Make breaking change patches

1 week ago · 9eb219c204
parent 899a4d78a2
commit 9eb219c204
2 changed files with 17 additions and 10 deletions
--- a/server/modules/authentication/saml/authentication.js
+++ b/server/modules/authentication/saml/authentication.js
@ -14,11 +14,12 @@ module.exports = {
      callbackUrl: conf.callbackURL,
      entryPoint: conf.entryPoint,
      issuer: conf.issuer,
-      cert: (conf.cert || '').split('|'),
+      idpCert: (conf.cert || '').split('|'),
      signatureAlgorithm: conf.signatureAlgorithm,
      digestAlgorithm: conf.digestAlgorithm,
      identifierFormat: conf.identifierFormat,
      wantAssertionsSigned: conf.wantAssertionsSigned,
+      wantAuthnResponseSigned: conf.wantAuthnResponseSigned, 
      acceptedClockSkewMs: _.toSafeInteger(conf.acceptedClockSkewMs),
      disableRequestedAuthnContext: conf.disableRequestedAuthnContext,
      authnContext: (conf.authnContext || '').split('|'),
--- a/server/modules/authentication/saml/definition.yml
+++ b/server/modules/authentication/saml/definition.yml
@ -74,30 +74,36 @@ props:
    hint: If enabled, add WantAssertionsSigned="true" to the metadata, to specify that the IdP should always sign the assertions.
    default: false
    order: 21
+  wantAuthnResponseSigned:
+    type: Boolean
+    title: Always Sign Authentication Response
+    hint: If enabled, require that all incoming authentication response messages be signed at the top level, not just at the assertions.
+    default: false
+    order: 22
  acceptedClockSkewMs:
    type: Number
    title: Accepted Clock Skew Milleseconds
    hint: Time in milliseconds of skew that is acceptable between client and server when checking OnBefore and NotOnOrAfter assertion condition validity timestamps. Setting to -1 will disable checking these conditions entirely.
    default: 0
-    order: 22
+    order: 23
  disableRequestedAuthnContext:
    type: Boolean
    title: Disable Requested Auth Context
    hint: If enabled, do not request a specific authentication context. This is known to help when authenticating against Active Directory (AD FS) servers.
    default: false
-    order: 23
+    order: 24
  authnContext:
    type: String
    title: Auth Context
    hint: Name identifier format to request auth context. For multiple values, join them together using the | pipe symbol.
    default: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
-    order: 24
+    order: 25
  racComparison:
    type: String
    title: RAC Comparison Type
    hint: Requested Authentication Context comparison type.
    maxWidth: 400
-    order: 25
+    order: 26
    default: exact
    enum:
      - exact
@ -109,31 +115,31 @@ props:
    title: Force Initial Re-authentication
    hint: If enabled, the initial SAML request from the service provider specifies that the IdP should force re-authentication of the user, even if they possess a valid session.
    default: false
-    order: 26
+    order: 27
  passive:
    type: Boolean
    title: Passive
    hint: If enabled, the initial SAML request from the service provider specifies that the IdP should prevent visible user interaction.
    default: false
-    order: 27
+    order: 28
  providerName:
    type: String
    title: Provider Name
    hint: Optional human-readable name of the requester for use by the presenter's user agent or the identity provider.
    default: wiki.js
-    order: 28
+    order: 29
  skipRequestCompression:
    type: Boolean
    title: Skip Request Compression
    hint: If enabled, the SAML request from the service provider won't be compressed.
    default: false
-    order: 29
+    order: 30
  authnRequestBinding:
    type: String
    title: Request Binding
    hint: Binding used for request authentication from IDP.
    maxWidth: 400
-    order: 30
+    order: 31
    default: 'HTTP-POST'
    enum:
      - HTTP-Redirect