samlesa 4.3.5 → 4.4.0

package/build/src/binding-artifact.js

@@ -1,424 +1,538 @@
 /**
  * @file binding-artifact.ts
- * @author tngan
- * @desc Binding-level API for SAML 2.0 Artifact Binding
- * @see https://docs.oasis-open.org/security/saml/v2.0/saml-bind-2.0-os.pdf
+ * @desc Binding-level API for SAML 2.0 HTTP-Artifact Binding
+ *
+ * The Artifact binding has two distinct layers:
+ * 1. Front-channel delivery of `SAMLart`
+ * 2. Back-channel SOAP `ArtifactResolve` / `ArtifactResponse`
  */
-import { checkStatus } from "./flow.js";
-import { ParserType, StatusCode, wording } from './urn.js';
-import * as crypto from "node:crypto";
+import { ParserType, StatusCode, namespace, wording } from './urn.js';
 import libsaml from './libsaml.js';
 import libsamlSoap from './libsamlSoap.js';
 import utility, { get } from './utility.js';
-import { randomUUID } from 'node:crypto';
 import postBinding from './binding-post.js';
-import { artifactResolveFields, extract, loginRequestFields, loginResponseFields, logoutRequestFields, logoutResponseFields } from "./extractor.js";
-import { verifyTime } from "./validator.js";
-import { sendArtifactResolve } from "./soap.js";
+import { artifactResolveFields, artifactResponseFields, extract, loginRequestFields, } from './extractor.js';
+import { verifyTime } from './validator.js';
+import { sendArtifactResolve } from './soap.js';
+import { generateArtifactId as generateArtifactIdUtil, validateArtifact, } from './artifact.js';
 import { applyAuthnRequestEnhancements } from './saml2-enhancements-integration.js';
+import { flow } from './flow.js';
 const binding = wording.binding;
-/**
- * Get default extractor fields based on parser type
- */
-function getDefaultExtractorFields(parserType, assertion) {
-    switch (parserType) {
-        case ParserType.SAMLRequest:
-            return loginRequestFields;
-        case ParserType.SAMLResponse:
-            if (!assertion) {
-                throw new Error('ERR_EMPTY_ASSERTION');
+const SAML_ARTIFACT_PARAM = 'SAMLart';
+function fail(code) {
+    throw code;
+}
+function normalizeBoolean(value) {
+    if (typeof value === 'boolean') {
+        return value;
+    }
+    if (typeof value === 'string') {
+        const lowered = value.trim().toLowerCase();
+        if (lowered === 'true') {
+            return true;
+        }
+        if (lowered === 'false') {
+            return false;
+        }
+    }
+    return null;
+}
+function normalizeIndex(value, fallback) {
+    const parsed = Number.parseInt(String(value ?? fallback), 10);
+    return Number.isNaN(parsed) ? fallback : parsed;
+}
+function getServiceCandidates(entityMeta, key) {
+    const rawValue = entityMeta?.meta?.[key];
+    if (!rawValue) {
+        return [];
+    }
+    const normalizeRecord = (item, order, bindingKey) => {
+        if (item == null) {
+            return null;
+        }
+        if (typeof item === 'string') {
+            return {
+                binding: String(bindingKey || ''),
+                location: item,
+                index: order,
+                isDefault: order === 0 ? true : null,
+                order,
+            };
+        }
+        const location = String(item.location ??
+            item.Location ??
+            item.responseLocation ??
+            item.ResponseLocation ??
+            '').trim();
+        if (!location) {
+            return null;
+        }
+        return {
+            binding: String(item.binding ?? item.Binding ?? bindingKey ?? '').trim(),
+            location,
+            index: normalizeIndex(item.index ?? item.Index, order),
+            isDefault: normalizeBoolean(item.isDefault ?? item.IsDefault ?? item.default),
+            order,
+        };
+    };
+    if (Array.isArray(rawValue)) {
+        return rawValue
+            .map((item, index) => normalizeRecord(item, index))
+            .filter((item) => item !== null);
+    }
+    if (typeof rawValue === 'object') {
+        const looksLikeSingleRecord = ('location' in rawValue ||
+            'Location' in rawValue ||
+            'binding' in rawValue ||
+            'Binding' in rawValue);
+        if (looksLikeSingleRecord) {
+            const record = normalizeRecord(rawValue, 0);
+            return record ? [record] : [];
+        }
+        return Object.entries(rawValue)
+            .map(([candidateBinding, candidateLocation], index) => normalizeRecord(candidateLocation, index, candidateBinding))
+            .filter((item) => item !== null);
+    }
+    return [];
+}
+function resolveBindingUri(bindingName) {
+    if (!bindingName) {
+        return null;
+    }
+    const mapped = namespace.binding[bindingName];
+    if (typeof mapped === 'string') {
+        return mapped;
+    }
+    return bindingName;
+}
+function pickPreferredService(entityMeta, key, bindingName) {
+    const candidates = getServiceCandidates(entityMeta, key);
