samlify 2.11.0 → 2.13.0

package/types/src/metadata-idp.d.ts

@@ -1,24 +1,40 @@
 /**
-* @file metadata-idp.ts
-* @author tngan
-* @desc  Metadata of identity provider
-*/
+ * @file metadata-idp.ts
+ * @author tngan
+ * @desc Metadata of an identity provider (IdP). Accepts either a raw XML
+ * document or a structured options object and presents a normalised API.
+ */
 import Metadata, { MetadataInterface } from './metadata';
 import { MetadataIdpConstructor } from './types';
+/** Public interface exposed by IdP metadata instances. */
 export interface IdpMetadataInterface extends MetadataInterface {
 }
+/**
+ * Factory returning a new {@link IdpMetadata} instance.
+ *
+ * @param meta XML metadata document or structured options
+ * @returns fresh IdpMetadata
+ */
 export default function (meta: MetadataIdpConstructor): IdpMetadata;
 export declare class IdpMetadata extends Metadata {
+    /**
+     * Build IdP metadata from XML or programmatic options.
+     *
+     * @param meta XML string/Buffer or {@link MetadataIdpOptions}
+     */
     constructor(meta: MetadataIdpConstructor);
     /**
-    * @desc Get the preference whether it wants a signed request
-    * @return {boolean} WantAuthnRequestsSigned
-    */
+     * Return whether the IdP requires signed `AuthnRequest` messages.
+     *
+     * @returns true when the metadata advertises `WantAuthnRequestsSigned="true"`
+     */
     isWantAuthnRequestsSigned(): boolean;
     /**
-    * @desc Get the entity endpoint for single sign on service
-    * @param  {string} binding      protocol binding (e.g. redirect, post)
-    * @return {string/object} location
-    */
+     * Return the single sign-on endpoint URL for the given binding, or the
+     * full service map when the binding isn't a string.
+     *
+     * @param binding protocol binding key (`redirect`, `post`, etc.)
+     * @returns endpoint URL or raw service map
+     */
     getSingleSignOnService(binding: string): string | object;
 }

package/types/src/metadata-sp.d.ts

@@ -1,36 +1,46 @@
 /**
-* @file metadata-sp.ts
-* @author tngan
-* @desc  Metadata of service provider
-*/
+ * @file metadata-sp.ts
+ * @author tngan
+ * @desc Metadata of a service provider (SP). Accepts either a raw XML
+ * document or a structured options object and presents a normalised API.
+ */
 import Metadata, { MetadataInterface } from './metadata';
 import { MetadataSpConstructor } from './types';
+/** Public interface exposed by SP metadata instances. */
 export interface SpMetadataInterface extends MetadataInterface {
 }
+/**
+ * Factory returning a new {@link SpMetadata} instance.
+ *
+ * @param meta XML metadata document or structured options
+ * @returns fresh SpMetadata
+ */
 export default function (meta: MetadataSpConstructor): SpMetadata;
 /**
-* @desc SP Metadata is for creating Service Provider, provides a set of API to manage the actions in SP.
-*/
+ * SP metadata abstraction — constructs a valid EntityDescriptor/SPSSODescriptor
+ * from options, and exposes inspection helpers used by the flow layer.
+ */
 export declare class SpMetadata extends Metadata {
     /**
-    * @param  {object/string} meta (either xml string or configuration in object)
-    * @return {object} prototypes including public functions
-    */
+     * Build SP metadata from XML or programmatic options.
+     *
+     * @param meta XML string/Buffer or {@link MetadataSpOptions}
+     */
     constructor(meta: MetadataSpConstructor);
     /**
-    * @desc Get the preference whether it wants a signed assertion response
-    * @return {boolean} Wantassertionssigned
-    */
+     * Return whether the SP requires signed assertions.
+     */
     isWantAssertionsSigned(): boolean;
     /**
-    * @desc Get the preference whether it signs request
-    * @return {boolean} Authnrequestssigned
-    */
+     * Return whether the SP signs its `AuthnRequest` messages.
+     */
     isAuthnRequestSigned(): boolean;
     /**
-    * @desc Get the entity endpoint for assertion consumer service
-    * @param  {string} binding         protocol binding (e.g. redirect, post)
-    * @return {string/[string]} URL of endpoint(s)
-    */
+     * Return the AssertionConsumerService endpoint URL(s) for the requested
+     * binding.
+     *
+     * @param binding protocol binding key (`redirect`, `post`, etc.)
+     * @returns endpoint URL, list of URLs, or raw service list
+     */
     getAssertionConsumerService(binding: string): string | string[];
 }

