scimgateway 5.0.14 → 5.1.0

package/.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "daily"

package/README.md

@@ -16,7 +16,8 @@ Validated through IdP's:
 
 Latest news:  
 
-- Email, onError and sendMail() supports modern REST OAuth for Microsoft Exchange Online (ExO) and Google Workspace Gmail, alongside traditional SMTP Auth for all mail systems. HelperRest supports a wide range of common authentication methods, including basicAuth, bearerAuth, tokenAuth, oauth, oauthSamlAssertion, oauthJwtAssertion and Auth PassTrough 
+- By configuring the chainingBaseUrl, it is now possible to chain multiple gateways in sequence, such as `gateway1->gateway2->gateway3->endpoint`. In this setup, gateway beave much like a reverse proxy, validating authorization at each step unless PassThrough mode is enabled. Chaining is also supported in stream subscriber mode
+- Email, onError and sendMail() supports more secure RESTful OAuth for Microsoft Exchange Online (ExO) and Google Workspace Gmail, alongside traditional SMTP Auth for all mail systems. HelperRest supports a wide range of common authentication methods, including basicAuth, bearerAuth, tokenAuth, oauth, oauthSamlBearer, oauthJwtBearer and Auth PassTrough 
 - Major version **v5.0.0** marks a shift to native TypeScript support and prioritizes [Bun](https://bun.sh/) over Node.js. This upgrade requires some modifications to existing plugins.  
 - **BREAKING**: [SCIM Stream](https://elshaug.xyz/docs/scim-stream) is the modern way of user provisioning letting clients subscribe to messages instead of traditional IGA top-down provisioning. SCIM Gateway now offers enhanced functionality with support for message subscription and automated provisioning using SCIM Stream
 - Authentication PassThrough letting plugin pass authentication directly to endpoint for avoid maintaining secrets at the gateway. E.g., using Entra ID application OAuth
@@ -185,7 +186,7 @@ For Node.js (and also Bun), we might set the property `scimgateway_postinstall_s
 	// example starting all default plugins:
 	// const plugins = ['loki', 'scim', 'entra-id', 'ldap', 'mssql', 'api', 'mongodb', 'saphana', 'soap']
 
-	const plugins = ['ldap']
+	const plugins = ['loki']
 	
 	for (const plugin of plugins) {
 	  try {
@@ -354,6 +355,8 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 
 - **localhostonly** - true or false. False means gateway accepts incoming requests from all clients. True means traffic from only localhost (127.0.0.1) is accepted.
 
+- **chainingBaseUrl** - baseUrl for chaining anohter gateway, syntax: `http(s)://host:port`. If defined, gateway beave much like a reverse proxy, validating authorization unless PassThrough mode is enabled. See `Configuration notes` for details
+
 - **idleTimeout** - default 120, sets the the number of seconds to wait before timing out a connection due to inactivity
 
 - **scim.version** - "1.1" or "2.0". Default is "2.0".
@@ -399,7 +402,7 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 
 - **auth.bearerJwt** - Array of one or more standard JWT objects. Using **secret** or **publicKey** for signature verification. publicKey should be set to the filename of public key or certificate pem-file located in `<package-root>\config\certs` or absolute path being used. Clear text secret will become encrypted when gateway is started. **options.issuer** is mandatory. Other options may also be included according to jsonwebtoken npm package definition.
 
-- **auth.bearerOAuth** - Array of one or more Client Credentials OAuth configuration objects. **`clientId`** and **`clientSecret`** are mandatory. clientSecret value will become encrypted when gateway is started. OAuth token request url is **/oauth/token** e.g. http://localhost:8880/oauth/token
+- **auth.bearerOAuth** - Array of one or more Client Credentials OAuth configuration objects. **`clientId`** and **`clientSecret`** are mandatory. clientSecret value will become encrypted when gateway is started. OAuth token request url is **/oauth/token** e.g. `http://localhost:8880/oauth/token`
 
 - **auth.passThrough** - Setting **auth.passThrough.enabled=true** will bypass SCIM Gateway authentication. Gateway will instead pass ctx containing authentication header to the plugin. Plugin could then use this information for endpoint authentication and we don't have any password/token stored at the gateway. Note, this also requires plugin binary having `scimgateway.authPassThroughAllowed = true` and endpoint logic for handling/passing ctx.request.header.authorization
 
