samlesa 4.3.1 → 4.3.3

package/build/src/binding-redirect.js

@@ -50,7 +50,10 @@ function buildRedirectURL(opts) {
         const octetString = samlRequest + relayState + sigAlg;
         return baseUrl
             + pvPair(queryParam, octetString, noParams)
-            + pvPair(urlParams.signature, encodeURIComponent(libsaml.constructMessageSignature(queryParam + '=' + octetString, entitySetting.privateKey, entitySetting.privateKeyPass, undefined, entitySetting.requestSignatureAlgorithm).toString()));
+            + pvPair(urlParams.signature, encodeURIComponent(libsaml.constructMessageSignature(queryParam + '=' + octetString, entitySetting.privateKey, entitySetting.privateKeyPass, undefined, entitySetting.requestSignatureAlgorithm, {
+                strictSecurity: entitySetting.strictSecurity,
+                allowLegacySha1: entitySetting.allowLegacySha1,
+            }).toString()));
     }
     return baseUrl + pvPair(queryParam, samlRequest + relayState, noParams);
 }

package/build/src/binding-simplesign.js

@@ -36,7 +36,10 @@ function buildSimpleSignature(opts) {
     }
     const sigAlg = pvPair(urlParams.sigAlg, entitySetting.requestSignatureAlgorithm);
     const octetString = context + relayState + sigAlg;
-    return libsaml.constructMessageSignature(queryParam + '=' + octetString, entitySetting.privateKey, entitySetting.privateKeyPass, undefined, entitySetting.requestSignatureAlgorithm).toString();
+    return libsaml.constructMessageSignature(queryParam + '=' + octetString, entitySetting.privateKey, entitySetting.privateKeyPass, undefined, entitySetting.requestSignatureAlgorithm, {
+        strictSecurity: entitySetting.strictSecurity,
+        allowLegacySha1: entitySetting.allowLegacySha1,
+    }).toString();
 }
 /**
 * @desc Generate a base64 encoded login request

package/build/src/entity-sp.js

@@ -42,7 +42,8 @@ export class ServiceProvider extends Entity {
     createLoginRequest(idp, binding = 'redirect', customTagReplacement) {
         const nsBinding = namespace.binding;
         const protocol = nsBinding[binding];
-        if (this.entityMeta.isAuthnRequestSigned() !== idp.entityMeta.isWantAuthnRequestsSigned()) {
+        const strictSecurity = this.entitySetting.strictSecurity !== false;
+        if (strictSecurity && this.entityMeta.isAuthnRequestSigned() !== idp.entityMeta.isWantAuthnRequestsSigned()) {
             throw new Error('ERR_METADATA_CONFLICT_REQUEST_SIGNED_FLAG');
         }
         let context = null;

package/build/src/entity.js

@@ -16,6 +16,8 @@ const keyEncryptionAlgorithm = algorithms.encryption.key;
 const signatureAlgorithms = algorithms.signature;
 const messageSigningOrders = messageConfigurations.signingOrder;
 const defaultEntitySetting = {
+    strictSecurity: true,
+    allowLegacySha1: false,
     wantLogoutResponseSigned: false,
     messageSigningOrder: messageSigningOrders.SIGN_THEN_ENCRYPT,
     wantLogoutRequestSigned: false,
@@ -34,6 +36,10 @@ export default class Entity {
     */
     constructor(entitySetting, entityType) {
         this.entitySetting = Object.assign({}, defaultEntitySetting, entitySetting);
+        const rawEntitySetting = entitySetting;
+        if (this.entitySetting.strictSecurity === false && rawEntitySetting.allowLegacySha1 === undefined) {
+            this.entitySetting.allowLegacySha1 = true;
+        }
         const metadata = entitySetting.metadata || entitySetting;
         switch (entityType) {
             case 'idp':

