From 9eb219c20492a57bd6dede667d4e1fa0975218c6 Mon Sep 17 00:00:00 2001
From: Josh Sharpe
Date: Mon, 26 Jan 2026 14:08:39 -0600
Subject: [PATCH] Make breaking change patches

---
 .../authentication/saml/authentication.js | 3 ++-
 .../authentication/saml/definition.yml | 24 ++++++++++++-------
 2 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/server/modules/authentication/saml/authentication.js b/server/modules/authentication/saml/authentication.js
index 38d2e6f2..ad47b7a1 100644
--- a/server/modules/authentication/saml/authentication.js
+++ b/server/modules/authentication/saml/authentication.js
@@ -14,11 +14,12 @@ module.exports = {
  callbackUrl: conf.callbackURL,
  entryPoint: conf.entryPoint,
  issuer: conf.issuer,
- cert: (conf.cert || '').split('|'),
+ idpCert: (conf.cert || '').split('|'),
  signatureAlgorithm: conf.signatureAlgorithm,
  digestAlgorithm: conf.digestAlgorithm,
  identifierFormat: conf.identifierFormat,
  wantAssertionsSigned: conf.wantAssertionsSigned,
+ wantAuthnResponseSigned: conf.wantAuthnResponseSigned,
  acceptedClockSkewMs: _.toSafeInteger(conf.acceptedClockSkewMs),
  disableRequestedAuthnContext: conf.disableRequestedAuthnContext,
  authnContext: (conf.authnContext || '').split('|'),
diff --git a/server/modules/authentication/saml/definition.yml b/server/modules/authentication/saml/definition.yml
index 551e0f72..66294df6 100644
--- a/server/modules/authentication/saml/definition.yml
+++ b/server/modules/authentication/saml/definition.yml
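Review bot: `wantAuthnResponseSigned: conf.wantAuthnResponseSigned` passes `undefined` through whenever a config saved before this field existed carries no value for it, so the effective behaviour then depends on the SAML library's own default rather than the `false` declared in definition.yml; unless stored configs are guaranteed to be back-filled from the definition, pin it in this file, e.g. `wantAuthnResponseSigned: conf.wantAuthnResponseSigned ?? false,` (or an explicit `=== undefined` check if the project's Node target predates `??`). The renamed `idpCert: (conf.cert || '').split('|')` also yields `['']` when no certificate is configured, handing the library a single empty-string certificate instead of an empty list; `(conf.cert || '').split('|').filter(Boolean)` avoids that, though a missing IdP certificate is arguably a configuration error worth failing on loudly rather than tolerating. The enclosing `module.exports` object begins and ends outside the hunk.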
@@ -74,30 +74,36 @@ props:
  hint: If enabled, add WantAssertionsSigned="true" to the metadata, to specify that the IdP should always sign the assertions.
  default: false
  order: 21
+ wantAuthnResponseSigned:
+ type: Boolean
+ title: Always Sign Authentication Response
+ hint: If enabled, require that all incoming authentication response messages be signed at the top level, not just at the assertions.
+ default: false
+ order: 22
  acceptedClockSkewMs:
  type: Number
  title: Accepted Clock Skew Milleseconds
  hint: Time in milliseconds of skew that is acceptable between client and server when checking OnBefore and NotOnOrAfter assertion condition validity timestamps. Setting to -1 will disable checking these conditions entirely.
  default: 0
- order: 22
+ order: 23
  disableRequestedAuthnContext:
  type: Boolean
  title: Disable Requested Auth Context
  hint: If enabled, do not request a specific authentication context. This is known to help when authenticating against Active Directory (AD FS) servers.
  default: false
- order: 23
+ order: 24
  authnContext:
  type: String
  title: Auth Context
  hint: Name identifier format to request auth context. For multiple values, join them together using the | pipe symbol.
  default: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
- order: 24
+ order: 25
  racComparison:
  type: String
  title: RAC Comparison Type
  hint: Requested Authentication Context comparison type.
  maxWidth: 400
- order: 25
+ order: 26
  default: exact
  enum:
  - exact
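Review bot: The new `wantAuthnResponseSigned` hint does not say how it relates to the `wantAssertionsSigned` option directly above it, which is the question an administrator will have when deciding which of the two to enable; with both left at their `false` defaults this configuration requires neither the response nor the assertions to be signed, so the hint should state that one of them is normally expected to be on, e.g. `hint: If enabled, require that all incoming authentication response messages be signed at the top level, not just at the assertions. Either this or Always Sign Assertions should normally be enabled so that signature validation is enforced.` Whether the underlying SAML library itself rejects a configuration with both disabled is not visible from this patch, so that wording stays advisory. Separately, the unchanged `Accepted Clock Skew Milleseconds` title in this hunk misspells Milliseconds and could be corrected while the file is being touched.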
@@ -109,31 +115,31 @@ props:
  title: Force Initial Re-authentication
  hint: If enabled, the initial SAML request from the service provider specifies that the IdP should force re-authentication of the user, even if they possess a valid session.
  default: false
- order: 26
+ order: 27
  passive:
  type: Boolean
  title: Passive
  hint: If enabled, the initial SAML request from the service provider specifies that the IdP should prevent visible user interaction.
  default: false
- order: 27
+ order: 28
  providerName:
  type: String
  title: Provider Name
  hint: Optional human-readable name of the requester for use by the presenter's user agent or the identity provider.
  default: wiki.js
- order: 28
+ order: 29
  skipRequestCompression:
  type: Boolean
  title: Skip Request Compression
  hint: If enabled, the SAML request from the service provider won't be compressed.
  default: false
- order: 29
+ order: 30
  authnRequestBinding:
  type: String
  title: Request Binding
  hint: Binding used for request authentication from IDP.
  maxWidth: 400
- order: 30
+ order: 31
  default: 'HTTP-POST'
  enum:
  - HTTP-Redirect