samlify 2.12.0 → 2.13.0

package/types/src/entity.d.ts

@@ -1,35 +1,8 @@
 import { IdpMetadata as IdpMetadataConstructor } from './metadata-idp';
 import { SpMetadata as SpMetadataConstructor } from './metadata-sp';
-import { MetadataIdpConstructor, MetadataSpConstructor, EntitySetting } from './types';
-import { FlowResult } from './flow';
-export interface ESamlHttpRequest {
-    query?: any;
-    body?: any;
-    octetString?: string;
-}
-export interface BindingContext {
-    context: string;
-    id: string;
-}
-export interface PostBindingContext extends BindingContext {
-    relayState?: string;
-    entityEndpoint: string;
-    type: string;
-}
-export interface SimpleSignBindingContext extends PostBindingContext {
-    sigAlg?: string;
-    signature?: string;
-    keyInfo?: string;
-}
-export interface SimpleSignComputedContext extends BindingContext {
-    sigAlg?: string;
-    signature?: string;
-}
-export interface ParseResult {
-    samlContent: string;
-    extract: any;
-    sigAlg: string;
-}
+import type { MetadataIdpConstructor, MetadataSpConstructor, EntitySetting, ESamlHttpRequest, BindingContext, PostBindingContext, SimpleSignBindingContext, RequestInfo, SAMLUser, CreateLogoutRequestOptions, CreateLogoutResponseOptions, CustomTagReplacement } from './types';
+export type { ESamlHttpRequest, BindingContext, PostBindingContext, SimpleSignBindingContext, SimpleSignComputedContext, ParseResult, } from './types';
+/** Constructor argument shared by both SP and IdP factories. */
 export type EntityConstructor = (MetadataIdpConstructor | MetadataSpConstructor) & {
     metadata?: string | Buffer;
 };
@@ -38,62 +11,83 @@ export default class Entity {
     entityType: string;
     entityMeta: IdpMetadataConstructor | SpMetadataConstructor;
     /**
-    * @param entitySetting
-    * @param entityMeta is the entity metadata, deprecated after 2.0
-    */
+     * Build an entity, merging the provided configuration with defaults and
+     * hydrating the metadata abstraction for its role.
+     *
+     * @param entitySetting IdP or SP settings (metadata XML or options)
+     * @param entityType `idp` or `sp`
+     */
     constructor(entitySetting: EntityConstructor, entityType: 'idp' | 'sp');
     /**
-    * @desc  Returns the setting of entity
-    * @return {object}
-    */
+     * Return the effective entity settings (defaults merged with overrides).
+     */
     getEntitySetting(): EntitySetting;
     /**
-    * @desc  Returns the xml string of entity metadata
-    * @return {string}
-    */
+     * Return the serialized metadata XML for this entity.
+     */
     getMetadata(): string;
     /**
-    * @desc  Exports the entity metadata into specified folder
-    * @param  {string} exportFile indicates the file name
-    */
+     * Persist the metadata XML to disk.
+     *
+     * @param exportFile absolute file path
+     */
     exportMetadata(exportFile: string): void;
-    /** * @desc  Verify fields with the one specified in metadata
-    * @param  {string/[string]} field is a string or an array of string indicating the field value in SAML message
-    * @param  {string} metaField is a string indicating the same field specified in metadata
-    * @return {boolean} True/False
-    */
+    /**
+     * Equality check between a field value extracted from a SAML message and
+     * the value declared in the peer's metadata. Arrays must match on every
+     * entry.
+     *
+     * @param field value(s) from the inbound SAML message
+     * @param metaField value from peer metadata
+     * @returns true when every provided value equals `metaField`
+     */
     verifyFields(field: string | string[], metaField: string): boolean;
-    /** @desc   Generates the logout request for developers to design their own method
-    * @param  {ServiceProvider} sp     object of service provider
-    * @param  {string}   binding       protocol binding
-    * @param  {object}   user          current logged user (e.g. user)
-    * @param  {string} relayState      the URL to which to redirect the user when logout is complete
-    * @param  {function} customTagReplacement     used when developers have their own login response template
-    */
-    createLogoutRequest(targetEntity: any, binding: any, user: any, relayState?: string, customTagReplacement?: any): BindingContext | PostBindingContext;
     /**
-    * @desc  Generates the logout response for developers to design their own method
-    * @param  {IdentityProvider} idp               object of identity provider
-    * @param  {object} requestInfo                 corresponding request, used to obtain the id
-    * @param  {string} relayState                  the URL to which to redirect the user when logout is complete.