+    if (candidates.length === 0) {
+        return null;
+    }
+    const expectedBinding = resolveBindingUri(bindingName);
+    const filtered = expectedBinding
+        ? candidates.filter((item) => item.binding === expectedBinding)
+        : candidates;
+    const pool = filtered.length > 0 ? filtered : candidates;
+    return [...pool].sort((left, right) => {
+        const leftScore = left.isDefault === true ? 0 : (left.isDefault === null ? 1 : 2);
+        const rightScore = right.isDefault === true ? 0 : (right.isDefault === null ? 1 : 2);
+        if (leftScore !== rightScore) {
+            return leftScore - rightScore;
+        }
+        if (left.index !== right.index) {
+            return left.index - right.index;
+        }
+        return left.order - right.order;
+    })[0] ?? null;
+}
+function ensureServiceLocation(entityMeta, key, bindingName, errorCode) {
+    const expectedBinding = resolveBindingUri(bindingName);
+    const candidates = getServiceCandidates(entityMeta, key);
+    const filtered = expectedBinding
+        ? candidates.filter((item) => item.binding === expectedBinding)
+        : candidates;
+    const candidate = filtered.length > 0
+        ? [...filtered].sort((left, right) => {
+            const leftScore = left.isDefault === true ? 0 : (left.isDefault === null ? 1 : 2);
+            const rightScore = right.isDefault === true ? 0 : (right.isDefault === null ? 1 : 2);
+            if (leftScore !== rightScore) {
+                return leftScore - rightScore;
+            }
+            if (left.index !== right.index) {
+                return left.index - right.index;
             }
-            return loginResponseFields(assertion);
-        case ParserType.LogoutRequest:
-            return logoutRequestFields;
-        case ParserType.LogoutResponse:
-            return logoutResponseFields;
-        default:
-            throw new Error('ERR_UNDEFINED_PARSERTYPE');
+            return left.order - right.order;
+        })[0]
+        : null;
+    if (!candidate?.location) {
+        fail(errorCode);
     }
+    return candidate.location;
 }
-/**
- * Generate a SAML 2.0 compliant Artifact ID
- * Format: [TypeCode: 2 bytes] + [EndpointIndex: 2 bytes] + [SourceID: 20 bytes] + [MessageHandle: 20 bytes]
- * @param issuerId The entity ID of the issuing party (IdP)
- * @param endpointIndex The index of the destination endpoint (default is 1 for Artifact Resolution Service)
- * @returns The Base64 encoded Artifact ID string
- */
-export function generateArtifactId(issuerId, endpointIndex = 1) {
-    // SourceID: 20 bytes SHA-1 of issuer ID
-    const issuerHash = crypto.createHash('sha1').update(issuerId).digest();
-    const sourceId = issuerHash.subarray(0, 20);
-    // TypeCode: 0x0004 (SAML 2.0 Artifact Type)
-    const typeCode = Buffer.from([0x00, 0x04]);
-    // EndpointIndex: 2 bytes Big Endian
-    const indexBuffer = Buffer.alloc(2);
-    indexBuffer.writeUInt16BE(endpointIndex, 0);
-    // MessageHandle: 20 random bytes
-    const messageHandle = crypto.randomBytes(20);
-    // Concatenate: 2 + 2 + 20 + 20 = 44 bytes
-    const artifactBytes = Buffer.concat([typeCode, indexBuffer, sourceId, messageHandle]);
-    // Base64 encode
-    return artifactBytes.toString('base64');
+function ensureValidDestination(entityMeta, key, destination, bindingName, errorCode) {
+    if (!destination) {
+        return;
+    }
+    const expectedBinding = resolveBindingUri(bindingName);
+    const candidates = getServiceCandidates(entityMeta, key);
+    const matched = candidates.some((item) => {
+        if (expectedBinding && item.binding && item.binding !== expectedBinding) {
+            return false;
+        }
+        return item.location === destination;
+    });
+    if (!matched) {
+        fail(errorCode);
+    }
 }
-/**
- * @desc Generate a SOAP-encoded login request for Artifact binding
- * @param {string} referenceTagXPath           reference uri
- * @param {object} entity                      object includes both idp and sp
- * @param {function} customTagReplacement     used when developers have their own login request template
- * @returns {BindingContext}
- */
-function soapLoginRequest(referenceTagXPath, entity, customTagReplacement) {
+function getArtifactEndpointIndex(entityMeta) {
+    return pickPreferredService(entityMeta, 'artifactResolutionService', binding.soap)?.index ?? 0;
+}
+function getArtifactFromRequest(request) {
+    const artifact = request?.query?.[SAML_ARTIFACT_PARAM] ?? request?.body?.[SAML_ARTIFACT_PARAM];
+    if (typeof artifact !== 'string' || artifact.trim() === '') {
+        fail('ERR_MISSING_ARTIFACT');
+    }
+    const relayState = request?.query?.RelayState ?? request?.body?.RelayState ?? '';
+    return {
+        artifact,
+        relayState,
+    };
+}
+function ensureArtifactResolveIssueInstant(issueInstant, clockDrifts) {
+    if (!issueInstant) {