package/build/src/flow.js

@@ -77,7 +77,10 @@ async function redirectFlow(options) {
         // put the below two assignments into verifyMessageSignature function
         const base64Signature = Buffer.from(decodeURIComponent(signature), 'base64');
         const decodeSigAlg = decodeURIComponent(sigAlg);
-        const verified = libsaml.verifyMessageSignature(targetEntityMetadata, octetString, base64Signature, sigAlg);
+        const verified = libsaml.verifyMessageSignature(targetEntityMetadata, octetString, base64Signature, sigAlg, {
+            strictSecurity: self?.entitySetting?.strictSecurity,
+            allowLegacySha1: self?.entitySetting?.allowLegacySha1,
+        });
         if (!verified) {
             // Fail to verify message signature
             return Promise.reject('ERR_FAILED_MESSAGE_SIGNATURE_VERIFICATION');
@@ -478,7 +481,10 @@ async function postSimpleSignFlow(options) {
         }
         // put the below two assignments into verifyMessageSignature function
         const base64Signature = Buffer.from(signature, 'base64');
-        const verified = libsaml.verifyMessageSignature(targetEntityMetadata, octetString, base64Signature, sigAlg);
+        const verified = libsaml.verifyMessageSignature(targetEntityMetadata, octetString, base64Signature, sigAlg, {
+            strictSecurity: self?.entitySetting?.strictSecurity,
+            allowLegacySha1: self?.entitySetting?.allowLegacySha1,
+        });
         if (!verified) {
             // Fail to verify message signature
             return Promise.reject('ERR_FAILED_MESSAGE_SIGNATURE_VERIFICATION');