-    * @param  {string} binding                     protocol binding
-    * @param  {function} customTagReplacement                 used when developers have their own login response template
-    */
-    createLogoutResponse(target: any, requestInfo: any, binding: any, relayState?: string, customTagReplacement?: any): BindingContext | PostBindingContext;
+     * Build a logout request targeting `targetEntity`. The return type depends
+     * on the binding: `redirect` produces a URL; `post` and `simpleSign`
+     * produce a base64 envelope (the latter with a detached signature).
+     *
+     * The fourth parameter accepts either a string (legacy `relayState`
+     * positional shape) or an options bag `{ relayState?, customTagReplacement? }`.
+     * Per `saml-bindings §3.4.3 / §3.5.3`, RelayState is request-scoped — pass
+     * it via the options bag instead of `entitySetting.relayState`.
+     *
+     * @param targetEntity peer to receive the logout request
+     * @param binding `redirect`, `post`, or `simpleSign`
+     * @param user currently authenticated user
+     * @param optionsOrRelayState per-request options or legacy RelayState string
+     * @param legacyCustomTagReplacement optional custom template transformer (legacy positional form)
+     */
+    createLogoutRequest(targetEntity: Entity, binding: string, user: SAMLUser, optionsOrRelayState?: CreateLogoutRequestOptions | string, legacyCustomTagReplacement?: CustomTagReplacement): BindingContext | PostBindingContext | SimpleSignBindingContext;
+    /**
+     * Build a logout response to the peer that initiated logout.
+     *
+     * The fourth parameter accepts either a string (legacy `relayState`
+     * positional shape) or an options bag `{ relayState?, customTagReplacement? }`.
+     * Per `saml-bindings §3.4.3 / §3.5.3`, RelayState is request-scoped — pass
+     * it via the options bag instead of `entitySetting.relayState`.
+     *
+     * @param target peer that sent the corresponding logout request
+     * @param requestInfo parsed request used to link `InResponseTo`
+     * @param binding `redirect`, `post`, or `simpleSign`
+     * @param optionsOrRelayState per-request options or legacy RelayState string
+     * @param legacyCustomTagReplacement optional custom template transformer (legacy positional form)
+     */
+    createLogoutResponse(target: Entity, requestInfo: RequestInfo, binding: string, optionsOrRelayState?: CreateLogoutResponseOptions | string, legacyCustomTagReplacement?: CustomTagReplacement): BindingContext | PostBindingContext | SimpleSignBindingContext;
     /**
-    * @desc   Validation of the parsed the URL parameters
-    * @param  {IdentityProvider}   idp             object of identity provider
-    * @param  {string}   binding                   protocol binding
-    * @param  {request}   req                      request
-    * @return {Promise}
-    */
-    parseLogoutRequest(from: any, binding: any, request: ESamlHttpRequest): Promise<FlowResult>;
+     * Parse, validate and verify an inbound logout request.
+     *
+     * @param from peer entity that produced the request
+     * @param binding `redirect`, `post`, or `simpleSign`
+     * @param request HTTP request envelope
+     */
+    parseLogoutRequest(from: Entity, binding: string, request: ESamlHttpRequest): Promise<import("./flow").FlowResult>;
     /**
-    * @desc   Validation of the parsed the URL parameters
-    * @param  {object} config                      config for the parser
-    * @param  {string}   binding                   protocol binding
-    * @param  {request}   req                      request
-    * @return {Promise}
-    */
-    parseLogoutResponse(from: any, binding: any, request: ESamlHttpRequest): Promise<FlowResult>;
+     * Parse, validate and verify an inbound logout response.