package/types/src/metadata.d.ts

@@ -1,57 +1,82 @@
+import type { ExtractorFields } from './types';
+/** Public interface exposed by every metadata instance. */
 export interface MetadataInterface {
     xmlString: string;
     getMetadata: () => string;
     exportMetadata: (exportFile: string) => void;
     getEntityID: () => string;
     getX509Certificate: (certType: string) => string | string[];
-    getNameIDFormat: () => any[];
+    getNameIDFormat: () => string[];
     getSingleLogoutService: (binding: string | undefined) => string | object;
     getSupportBindings: (services: string[]) => string[];
 }
+/** Parsed metadata bag exposed under `meta`. */
+export interface MetadataBag {
+    [key: string]: unknown;
+    entityDescriptor?: string | string[];
+    entityID?: string;
+    sharedCertificate?: string;
+    certificate?: {
+        signing?: string | string[];
+        encryption?: string | string[];
+    } | Record<string, string | string[]>;
+    singleLogoutService?: Array<{
+        binding: string;
+        location: string;
+    }> | {
+        binding: string;
+        location: string;
+    };
+    nameIDFormat?: string | string[];
+}
 export default class Metadata implements MetadataInterface {
     xmlString: string;
-    meta: any;
+    meta: MetadataBag;
     /**
-    * @param  {string | Buffer} xml
-    * @param  {object} extraParse for custom metadata extractor
-    */
-    constructor(xml: string | Buffer, extraParse?: any);
+     * Parse a SAML metadata XML document and hydrate a typed `meta` bag.
+     *
+     * @param xml raw metadata XML (string or Buffer)
+     * @param extraParse additional extractor fields merged into the standard set
+     */
+    constructor(xml: string | Buffer, extraParse?: ExtractorFields);
     /**
-    * @desc Get the metadata in xml format
-    * @return {string} metadata in xml format
-    */
+     * Return the underlying metadata XML.
+     */
     getMetadata(): string;
     /**
-    * @desc Export the metadata to specific file
-    * @param {string} exportFile is the output file path
-    */
+     * Write the metadata XML to disk at the given path.
+     *
+     * @param exportFile absolute file path
+     */
     exportMetadata(exportFile: string): void;
     /**
-    * @desc Get the entityID in metadata
-    * @return {string} entityID
-    */
+     * Return the metadata `entityID`.
+     */
     getEntityID(): string;
     /**
-    * @desc Get the x509 certificate declared in entity metadata
-    * @param  {string} use declares the type of certificate
-    * @return {string} certificate in string format
-    */
-    getX509Certificate(use: string): any;
-    /**
-    * @desc Get the support NameID format declared in entity metadata
-    * @return {array} support NameID format
-    */
-    getNameIDFormat(): any;
-    /**
-    * @desc Get the entity endpoint for single logout service
-    * @param  {string} binding e.g. redirect, post
-    * @return {string/object} location
-    */
+     * Return the X.509 certificate(s) declared in metadata for a given use.
+     *
+     * @param use `signing` or `encryption`
+     * @returns certificate body or list, or `null` when missing
+     */
+    getX509Certificate(use: string): string | string[];
+    /**
+     * Return the supported NameID formats declared in metadata.
+     */
+    getNameIDFormat(): string[];
+    /**
+     * Return the single-logout service endpoint for the requested binding.
+     * When no binding is provided, returns the raw service list.
+     *
+     * @param binding `redirect`, `post`, etc.
+     * @returns endpoint URL or raw service list
+     */
     getSingleLogoutService(binding: string | undefined): string | object;
     /**
-    * @desc Get the support bindings
-    * @param  {[string]} services
-    * @return {[string]} support bindings
-    */
+     * Reduce a service descriptor array to the list of bindings it declares.
+     *
+     * @param services list of service descriptor objects
+     * @returns supported binding keys
+     */
     getSupportBindings(services: string[]): string[];
 }