package/build/src/libsaml.js

@@ -67,6 +67,44 @@ const libSaml = () => {
             unsafeSignatureAlgorithm: isUnsafe ? signatureAlgorithm : null
         };
     }
+    function getEnvironmentBoolean(name) {
+        const rawValue = process.env[name];
+        if (rawValue === undefined) {
+            return undefined;
+        }
+        const normalized = rawValue.trim().toLowerCase();
+        if (['1', 'true', 'yes', 'on'].includes(normalized)) {
+            return true;
+        }
+        if (['0', 'false', 'no', 'off'].includes(normalized)) {
+            return false;
+        }
+        return undefined;
+    }
+    function resolveAllowLegacySha1(securityOptions, self) {
+        if (securityOptions?.allowLegacySha1 !== undefined) {
+            return securityOptions.allowLegacySha1;
+        }
+        if (securityOptions?.strictSecurity !== undefined) {
+            return securityOptions.strictSecurity === false;
+        }
+        const envAllowLegacy = getEnvironmentBoolean('SAMLIFY_ALLOW_LEGACY_SHA1');
+        if (envAllowLegacy !== undefined) {
+            return envAllowLegacy;
+        }
+        const envStrictSecurity = getEnvironmentBoolean('SAMLIFY_STRICT_SECURITY');
+        if (envStrictSecurity !== undefined) {
+            return envStrictSecurity === false;
+        }
+        const entitySetting = self?.entitySetting;
+        if (entitySetting?.allowLegacySha1 !== undefined) {
+            return entitySetting.allowLegacySha1 === true;
+        }
+        if (entitySetting?.strictSecurity !== undefined) {
+            return entitySetting.strictSecurity === false;
+        }
+        return false;
+    }
     /**
      * @desc Default login request template
      * @type {LoginRequestTemplate}
@@ -166,14 +204,17 @@ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="{ID}"
         'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384': 'sha384',
         'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512': 'sha512',
     };
-    function getSigningAlgorithm(sigAlg) {
-        if (sigAlg) {
-            const algAlias = cryptoAlgorithmMapping[sigAlg];
-            if (algAlias !== undefined) {
-                return algAlias;
-            }
+    function getSigningAlgorithm(sigAlg, securityOptions, self) {
+        const algorithm = sigAlg ?? signatureAlgorithms.RSA_SHA256;
+        const safetyCheck = checkUnsafeSignatureAlgorithm(algorithm);
+        if (safetyCheck.hasUnsafeSignatureAlgorithm && !resolveAllowLegacySha1(securityOptions, self)) {
+            throw new Error('ERR_UNSAFE_SIGNATURE_ALGORITHM');
+        }
+        const algAlias = cryptoAlgorithmMapping[algorithm];
+        if (algAlias !== undefined) {
+            return algAlias;
         }
-        return cryptoAlgorithmMapping[signatureAlgorithms.RSA_SHA1];
+        throw new Error('ERR_UNSUPPORTED_SIGNATURE_ALGORITHM');
     }
     function validateAndInflateSamlResponse(urlEncodedResponse) {
         // 3. 尝试DEFLATE解压（SAML规范要求使用原始DEFLATE）
@@ -514,6 +555,9 @@ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="{ID}"
                     const checkResult = checkUnsafeSignatureAlgorithm(signatureAlgorithm);
                     hasUnsafeSignatureAlgorithm = checkResult.hasUnsafeSignatureAlgorithm;
                     unsafeSignatureAlgorithm = checkResult.unsafeSignatureAlgorithm ?? "";
+                    if (checkResult.hasUnsafeSignatureAlgorithm && !resolveAllowLegacySha1(opts, self)) {
+                        throw new Error('ERR_UNSAFE_SIGNATURE_ALGORITHM');
+                    }
                     const sig = new SignedXml();
                     if (!opts.keyFile && !opts.metadata) {
                         throw new Error('ERR_UNDEFINED_SIGNATURE_VERIFIER_OPTIONS');
@@ -565,6 +609,9 @@ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="{ID}"
                 const checkResult = checkUnsafeSignatureAlgorithm(signatureAlgorithm);
                 hasUnsafeSignatureAlgorithm = checkResult.hasUnsafeSignatureAlgorithm;
                 unsafeSignatureAlgorithm = checkResult.unsafeSignatureAlgorithm ?? "";
+                if (checkResult.hasUnsafeSignatureAlgorithm && !resolveAllowLegacySha1(opts, self)) {
+                    throw new Error('ERR_UNSAFE_SIGNATURE_ALGORITHM');
+                }
                 const sig = new SignedXml();
                 if (!opts.keyFile && !opts.metadata) {
                     throw new Error('ERR_UNDEFINED_SIGNATURE_VERIFIER_OPTIONS');
@@ -605,6 +652,9 @@ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="{ID}"
                 const checkResult = checkUnsafeSignatureAlgorithm(signatureAlgorithm);
                 hasUnsafeSignatureAlgorithm = checkResult.hasUnsafeSignatureAlgorithm;
                 unsafeSignatureAlgorithm = checkResult.unsafeSignatureAlgorithm ?? "";
+                if (checkResult.hasUnsafeSignatureAlgorithm && !resolveAllowLegacySha1(opts, self)) {
+                    throw new Error('ERR_UNSAFE_SIGNATURE_ALGORITHM');