+     *
+     * @param from peer entity that produced the response
+     * @param binding `redirect`, `post`, or `simpleSign`
+     * @param request HTTP request envelope
+     */
+    parseLogoutResponse(from: Entity, binding: string, request: ESamlHttpRequest): Promise<import("./flow").FlowResult>;
 }

package/types/src/extractor.d.ts

@@ -1,25 +1,34 @@
-interface ExtractorField {
-    key: string;
-    localPath: string[] | string[][];
-    attributes: string[];
-    index?: string[];
-    attributePath?: string[];
-    context?: boolean;
-}
-export type ExtractorFields = ExtractorField[];
+import type { ExtractorField, ExtractorFields, ExtractorResult } from './types';
+export type { ExtractorField, ExtractorFields, ExtractorResult } from './types';
+/** Default extractor fields for an inbound `AuthnRequest` (login request). */
 export declare const loginRequestFields: ExtractorFields;
-export declare const loginResponseStatusFields: {
-    key: string;
-    localPath: string[];
-    attributes: string[];
-}[];
-export declare const logoutResponseStatusFields: {
-    key: string;
-    localPath: string[];
-    attributes: string[];
-}[];
-export declare const loginResponseFields: ((assertion: any) => ExtractorFields);
+/** Two-tier status code extractor for login responses. */
+export declare const loginResponseStatusFields: ExtractorFields;
+/** Two-tier status code extractor for logout responses. */
+export declare const logoutResponseStatusFields: ExtractorFields;
+/**
+ * Build the login-response extractor bound to a particular assertion XML.
+ * Assertion-scoped fields are re-rooted at the assertion fragment via the
+ * `shortcut` mechanism so that wrapping attacks can't redirect extraction.
+ *
+ * @param assertion XML string of the (verified) assertion node
+ * @returns extractor fields ready for `extract`
+ */
+export declare const loginResponseFields: (assertion: string) => ExtractorFields;
+/** Default extractor fields for an inbound `LogoutRequest`. */
 export declare const logoutRequestFields: ExtractorFields;
+/** Default extractor fields for an inbound `LogoutResponse`. */
 export declare const logoutResponseFields: ExtractorFields;
-export declare function extract(context: string, fields: any): any;
-export {};
+/**
+ * Evaluate the given extractor fields against an XML document and return
+ * a flat object keyed by `field.key`. Handles:
+ *   - multi-path localPaths (`string[][]`) collected with `|`
+ *   - parent/child attribute aggregation (`index` + `attributePath`)
+ *   - whole-subtree extraction (`context: true`)
+ *   - single/multiple/zero-attribute text extraction
+ *
+ * @param context XML string to parse
+ * @param fields extractor field definitions
+ * @returns extracted SAML values keyed by field name
+ */
+export declare function extract(context: string, fields: ExtractorField[]): ExtractorResult;

package/types/src/flow.d.ts

@@ -1,6 +1,28 @@
+import type { ESamlHttpRequest, ExtractorResult } from './types';
+import type Entity from './entity';
+import { ParserType } from './urn';
+/** Result emitted by the flow dispatcher for successful inbound messages. */
 export interface FlowResult {
     samlContent: string;
-    extract: any;
+    extract: ExtractorResult;
     sigAlg?: string | null;
 }
-export declare function flow(options: any): Promise<FlowResult>;
+/** Options consumed by {@link flow} and its internal dispatch helpers. */
+export interface FlowOptions {
+    request: ESamlHttpRequest;
+    parserType: ParserType | string;
+    self: Entity;
+    from: Entity;
+    checkSignature?: boolean;
+    type: 'login' | 'logout';
+    binding: string;
+    supportBindings?: string[];
+}
+/**
+ * Entry point: dispatch an inbound SAML message to the matching binding
+ * handler based on `options.binding`.
+ *
+ * @param options flow inputs (request, parserType, entities, binding)
+ * @returns resolved {@link FlowResult} on success
+ */
+export declare function flow(options: FlowOptions): Promise<FlowResult>;

package/types/src/libsaml.d.ts

@@ -1,9 +1,13 @@
 /**
-* @file SamlLib.js
-* @author tngan
-* @desc  A simple library including some common functions
-*/
+ * @file libsaml.ts
+ * @author tngan
+ * @desc SAML primitives: templates, XML signing/verification, assertion
+ * encryption/decryption, and XPath helpers used by the higher-level flows.
+ */
 import { MetadataInterface } from './metadata';
+import { SigningSchemeHash } from 'node-rsa';
+import type { EntitySetting, SignatureConfig, TagReplacementMap, XmlElementArray } from './types';
+/** Options accepted by {@link LibSamlInterface.constructSAMLSignature}. */
 export interface SignatureConstructor {
     rawSamlMessage: string;
     referenceTagXPath?: string;
@@ -12,22 +16,28 @@ export interface SignatureConstructor {
     signatureAlgorithm: string;
     signingCert: string | Buffer;
     isBase64Output?: boolean;
-    signatureConfig?: any;
+    signatureConfig?: SignatureConfig;
     isMessageSigned?: boolean;
     transformationAlgorithms?: string[];
 }
+/** Options accepted by {@link LibSamlInterface.verifySignature}. */
 export interface SignatureVerifierOptions {
     metadata?: MetadataInterface;
     keyFile?: string;
     signatureAlgorithm?: string;
 }
+/**
+ * Generic extracted SAML result shape retained for backwards compatibility.