+        fail('ERR_INVALID_ISSUE_INSTANT');
+    }
+    const issuedAt = new Date(issueInstant);
+    if (Number.isNaN(issuedAt.getTime())) {
+        fail('ERR_INVALID_ISSUE_INSTANT');
+    }
+    const expiry = new Date(issuedAt.getTime() + 5 * 60 * 1000).toISOString();
+    if (!verifyTime(undefined, expiry, clockDrifts)) {
+        fail('ERR_EXPIRED_SESSION');
+    }
+}
+function buildRawLoginRequest(referenceTagXPath, entity, customTagReplacement) {
     const metadata = {
         idp: entity.idp.entityMeta,
         sp: entity.sp.entityMeta,
-        inResponse: entity.inResponse,
-        relayState: entity.relayState
     };
     const spSetting = entity.sp.entitySetting;
     let id = '';
-    let soapId = spSetting.generateID();
-    if (metadata && metadata.idp && metadata.sp) {
-        const base = metadata.idp.getSingleSignOnService(binding.post);
-        let rawSamlRequest;
-        if (spSetting.loginRequestTemplate && customTagReplacement) {
-            const info = customTagReplacement(spSetting.loginRequestTemplate.context);
-            id = get(info, 'id', null);
-            rawSamlRequest = get(info, 'context', null);
-        }
-        else {
-            const nameIDFormat = spSetting.nameIDFormat;
-            const selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat;
-            id = spSetting.generateID();
-            rawSamlRequest = libsaml.replaceTagsByValue(libsaml.defaultLoginRequestTemplate.context, {
-                ID: id,
-                Destination: base,
-                Issuer: metadata.sp.getEntityID(),
-                IssueInstant: new Date().toISOString(),
-                AssertionConsumerServiceURL: metadata.sp.getAssertionConsumerService(binding.post),
-                EntityID: metadata.sp.getEntityID(),
-                AllowCreate: spSetting.allowCreate,
-                NameIDFormat: selectedNameIDFormat
-            });
-        }
-        // 应用 AuthnRequest 增强功能
-        if (spSetting.authnRequestEnhancements) {
-            rawSamlRequest = applyAuthnRequestEnhancements(rawSamlRequest, spSetting.authnRequestEnhancements);
-        }
-        const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm, transformationAlgorithms } = spSetting;
-        let signedAuthnRequest;
-        if (metadata.idp.isWantAuthnRequestsSigned()) {
-            signedAuthnRequest = libsaml.constructSAMLSignature({
-                referenceTagXPath,
-                privateKey: privateKey,
-                privateKeyPass,
-                signatureAlgorithm: signatureAlgorithm,
-                transformationAlgorithms,
-                rawSamlMessage: rawSamlRequest,
-                isBase64Output: false,
-                signingCert: metadata.sp.getX509Certificate('signing'),
-                signatureConfig: spSetting.signatureConfig || {
-                    prefix: 'ds',
-                    location: {
-                        reference: "/*[local-name(.)='AuthnRequest']/*[local-name(.)='Issuer']",
-                        action: 'after'
-                    },
-                }
-            });
-        }
-        else {
-            signedAuthnRequest = rawSamlRequest;
-        }
-        // Construct SOAP envelope with ArtifactResponse containing AuthnRequest
-        const soapTemplate = libsaml.replaceTagsByValue(libsaml.defaultArtAuthnRequestTemplate.context, {
-            ID: soapId,
-            IssueInstant: new Date().toISOString(),
-            InResponseTo: metadata.inResponse ?? "",
+    if (!metadata.idp || !metadata.sp) {
+        fail('ERR_GENERATE_ARTIFACT_LOGIN_REQUEST_MISSING_METADATA');
+    }
+    const destination = ensureServiceLocation(metadata.idp, 'singleSignOnService', binding.artifact, 'ERR_MISSING_IDP_ARTIFACT_ENDPOINT');
+    const artifactAcs = pickPreferredService(metadata.sp, 'assertionConsumerService', binding.artifact)?.location;
+    if (!artifactAcs) {
+        fail('ERR_MISSING_SP_ARTIFACT_ACS');
+    }
+    let rawSamlRequest;
+    if (spSetting.loginRequestTemplate && customTagReplacement) {
+        const info = customTagReplacement(spSetting.loginRequestTemplate.context);
+        id = get(info, 'id', '');
+        rawSamlRequest = get(info, 'context', '');
+    }
+    else {
+        const nameIDFormat = spSetting.nameIDFormat;
+        const selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat;
+        id = spSetting.generateID();
+        rawSamlRequest = libsaml.replaceTagsByValue(libsaml.defaultLoginRequestTemplate.context, {
+            ID: id,
+            Destination: destination,
             Issuer: metadata.sp.getEntityID(),
-            AuthnRequest: signedAuthnRequest
+            IssueInstant: new Date().toISOString(),
+            AssertionConsumerServiceURL: artifactAcs,
+            EntityID: metadata.sp.getEntityID(),
+            AllowCreate: spSetting.allowCreate,