+                }
                 const sig = new SignedXml();
                 if (!opts.keyFile && !opts.metadata) {
                     throw new Error('ERR_UNDEFINED_SIGNATURE_VERIFIER_OPTIONS');
@@ -762,6 +812,9 @@ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="{ID}"
                 let verified = false;
                 // 检测不安全的签名算法
                 const { hasUnsafeSignatureAlgorithm, unsafeSignatureAlgorithm } = checkUnsafeSignatureAlgorithm(opts.signatureAlgorithm || '');
+                if (hasUnsafeSignatureAlgorithm && !resolveAllowLegacySha1(opts)) {
+                    throw new Error('ERR_UNSAFE_SIGNATURE_ALGORITHM');
+                }
                 sig.signatureAlgorithm = opts.signatureAlgorithm;
                 if (!opts.keyFile && !opts.metadata) {
                     throw new Error('ERR_UNDEFINED_SIGNATURE_VERIFIER_OPTIONS');
@@ -866,9 +919,9 @@ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="{ID}"
          * @param signingAlgorithm - 签名算法 (默认 'rsa-sha256')
          * @returns 消息签名
          */
-        constructMessageSignature(octetString, key, passphrase, isBase64, signingAlgorithm) {
+        constructMessageSignature(octetString, key, passphrase, isBase64, signingAlgorithm, securityOptions) {
             try {
-                const algorithm = getSigningAlgorithm(signingAlgorithm ?? signatureAlgorithms.RSA_SHA256);
+                const algorithm = getSigningAlgorithm(signingAlgorithm ?? signatureAlgorithms.RSA_SHA256, securityOptions);
                 const privateKeyPem = utility.readPrivateKey(key, passphrase); // 假设utility对象存在
                 const signer = crypto.createSign(algorithm);
                 signer.update(octetString, 'utf8');
@@ -893,10 +946,10 @@ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="{ID}"
          * @return {boolean} verification result
          */
         verifyMessageSignature(metadata, // 假设metadata对象有getX509Certificate方法
-        octetString, signature, verifyAlgorithm) {
+        octetString, signature, verifyAlgorithm, securityOptions) {
             try {
                 const signCert = metadata.getX509Certificate('signing'); // 假设certUse.signing是'signing'
-                const algorithm = getSigningAlgorithm(verifyAlgorithm);
+                const algorithm = getSigningAlgorithm(verifyAlgorithm, securityOptions);
                 const publicKeyPem = utility.getPublicKeyPemFromCertificate(signCert); // 假设utility对象存在
                 const verifier = crypto.createVerify(algorithm);
                 verifier.update(octetString, 'utf8');
@@ -960,7 +1013,7 @@ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="{ID}"
                         pem: Buffer.from(`-----BEGIN CERTIFICATE-----${encryptPem}-----END CERTIFICATE-----`),
                         encryptionAlgorithm: sourceEntitySetting.dataEncryptionAlgorithm,
                         keyEncryptionAlgorithm: sourceEntitySetting.keyEncryptionAlgorithm,
-                        keyEncryptionDigest: sourceEntitySetting.keyEncryptionDigest ?? 'sha1', //default sha256
+                        keyEncryptionDigest: sourceEntitySetting.keyEncryptionDigest ?? 'sha256', // default sha256
                         keyEncryptionMgf1: sourceEntitySetting.keyEncryptionMgf1 ?? 'sha256',
                         disallowEncryptionWithInsecureAlgorithm: sourceEntitySetting.disallowEncryptionWithInsecureAlgorithm, // 禁止使用rsa-1_5  tripledes-cbc
                         disallowInsecureEncryption: sourceEntitySetting.disallowInsecureEncryption, //禁aes cbc系列加密算法
@@ -1031,6 +1084,9 @@ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="{ID}"
                 let checkResult = checkUnsafeSignatureAlgorithm(signatureAlgorithm.value || '');
                 hasUnsafeSignatureAlgorithm = checkResult.hasUnsafeSignatureAlgorithm;
                 unsafeSignatureAlgorithm = checkResult.unsafeSignatureAlgorithm ?? "";
+                if (checkResult.hasUnsafeSignatureAlgorithm && !resolveAllowLegacySha1(opts, here)) {
+                    throw new Error('ERR_UNSAFE_SIGNATURE_ALGORITHM');
+                }
                 const sig = new SignedXml();
                 if (!opts.keyFile && !opts.metadata) {
                     throw new Error('ERR_UNDEFINED_SIGNATURE_VERIFIER_OPTIONS');
@@ -1061,6 +1117,9 @@ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="{ID}"
                 let checkSafeResult = checkUnsafeSignatureAlgorithm(opts.signatureAlgorithm || '');
                 hasUnsafeSignatureAlgorithm = checkSafeResult.hasUnsafeSignatureAlgorithm;
                 unsafeSignatureAlgorithm = checkSafeResult.unsafeSignatureAlgorithm ?? "";
+                if (checkSafeResult.hasUnsafeSignatureAlgorithm && !resolveAllowLegacySha1(opts, here)) {
+                    throw new Error('ERR_UNSAFE_SIGNATURE_ALGORITHM');
+                }
                 sig.signatureAlgorithm = opts.signatureAlgorithm;
                 sig.loadSignature(signatureNode);
                 // 验证解密后断言的签名