+ * Prefer {@link import('./types').ExtractorResult} in new code.
+ */
 export interface ExtractorResult {
-    [key: string]: any;
+    [key: string]: unknown;
     signature?: string | string[];
     issuer?: string | string[];
     nameID?: string;
     notexist?: boolean;
 }
+/** Attribute configuration used when building an AttributeStatement. */
 export interface LoginResponseAttribute {
     name: string;
     nameFormat: string;
@@ -36,10 +46,12 @@ export interface LoginResponseAttribute {
     valueXmlnsXs?: string;
     valueXmlnsXsi?: string;
 }
+/** Overridable templates used when building a LoginResponse. */
 export interface LoginResponseAdditionalTemplates {
     attributeStatementTemplate?: AttributeStatementTemplate;
     attributeTemplate?: AttributeTemplate;
 }
+/** Shared shape for all SAML document templates. */
 export interface BaseSamlTemplate {
     context: string;
 }
@@ -57,26 +69,53 @@ export interface LogoutRequestTemplate extends BaseSamlTemplate {
 }
 export interface LogoutResponseTemplate extends BaseSamlTemplate {
 }
+/** Valid certificate `use` attribute values in metadata KeyDescriptor. */
 export type KeyUse = 'signing' | 'encryption';
+/** Shape of a KeyDescriptor element assembled by `createKeySection`. */
 export interface KeyComponent {
-    [key: string]: any;
+    [key: string]: unknown;
+    KeyDescriptor: XmlElementArray;
+}
+/** Structural shape of an Entity (IdP or SP) consumed by libsaml. */
+export interface EntityLike {
+    entitySetting: EntitySetting & {
+        isAssertionEncrypted?: boolean;
+        dataEncryptionAlgorithm?: string;
+        keyEncryptionAlgorithm?: string;
+        tagPrefix?: {
+            protocol?: string;
+            assertion?: string;
+            encryptedAssertion?: string;
+            [key: string]: string | undefined;
+        };
+        encPrivateKey?: string | Buffer;
+        encPrivateKeyPass?: string | Buffer;
+    };
+    entityMeta: MetadataInterface;
 }
+/** Public surface exposed by the libsaml singleton. */
 export interface LibSamlInterface {
     getQueryParamByType: (type: string) => string;
-    createXPath: (local: any, isExtractAll?: boolean) => string;
-    replaceTagsByValue: (rawXML: string, tagValues: any) => string;
+    createXPath: (local: string | {
+        name: string;
+        attr: string;
+    }, isExtractAll?: boolean) => string;
+    replaceTagsByValue: (rawXML: string, tagValues: TagReplacementMap) => string;
     attributeStatementBuilder: (attributes: LoginResponseAttribute[], attributeTemplate: AttributeTemplate, attributeStatementTemplate: AttributeStatementTemplate) => string;
     constructSAMLSignature: (opts: SignatureConstructor) => string;
-    verifySignature: (xml: string, opts: SignatureVerifierOptions) => [boolean, any];
-    createKeySection: (use: KeyUse, cert: string | Buffer) => {};
-    constructMessageSignature: (octetString: string, key: string, passphrase?: string, isBase64?: boolean, signingAlgorithm?: string) => string;
-    verifyMessageSignature: (metadata: any, octetString: string, signature: string | Buffer, verifyAlgorithm?: string) => boolean;
-    getKeyInfo: (x509Certificate: string, signatureConfig?: any) => void;
-    encryptAssertion: (sourceEntity: any, targetEntity: any, entireXML: string) => Promise<string>;
-    decryptAssertion: (here: any, entireXML: string) => Promise<[string, any]>;
-    getSigningScheme: (sigAlg: string) => string | null;
+    verifySignature: (xml: string, opts: SignatureVerifierOptions) => [boolean, string | null];
+    createKeySection: (use: KeyUse, cert: string | Buffer) => KeyComponent;
+    constructMessageSignature: (octetString: string, key: string, passphrase?: string, isBase64?: boolean, signingAlgorithm?: string) => string | Buffer;
