: 20 random bytes
-    const messageHandle = crypto.randomBytes(20);
-    // 5. Concat: 2 + 2 + 20 + 20 = 44 bytes
-    const artifactBytes = Buffer.concat([typeCode, indexBuffer, sourceId, messageHandle]);
-    // 6. Base64
-    return artifactBytes.toString('base64');
-}
-// Initial response that sends only the artifact ID
 async function soapLoginResponse(params) {
     const { entity } = params;
     const metadata = {
@@ -175,21 +171,12 @@ async function soapLoginResponse(params) {
     if (!metadata.idp || !metadata.sp) {
         throw new Error('ERR_GENERATE_ARTIFACT_MISSING_METADATA');
     }
-    // 1. Generate the base SAML Response (Base64 encoded)
+    // Generate the base SAML Response using POST binding logic
     const samlResponseResult = await postBinding.base64LoginResponse(params);
     const samlResponseXml = utility.base64Decode(samlResponseResult.context);
-    console.log(samlResponseXml);
-    console.log("我日你妈==");
-    // 2. Generate the SAML 2.0 Artifact ID
+    // Generate the SAML 2.0 Artifact ID
     const artifactId = generateArtifactId(metadata.idp.getEntityID());
-    // 3. Cache the SAML Response XML using the artifactId as the key
-    // TODO: Implement your Redis caching logic here
-    // Example:
-    // const redisExpirySeconds = 300; // e.g., expire after 5 minutes
-    // await redis.setex(`artifact_cache:${artifactId}`, redisExpirySeconds, samlResponseXml);
-    // --- INSERT YOUR REDIS LOGIC HERE ---
-    // Example: await cacheInRedis(artifactId, samlResponseXml);
-    // 4. Prepare config for SOAP signing (reusing IDP settings)
+    // Prepare config for SOAP signing
     const idpSetting = entity.idp.entitySetting;
     const spSetting = entity.sp.entitySetting;
     const config = {
@@ -199,31 +186,26 @@ async function soapLoginResponse(params) {
         signingCert: metadata.idp.getX509Certificate('signing'),
         isBase64Output: false,
     };
-    // 5. Construct the SOAP Envelope containing the Artifact ID
-    // This is CORRECT - in the initial response we only send the artifact ID
-    // The actual SAML response will be retrieved by the SP using the artifact resolution service
+    // Construct the SOAP Envelope containing the ArtifactResponse with SAML Response
     const soapBodyContent = `<samlp:ArtifactResponse
-                     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
-                                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-                                  ID="${samlResponseResult.id}_artifact_resp"
-                                  InResponseTo="${params.requestInfo?.extract?.request?.id || ''}"
-                                  Version="2.0"
-                                  IssueInstant="${new Date().toISOString()}">
-                                       <saml2:Issuer>${metadata.idp.getEntityID()}</saml2:Issuer>
+        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+        ID="${samlResponseResult.id}_artifact_resp"
+        InResponseTo="${params.requestInfo?.extract?.request?.id || ''}"
+        Version="2.0"
+        IssueInstant="${new Date().toISOString()}">
+        <saml2:Issuer>${metadata.idp.getEntityID()}</saml2:Issuer>
         <samlp:Status>
             <samlp:StatusCode Value="${StatusCode.Success}"/>
         </samlp:Status>
-       ${samlResponseXml}
+        ${samlResponseXml}
     </samlp:ArtifactResponse>`;
     const soapEnvelope = `
 <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
     <soap:Header/>
     <soap:Body>${soapBodyContent}</soap:Body>
 </soap:Envelope>`;
-    // 6. Sign the SOAP Envelope
-    // Reference the Body element for signature
-    // @ts-ignore
-    // @ts-ignore
+    // Sign the SOAP Envelope
     const signedSoapEnvelope = libsaml.constructSAMLSignature({
         ...config,
         rawSamlMessage: soapEnvelope,
@@ -233,33 +215,40 @@ async function soapLoginResponse(params) {
         signatureConfig: {
             prefix: 'ds',
             location: {
-                // Place signature inside the ArtifactResponse element, before the Status element
                 reference: "/*[local-name(.)='Envelope']/*[local-name(.)='Body']/*[local-name(.)='ArtifactResponse']/*[local-name(.)='Status']",
                 action: 'before'
             },
         },
     });
-    // 7. Return the Artifact ID and the Base64 encoded signed SOAP message
+    // Return the Artifact ID and the Base64 encoded signed SOAP message
     return {
-        id: artifactId, // This is the key you'll need for resolving the artifact later
-        context: utility.base64Encode(signedSoapEnvelope), // The SOAP message to send back
+        id: artifactId,
+        context: utility.base64Encode(signedSoapEnvelope),