@@ -437,13 +440,13 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
           "2603:1056:2000::/48",
           "2603:1057:2::/48"
         ]
-- **email** - Contains configuration for sending email from plugin or automated error notifications emailOnError. Note, for emailOnError only the first error will be sent until sendInterval have passed. Supporting both SMTP Auth and modern REST OAuth. For OAuth, currently Microsoft Exchange Online (ExO) and Google Workspace Gmail are supported
+- **email** - Sending email from plugin or automated error notifications emailOnError. For emailOnError only the first error will be sent until sendInterval have passed. Supporting both SMTP Auth and modern REST OAuth. For OAuth, currently Microsoft Exchange Online (ExO) and Google Workspace Gmail are supported - see configuration notes
 - **email.auth** - Authentication configuration
 - **email.auth.type** - `oauth` or `smtp`
 - **email.auth.options** - Authentication options - note, different options for type oauth and smtp
-- **email.auth.options.tenantIdGUID (oauth/ExO)** - Entra ID tenant id, mandatory/recommended when using Microsoft Exchange Online
-- **email.auth.options.clientId (oauth/ExO)** - Client ID
-- **email.auth.options.clientSecret (oauth/ExO)** - Client Secret
+- **email.auth.options.tenantIdGUID (oauth/ExO)** - Entra tenant id or domain name
+- **email.auth.options.clientId (oauth/ExO)** - Entra OAuth application Client ID
+- **email.auth.options.clientSecret (oauth/ExO)** - Entra OAuth application Client Secret
 - **email.auth.options.serviceAccountKeyFile (oauth/Gmail)** - Google Service Account key json-file name located in the `package-root>\config\certs` directory unless absolute path being defined
 - **email.auth.options.host (smtp)** - Mailserver e.g. "smtp.gmail.com" - mandatory for smtp
 - **email.auth.options.port (smtp)** - Port used by mailserver e.g. 587, 25 or 465 - mandatory for smtp
@@ -461,45 +464,6 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 - **email.emailOnError.cc** - Optional comma separated list of cc mail addresses
 - **email.emailOnError.subject** - Optional mail subject, default `SCIM Gateway error message`
 
-	**Configuration notes for Microsoft Exchange Online (ExO):**
-
-	- Entra ID application must have application permissions `Mail.Send`  
-	- To prevent the sending of emails from any defined mailboxes, an ExO `ApplicationAccessPolicy` must be defined through PowerShell.  
-	
-		First create a mail-enabled security-group that only includes those users (mailboxes) the application is allowed to send from  
-		Note, `mail enabled security group` cannot be created from portal, only from admin or admin.exchange console
-		  
-			##Connect to Exchange
-			Install-Module -Name ExchangeOnlineManagement
-			Connect-ExchangeOnline
-			 
-			##Create ApplicationAccessPolicy
-			New-ApplicationAccessPolicy -AppId <AppClientID> -PolicyScopeGroupId <MailEnabledSecurityGrpId> -AccessRight RestrictAccess -Description "Restrict app to specific mailboxes"
-
-	**Configuration notes for Google Workspace Gmail:**
-
-	- https://console.cloud.google.com
-		- IAM & Admin > Service Accounts > Create Service Account
-			- Name=email-sender  
-			- Create and Continue
-			- Grant this service account access to project - not needed
-			- Grant users access to this service - not needed  
-		- IAM & Admin > Service Accounts > "email-sender" account > Keys    
-			- Add Key > Create new key > JSON
-			- download json `serviceAccountKeyFile` file, refere to configuration `email.auth.options.serviceAccountKeyFile`
-
-	- https://admin.google.com
-		- Security > Access and data control > API controls
-			- Manage Domain Wide Delegation > Add new
-			- Client ID = id of service account created
-			- OAuth scope = https://www.googleapis.com/auth/gmail.send  
-	 
-	- https://admin.google.com
-		- Billing > Subscriptions - verify Google Workspace license
-		- Directory > Users > "user"
-		- Licenses > Edit > enable Google Workspace license  
-		`email.onerror.from` mail address must have Google Workspace Business license
-
 - **stream** - See [SCIM Stream](https://elshaug.xyz/docs/scim-stream) for configuration details
 