+    verifyMessageSignature: (metadata: MetadataInterface, octetString: string, signature: string | Buffer, verifyAlgorithm?: string) => boolean;
+    getKeyInfo: (x509Certificate: string, signatureConfig?: SignatureConfig) => {
+        getKeyInfo: () => string;
+        getKey: () => string;
+    };
+    encryptAssertion: (sourceEntity: EntityLike, targetEntity: EntityLike, entireXML: string) => Promise<string>;
+    decryptAssertion: (here: EntityLike, entireXML: string) => Promise<[string, string]>;
+    getSigningScheme: (sigAlg: string) => SigningSchemeHash | null;
     getDigestMethod: (sigAlg: string) => string | null;
-    nrsaAliasMapping: any;
+    nrsaAliasMapping: Record<string, SigningSchemeHash>;
     defaultLoginRequestTemplate: LoginRequestTemplate;
     defaultLoginResponseTemplate: LoginResponseTemplate;
     defaultAttributeStatementTemplate: AttributeStatementTemplate;
@@ -85,125 +124,140 @@ export interface LibSamlInterface {
     defaultLogoutResponseTemplate: LogoutResponseTemplate;
 }
 declare const _default: {
-    createXPath: (local: any, isExtractAll?: boolean) => string;
-    getQueryParamByType: (type: string) => "SAMLRequest" | "SAMLResponse";
-    defaultLoginRequestTemplate: {
-        context: string;
-    };
-    defaultLoginResponseTemplate: {
-        context: string;
-        attributes: never[];
-        additionalTemplates: {
-            attributeStatementTemplate: {
-                context: string;
-            };
-            attributeTemplate: {
-                context: string;
-            };
-        };
-    };
-    defaultAttributeStatementTemplate: {
-        context: string;
-    };
-    defaultAttributeTemplate: {
-        context: string;
-    };
-    defaultLogoutRequestTemplate: {
-        context: string;
-    };
-    defaultLogoutResponseTemplate: {
-        context: string;
-    };
+    createXPath: (local: string | {
+        name: string;
+        attr: string;
+    }, isExtractAll?: boolean) => string;
+    getQueryParamByType: (type: string) => string;
+    defaultLoginRequestTemplate: LoginRequestTemplate;
+    defaultLoginResponseTemplate: LoginResponseTemplate;
+    defaultAttributeStatementTemplate: AttributeStatementTemplate;
+    defaultAttributeTemplate: AttributeTemplate;
+    defaultLogoutRequestTemplate: LogoutRequestTemplate;
+    defaultLogoutResponseTemplate: LogoutResponseTemplate;
     /**
-    * @desc Replace the tag (e.g. {tag}) inside the raw XML
-    * @param  {string} rawXML      raw XML string used to do keyword replacement
-    * @param  {array} tagValues    tag values
-    * @return {string}
-    */
-    replaceTagsByValue(rawXML: string, tagValues: Record<string, unknown>): string;
+     * Substitute `{Tag}` placeholders inside an XML template with the given
+     * replacement map. Replacement text is XML-escaped in both attribute and
+     * element-text positions to prevent SAML element/attribute injection.
+     *
+     * When a tag's value is `null` or `undefined`:
+     *   - in **attribute position** (`name="{Tag}"`) the entire attribute is
+     *     omitted from the rendered XML, per `saml-core §3.4.1` (every
+     *     `<AuthnRequest>` attribute is `use="optional"`); previously samlify
+     *     emitted `name=""` or the literal `name="undefined"`, which is
+     *     invalid for typed attributes (e.g. `AssertionConsumerServiceURL`
+     *     declared as `xs:anyURI`).
+     *   - in **element-only-body position** (`<X>{Tag}</X>` or
+     *     `<X attr="...">{Tag}</X>`) the entire element is dropped — per
+     *     `saml-core §3.7.1` for `<samlp:SessionIndex>` and any other
+     *     `minOccurs="0"` element where the body is solely a placeholder.
+     *   - in **mixed-text position** (`<X>prefix{Tag}suffix</X>`) the
+     *     placeholder is replaced with the empty string (legacy behaviour).