     };
 }
+/**
+ * @desc Parse and validate Artifact Resolve request
+ * @param {object} params
+ * @param {IdentityProvider} params.idp Identity Provider instance
+ * @param {ServiceProvider} params.sp Service Provider instance
+ * @param {string} params.xml SOAP request XML string
+ * @returns {Promise}
+ */
 async function parseLoginRequestResolve(params) {
-    let { idp, sp, xml, } = params;
+    const { idp, sp, xml } = params;
     const verificationOptions = {
         metadata: idp.entityMeta,
         signatureAlgorithm: idp.entitySetting.requestSignatureAlgorithm,
     };
-    let res = await libsaml.isValidXml(xml, true).catch((error) => {
+    // Validate XML
+    let res = await libsaml.isValidXml(xml, true).catch(() => {
         return Promise.reject('ERR_EXCEPTION_VALIDATE_XML');
     });
     if (res !== true) {
         return Promise.reject('ERR_EXCEPTION_VALIDATE_XML');
     }
-    /** 首先先验证签名*/
-    // @ts-ignore
-    let [verify, xmlString, isEncrypted, noSignature] = await libsamlSoap.verifyAndDecryptSoapMessage(xml, verificationOptions);
+    // Verify and decrypt SOAP message
+    let [verify, xmlString] = await libsamlSoap.verifyAndDecryptSoapMessage(xml, verificationOptions);
     if (!verify) {
         return Promise.reject('ERR_FAIL_TO_VERIFY_SIGNATURE');
     }
@@ -267,25 +256,32 @@ async function parseLoginRequestResolve(params) {
         samlContent: xmlString,
         extract: extract(xmlString, artifactResolveFields),
     };
-    /**
-     *  Validation part: validate the context of response after signature is verified and decrypted (optional)
-     */
+    // Validation
     const targetEntityMetadata = sp.entityMeta;
     const issuer = targetEntityMetadata.getEntityID();
     const extractedProperties = parseResult.extract;
-    // unmatched issuer
+    // Check issuer
     if (extractedProperties.issuer !== issuer) {
         return Promise.reject('ERR_UNMATCH_ISSUER');
     }
-    // invalid session time
-    // only run the verifyTime when `SessionNotOnOrAfter` exists
-    if (!verifyTime(undefined, new Date(new Date(extractedProperties.request.issueInstant).getTime() + 5 * 60 * 1000).toISOString(), sp.entitySetting.clockDrifts)) {
+    // Check time validity (5 minutes from issue instant)
+    const issueInstant = new Date(extractedProperties.request.issueInstant);
+    const expiryTime = new Date(issueInstant.getTime() + 5 * 60 * 1000);
+    if (!verifyTime(undefined, expiryTime.toISOString(), sp.entitySetting.clockDrifts)) {
         return Promise.reject('ERR_EXPIRED_SESSION');
     }
     return Promise.resolve(parseResult);
 }
+/**
+ * @desc Parse and validate Artifact Resolve response
+ * @param {object} params
+ * @param {IdentityProvider} params.idp Identity Provider instance
+ * @param {ServiceProvider} params.sp Service Provider instance
+ * @param {string} params.art Artifact string
+ * @returns {Promise}
+ */
 async function parseLoginResponseResolve(params) {
-    let { idp, sp, art } = params;
+    const { idp, sp, art } = params;
     const metadata = {
         idp: idp.entityMeta,
         sp: sp.entityMeta,
@@ -294,14 +290,11 @@ async function parseLoginResponseResolve(params) {
         metadata: idp.entityMeta,
         signatureAlgorithm: idp.entitySetting.requestSignatureAlgorithm,
     };
-    let parserType = 'SAMLResponse';
-    /** 断言是否加密应根据响应里面的字段判断*/
-    let decryptRequired = idp.entitySetting.isAssertionEncrypted;
-    let extractorFields = [];
-    let samlContent = '';
+    const parserType = ParserType.SAMLResponse;
     const spSetting = sp.entitySetting;
-    let ID = '_' + randomUUID();
-    let url = metadata.idp.getArtifactResolutionService('soap');
+    const ID = '_' + randomUUID();
+    const url = metadata.idp.getArtifactResolutionService('soap');
+    // Construct ArtifactResolve request
     let samlSoapRaw = libsaml.replaceTagsByValue(libsaml.defaultArtifactResolveTemplate.context, {
         ID: ID,
         Destination: url,
@@ -309,31 +302,36 @@ async function parseLoginResponseResolve(params) {
         IssueInstant: new Date().toISOString(),
         Art: art
     });
+    let samlContent;
+    // Send signed or unsigned ArtifactResolve based on IdP configuration
     if (!metadata.idp.isWantAuthnRequestsSigned()) {
         samlContent = await sendArtifactResolve(url, samlSoapRaw);
-        // check status based on different scenarios
-        // validate the xml
+        // Validate XML
         try {
             await libsaml.isValidXml(samlContent, true);
         }
-        catch (e) {
+        catch {
             return Promise.reject('ERR_INVALID_XML');
         }
         await checkStatus(samlContent, parserType, true);