package/types/src/options.d.ts

@@ -0,0 +1,37 @@
+/**
+ * @file options.ts
+ * @desc Backwards-compatible discriminators for the options-bag /
+ * legacy-positional shapes accepted by the create* methods on
+ * Entity / IdentityProvider / ServiceProvider.
+ *
+ * Per `saml-bindings §3.4.3, §3.5.3`, RelayState is request-scoped.
+ * These helpers let callers pass it as part of an options bag while
+ * preserving the legacy callback-only / string-only positional shapes.
+ */
+import type { CreateLoginRequestOptions, CreateLoginResponseOptions, CreateLogoutRequestOptions, CreateLogoutResponseOptions, CustomTagReplacement } from './types';
+/**
+ * Resolve the 3rd-position parameter of `ServiceProvider#createLoginRequest`.
+ * Accepts a callback (legacy), an options bag, or undefined.
+ */
+export declare function normalizeCreateLoginRequestOptions(input: CreateLoginRequestOptions | CustomTagReplacement | undefined): CreateLoginRequestOptions;
+/**
+ * Resolve the 5th-position parameter of `IdentityProvider#createLoginResponse`.
+ * Accepts a callback (legacy), an options bag, or undefined.
+ *
+ * Legacy positional `encryptThenSign` (6th) and `relayState` (7th) are
+ * folded into the bag when the 5th argument is the legacy callback form.
+ */
+export declare function normalizeCreateLoginResponseOptions(optionsOrCallback: CreateLoginResponseOptions | CustomTagReplacement | undefined, legacyEncryptThenSign?: boolean, legacyRelayState?: string): CreateLoginResponseOptions;
+/**
+ * Resolve the 4th-position parameter of `Entity#createLogoutRequest`.
+ * Accepts a string (legacy `relayState`), an options bag, or undefined.
+ *
+ * Legacy positional `customTagReplacement` (5th) is folded into the bag
+ * when the 4th argument is the legacy string form.
+ */
+export declare function normalizeCreateLogoutRequestOptions(optionsOrRelayState: CreateLogoutRequestOptions | string | undefined, legacyCustomTagReplacement?: CustomTagReplacement): CreateLogoutRequestOptions;
+/**
+ * Resolve the 4th-position parameter of `Entity#createLogoutResponse`.
+ * Same dispatch rules as {@link normalizeCreateLogoutRequestOptions}.
+ */
+export declare function normalizeCreateLogoutResponseOptions(optionsOrRelayState: CreateLogoutResponseOptions | string | undefined, legacyCustomTagReplacement?: CustomTagReplacement): CreateLogoutResponseOptions;