package/build/src/metadata-idp.js

@@ -18,7 +18,10 @@ export class IdpMetadata extends Metadata {
     constructor(meta) {
         const isFile = isString(meta) || meta instanceof Buffer;
         if (!isFile) {
-            const { entityID, signingCert, encryptCert, wantAuthnRequestsSigned = false, nameIDFormat = [], singleSignOnService = [], singleLogoutService = [], artifactResolutionService = [] } = meta;
+            const settings = meta;
+            const strictSecurity = settings.strictSecurity === true;
+            const { entityID, signingCert, encryptCert, nameIDFormat = [], singleSignOnService = [], singleLogoutService = [], artifactResolutionService = [] } = settings;
+            const wantAuthnRequestsSigned = settings.wantAuthnRequestsSigned ?? strictSecurity;
             const IDPSSODescriptor = [{
                     _attr: {
                         WantAuthnRequestsSigned: String(wantAuthnRequestsSigned),

package/build/src/metadata-sp.js

@@ -26,7 +26,11 @@ export class SpMetadata extends Metadata {
         const isFile = isString(meta) || meta instanceof Buffer;
         // use object configuration instead of importing metadata file directly
         if (!isFile) {
-            const { elementsOrder = order.default, entityID, signingCert, encryptCert, authnRequestsSigned = false, wantAssertionsSigned = false, wantMessageSigned = false, signatureConfig, nameIDFormat = [], singleLogoutService = [], assertionConsumerService = [], attributeConsumingService = [], artifactResolutionService = [] } = meta;
+            const settings = meta;
+            const strictSecurity = settings.strictSecurity === true;
+            const { elementsOrder = order.default, entityID, signingCert, encryptCert, wantMessageSigned = false, signatureConfig, nameIDFormat = [], singleLogoutService = [], assertionConsumerService = [], attributeConsumingService = [], artifactResolutionService = [] } = settings;
+            const authnRequestsSigned = settings.authnRequestsSigned ?? strictSecurity;
+            const wantAssertionsSigned = settings.wantAssertionsSigned ?? strictSecurity;
             const descriptors = {
                 KeyDescriptor: [],
                 NameIDFormat: [],
@@ -217,186 +221,153 @@ export class SpMetadata extends Metadata {
     * @return {boolean} Wantassertionssigned
     */
     isWantAssertionsSigned() {
-        return this.meta.spSSODescriptor.wantAssertionsSigned === 'true';
+        const value = this.meta.spSSODescriptor.wantAssertionsSigned;
+        if (value === undefined) {
+            return false;
+        }
+        return value === 'true';
     }
     /**
     * @desc Get the preference whether it signs request
     * @return {boolean} Authnrequestssigned
     */
     isAuthnRequestSigned() {
-        return this.meta.spSSODescriptor.authnRequestsSigned === 'true';
+        const value = this.meta.spSSODescriptor.authnRequestsSigned;
+        if (value === undefined) {
+            return false;
+        }
+        return value === 'true';
     }
-    /**
-    * @desc Get the entity endpoint for assertion consumer service
-    * @param  {string} binding         protocol binding (e.g. redirect, post)
-    * @return {string/[string]} URL of endpoint(s)
-    */
-    getAssertionConsumerService(binding) {
-        // 1. 预处理 binding 参数
-        // 如果 binding 不是字符串，视为“未指定 Binding 偏好”，直接进入全局兜底逻辑 (Fallback Mode)
-        let targetBindingName = null;
-        let useFallbackMode = false;
-        if (typeof binding === 'string') {
-            const resolved = namespace.binding[binding];
-            if (resolved) {
-                targetBindingName = resolved;
+    getAssertionConsumerService(binding, options = {}) {
+        const mode = options.mode ?? 'lenient';
+        const normalizeBinding = (value) => String(value ?? '').trim().toLowerCase();
+        const normalizeLocation = (value) => String(value ?? '').trim();
+        const parseBool = (value) => {
+            if (typeof value === 'boolean')
+                return value;
+            if (typeof value === 'string') {
+                const t = value.trim().toLowerCase();