 - **endpoint** - Contains endpoint specific configuration according to customized **plugin code**. 
@@ -561,6 +525,89 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 		}  
 
 
+- Email, using Microsoft Exchange Online (ExO)
+
+	- Entra ID application must have application permissions `Mail.Send`  
+	- To prevent the sending of emails from any defined mailboxes, an ExO `ApplicationAccessPolicy` must be defined through PowerShell.  
+	
+		First create a mail-enabled security-group that only includes those users (mailboxes) the application is allowed to send from  
+		Note, `mail enabled security group` cannot be created from portal, only from admin or admin.exchange console
+		  
+			##Connect to Exchange
+			Install-Module -Name ExchangeOnlineManagement
+			Connect-ExchangeOnline
+			 
+			##Create ApplicationAccessPolicy
+			New-ApplicationAccessPolicy -AppId <AppClientID> -PolicyScopeGroupId <MailEnabledSecurityGrpId> -AccessRight RestrictAccess -Description "Restrict app to specific mailboxes"
+
+- Email, using Google Workspace Gmail
+
+	- https://console.cloud.google.com
+		- IAM & Admin > Service Accounts > Create Service Account
+			- Name=email-sender  
+			- Create and Continue
+			- Grant this service account access to project - not needed
+			- Grant users access to this service - not needed  
+		- IAM & Admin > Service Accounts > "email-sender" account > Keys    
+			- Add Key > Create new key > JSON
+			- download json Service Account Key file, refere to configuration `email.auth.options.serviceAccountKeyFile`
+
+	- https://admin.google.com
+		- Security > Access and data control > API controls
+			- Manage Domain Wide Delegation > Add new
+			- Client ID = id of service account created
+			- OAuth scope = `https://www.googleapis.com/auth/gmail.send`  
+	 
+	- https://admin.google.com
+		- Billing > Subscriptions - verify Google Workspace license
+		- Directory > Users > "user"
+		- Licenses > Edit > enable Google Workspace license  
+		`email.emailOnError.from` mail address must have Google Workspace license
+
+- Gateway chainging and chainingBaseUrl configuration
+
+	By configuring the `chainingBaseUrl`, it is possible to chain multiple gateways in sequence, such as `gateway1->gateway2->gateway3->endpoint`. In this setup, gateway behave much like a reverse proxy, validating authorization at each step unless PassThrough mode is enabled. Chaining is also supported in stream subscriber mode
+	
+		{
+		  "scimgateway": {
+		    ...
+		    "chainingBaseUrl": "https:\\gateway2:8880",
+		    ...
+		    "auth": {
+		      ...
+		      "passThrough": {
+		        "enabled": false,
+		        "readOnly": false,
+		        "baseEntities": []
+		      }
+			  ...
+		    }
+		  },
+		  ...
+		}
+	
+	
+	Using above configuration example on gateway1, incoming requests will be routed to `https:\\gateway2:8880`
+	
+	The plugin and its associated authentication configuration can mirror the setup running on the final gateway. However, in chaining mode, the plugin binary is used solely for initializing and configuring the gateway. This allows for the use of a simplified `plugin-<name>.ts` binary containing only the essential mandatory components:
+		
+		// start - mandatory plugin initialization
+		const ScimGateway: typeof import('scimgateway').ScimGateway = await (async () => {
+		  try {
+		    return (await import('scimgateway')).ScimGateway
+		  } catch (err) {
+		    const source = './scimgateway.ts'
+		    return (await import(source)).ScimGateway
+		  }
+		})()
+		const scimgateway = new ScimGateway()
+		const config = scimgateway.getConfig()
+		scimgateway.authPassThroughAllowed = false
+		// end - mandatory plugin initialization
+
+	Using `scimgateway.authPassThroughAllowed = true` and `plugin-<name>.json` configuration `scimgateway.auth.passThrough=true` enables Authentication PassTrhough
+
+
 
 ## Manual startup    
 
@@ -1009,17 +1056,17 @@ For JavaScript coding editor you may use [Visual Studio Code](https://code.visua
 
 Preparation:
 