package/types/src/types.d.ts

@@ -3,12 +3,188 @@ export { IdentityProvider as IdentityProviderConstructor } from './entity-idp';
 export { IdpMetadata as IdentityProviderMetadata } from './metadata-idp';
 export { ServiceProvider as ServiceProviderConstructor } from './entity-sp';
 export { SpMetadata as ServiceProviderMetadata } from './metadata-sp';
+/** Raw metadata payload: either the XML contents or a path. */
 export type MetadataFile = string | Buffer;
-type SSOService = {
+/** SAML SSO service endpoint descriptor. */
+export interface SSOService {
     isDefault?: boolean;
     Binding: string;
     Location: string;
-};
+}
+/** Primitive value types that appear inside XML attributes. */
+export type XmlAttributeValue = string | number | boolean | undefined;
+/** Attribute bag accepted by the `xml` module (element `_attr` slot). */
+export type XmlAttributeMap = Record<string, XmlAttributeValue>;
+/** An `{ _attr: {...} }` node accepted by the `xml` module. */
+export interface XmlAttrNode {
+    _attr: XmlAttributeMap;
+}
+/** Recursive node shape accepted by the `xml` module. */
+export type XmlNode = string | number | boolean | XmlAttrNode | {
+    [tagName: string]: unknown;
+} | XmlNode[];
+/** Element array for the `xml` module builder. */
+export type XmlElementArray = XmlNode[];
+/**
+ * Replacement map for template-tag interpolation.
+ * Values are stringified by the replacement routine.
+ */
+export type TagReplacementMap = Record<string, string | number | boolean | null | undefined>;
+/** Per-scalar value produced by the SAML XPath extractor. */
+export type ExtractorValue = string | string[] | number | boolean | null | Record<string, string | string[]>;
+/**
+ * Result object produced by `extract`. Keys depend on the fields requested;
+ * the documented members below cover the common SAML flows.
+ */
+export interface ExtractorResult {
+    [key: string]: ExtractorValue | undefined;
+    signature?: string | string[];
+    issuer?: string | string[];
+    nameID?: string;
+    conditions?: Record<string, string | string[]>;
+    sessionIndex?: Record<string, string | string[]>;
+    attributes?: Record<string, string | string[]>;
+    response?: Record<string, string | string[]>;
+    request?: Record<string, string | string[]>;
+    audience?: string | string[];
+    authnContextClassRef?: string | string[];
+    nameIDPolicy?: Record<string, string | string[]>;
+}
+/** Field definition consumed by `extract`. */
+export interface ExtractorField {
+    key: string;
+    localPath: string[] | string[][];
+    attributes: string[];
+    index?: string[];
+    attributePath?: string[];
+    context?: boolean;
+    shortcut?: string;
+}
+/** Array of extractor field definitions. */
+export type ExtractorFields = ExtractorField[];
+/**
+ * Minimal HTTP request shape the library consumes from the caller's web
+ * framework. Only the fields SAML needs are typed.
+ */
+export interface ESamlHttpRequest {
+    query?: Record<string, string | undefined>;
+    body?: Record<string, string | undefined>;
+    octetString?: string;
+}
+/**
+ * Parsed request snapshot passed around when building response messages
+ * so the response can include matching `InResponseTo` references.
+ */
+export interface RequestInfo {
+    extract: ExtractorResult;
+    [key: string]: unknown;
+}
+/**
+ * Authenticated user passed to the IdP when building a login/logout
+ * response. Additional custom claims are permitted via the index signature.
+ */
+export interface SAMLUser {
+    email?: string;
+    logoutNameID?: string;
+    sessionIndex?: string;
+    [key: string]: unknown;
+}
+/**
+ * Caller-supplied template transformer used by the create* methods.
+ * Receives the raw template string and returns the substituted result
+ * along with the SAML message ID.
+ */
+export type CustomTagReplacement = (template: string) => BindingContext;
+/**
+ * Per-request options accepted by `ServiceProvider#createLoginRequest`.
+ *
+ * `relayState` here takes precedence over `entitySetting.relayState`,
+ * which is deprecated for v3 — see `saml-bindings §3.4.3` and §3.5.3
+ * (RelayState is request-scoped, not entity-scoped).
+ */
+export interface CreateLoginRequestOptions {
+    relayState?: string;
+    customTagReplacement?: CustomTagReplacement;
+    /** saml-core §3.4.1 — when true, the IdP MUST re-authenticate the user. */
+    forceAuthn?: boolean;
+    /**
+     * saml-core §3.4.1 — `<samlp:AuthnRequest>` may identify the desired ACS
+     * endpoint either by URL+ProtocolBinding *or* by an index into the SP's
+     * metadata. The three attributes are mutually exclusive: "If the
+     * `<AssertionConsumerServiceIndex>` attribute is present, neither
+     * `<AssertionConsumerServiceURL>` nor `<ProtocolBinding>` may be set."
+     *
+     * When this option is set, samlify omits both `AssertionConsumerServiceURL`
+     * and `ProtocolBinding` from the rendered request — including any