+        // Verify and decrypt SOAP response
+        const [verified, verifiedAssertionNode, isDecryptRequired] = await libsamlSoap.verifyAndDecryptSoapMessage(samlContent, verificationOptions);
+        if (!verified) {
+            return Promise.reject('ERR_FAIL_TO_VERIFY_ETS_SIGNATURE');
+        }
+        samlContent = verifiedAssertionNode;
     }
-    if (metadata.idp.isWantAuthnRequestsSigned()) {
+    else {
         const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm, transformationAlgorithms } = spSetting;
-        //@ts-ignore
-        let signatureSoap = libsaml.constructSAMLSignature({
+        // Sign the ArtifactResolve request
+        const signatureSoap = libsaml.constructSAMLSignature({
             referenceTagXPath: "//*[local-name(.)='ArtifactResolve']",
             isMessageSigned: false,
             isBase64Output: false,
             transformationAlgorithms: transformationAlgorithms,
-            //@ts-ignore
-            privateKey,
+            privateKey: privateKey,
             privateKeyPass,
-            //@ts-ignore
-            signatureAlgorithm,
+            signatureAlgorithm: signatureAlgorithm,
             rawSamlMessage: samlSoapRaw,
             signingCert: metadata.sp.getX509Certificate('signing'),
             signatureConfig: {
@@ -345,26 +343,23 @@ async function parseLoginResponseResolve(params) {
             }
         });
         samlContent = await sendArtifactResolve(url, signatureSoap);
-        // check status based on different scenarios
-        // validate the xml
+        // Validate XML
         try {
             await libsaml.isValidXml(samlContent, true);
         }
-        catch (e) {
+        catch {
             return Promise.reject('ERR_INVALID_XML');
         }
         await checkStatus(samlContent, parserType, true);
-        const [verified1, verifiedAssertionNode1, isDecryptRequired1, noSignature1] = await libsamlSoap.verifyAndDecryptSoapMessage(samlContent, verificationOptions);
-        /*            decryptRequired = isDecryptRequired*/
+        // Verify and decrypt SOAP response
+        const [verified1, verifiedAssertionNode1, isDecryptRequired1] = await libsamlSoap.verifyAndDecryptSoapMessage(samlContent, verificationOptions);
         if (!verified1) {
             return Promise.reject('ERR_FAIL_TO_VERIFY_ETS_SIGNATURE');
         }
         samlContent = verifiedAssertionNode1;
-        // 改进的postFlow函数中关于签名验证的部分
-        const verificationResult = await libsaml.verifySignature(samlContent, verificationOptions, self);
-        // 检查验证结果
+        // Verify SAML signature and decrypt if needed
+        const verificationResult = await libsaml.verifySignature(samlContent, verificationOptions, sp);
         if (!verificationResult.status) {
-            // 如果验证失败，根据具体情况返回错误
             if (verificationResult.isMessageSigned && !verificationResult.MessageSignatureStatus) {
                 return Promise.reject('ERR_FAIL_TO_VERIFY_MESSAGE_SIGNATURE');
             }
@@ -374,109 +369,51 @@ async function parseLoginResponseResolve(params) {
             if (verificationResult.encrypted && !verificationResult.decrypted) {
                 return Promise.reject('ERR_FAIL_TO_DECRYPT_ASSERTION');
             }
-            // 通用验证失败
             return Promise.reject('ERR_FAIL_TO_VERIFY_SIGNATURE_OR_DECRYPTION');
         }
-        // 更新samlContent为验证后的版本（可能已解密）
         samlContent = verificationResult.samlContent;
-        // 根据验证结果设置extractorFields
-        if (verificationResult.assertionContent) {
-            extractorFields = getDefaultExtractorFields(parserType, verificationResult.assertionContent);
-        }
-        else {
-            // 如果没有断言内容（例如注销请求/响应），使用适当的处理方式
-            extractorFields = getDefaultExtractorFields(parserType, null);
-        }
-        const parseResult = {
-            samlContent: samlContent,
-            extract: extract(samlContent, extractorFields),
-        };
-        /**
-         *  Validation part: validate the context of response after signature is verified and decrypted (optional)
-         */
-        const targetEntityMetadata = idp.entityMeta;
-        const issuer = targetEntityMetadata.getEntityID();
-        const extractedProperties = parseResult.extract;
-        // unmatched issuer
-        if ((parserType === 'LogoutResponse' || parserType === 'SAMLResponse')
-            && extractedProperties
-            && extractedProperties.issuer !== issuer) {
-            return Promise.reject('ERR_UNMATCH_ISSUER');
-        }
-        // invalid session time
-        // only run the verifyTime when `SessionNotOnOrAfter` exists
-        if (parserType === 'SAMLResponse'