+            NameIDFormat: selectedNameIDFormat,
         });
-        // Sign the SOAP envelope
-        const signedSoap = libsaml.constructSAMLSignature({
-            referenceTagXPath: "/*[local-name(.)='Envelope']/*[local-name(.)='Body']/*[local-name(.)='ArtifactResponse']",
-            privateKey: privateKey,
-            privateKeyPass,
-            signatureAlgorithm: signatureAlgorithm,
-            transformationAlgorithms,
-            rawSamlMessage: soapTemplate,
+        rawSamlRequest = rawSamlRequest.replace(`ProtocolBinding="${namespace.binding.post}"`, `ProtocolBinding="${namespace.binding.artifact}"`);
+    }
+    if (spSetting.authnRequestEnhancements) {
+        rawSamlRequest = applyAuthnRequestEnhancements(rawSamlRequest, spSetting.authnRequestEnhancements);
+    }
+    if (!metadata.idp.isWantAuthnRequestsSigned()) {
+        return {
+            id,
+            context: rawSamlRequest,
+        };
+    }
+    return {
+        id,
+        context: libsaml.constructSAMLSignature({
+            referenceTagXPath,
+            privateKey: spSetting.privateKey,
+            privateKeyPass: spSetting.privateKeyPass,
+            signatureAlgorithm: spSetting.requestSignatureAlgorithm,
+            transformationAlgorithms: spSetting.transformationAlgorithms,
+            rawSamlMessage: rawSamlRequest,
             isBase64Output: false,
-            isMessageSigned: false,
             signingCert: metadata.sp.getX509Certificate('signing'),
-            signatureConfig: {
+            signatureConfig: (spSetting.signatureConfig || {
                 prefix: 'ds',
                 location: {
-                    reference: "/*[local-name(.)='Envelope']/*[local-name(.)='Body']/*[local-name(.)='ArtifactResponse']/*[local-name(.)='Issuer']",
-                    action: 'after'
-                }
-            },
-        });
-        return {
-            id: soapId,
-            context: signedSoap,
-        };
-    }
-    throw new Error('ERR_GENERATE_POST_LOGIN_REQUEST_MISSING_METADATA');
+                    reference: "/*[local-name(.)='AuthnRequest']/*[local-name(.)='Issuer']",
+                    action: 'after',
+                },
+            }),
+        }),
+    };
 }
-/**
- * @desc Generate a SOAP-encoded login response for Artifact binding
- * @param {Base64LoginResponseParams} params  parameters for generating login response
- * @returns {BindingContext}
- */
-async function soapLoginResponse(params) {
-    const { entity } = params;
-    const metadata = {
-        idp: entity.idp.entityMeta,
-        sp: entity.sp.entityMeta,
+async function buildRawLoginResponse(params) {
+    if (!pickPreferredService(params.entity.sp.entityMeta, 'assertionConsumerService', binding.artifact)) {
+        fail('ERR_MISSING_SP_ARTIFACT_ACS');
+    }
+    const result = await postBinding.base64LoginResponse({
+        ...params,
+        destinationBinding: binding.artifact,
+    });
+    return {
+        id: result.id,
+        context: utility.base64Decode(result.context),
     };
-    if (!metadata.idp || !metadata.sp) {
-        throw new Error('ERR_GENERATE_ARTIFACT_MISSING_METADATA');
-    }
-    // Generate the base SAML Response using POST binding logic
-    const samlResponseResult = await postBinding.base64LoginResponse(params);
-    const samlResponseXml = utility.base64Decode(samlResponseResult.context);
-    // Generate the SAML 2.0 Artifact ID
-    const artifactId = generateArtifactId(metadata.idp.getEntityID());
-    // Prepare config for SOAP signing
-    const idpSetting = entity.idp.entitySetting;
-    const spSetting = entity.sp.entitySetting;
-    const config = {
-        privateKey: idpSetting.privateKey,
-        privateKeyPass: idpSetting.privateKeyPass,
-        signatureAlgorithm: idpSetting.requestSignatureAlgorithm,
-        signingCert: metadata.idp.getX509Certificate('signing'),
+}
+function signSoapEnvelope(message, referenceTagXPath, signatureReference, signer) {
+    const signerSetting = signer.entitySetting;
+    const signingCert = signer.entityMeta.getX509Certificate('signing');
+    if (!signerSetting.privateKey || !signingCert) {
+        fail('ERR_MISSING_ARTIFACT_RESOLVE_CREDENTIALS');
+    }
+    return libsaml.constructSAMLSignature({
+        referenceTagXPath,
+        privateKey: signerSetting.privateKey,
+        privateKeyPass: signerSetting.privateKeyPass,
+        signatureAlgorithm: signerSetting.requestSignatureAlgorithm,
+        transformationAlgorithms: signerSetting.transformationAlgorithms,
+        rawSamlMessage: message,
         isBase64Output: false,
-    };
-    // Construct the SOAP Envelope containing the ArtifactResponse with SAML Response
-    const soapBodyContent = `<samlp:ArtifactResponse
-        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
-        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-        ID="${samlResponseResult.id}_artifact_resp"