+     * metadata-derived ACS URL the SP would otherwise inject. In other words,
+     * if the caller sets `assertionConsumerServiceIndex`, the index wins;
+     * mutual exclusion enforcement is the caller's responsibility.
+     *
+     * Useful for IdPs (legacy Shibboleth, certain ADFS configurations) that
+     * prefer the metadata-indexed form per saml-profiles §4.1.4.1.
+     */
+    assertionConsumerServiceIndex?: number;
+}
+/** Per-request options accepted by `IdentityProvider#createLoginResponse`. */
+export interface CreateLoginResponseOptions {
+    relayState?: string;
+    customTagReplacement?: CustomTagReplacement;
+    /** When true, encrypt the assertion before signing the message. */
+    encryptThenSign?: boolean;
+}
+/** Per-request options accepted by `Entity#createLogoutRequest`. */
+export interface CreateLogoutRequestOptions {
+    relayState?: string;
+    customTagReplacement?: CustomTagReplacement;
+}
+/** Per-request options accepted by `Entity#createLogoutResponse`. */
+export interface CreateLogoutResponseOptions {
+    relayState?: string;
+    customTagReplacement?: CustomTagReplacement;
+}
+/** Output of an XML-signature binding step (base64 SAML + request id). */
+export interface BindingContext {
+    context: string;
+    id: string;
+}
+/** Post-binding output extended with the endpoint, relay state, and kind. */
+export interface PostBindingContext extends BindingContext {
+    relayState?: string;
+    entityEndpoint: string;
+    type: string;
+}
+/** Simple-sign binding output. */
+export interface SimpleSignBindingContext extends PostBindingContext {
+    sigAlg?: string;
+    signature?: string;
+    keyInfo?: string;
+}
+/** Simple-sign computed output without the outer endpoint wrapper. */
+export interface SimpleSignComputedContext extends BindingContext {
+    sigAlg?: string;
+    signature?: string;
+}
+/** Parsed result emitted by SAML binding parsers. */
+export interface ParseResult {
+    samlContent: string;
+    extract: ExtractorResult;
+    sigAlg: string;
+}
+/** Options for `MetadataSpOptions#signatureConfig`. */
+export interface SignatureConfig {
+    prefix?: string;
+    location?: {
+        reference?: string;
+        action?: 'append' | 'prepend' | 'before' | 'after';
+    };
+    attrs?: Record<string, string>;
+    existingPrefixes?: Record<string, string>;
+}
+/** SAML root-element wrapping template (request/response contexts). */
+export interface SAMLDocumentTemplate {
+    context?: string;
+}
+/** Options accepted when constructing IdP metadata programmatically. */
 export interface MetadataIdpOptions {
     entityID?: string;
     signingCert?: string | Buffer | (string | Buffer)[];
@@ -18,8 +194,19 @@ export interface MetadataIdpOptions {
     singleSignOnService?: SSOService[];
     singleLogoutService?: SSOService[];
     requestSignatureAlgorithm?: string;
+    /**
+     * Override the order of child elements rendered inside
+     * `<IDPSSODescriptor>`. Each entry names a child element; the constructor
+     * emits the populated children in the order given. Mirrors the SP-side
+     * `MetadataSpOptions.elementsOrder`. Pre-baked variants are exposed via
+     * `Constants.elementsOrder.idp` (`default`, `onelogin`, `shibboleth`).
+     * See `saml-metadata §2.4.3` for the schema-declared sequence (#429).
+     */
+    elementsOrder?: string[];
 }
+/** Constructor argument for IdP metadata: options or raw XML. */
 export type MetadataIdpConstructor = MetadataIdpOptions | MetadataFile;
+/** Options accepted when constructing SP metadata programmatically. */
 export interface MetadataSpOptions {
     entityID?: string;
     signingCert?: string | Buffer | (string | Buffer)[];
@@ -27,28 +214,19 @@ export interface MetadataSpOptions {
     authnRequestsSigned?: boolean;
     wantAssertionsSigned?: boolean;
     wantMessageSigned?: boolean;
-    signatureConfig?: {
-        [key: string]: any;
-    };
+    signatureConfig?: SignatureConfig;
     nameIDFormat?: string[];
     singleSignOnService?: SSOService[];
     singleLogoutService?: SSOService[];
     assertionConsumerService?: SSOService[];
     elementsOrder?: string[];
 }
+/** Constructor argument for SP metadata: options or raw XML. */
 export type MetadataSpConstructor = MetadataSpOptions | MetadataFile;
+/** Combined settings bag carried by an Entity. */
 export type EntitySetting = ServiceProviderSettings & IdentityProviderSettings;
-export interface SignatureConfig {
-    prefix?: string;
-    location?: {
-        reference?: string;
-        action?: 'append' | 'prepend' | 'before' | 'after';
-    };
-}
-export interface SAMLDocumentTemplate {
-    context?: string;
-}
-export type ServiceProviderSettings = {
+/** Service-provider configuration accepted by the SP factory. */
+export interface ServiceProviderSettings {
     metadata?: string | Buffer;
     entityID?: string;
     authnRequestsSigned?: boolean;