+     *
+     * @param rawXML template with `{Tag}` placeholders
+     * @param tagValues replacement map keyed by tag name
+     * @returns XML with placeholders resolved
+     */
+    replaceTagsByValue(rawXML: string, tagValues: TagReplacementMap): string;
     /**
-    * @desc Helper function to build the AttributeStatement tag
-    * @param  {LoginResponseAttribute} attributes    an array of attribute configuration
-    * @param  {AttributeTemplate} attributeTemplate    the attribute tag template to be used
-    * @param  {AttributeStatementTemplate} attributeStatementTemplate    the attributeStatement tag template to be used
-    * @return {string}
-    */
+     * Build a serialized `<AttributeStatement>` from attribute descriptors
+     * by applying the attribute and statement templates.
+     *
+     * @param attributes attribute descriptors (name, format, value)
+     * @param attributeTemplate per-attribute template
+     * @param attributeStatementTemplate wrapping statement template
+     * @returns serialized XML fragment
+     */
     attributeStatementBuilder(attributes: LoginResponseAttribute[], attributeTemplate?: AttributeTemplate, attributeStatementTemplate?: AttributeStatementTemplate): string;
     /**
-    * @desc Construct the XML signature for POST binding
-    * @param  {string} rawSamlMessage      request/response xml string
-    * @param  {string} referenceTagXPath    reference uri
-    * @param  {string} privateKey           declares the private key
-    * @param  {string} passphrase           passphrase of the private key [optional]
-    * @param  {string|buffer} signingCert   signing certificate
-    * @param  {string} signatureAlgorithm   signature algorithm
-    * @param  {string[]} transformationAlgorithms   canonicalization and transformation Algorithms
-    * @return {string} base64 encoded string
-    */
+     * Compute an XML-DSig signature over the supplied SAML message. Can
+     * sign the message root (`isMessageSigned`), a referenced subtree
+     * (`referenceTagXPath`), or both.
+     *
+     * @param opts signature inputs and layout options
+     * @returns base64 (default) or raw signed XML string
+     */
     constructSAMLSignature(opts: SignatureConstructor): string;
     /**
-    * @desc Verify the XML signature
-    * @param  {string} xml xml
-    * @param  {SignatureVerifierOptions} opts cert declares the X509 certificate
-     * @return {[boolean, string | null]} - A tuple where:
-     *   - The first element is `true` if the signature is valid, `false` otherwise.
-     *   - The second element is the cryptographically authenticated assertion node as a string, or `null` if not found.
+     * Verify an XML-DSig signature on a SAML payload and, on success, return
+     * the cryptographically authenticated assertion node.
+     *
+     * Defends against classic wrapping attacks by rejecting assertions that
+     * appear inside a `SubjectConfirmationData` subtree.
+     *
+     * @param xml SAML message XML
+     * @param opts metadata or key file plus signature algorithm
+     * @returns tuple `[verified, authenticatedAssertion | null]`
      */
     verifySignature(xml: string, opts: SignatureVerifierOptions): [boolean, string | null];
     /**
-    * @desc Helper function to create the key section in metadata (abstraction for signing and encrypt use)
-    * @param  {string} use          type of certificate (e.g. signing, encrypt)
-    * @param  {string} certString    declares the certificate String
-    * @return {object} object used in xml module
-    */
+     * Build the metadata `<KeyDescriptor>` fragment for a certificate use.
+     *
+     * @param use `signing` or `encryption`
+     * @param certString PEM certificate body or Buffer
+     * @returns element tree consumable by the `xml` module
+     */
     createKeySection(use: KeyUse, certString: string | Buffer): KeyComponent;
     /**
-    * @desc Constructs SAML message
-    * @param  {string} octetString               see "Bindings for the OASIS Security Assertion Markup Language (SAML V2.0)" P.17/46
-    * @param  {string} key                       declares the pem-formatted private key
-    * @param  {string} passphrase                passphrase of private key [optional]
-    * @param  {string} signingAlgorithm          signing algorithm
-    * @return {string} message signature
-    */
-    constructMessageSignature(octetString: string, key: string, passphrase?: string, isBase64?: boolean, signingAlgorithm?: string): string | Buffer<ArrayBufferLike>;
+     * Produce a detached RSA signature over a SAML redirect-binding octet
+     * string. See SAML bindings spec §3.4.4.1.