-        InResponseTo="${params.requestInfo?.extract?.request?.id || ''}"
-        Version="2.0"
-        IssueInstant="${new Date().toISOString()}">
-        <saml2:Issuer>${metadata.idp.getEntityID()}</saml2:Issuer>
-        <samlp:Status>
-            <samlp:StatusCode Value="${StatusCode.Success}"/>
-        </samlp:Status>
-        ${samlResponseXml}
-    </samlp:ArtifactResponse>`;
-    const soapEnvelope = `
-<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
-    <soap:Header/>
-    <soap:Body>${soapBodyContent}</soap:Body>
-</soap:Envelope>`;
-    // Sign the SOAP Envelope
-    const signedSoapEnvelope = libsaml.constructSAMLSignature({
-        ...config,
-        rawSamlMessage: soapEnvelope,
-        transformationAlgorithms: spSetting.transformationAlgorithms,
-        isMessageSigned: true,
-        referenceTagXPath: "/*[local-name(.)='Envelope']/*[local-name(.)='Body']/*[local-name(.)='ArtifactResponse']",
+        isMessageSigned: false,
+        signingCert,
         signatureConfig: {
             prefix: 'ds',
             location: {
-                reference: "/*[local-name(.)='Envelope']/*[local-name(.)='Body']/*[local-name(.)='ArtifactResponse']/*[local-name(.)='Status']",
-                action: 'before'
+                reference: signatureReference,
+                action: 'after',
             },
         },
     });
-    // Return the Artifact ID and the Base64 encoded signed SOAP message
+}
+function createArtifactResolveRequest(params) {
+    validateArtifact(params.artifact, params.responder.entityMeta.getEntityID());
+    const destination = ensureServiceLocation(params.responder.entityMeta, 'artifactResolutionService', binding.soap, 'ERR_MISSING_ARTIFACT_RESOLUTION_SERVICE');
+    const id = params.requester.entitySetting.generateID();
+    const soapResolve = libsaml.replaceTagsByValue(libsaml.defaultArtifactResolveTemplate.context, {
+        ID: id,
+        Destination: destination,
+        Issuer: params.requester.entityMeta.getEntityID(),
+        IssueInstant: new Date().toISOString(),
+        Art: params.artifact,
+    });
     return {
-        id: artifactId,
-        context: utility.base64Encode(signedSoapEnvelope),
+        id,
+        artifact: params.artifact,
+        entityEndpoint: destination,
+        type: 'ArtifactResolve',
+        context: signSoapEnvelope(soapResolve, "/*[local-name(.)='Envelope']/*[local-name(.)='Body']/*[local-name(.)='ArtifactResolve']", "/*[local-name(.)='Envelope']/*[local-name(.)='Body']/*[local-name(.)='ArtifactResolve']/*[local-name(.)='Issuer']", params.requester),
     };
 }
-/**
- * @desc Parse and validate Artifact Resolve request
- * @param {object} params
- * @param {IdentityProvider} params.idp Identity Provider instance
- * @param {ServiceProvider} params.sp Service Provider instance
- * @param {string} params.xml SOAP request XML string
- * @returns {Promise}
- */
-async function parseLoginRequestResolve(params) {
-    const { idp, sp, xml } = params;
-    const verificationOptions = {
-        metadata: idp.entityMeta,
-        signatureAlgorithm: idp.entitySetting.requestSignatureAlgorithm,
+async function parseArtifactResolveRequest(params) {
+    const { requester, responder, xml } = params;
+    const validXml = await libsaml.isValidXml(xml, true).catch(() => false);
+    if (validXml !== true) {
+        fail('ERR_EXCEPTION_VALIDATE_XML');
+    }
+    const verifiedSoap = await libsamlSoap.verifyAndDecryptSoapMessage(xml, {
+        metadata: requester.entityMeta,
+    });
+    if (!verifiedSoap.verified || verifiedSoap.type !== 'ArtifactResolve') {
+        fail('ERR_FAIL_TO_VERIFY_SIGNATURE');
+    }
+    const extracted = extract(xml, artifactResolveFields);
+    if (extracted?.request?.version && extracted.request.version !== '2.0') {
+        fail('ERR_UNSUPPORTED_SAML_VERSION');
+    }
+    if (extracted?.issuer !== requester.entityMeta.getEntityID()) {
+        fail('ERR_UNMATCH_ISSUER');
+    }
+    ensureValidDestination(responder.entityMeta, 'artifactResolutionService', extracted?.request?.destination, binding.soap, 'ERR_INVALID_ARTIFACT_RESOLVE_DESTINATION');
+    ensureArtifactResolveIssueInstant(extracted?.request?.issueInstant, responder.entitySetting.clockDrifts);
+    const artifactData = validateArtifact(extracted?.artifact, responder.entityMeta.getEntityID());
+    return {
+        soapContent: xml,
+        samlContent: verifiedSoap.message,
+        extract: extracted,
+        artifact: extracted.artifact,
+        artifactData,
     };
-    // Validate XML
-    let res = await libsaml.isValidXml(xml, true).catch(() => {
-        return Promise.reject('ERR_EXCEPTION_VALIDATE_XML');
+}
+function createArtifactResolveResponse(params) {
+    const { requester, responder } = params;
+    const id = responder.entitySetting.generateID();