+                if (t === 'true')
+                    return true;
+                if (t === 'false')
+                    return false;
             }
-            else {
-                // 字符串传入了但 namespace 里没找到，也视为无效，进入兜底
-                //console.warn(`[ACS Selection] 未知的 binding 键值: ${binding}, 将启用全局兜底策略.`);
-                useFallbackMode = true;
+            return null;
+        };
+        const parseIndex = (value) => {
+            if (value === undefined || value === null || String(value).trim() === '')
+                return Number.POSITIVE_INFINITY;
+            const n = Number.parseInt(String(value), 10);
+            return Number.isNaN(n) ? Number.POSITIVE_INFINITY : n;
+        };
+        const indexHint = parseIndex(options.assertionConsumerServiceIndex);
+        const hasIndexHint = Number.isFinite(indexHint);
+        const toSafeLocation = (value) => {
+            const text = String(value || '').trim();
+            // 仅校验协议前缀，保持原始字符串不被规范化改写（兼容历史用例：如 "https:sp.example.org/..."）
+            if (/^https?:/i.test(text)) {
+                return text;
             }
-        }
-        else {
-            // 非字符串类型 (null, undefined, object 等)，直接启用兜底
-            // console.warn(`[ACS Selection] binding 参数类型错误 (${typeof binding}), 将启用全局兜底策略.`);
-            useFallbackMode = true;
-        }
-        const acsData = this.meta.assertionConsumerService;
-        // 2. 标准化数据为数组
-        let allCandidates = [];
-        if (Array.isArray(acsData)) {
-            allCandidates = acsData;
-        }
-        else if (acsData && typeof acsData === 'object') {
-            allCandidates = [acsData];
-        }
-        else {
-            // 数据源本身为空，直接报错
-            return "";
-            /*          throw new Error("SAML Metadata Error: No AssertionConsumerService definitions found in metadata.");*/
-        }
-        if (allCandidates.length === 0) {
-            return "";
-            /*  throw new Error("SAML Metadata Error: AssertionConsumerService list is empty.");*/
-        }
-        /**
-         * 核心排序与选择函数
-         * 输入一个候选数组，返回最佳的一个对象
-         */
-        const selectBestFromList = (list) => {
+            return '';
+        };
+        const resolveBindingUri = (input) => {
+            if (typeof input !== 'string')
+                return null;
+            const raw = input.trim();
+            if (!raw)
+                return null;
+            const byKey = namespace.binding[raw];
+            if (typeof byKey === 'string')
+                return byKey;
+            const lower = raw.toLowerCase();
+            const candidates = Object.values(namespace.binding).filter((v) => typeof v === 'string');
+            const byUri = candidates.find((v) => v.toLowerCase() === lower);
+            if (byUri)
+                return byUri;
+            const aliasMap = {
+                post: namespace.binding.post,
+                redirect: namespace.binding.redirect,
+                artifact: namespace.binding.artifact,
+                simplesign: namespace.binding.simpleSign,
+                'simple-sign': namespace.binding.simpleSign,
+                soap: namespace.binding.soap,
+            };
+            return aliasMap[lower] || null;
+        };
+        const sortCandidates = (list) => [...list].sort((a, b) => {
+            const score = (item) => item.isDefault === true ? 0 : (item.isDefault === null ? 1 : 2);
+            const sA = score(a);
+            const sB = score(b);
+            if (sA !== sB)
+                return sA - sB;
+            if (a.index !== b.index)
+                return a.index - b.index;
+            return a.order - b.order;
+        });
+        const pickBest = (list) => {
             if (list.length === 0)
-                return undefined;
-            if (list.length === 1)
-                return list[0];
-            const tier1 = []; // isDefault === 'true'
-            const tier2 = []; // isDefault 不存在 或 不为 'false'
-            const tier3 = []; // 明确 isDefault === 'false'
-            list.forEach((item, originalIndex) => {
-                const isDef = item.isDefault;