-* Copy "best matching" example plugin e.g. `lib\plugin-mssql.ts` and `config\plugin-mssql.json` and rename both copies to your plugin name prefix e.g. plugin-mine.ts and plugin-mine.json (for SOAP Webservice endpoint we might use plugin-soap as a template) 
+* Copy "best matching" example plugin e.g. `lib\plugin-mssql.ts` and `config\plugin-mssql.json` and rename both copies to your plugin name prefix e.g. plugin-mine.ts and plugin-mine.json 
 * Edit plugin-mine.json and define a unique port number for the gateway setting  
 * Edit index.ts and include your plugin in the startup e.g. `const plugins = ['mine']');`  
-* Start SCIM Gateway and verify. If using CA Provisioning you could setup a SCIM endpoint using the port number you defined  
+* Start SCIM Gateway and verify using using your own SCIM API requests or your IdP/IGA system.  
 
 Now we are ready for custom coding by editing plugin-mine.ts
-Coding should be done step by step and each step should be verified and tested before starting the next (they are all highlighted by comments in existing code).  
+Coding should be done step by step and each step should be verified and tested before starting the next 
 
-1. **Turn off group functionality** - getGroups to return empty response  
+1. **Turn off group functionality** - getGroups to return empty response (gateway automatically use getGroups for some of the methods if groups not included)  
 Please see plugin-saphana that do not use groups.
-2. **getUsers** (test provisioning retrieve accounts)
+2. **getUsers** (test provisioning retrieve all accounts and single account)
 4. **createUser** (test provisioning new account)
 5. **deleteUser** (test provisioning delete account)
 6. **modifyUser** (test provisioning modify account)
@@ -1136,6 +1183,21 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 
 ## Change log  
 
+### v5.1.0
+
+[Improved]
+
+- By configuring the `chainingBaseUrl`, it is now possible to chain multiple gateways in sequence, such as `gateway1->gateway2->gateway3->endpoint`. In this setup, gateway beave much like a reverse proxy, validating authorization at each step unless PassThrough mode is enabled. Chaining is also supported in stream subscriber mode
+
+	Please see `Configuration notes` for details	
+
+
+### v5.0.15
+
+[Improved]
+
+- HelperRest, auth.type=oauthSamlAssertion and auth.type=oauthJwtAssertion have been updated to `oauthSamlBearer` and `oauthJwtBearer` for consistency
+
 ### v5.0.14
 
 [Improved]

package/config/plugin-api.json

@@ -2,6 +2,7 @@
   "scimgateway": {
     "port": 8890,
     "localhostonly": false,
+    "chainingBaseUrl": null,
     "scim": {
       "version": "2.0",
       "skipTypeConvert": false,

package/config/plugin-entra-id.json

@@ -2,6 +2,7 @@
   "scimgateway": {
     "port": 8881,
     "localhostonly": false,
+    "chainingBaseUrl": null,
     "scim": {
       "version": "2.0",
       "customSchema": null,

package/config/plugin-ldap.json

@@ -2,6 +2,7 @@
   "scimgateway": {
     "port": 8883,
     "localhostonly": false,
+    "chainingBaseUrl": null,
     "scim": {
       "version": "2.0",
       "skipTypeConvert": false,

package/config/plugin-loki.json

@@ -2,6 +2,7 @@
   "scimgateway": {
     "port": 8880,
     "localhostonly": false,
+    "chainingBaseUrl": null,
     "scim": {
       "version": "2.0",
       "skipTypeConvert": false,

package/config/plugin-mongodb.json

@@ -2,6 +2,7 @@
   "scimgateway": {
     "port": 8885,
     "localhostonly": false,
+    "chainingBaseUrl": null,
     "scim": {
       "version": "2.0",
       "skipTypeConvert": false,

package/config/plugin-mssql.json

@@ -2,6 +2,7 @@
   "scimgateway": {
     "port": 8888,
     "localhostonly": false,
+    "chainingBaseUrl": null,
     "scim": {
       "version": "2.0",
       "skipTypeConvert": false,

package/config/plugin-saphana.json

@@ -2,6 +2,7 @@
   "scimgateway": {
     "port": 8884,
     "localhostonly": false,
+    "chainingBaseUrl": null,
     "scim": {
       "version": "2.0",
       "skipTypeConvert": false,