+     *
+     * @param octetString canonical query-string to sign
+     * @param key PEM private key
+     * @param passphrase optional passphrase for the key
+     * @param isBase64 when true (default), base64-encode the signature
+     * @param signingAlgorithm signature algorithm URI
+     * @returns base64 string (default) or raw Buffer signature
+     */
+    constructMessageSignature(octetString: string, key: string, passphrase?: string, isBase64?: boolean, signingAlgorithm?: string): string | Buffer;
     /**
-    * @desc Verifies message signature
-    * @param  {Metadata} metadata                 metadata object of identity provider or service provider
-    * @param  {string} octetString                see "Bindings for the OASIS Security Assertion Markup Language (SAML V2.0)" P.17/46
-    * @param  {string} signature                  context of XML signature
-    * @param  {string} verifyAlgorithm            algorithm used to verify
-    * @return {boolean} verification result
-    */
-    verifyMessageSignature(metadata: any, octetString: string, signature: string | Buffer, verifyAlgorithm?: string): boolean;
+     * Verify a detached RSA signature over a redirect-binding octet string.
+     *
+     * @param metadata peer metadata carrying the signing certificate
+     * @param octetString canonical query-string that was signed
+     * @param signature signature bytes
+     * @param verifyAlgorithm signature algorithm URI (optional)
+     * @returns true when the signature verifies
+     */
+    verifyMessageSignature(metadata: MetadataInterface, octetString: string, signature: string | Buffer, verifyAlgorithm?: string): boolean;
     /**
-    * @desc Get the public key in string format
-    * @param  {string} x509Certificate certificate
-    * @return {string} public key
-    */
-    getKeyInfo(x509Certificate: string, signatureConfig?: any): {
+     * Build the KeyInfo XML fragment and PEM public key for a certificate.
+     *
+     * @param x509Certificate certificate body (no PEM wrappers)
+     * @param signatureConfig optional prefix/location for the KeyInfo element
+     */
+    getKeyInfo(x509Certificate: string, signatureConfig?: SignatureConfig): {
         getKeyInfo: () => string;
         getKey: () => string;
     };
     /**
-    * @desc Encrypt the assertion section in Response
-    * @param  {Entity} sourceEntity             source entity
-    * @param  {Entity} targetEntity             target entity
-    * @param  {string} xml                      response in xml string format
-    * @return {Promise} a promise to resolve the finalized xml
-    */
-    encryptAssertion(sourceEntity: any, targetEntity: any, xml?: string): Promise<string>;
+     * Encrypt the `<Assertion>` inside a SAML response using the target
+     * entity's encryption certificate. Returns the base64-encoded XML
+     * containing the `<EncryptedAssertion>` element in place of the plaintext.
+     *
+     * @param sourceEntity entity initiating the encryption (its settings drive the algorithms)
+     * @param targetEntity entity whose certificate is used
+     * @param xml response XML containing a single `<Assertion>`
+     * @returns promise resolving to base64-encoded XML
+     */
+    encryptAssertion(sourceEntity: EntityLike, targetEntity: EntityLike, xml?: string): Promise<string>;
     /**
-    * @desc Decrypt the assertion section in Response
-    * @param  {string} type             only accept SAMLResponse to proceed decryption
-    * @param  {Entity} here             this entity
-    * @param  {Entity} from             from the entity where the message is sent
-    * @param {string} entireXML         response in xml string format
-    * @return {function} a promise to get back the entire xml with decrypted assertion
-    */
-    decryptAssertion(here: any, entireXML: string): Promise<[string, any]>;
+     * Decrypt the `<EncryptedAssertion>` inside a SAML response using the
+     * local entity's private key. Returns both the decrypted document XML
+     * and the raw assertion fragment for downstream extraction.
+     *
+     * @param here local entity performing decryption
+     * @param entireXML SAML response XML containing `<EncryptedAssertion>`
+     * @returns tuple `[decryptedDocumentXml, rawAssertionXml]`
+     */
+    decryptAssertion(here: EntityLike, entireXML: string): Promise<[string, string]>;
     /**
-     * @desc Check if the xml string is valid and bounded
+     * Validate the SAML XML against the registered schema validator. Throws
+     * when no validator has been configured via {@link setSchemaValidator}
+     * so consumers can't silently ship without schema checks.
+     *
+     * @param input SAML XML string
      */
-    isValidXml(input: string): Promise<any>;
+    isValidXml(input: string): Promise<unknown>;
 };
 export default _default;