+    const destination = pickPreferredService(requester.entityMeta, 'artifactResolutionService', binding.soap)?.location || '';
+    const statusCode = params.statusCode || StatusCode.Success;
+    const template = `<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><samlp:ArtifactResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{ID}" InResponseTo="{InResponseTo}" Version="2.0" IssueInstant="{IssueInstant}"><saml:Issuer>{Issuer}</saml:Issuer><samlp:Status><samlp:StatusCode Value="{StatusCode}"/></samlp:Status>{SamlMessage}</samlp:ArtifactResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>`;
+    let soapResponse = libsaml.replaceTagsByValue(template, {
+        ID: id,
+        InResponseTo: params.inResponseTo,
+        IssueInstant: new Date().toISOString(),
+        Issuer: responder.entityMeta.getEntityID(),
+        StatusCode: statusCode,
+        SamlMessage: params.samlMessage || '',
     });
-    if (res !== true) {
-        return Promise.reject('ERR_EXCEPTION_VALIDATE_XML');
+    if (destination) {
+        soapResponse = soapResponse.replace(/(<samlp:ArtifactResponse\b[^>]*IssueInstant="[^"]+")/, `$1 Destination="${destination}"`);
     }
-    // Verify and decrypt SOAP message
-    let [verify, xmlString] = await libsamlSoap.verifyAndDecryptSoapMessage(xml, verificationOptions);
-    if (!verify) {
-        return Promise.reject('ERR_FAIL_TO_VERIFY_SIGNATURE');
+    return {
+        id,
+        context: signSoapEnvelope(soapResponse, "/*[local-name(.)='Envelope']/*[local-name(.)='Body']/*[local-name(.)='ArtifactResponse']", "/*[local-name(.)='Envelope']/*[local-name(.)='Body']/*[local-name(.)='ArtifactResponse']/*[local-name(.)='Issuer']", responder),
+    };
+}
+async function parseArtifactResolveResponse(params) {
+    const validXml = await libsaml.isValidXml(params.xml, true).catch(() => false);
+    if (validXml !== true) {
+        fail('ERR_INVALID_XML');
     }
-    const parseResult = {
-        samlContent: xmlString,
-        extract: extract(xmlString, artifactResolveFields),
+    const verifiedSoap = await libsamlSoap.verifyAndDecryptSoapMessage(params.xml, {
+        metadata: params.responder.entityMeta,
+    });
+    if (!verifiedSoap.verified || verifiedSoap.type !== 'ArtifactResponse') {
+        fail('ERR_FAIL_TO_VERIFY_ETS_SIGNATURE');
+    }
+    const extracted = extract(params.xml, artifactResponseFields);
+    if (extracted?.response?.version && extracted.response.version !== '2.0') {
+        fail('ERR_UNSUPPORTED_SAML_VERSION');
+    }
+    if (extracted?.issuer !== params.responder.entityMeta.getEntityID()) {
+        fail('ERR_UNMATCH_ISSUER');
+    }
+    if (params.inResponseTo && extracted?.response?.inResponseTo !== params.inResponseTo) {
+        fail('ERR_UNMATCH_IN_RESPONSE_TO');
+    }
+    ensureValidDestination(params.requester.entityMeta, 'artifactResolutionService', extracted?.response?.destination, binding.soap, 'ERR_INVALID_ARTIFACT_RESPONSE_DESTINATION');
+    if (extracted?.status !== StatusCode.Success) {
+        fail('ERR_UNDEFINED_STATUS');
+    }
+    if (!verifiedSoap.resolvedMessage) {
+        fail('ERR_EMPTY_ARTIFACT_RESPONSE');
+    }
+    return {
+        soapContent: params.xml,
+        samlContent: verifiedSoap.resolvedMessage,
+        extract: extracted,
     };
-    // Validation
-    const targetEntityMetadata = sp.entityMeta;
-    const issuer = targetEntityMetadata.getEntityID();
-    const extractedProperties = parseResult.extract;
-    // Check issuer
-    if (extractedProperties.issuer !== issuer) {
-        return Promise.reject('ERR_UNMATCH_ISSUER');
-    }
-    // Check time validity (5 minutes from issue instant)
-    const issueInstant = new Date(extractedProperties.request.issueInstant);
-    const expiryTime = new Date(issueInstant.getTime() + 5 * 60 * 1000);
-    if (!verifyTime(undefined, expiryTime.toISOString(), sp.entitySetting.clockDrifts)) {
-        return Promise.reject('ERR_EXPIRED_SESSION');
-    }
-    return Promise.resolve(parseResult);
 }
-/**
- * @desc Parse and validate Artifact Resolve response
- * @param {object} params
- * @param {IdentityProvider} params.idp Identity Provider instance
- * @param {ServiceProvider} params.sp Service Provider instance
- * @param {string} params.art Artifact string
- * @returns {Promise}
- */
-async function parseLoginResponseResolve(params) {
-    const { idp, sp, art } = params;
-    const metadata = {
-        idp: idp.entityMeta,
-        sp: sp.entityMeta,
+function createLoginRequest(referenceTagXPath, entity, customTagReplacement) {
+    const request = buildRawLoginRequest(referenceTagXPath, entity, customTagReplacement);
+    const artifact = generateArtifactIdUtil(entity.sp.entityMeta.getEntityID(), getArtifactEndpointIndex(entity.sp.entityMeta));
+    return {
+        id: request.id,
+        artifact,
+        context: artifact,
+        samlContent: request.context,
     };
-    const verificationOptions = {
