admin/n8n-enterprise-unlocked
1
0
Fork 0
mirror of https://github.com/Abdulazizzn/n8n-enterprise-unlocked.git synced 2025-12-18 02:21:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(core): Add SAML XML validation (#5600)

Browse Source 
* consolidate SSO settings

* update saml settings

* fix type error

* limit user changes when saml is enabled

* add test

* add toggle endpoint and fetch metadata

* rename enabled param

* add handling of POST saml login request

* add config test endpoint

* adds saml XML validation

* add comment

* protect test endpoint

* improve ignoreSSL and some cleanup

* fix wrong schema used

* remove console.log
This commit is contained in:
Michael Auerswald
2023-03-06 09:44:25 +01:00
committed by GitHub
parent ddfa16cf27
commit ca66ec8f4d
16 changed files with 1672 additions and 51 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
packages/cli/package.json
View File

@@ -129,8 +129,8 @@
"bull": "^4.10.2", "bull": "^4.10.2",
"callsites": "^3.1.0", "callsites": "^3.1.0",
"change-case": "^4.1.1", "change-case": "^4.1.1",
"class-validator": "^0.14.0",
"class-transformer": "^0.5.1", "class-transformer": "^0.5.1",
"class-validator": "^0.14.0",
"client-oauth2": "^4.2.5", "client-oauth2": "^4.2.5",
"compression": "^1.7.4", "compression": "^1.7.4",
"connect-history-api-fallback": "^1.6.0", "connect-history-api-fallback": "^1.6.0",
@@ -205,6 +205,7 @@
"validator": "13.7.0", "validator": "13.7.0",
"winston": "^3.3.3", "winston": "^3.3.3",
"ws": "^8.12.0", "ws": "^8.12.0",
"xmllint-wasm": "^3.0.1",
"yamljs": "^0.3.0" "yamljs": "^0.3.0"
} }
} }

12
packages/cli/src/Server.ts
View File

@@ -515,10 +515,16 @@ class Server extends AbstractServer {
// SAML // SAML
// ---------------------------------------- // ----------------------------------------
// initialize SamlService // initialize SamlService if it is licensed, even if not enabled, to
await SamlService.getInstance().init(); // set up the initial environment
if (isSamlLicensed()) {
try {
await SamlService.getInstance().init();
} catch (error) {
LoggerProxy.error(`SAML initialization failed: ${error.message}`);
}
}
// public SAML endpoints
this.app.use(`/${this.restEndpoint}/sso/saml`, samlControllerPublic); this.app.use(`/${this.restEndpoint}/sso/saml`, samlControllerPublic);
this.app.use(`/${this.restEndpoint}/sso/saml`, samlControllerProtected); this.app.use(`/${this.restEndpoint}/sso/saml`, samlControllerProtected);

15
packages/cli/src/sso/saml/routes/saml.controller.protected.ee.ts
View File

@@ -57,12 +57,11 @@ samlControllerProtected.post(
SamlUrls.configToggleEnabled, SamlUrls.configToggleEnabled,
samlLicensedOwnerMiddleware, samlLicensedOwnerMiddleware,
async (req: SamlConfiguration.Toggle, res: express.Response) => { async (req: SamlConfiguration.Toggle, res: express.Response) => {
if (req.body.loginEnabled !== undefined) { if (req.body.loginEnabled === undefined) {
await SamlService.getInstance().setSamlPreferences({ loginEnabled: req.body.loginEnabled });
res.sendStatus(200);
} else {
throw new BadRequestError('Body should contain a boolean "loginEnabled" property'); throw new BadRequestError('Body should contain a boolean "loginEnabled" property');
} }
await SamlService.getInstance().setSamlPreferences({ loginEnabled: req.body.loginEnabled });
res.sendStatus(200);
}, },
); );
@@ -122,8 +121,9 @@ samlControllerProtected.get(
async (req: express.Request, res: express.Response) => { async (req: express.Request, res: express.Response) => {
const result = SamlService.getInstance().getLoginRequestUrl(); const result = SamlService.getInstance().getLoginRequestUrl();
if (result?.binding === 'redirect') { if (result?.binding === 'redirect') {
// forced client side redirect // forced client side redirect through the use of a javascript redirect
return res.send(getInitSSOPostView(result.context)); return res.send(getInitSSOPostView(result.context));
// TODO:SAML: If we want the frontend to handle the redirect, we will send the redirect URL instead:
// return res.status(301).send(result.context.context); // return res.status(301).send(result.context.context);
} else if (result?.binding === 'post') { } else if (result?.binding === 'post') {
return res.send(getInitSSOFormView(result.context as PostBindingContext)); return res.send(getInitSSOFormView(result.context as PostBindingContext));
@@ -133,8 +133,13 @@ samlControllerProtected.get(
}, },
); );
/**
* GET /sso/saml/config/test
* Test SAML config
*/
samlControllerProtected.get( samlControllerProtected.get(
SamlUrls.configTest, SamlUrls.configTest,
samlLicensedOwnerMiddleware,
async (req: express.Request, res: express.Response) => { async (req: express.Request, res: express.Response) => {
const testResult = await SamlService.getInstance().testSamlConnection(); const testResult = await SamlService.getInstance().testSamlConnection();
return res.send(testResult); return res.send(testResult);