@@ -67,23 +245,36 @@ export type ServiceProviderSettings = {
     signatureConfig?: SignatureConfig;
     loginRequestTemplate?: SAMLDocumentTemplate;
     logoutRequestTemplate?: SAMLDocumentTemplate;
+    logoutResponseTemplate?: SAMLDocumentTemplate;
     signingCert?: string | Buffer | (string | Buffer)[];
     encryptCert?: string | Buffer | (string | Buffer)[];
     transformationAlgorithms?: string[];
     nameIDFormat?: string[];
     allowCreate?: boolean;
+    /**
+     * @deprecated Pass `relayState` per request via the options bag on
+     * `createLoginRequest` / `createLogoutRequest` / `createLogoutResponse`
+     * instead. RelayState is request-scoped per `saml-bindings §3.4.3, §3.5.3`;
+     * keeping it on the entity makes a single SP/IdP instance unsafe for
+     * concurrent requests with different relay state values. Will be removed
+     * in v3.
+     */
     relayState?: string;
+    /** Clock drift tolerance in ms for notBefore / notOnOrAfter checks. */
     clockDrifts?: [number, number];
-};
-export type IdentityProviderSettings = {
+}
+/** Identity-provider configuration accepted by the IdP factory. */
+export interface IdentityProviderSettings {
     metadata?: string | Buffer;
-    /** signature algorithm */
+    /** XML-DSig signature algorithm URI for requests. */
     requestSignatureAlgorithm?: string;
-    /** template of login response */
+    /** Login response template with optional attribute statements. */
     loginResponseTemplate?: LoginResponseTemplate;
-    /** template of logout request */
+    /** Logout request XML template. */
     logoutRequestTemplate?: SAMLDocumentTemplate;
-    /** customized function used for generating request ID */
+    /** Logout response XML template. */
+    logoutResponseTemplate?: SAMLDocumentTemplate;
+    /** Callback used to generate a unique SAML message ID. */
     generateID?: () => string;
     entityID?: string;
     privateKey?: string | Buffer;
@@ -101,7 +292,42 @@ export type IdentityProviderSettings = {
     wantLogoutResponseSigned?: boolean;
     wantAuthnRequestsSigned?: boolean;
     wantLogoutRequestSignedResponseSigned?: boolean;
+    /**
+     * Override the XML namespace prefixes used when rendering the IdP's
+     * default request/response templates.
+     *
+     * - `protocol` rebinds the SAML protocol namespace
+     *   (`urn:oasis:names:tc:SAML:2.0:protocol`, default prefix `samlp`).
+     * - `assertion` rebinds the SAML assertion namespace
+     *   (`urn:oasis:names:tc:SAML:2.0:assertion`, default prefix `saml`).
+     * - `encryptedAssertion` is the prefix wrapped around
+     *   `<EncryptedAssertion>` inside `libsaml.encryptAssertion`.
+     *
+     * Per saml-core §1.4 the prefix choice is not normative — only the
+     * namespace URI bindings are. Some peers (legacy ADFS quirks, custom
+     * integrations) require non-standard prefixes; this lets callers swap
+     * `samlp:` ↔ `samlp2:` and `saml:` ↔ `saml2:` without supplying a fully
+     * custom template (closes #388).
+     */
     tagPrefix?: {
-        [key: string]: string;
+        /** Prefix bound to the SAML protocol namespace (default: 'samlp'). */
+        protocol?: string;
+        /** Prefix bound to the SAML assertion namespace (default: 'saml'). */
+        assertion?: string;
+        /** Prefix used when wrapping `<EncryptedAssertion>`. */
+        encryptedAssertion?: string;
+        [key: string]: string | undefined;
     };
-};
+    /**
+     * @internal Populated by the IdP constructor when `tagPrefix.protocol`
+     * or `tagPrefix.assertion` is overridden — pre-rewritten copies of the
+     * built-in default request/response templates that the bindings consume
+     * in place of the library-internal defaults. Not part of the public
+     * configuration surface.
+     */
+    tagPrefixedDefaults?: {
+        loginResponseTemplate?: SAMLDocumentTemplate;
+        logoutRequestTemplate?: SAMLDocumentTemplate;
+        logoutResponseTemplate?: SAMLDocumentTemplate;
+    };
+}

package/types/src/urn.d.ts

@@ -135,6 +135,7 @@ declare const algorithms: {
         RSA_SHA1: string;
         RSA_SHA256: string;
         RSA_SHA512: string;
+        RSA_SHA256_MGF1: string;
     };
     encryption: {
         data: {
@@ -152,6 +153,7 @@ declare const algorithms: {
         'http://www.w3.org/2000/09/xmldsig#rsa-sha1': string;
         'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256': string;
         'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512': string;
+        'http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1': string;
     };
 };
 export declare enum ParserType {
@@ -189,5 +191,10 @@ declare const elementsOrder: {
     default: string[];
     onelogin: string[];
     shibboleth: string[];
+    idp: {
+        default: string[];
+        onelogin: string[];
+        shibboleth: string[];
+    };
 };
 export { namespace, tags, algorithms, wording, elementsOrder, messageConfigurations };