-        metadata: idp.entityMeta,
-        signatureAlgorithm: idp.entitySetting.requestSignatureAlgorithm,
+}
+async function createLoginResponse(params) {
+    const response = await buildRawLoginResponse(params);
+    const artifact = generateArtifactIdUtil(params.entity.idp.entityMeta.getEntityID(), getArtifactEndpointIndex(params.entity.idp.entityMeta));
+    return {
+        id: response.id,
+        artifact,
+        context: artifact,
+        samlContent: response.context,
     };
-    const parserType = ParserType.SAMLResponse;
-    const spSetting = sp.entitySetting;
-    const ID = '_' + randomUUID();
-    const url = metadata.idp.getArtifactResolutionService('soap');
-    // Construct ArtifactResolve request
-    let samlSoapRaw = libsaml.replaceTagsByValue(libsaml.defaultArtifactResolveTemplate.context, {
-        ID: ID,
-        Destination: url,
-        Issuer: metadata.sp.getEntityID(),
-        IssueInstant: new Date().toISOString(),
-        Art: art
+}
+async function resolveArtifact(params) {
+    const resolveRequest = createArtifactResolveRequest(params);
+    const responseXml = await sendArtifactResolve(resolveRequest.entityEndpoint, resolveRequest.context);
+    const resolved = await parseArtifactResolveResponse({
+        requester: params.requester,
+        responder: params.responder,
+        xml: responseXml,
+        inResponseTo: resolveRequest.id,
     });
-    let samlContent;
-    // Send signed or unsigned ArtifactResolve based on IdP configuration
-    if (!metadata.idp.isWantAuthnRequestsSigned()) {
-        samlContent = await sendArtifactResolve(url, samlSoapRaw);
-        // Validate XML
-        try {
-            await libsaml.isValidXml(samlContent, true);
-        }
-        catch {
-            return Promise.reject('ERR_INVALID_XML');
-        }
-        await checkStatus(samlContent, parserType, true);
-        // Verify and decrypt SOAP response
-        const [verified, verifiedAssertionNode, isDecryptRequired] = await libsamlSoap.verifyAndDecryptSoapMessage(samlContent, verificationOptions);
-        if (!verified) {
-            return Promise.reject('ERR_FAIL_TO_VERIFY_ETS_SIGNATURE');
-        }
-        samlContent = verifiedAssertionNode;
-    }
-    else {
-        const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm, transformationAlgorithms } = spSetting;
-        // Sign the ArtifactResolve request
-        const signatureSoap = libsaml.constructSAMLSignature({
-            referenceTagXPath: "//*[local-name(.)='ArtifactResolve']",
-            isMessageSigned: false,
-            isBase64Output: false,
-            transformationAlgorithms: transformationAlgorithms,
-            privateKey: privateKey,
-            privateKeyPass,
-            signatureAlgorithm: signatureAlgorithm,
-            rawSamlMessage: samlSoapRaw,
-            signingCert: metadata.sp.getX509Certificate('signing'),
-            signatureConfig: {
-                prefix: 'ds',
-                location: {
-                    reference: "//*[local-name(.)='Issuer']",
-                    action: 'after'
-                }
-            }
-        });
-        samlContent = await sendArtifactResolve(url, signatureSoap);
-        // Validate XML
-        try {
-            await libsaml.isValidXml(samlContent, true);
-        }
-        catch {
-            return Promise.reject('ERR_INVALID_XML');
-        }
-        await checkStatus(samlContent, parserType, true);
-        // Verify and decrypt SOAP response
-        const [verified1, verifiedAssertionNode1, isDecryptRequired1] = await libsamlSoap.verifyAndDecryptSoapMessage(samlContent, verificationOptions);
-        if (!verified1) {
-            return Promise.reject('ERR_FAIL_TO_VERIFY_ETS_SIGNATURE');
-        }
-        samlContent = verifiedAssertionNode1;
-        // Verify SAML signature and decrypt if needed
-        const verificationResult = await libsaml.verifySignature(samlContent, verificationOptions, sp);
+    return {
+        resolveRequest,
+        resolved,
+    };
+}
+async function parseResolvedLoginRequestXml(params) {
+    let samlContent = params.samlContent;
+    const verificationOptions = {
+        metadata: params.sp.entityMeta,
+        signatureAlgorithm: params.sp.entitySetting.requestSignatureAlgorithm,
+    };
+    const signatureLooksPresent = /<[^>]*:?Signature\b/.test(samlContent);
+    if (params.idp.entityMeta.isWantAuthnRequestsSigned() || signatureLooksPresent) {
+        const verificationResult = await libsaml.verifySignature(samlContent, verificationOptions, params.idp);
         if (!verificationResult.status) {
             if (verificationResult.isMessageSigned && !verificationResult.MessageSignatureStatus) {
-                return Promise.reject('ERR_FAIL_TO_VERIFY_MESSAGE_SIGNATURE');
+                fail('ERR_FAIL_TO_VERIFY_MESSAGE_SIGNATURE');
             }