71
packages/cli/src/sso/saml/saml.service.ee.ts
View File

@@ -10,7 +10,7 @@ import { isSsoJustInTimeProvisioningEnabled } from '../ssoHelpers';
import type { SamlPreferences } from './types/samlPreferences'; import type { SamlPreferences } from './types/samlPreferences';
import { SAML_PREFERENCES_DB_KEY } from './constants'; import { SAML_PREFERENCES_DB_KEY } from './constants';
import type { IdentityProviderInstance } from 'samlify'; import type { IdentityProviderInstance } from 'samlify';
import { IdentityProvider } from 'samlify'; import { IdentityProvider, setSchemaValidator } from 'samlify';
import { import {
createUserFromSamlAttributes, createUserFromSamlAttributes,
getMappedSamlAttributesFromFlowResult, getMappedSamlAttributesFromFlowResult,
@@ -22,8 +22,10 @@ import {
} from './samlHelpers'; } from './samlHelpers';
import type { Settings } from '../../databases/entities/Settings'; import type { Settings } from '../../databases/entities/Settings';
import axios from 'axios'; import axios from 'axios';
import https from 'https';
import type { SamlLoginBinding } from './types'; import type { SamlLoginBinding } from './types';
import type { BindingContext, PostBindingContext } from 'samlify/types/src/entity'; import type { BindingContext, PostBindingContext } from 'samlify/types/src/entity';
import { validateMetadata, validateResponse } from './samlValidator';
export class SamlService { export class SamlService {
private static instance: SamlService; private static instance: SamlService;
@@ -46,30 +48,14 @@ export class SamlService {
this._attributeMapping = mapping; this._attributeMapping = mapping;
} }
private _metadata = ''; private metadata = '';
private metadataUrl = ''; private metadataUrl = '';
private ignoreSSL = false;
private loginBinding: SamlLoginBinding = 'post'; private loginBinding: SamlLoginBinding = 'post';
public get metadata(): string {
return this._metadata;
}
public set metadata(metadata: string) {
this._metadata = metadata;
}
constructor() {
this.loadFromDbAndApplySamlPreferences()
.then(() => {
LoggerProxy.debug('Initializing SAML service');
})
.catch(() => {
LoggerProxy.error('Error initializing SAML service');
});
}
static getInstance(): SamlService { static getInstance(): SamlService {
if (!SamlService.instance) { if (!SamlService.instance) {
SamlService.instance = new SamlService(); SamlService.instance = new SamlService();
@@ -79,6 +65,15 @@ export class SamlService {
async init(): Promise<void> { async init(): Promise<void> {
await this.loadFromDbAndApplySamlPreferences(); await this.loadFromDbAndApplySamlPreferences();
setSchemaValidator({
validate: async (response: string) => {
const valid = await validateResponse(response);
if (!valid) {
return Promise.reject(new Error('Invalid SAML response'));
}
return Promise.resolve();
},
});
} }
getIdentityProviderInstance(forceRecreate = false): IdentityProviderInstance { getIdentityProviderInstance(forceRecreate = false): IdentityProviderInstance {
@@ -125,7 +120,6 @@ export class SamlService {
'post', 'post',
) as PostBindingContext; ) as PostBindingContext;
//TODO:SAML: debug logging //TODO:SAML: debug logging
LoggerProxy.debug(loginRequest.context); LoggerProxy.debug(loginRequest.context);
return loginRequest; return loginRequest;
} }
@@ -188,6 +182,7 @@ export class SamlService {
mapping: this.attributeMapping, mapping: this.attributeMapping,
metadata: this.metadata, metadata: this.metadata,