-                const isTrue = (typeof isDef === 'string' && isDef.toLowerCase() === 'true');
-                const isFalse = (typeof isDef === 'string' && isDef.toLowerCase() === 'false');
-                if (isTrue) {
-                    tier1.push(item);
-                }
-                else if (!isFalse) {
-                    tier2.push(item);
-                }
-                else {
-                    tier3.push(item);
-                }
-            });
-            let selectedTier = [];
-            if (tier1.length > 0) {
-                selectedTier = tier1;
-            }
-            else if (tier2.length > 0) {
-                selectedTier = tier2;
-            }
-            else {
-                selectedTier = tier3;
-            }
-            // 二级排序：Index 升序 -> 原始顺序
-            const indexedTier = selectedTier.map((item, idx) => ({ item, originalIdx: idx }));
-            indexedTier.sort((a, b) => {
-                // 安全解析 index
-                let idxA = Infinity;
-                let idxB = Infinity;
-                if (a.item.index !== undefined && a.item.index !== null) {
-                    const parsed = parseInt(a.item.index, 10);
-                    if (!isNaN(parsed))
-                        idxA = parsed;
-                }
-                if (b.item.index !== undefined && b.item.index !== null) {
-                    const parsed = parseInt(b.item.index, 10);
-                    if (!isNaN(parsed))
-                        idxB = parsed;
-                }
-                if (idxA !== idxB) {
-                    return idxA - idxB;
-                }
-                return a.originalIdx - b.originalIdx;
-            });
-            return indexedTier[0].item;
+                return null;
+            return sortCandidates(list)[0] ?? null;
         };
-        let resultLocation = undefined;
-        // ==========================================
-        // 第一阶段：尝试在指定的 binding 中查找 (仅在非兜底模式下执行)
-        // ==========================================
-        if (!useFallbackMode && targetBindingName) {
-            const matchedByBinding = allCandidates.filter(obj => obj.binding === targetBindingName);
-            // console.log(`[ACS Selection] 目标 Binding: ${targetBindingName}`);
-            //console.log(`[ACS Selection] 匹配该 Binding 的数量: ${matchedByBinding.length}`);
-            if (matchedByBinding.length > 0) {
-                const bestInBinding = selectBestFromList(matchedByBinding);
-                if (bestInBinding) {
-                    // console.log(`[ACS Selection] ✅ (阶段1) 在指定 Binding 中找到最佳项: ${bestInBinding.location}`);
-                    resultLocation = bestInBinding.location;
-                }
-            }
+        const pickByIndex = (list) => {
+            if (!hasIndexHint)
+                return null;
+            const hit = list.filter((item) => item.index === indexHint);
+            return pickBest(hit);
+        };
+        const acsData = this.meta.assertionConsumerService;
+        const rawCandidates = Array.isArray(acsData) ? acsData : (acsData && typeof acsData === 'object' ? [acsData] : []);
+        if (rawCandidates.length === 0)
+            return '';
+        const normalizedCandidates = rawCandidates
+            .map((item, order) => ({
+            binding: String(item?.binding ?? item?.Binding ?? '').trim(),
+            location: toSafeLocation(normalizeLocation(item?.location ?? item?.Location ?? item?.responseLocation ?? item?.ResponseLocation ?? '')),
+            isDefault: parseBool(item?.isDefault ?? item?.IsDefault ?? item?.default),
+            index: parseIndex(item?.index ?? item?.Index),
+            order,
+        }))
+            .filter((item) => item.location);
+        if (normalizedCandidates.length === 0)
+            return '';
+        const dedupMap = new Map();
+        for (const item of normalizedCandidates) {
+            const key = `${normalizeBinding(item.binding)}|${item.location}|${Number.isFinite(item.index) ? item.index : 'NA'}`;
+            if (!dedupMap.has(key))
+                dedupMap.set(key, item);
         }
-        // ==========================================