package/config/plugin-scim.json

@@ -2,6 +2,7 @@
   "scimgateway": {
     "port": 8886,
     "localhostonly": false,
+    "chainingBaseUrl": null,
     "scim": {
       "version": "2.0",
       "skipTypeConvert": false,

package/config/plugin-soap.json

@@ -2,6 +2,7 @@
   "scimgateway": {
     "port": 8882,
     "localhostonly": false,
+    "chainingBaseUrl": null,
     "scim": {
       "version": "2.0",
       "skipTypeConvert": false,

package/lib/helper-rest.ts

@@ -1,7 +1,16 @@
+// =================================================================================
+// File:    helper-rest.ts
+//
+// Author:  Jarle Elshaug
+//
+// Purpose: HelperRest class for executing REST calls supporting various auth types
+//          Plugins may use this class: import { HelperRest } from 'scimgateway'
+// =================================================================================
+
 import { HttpsProxyAgent } from 'https-proxy-agent'
 import { URL } from 'url'
 import { Buffer } from 'node:buffer'
-import { samlAssertion } from './samlAssertion.ts' // prereq: saml
+import { samlAssertion } from './samlAssertion.ts'
 import { sign as jwtSign } from 'jsonwebtoken'
 import fs from 'node:fs'
 import querystring from 'querystring'
@@ -37,7 +46,7 @@ export class HelperRest {
           }
         } else if (this.config_entity[baseEntity]?.connection?.auth?.options?.serviceAccountKeyFile) { // Google, setting baseUrls to googleapis
           const type = this.config_entity[baseEntity]?.connection?.auth?.type
-          if (type === 'oauthJwtAssertion' || type === 'oauth') { // includes oauth because of email.auth.type
+          if (type === 'oauthJwtBearer' || type === 'oauth') { // includes oauth because of email.auth.type
             this.config_entity[baseEntity].connection.baseUrls = [this.googleUrl]
           }
         }
@@ -99,7 +108,7 @@ export class HelperRest {
         }
         break
 
-      case 'oauthSamlAssertion':
+      case 'oauthSamlBearer':
         tokenUrl = this.config_entity[baseEntity].connection.auth.options.tokenUrl
         const context = null
         const cert = fs.readFileSync(this.config_entity[baseEntity].connection.auth.options.certificate.cert).toString()
@@ -123,7 +132,7 @@ export class HelperRest {
         }
         break
 
-      case 'oauthJwtAssertion':
+      case 'oauthJwtBearer':
         let privateKey = ''
         let jwtAttr: Record<string, any> = {}
         const serviceAccountKeyFile = this.config_entity[baseEntity]?.connection?.auth?.options?.serviceAccountKeyFile
@@ -284,7 +293,7 @@ export class HelperRest {
         }
 
         // Support  no auth, header based auth (e.g., config {"options":{"headers":{"APIkey":"123"}}}),
-        // basicAuth, bearerAuth, oauth, tokenAuth, oauthSamlAssertion, oauthJwtAssertion and auth PassTrough using request header authorization
+        // basicAuth, bearerAuth, oauth, tokenAuth, oauthSamlBearer, oauthJwtBearer and auth PassTrough using request header authorization
 