-            && extractedProperties.sessionIndex.sessionNotOnOrAfter
-            && !verifyTime(undefined, extractedProperties.sessionIndex.sessionNotOnOrAfter, sp.entitySetting.clockDrifts)) {
-            return Promise.reject('ERR_EXPIRED_SESSION');
-        }
-        // invalid time
-        // 2.4.1.2 https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
-        if (parserType === 'SAMLResponse'
-            && extractedProperties.conditions
-            && !verifyTime(extractedProperties.conditions.notBefore, extractedProperties.conditions.notOnOrAfter, sp.entitySetting.clockDrifts)) {
-            return Promise.reject('ERR_SUBJECT_UNCONFIRMED');
-        }
-        return Promise.resolve(parseResult);
+    }
+    // Extract fields
+    let extractorFields;
+    if (parserType === 'SAMLResponse') {
+        extractorFields = getDefaultExtractorFields(parserType, samlContent);
+    }
+    else {
+        extractorFields = getDefaultExtractorFields(parserType, null);
     }
     const parseResult = {
         samlContent: samlContent,
         extract: extract(samlContent, extractorFields),
     };
-    /**
-     *  Validation part: validate the context of response after signature is verified and decrypted (optional)
-     */
+    // Validation
     const targetEntityMetadata = idp.entityMeta;
     const issuer = targetEntityMetadata.getEntityID();
     const extractedProperties = parseResult.extract;
-    // unmatched issuer
-    if ((parserType === 'LogoutResponse' || parserType === 'SAMLResponse')
+    // Check issuer
+    if (parserType === ParserType.SAMLResponse
         && extractedProperties
         && extractedProperties.issuer !== issuer) {
         return Promise.reject('ERR_UNMATCH_ISSUER');
     }
-    // invalid session time
-    // only run the verifyTime when `SessionNotOnOrAfter` exists
+    // Check session time
     if (parserType === 'SAMLResponse'
         && extractedProperties.sessionIndex.sessionNotOnOrAfter
         && !verifyTime(undefined, extractedProperties.sessionIndex.sessionNotOnOrAfter, sp.entitySetting.clockDrifts)) {
         return Promise.reject('ERR_EXPIRED_SESSION');
     }
-    // invalid time
-    // 2.4.1.2 https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
+    // Check conditions time
     if (parserType === 'SAMLResponse'
         && extractedProperties.conditions
         && !verifyTime(extractedProperties.conditions.notBefore, extractedProperties.conditions.notOnOrAfter, sp.entitySetting.clockDrifts)) {
         return Promise.reject('ERR_SUBJECT_UNCONFIRMED');
     }
-    //valid destination
-    //There is no validation of the response here. The upper-layer application
-    // should verify the result by itself to see if the destination is equal to the SP acs and
-    // whether the response.id is used to prevent replay attacks.
-    /*
-        let destination = extractedProperties?.response?.destination
-        let isExit = self.entitySetting?.assertionConsumerService?.filter((item) => {
-            return item?.Location === destination
-        })
-        if (isExit?.length === 0) {
-            return Promise.reject('ERR_Destination_URL');
-        }
-        if (parserType === 'SAMLResponse') {
-            let destination = extractedProperties?.response?.destination
-            let isExit = self.entitySetting?.assertionConsumerService?.filter((item: { Location: any; }) => {
-                return item?.Location === destination
-            })
-            if (isExit?.length === 0) {
-                return Promise.reject('ERR_Destination_URL');
-            }
-        }
-    */
     return Promise.resolve(parseResult);
 }
-const artifactSignBinding = {
-    parseLoginRequestResolve,
+const artifactBinding = {
     soapLoginRequest,
-    parseLoginResponseResolve,
     soapLoginResponse,
+    parseLoginRequestResolve,
+    parseLoginResponseResolve,
+    generateArtifactId,
 };
-export default artifactSignBinding;
+export default artifactBinding;

package/build/src/entity-idp.js

@@ -68,7 +68,7 @@ export class IdentityProvider extends Entity {
                     sp,
                 }, user, relayState, customTagReplacement, AttributeStatement);
             case namespace.binding.artifact:
-                return artifactBinding.soapLoginResponse({
+                context = await artifactBinding.soapLoginResponse({
                     requestInfo,
                     entity: {
                         idp: this,
@@ -80,6 +80,7 @@ export class IdentityProvider extends Entity {
                     AttributeStatement,
                     idpInit,
                 });
+                break;
             default:
                 throw new Error('ERR_CREATE_RESPONSE_UNDEFINED_BINDING');
         }