-        // 第二阶段：降级/兜底策略
-        // 如果第一阶段没找到，或者一开始就进入了兜底模式 (useFallbackMode)
-        // ==========================================
-        if (!resultLocation) {
-            if (useFallbackMode) {
-                //console.log(`[ACS Selection] ⚠️ 启用全局兜底策略 (未指定有效 Binding)...`);
-            }
-            else {
-                //console.log(`[ACS Selection] ⚠️ 指定 Binding 未找到可用项，进入降级策略...`);
-            }
-            // 2.1 全局寻找 isDefault='true'
-            const globalDefaults = allCandidates.filter(obj => obj.isDefault && String(obj.isDefault).toLowerCase() === 'true');
-            if (globalDefaults.length > 0) {
-                const best = selectBestFromList(globalDefaults);
-                if (best) {
-                    //console.log(`[ACS Selection] ✅ (阶段2) 跨 Binding 找到 isDefault=true: ${best.location} (${best.binding})`);
-                    resultLocation = best.location;
-                }
-            }
-            // 2.2 全局寻找 isDefault 不为 'false' (隐式默认)
-            if (!resultLocation) {
-                const globalNonFalse = allCandidates.filter(obj => {
-                    const isDef = obj.isDefault;
-                    const isFalse = (typeof isDef === 'string' && isDef.toLowerCase() === 'false');
-                    return !isFalse;
-                });
-                if (globalNonFalse.length > 0) {
-                    const best = selectBestFromList(globalNonFalse);
-                    if (best) {
-                        //console.log(`[ACS Selection] ✅ (阶段3) 跨 Binding 找到隐式默认: ${best.location} (${best.binding})`);
-                        resultLocation = best.location;
-                    }
-                }
-            }
-            // 2.3 终极兜底：所有数据中 index 最小
-            if (!resultLocation) {
-                const best = selectBestFromList(allCandidates);
-                if (best) {
-                    //  console.log(`[ACS Selection] ✅ (阶段4) 终极兜底，选择 index 最小: ${best.location} (${best.binding})`);
-                    resultLocation = best.location;
-                }
+        const allCandidates = Array.from(dedupMap.values());
+        const targetBindingName = resolveBindingUri(binding);
+        const boundCandidates = targetBindingName
+            ? allCandidates.filter((item) => normalizeBinding(item.binding) === normalizeBinding(targetBindingName))
+            : [];
+        const warnDefaultConflict = (list, label) => {
+            const defaults = list.filter((item) => item.isDefault === true);
+            if (defaults.length > 1) {
+                console.warn(`[ACS Selection] Multiple isDefault=true found in ${label}; fallback to index/order.`);
             }
+        };
+        warnDefaultConflict(targetBindingName ? boundCandidates : allCandidates, targetBindingName ? `binding=${targetBindingName}` : 'all bindings');
+        // 1) index 优先：先同 binding，再全局(仅 lenient)
+        const indexedInBinding = pickByIndex(boundCandidates);
+        if (indexedInBinding)
+            return indexedInBinding.location;
+        if (targetBindingName && mode === 'strict' && boundCandidates.length === 0) {
+            return '';
         }
-        // ==========================================
-        // 最终检查：如果还是没找到，抛出错误
-        // ==========================================
-        if (!resultLocation) {
-            const errorMsg = "SAML Configuration Error: Unable to select any valid AssertionConsumerService URL. Metadata might be empty or malformed.";
-            console.error(`[ACS Selection] ❌ ${errorMsg}`);
-            throw new Error(errorMsg);
+        if (mode === 'lenient') {
+            const indexedGlobal = pickByIndex(allCandidates);
+            if (indexedGlobal)
+                return indexedGlobal.location;
         }
-        return resultLocation;
+        // 2) 绑定内最优
+        const bestBound = pickBest(boundCandidates);
+        if (bestBound)
+            return bestBound.location;
+        if (mode === 'strict' && targetBindingName)
+            return '';
+        // 3) 全局回退
+        const bestGlobal = pickBest(allCandidates);
+        return bestGlobal?.location ?? '';
     }
 }