         let orgConnection: any
         if (opt?.connection) { // allow overriding/extending configuration connection by caller argument opt.connection
@@ -325,19 +334,19 @@ export class HelperRest {
             }
             param.options.headers['Authorization'] = 'Bearer ' + Buffer.from(this.config_entity[baseEntity].connection.auth.options.token).toString('base64')
             break
-          case 'oauthSamlAssertion':
+          case 'oauthSamlBearer':
             if (!this.config_entity[baseEntity]?.connection?.auth?.options?.clientId || !this.config_entity[baseEntity]?.connection?.auth?.options?.companyId
               || !this.config_entity[baseEntity]?.connection?.auth?.options?.certificate?.key) {
-              const err = new Error(`auth.type 'oauthSamlAssertion' - missing configuration entity.${baseEntity}.connection.auth.options...`)
+              const err = new Error(`auth.type 'oauthSamlBearer' - missing configuration entity.${baseEntity}.connection.auth.options...`)
               throw err
             }
             param.accessToken = await this.getAccessToken(baseEntity, ctx)
             param.options.headers['Authorization'] = `Bearer ${param.accessToken.access_token}`
             break
-          case 'oauthJwtAssertion':
+          case 'oauthJwtBearer':
             if (this.config_entity[baseEntity]?.connection?.auth?.options?.serviceAccountKeyFile) { // Google Service Account
               if (!this.config_entity[baseEntity]?.connection?.auth?.options?.scope || !this.config_entity[baseEntity]?.connection?.auth?.options?.subject) {
-                const err = new Error(`auth.type 'oauthJwtAssertion' - using auth.options 'serviceAccountKeyFile' also requires mandatory configuration entity.${baseEntity}.connection.auth.options.scope/subject`)
+                const err = new Error(`auth.type 'oauthJwtBearer' - using auth.options 'serviceAccountKeyFile' also requires mandatory configuration entity.${baseEntity}.connection.auth.options.scope/subject`)
                 throw err
               }
             } else if (!this.config_entity[baseEntity]?.connection?.auth?.options?.tokenUrl
@@ -347,7 +356,7 @@ export class HelperRest {
               || !this.config_entity[baseEntity]?.connection?.auth?.options?.audience
               || !this.config_entity[baseEntity]?.connection?.auth?.options?.certificate?.key
             ) {
-              const err = new Error(`auth.type 'oauthJwtAssertion' - when not using auth.options 'serviceAccountKeyFile' which is related to Google, following auth.options is mandatory: tokenUrl, scope, subject, issuer, audience, certificate.key`)
+              const err = new Error(`auth.type 'oauthJwtBearer' - when not using auth.options 'serviceAccountKeyFile' which is related to Google, following auth.options is mandatory: tokenUrl, scope, subject, issuer, audience, certificate.key`)
               throw err
             }
 
@@ -428,9 +437,9 @@ export class HelperRest {
       return cli // final client
     }
     //
-    // url path - none config based and used as is (no cache)
+    // url path - none config based (enpoint.entity) and used as is (no cache)
     //
-    this.scimgateway.logDebug(baseEntity, `${action}: Using none config based client`)
+    this.scimgateway.logDebug(baseEntity, `${action}: Using raw client`)
     let options: any = {
       json: true,
       headers: {
@@ -440,7 +449,7 @@ export class HelperRest {
       port: urlObj.port,
       protocol: urlObj.protocol,
       method: method,
-      path: urlObj.pathname,
+      path: urlObj.pathname + urlObj.search,
     }
 
     // proxy
@@ -653,7 +662,7 @@ export class HelperRest {
   * ```
   * type defines authentication being used  
   * if type not defined, no authentication used  
-  * valid type is: `basic`, `oauth`, `token`, `bearer` or `oauthSamlAssertion`  
+  * valid type is: `basic`, `oauth`, `token`, `bearer` or `oauthSamlBearer`  
   * 
   * for each valid type there are different auth.options  
   * 
@@ -699,7 +708,7 @@ export class HelperRest {
   * }
   * ```
   * 
-  * type=**"oauthSamlAssertion"** having auth.options:
+  * type=**"oauthSamlBearer"** having auth.options:
   * ```
   * {
   *   "options": {
@@ -715,7 +724,7 @@ export class HelperRest {
   * }
   * ```
   * 
-  * type=**"oauthJwtAssertion"** having auth.options:
+  * type=**"oauthJwtBearer"** having auth.options:
   * ```
   * // Google API - baseUrls automatically set to [https://www.googleapis.com]
   * {

package/lib/logger.ts

@@ -49,7 +49,7 @@ export class Log {
     )
   }
 
-  private maskSecret = winston.format((info) => {
+  private maskSecret = winston.format((info: any) => {
     // mask json secrets
     let rePattern = new RegExp(this.reJson, 'i')
     let msg: string = info.message

package/lib/samlAssertion.ts

@@ -1,4 +1,5 @@
 //
+// File: samlAssertion.ts
 // Purpose: create SAML token assertion that can be used by OAuth token request having grant type saml2-bearer
 // Based on: https://github.com/edersouza38/insomnia-plugin-sfsf-samlassertion
 //