             if (verificationResult.isAssertionSigned && !verificationResult.AssertionSignatureStatus) {
-                return Promise.reject('ERR_FAIL_TO_VERIFY_ASSERTION_SIGNATURE');
+                fail('ERR_FAIL_TO_VERIFY_ASSERTION_SIGNATURE');
             }
-            if (verificationResult.encrypted && !verificationResult.decrypted) {
-                return Promise.reject('ERR_FAIL_TO_DECRYPT_ASSERTION');
-            }
-            return Promise.reject('ERR_FAIL_TO_VERIFY_SIGNATURE_OR_DECRYPTION');
+            fail('ERR_FAIL_TO_VERIFY_SIGNATURE_OR_DECRYPTION');
         }
         samlContent = verificationResult.samlContent;
     }
-    // Extract fields
-    let extractorFields;
-    if (parserType === 'SAMLResponse') {
-        extractorFields = getDefaultExtractorFields(parserType, samlContent);
-    }
-    else {
-        extractorFields = getDefaultExtractorFields(parserType, null);
-    }
     const parseResult = {
-        samlContent: samlContent,
-        extract: extract(samlContent, extractorFields),
+        samlContent,
+        extract: extract(samlContent, loginRequestFields),
+    };
+    if (parseResult.extract?.issuer !== params.sp.entityMeta.getEntityID()) {
+        fail('ERR_UNMATCH_ISSUER');
+    }
+    return parseResult;
+}
+async function parseLoginRequest(params) {
+    const { artifact, relayState } = getArtifactFromRequest(params.request);
+    validateArtifact(artifact, params.sp.entityMeta.getEntityID());
+    const { resolveRequest, resolved } = await resolveArtifact({
+        requester: params.idp,
+        responder: params.sp,
+        artifact,
+    });
+    const parseResult = await parseResolvedLoginRequestXml({
+        idp: params.idp,
+        sp: params.sp,
+        samlContent: resolved.samlContent,
+    });
+    ensureValidDestination(params.idp.entityMeta, 'singleSignOnService', parseResult?.extract?.request?.destination, binding.artifact, 'ERR_INVALID_DESTINATION');
+    ensureValidDestination(params.sp.entityMeta, 'assertionConsumerService', parseResult?.extract?.request?.assertionConsumerServiceUrl || parseResult?.extract?.request?.assertionConsumerServiceURL, undefined, 'ERR_INVALID_ASSERTION_CONSUMER_SERVICE');
+    return {
+        ...parseResult,
+        artifact,
+        relayState,
+        artifactResolve: {
+            request: resolveRequest,
+            response: resolved.extract,
+        },
+    };
+}
+async function parseLoginResponse(params) {
+    const { artifact, relayState } = getArtifactFromRequest(params.request);
+    validateArtifact(artifact, params.idp.entityMeta.getEntityID());
+    const { resolveRequest, resolved } = await resolveArtifact({
+        requester: params.sp,
+        responder: params.idp,
+        artifact,
+    });
+    const parseResult = await flow({
+        from: params.idp,
+        self: params.sp,
+        checkSignature: true,
+        parserType: ParserType.SAMLResponse,
+        type: 'login',
+        binding: binding.post,
+        request: {
+            body: {
+                SAMLResponse: utility.base64Encode(resolved.samlContent),
+            },
+        },
+    });
+    return {
+        ...parseResult,
+        artifact,
+        relayState,
+        artifactResolve: {
+            request: resolveRequest,
+            response: resolved.extract,
+        },
     };
-    // Validation
-    const targetEntityMetadata = idp.entityMeta;
-    const issuer = targetEntityMetadata.getEntityID();
-    const extractedProperties = parseResult.extract;
-    // Check issuer
-    if (parserType === ParserType.SAMLResponse
-        && extractedProperties
-        && extractedProperties.issuer !== issuer) {
-        return Promise.reject('ERR_UNMATCH_ISSUER');
-    }
-    // Check session time
-    if (parserType === 'SAMLResponse'
-        && extractedProperties.sessionIndex.sessionNotOnOrAfter
-        && !verifyTime(undefined, extractedProperties.sessionIndex.sessionNotOnOrAfter, sp.entitySetting.clockDrifts)) {
-        return Promise.reject('ERR_EXPIRED_SESSION');
-    }
-    // Check conditions time
-    if (parserType === 'SAMLResponse'
-        && extractedProperties.conditions
-        && !verifyTime(extractedProperties.conditions.notBefore, extractedProperties.conditions.notOnOrAfter, sp.entitySetting.clockDrifts)) {
-        return Promise.reject('ERR_SUBJECT_UNCONFIRMED');
-    }
-    return Promise.resolve(parseResult);
 }
+export const generateArtifactId = generateArtifactIdUtil;
 const artifactBinding = {
-    soapLoginRequest,
-    soapLoginResponse,
-    parseLoginRequestResolve,
-    parseLoginResponseResolve,
+    createLoginRequest,
+    createLoginResponse,
+    parseLoginRequest,
+    parseLoginResponse,
+    createArtifactResolveRequest,
+    parseArtifactResolveRequest,
+    createArtifactResolveResponse,
+    parseArtifactResolveResponse,
     generateArtifactId,
 };
 export default artifactBinding;