metadataUrl: this.metadataUrl, metadataUrl: this.metadataUrl,
ignoreSSL: this.ignoreSSL,
loginBinding: this.loginBinding, loginBinding: this.loginBinding,
loginEnabled: isSamlLoginEnabled(), loginEnabled: isSamlLoginEnabled(),
loginLabel: getSamlLoginLabel(), loginLabel: getSamlLoginLabel(),
@@ -198,12 +193,19 @@ export class SamlService {
this.loginBinding = prefs.loginBinding ?? this.loginBinding; this.loginBinding = prefs.loginBinding ?? this.loginBinding;
this.metadata = prefs.metadata ?? this.metadata; this.metadata = prefs.metadata ?? this.metadata;
this.attributeMapping = prefs.mapping ?? this.attributeMapping; this.attributeMapping = prefs.mapping ?? this.attributeMapping;
this.ignoreSSL = prefs.ignoreSSL ?? this.ignoreSSL;
if (prefs.metadataUrl) { if (prefs.metadataUrl) {
this.metadataUrl = prefs.metadataUrl; this.metadataUrl = prefs.metadataUrl;
const fetchedMetadata = await this.fetchMetadataFromUrl(); const fetchedMetadata = await this.fetchMetadataFromUrl();
if (fetchedMetadata) { if (fetchedMetadata) {
this.metadata = fetchedMetadata; this.metadata = fetchedMetadata;
} }
} else if (prefs.metadata) {
const validationResult = await validateMetadata(prefs.metadata);
if (!validationResult) {
throw new Error('Invalid SAML metadata');
}
this.metadata = prefs.metadata;
} }
setSamlLoginEnabled(prefs.loginEnabled ?? isSamlLoginEnabled()); setSamlLoginEnabled(prefs.loginEnabled ?? isSamlLoginEnabled());
setSamlLoginLabel(prefs.loginLabel ?? getSamlLoginLabel()); setSamlLoginLabel(prefs.loginLabel ?? getSamlLoginLabel());
@@ -248,18 +250,24 @@ export class SamlService {
async fetchMetadataFromUrl(): Promise<string | undefined> { async fetchMetadataFromUrl(): Promise<string | undefined> {
try { try {
const prevRejectStatus = process.env.NODE_TLS_REJECT_UNAUTHORIZED; // TODO:SAML: this will not work once axios is upgraded to > 1.2.0 (see checkServerIdentity)
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'; const agent = new https.Agent({
const response = await axios.get(this.metadataUrl); rejectUnauthorized: !this.ignoreSSL,
process.env.NODE_TLS_REJECT_UNAUTHORIZED = prevRejectStatus; });
const response = await axios.get(this.metadataUrl, { httpsAgent: agent });
if (response.status === 200 && response.data) { if (response.status === 200 && response.data) {
const xml = (await response.data) as string; const xml = (await response.data) as string;
// TODO: SAML: validate XML const validationResult = await validateMetadata(xml);
// throw new BadRequestError('Received XML is not valid SAML metadata.'); if (!validationResult) {
throw new BadRequestError(
`Data received from ${this.metadataUrl} is not valid SAML metadata.`,
);
}
return xml; return xml;
} }
} catch (error) { } catch (error) {
throw new BadRequestError('SAML Metadata URL is invalid or response is .'); // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
throw new BadRequestError(`Error fetching SAML Metadata from ${this.metadataUrl}: ${error}`);
} }
return; return;
} }
@@ -298,10 +306,14 @@ export class SamlService {
async testSamlConnection(): Promise<boolean> { async testSamlConnection(): Promise<boolean> {
try { try {
// TODO:SAML: this will not work once axios is upgraded to > 1.2.0 (see checkServerIdentity)
const agent = new https.Agent({
rejectUnauthorized: !this.ignoreSSL,
});
const requestContext = this.getLoginRequestUrl(); const requestContext = this.getLoginRequestUrl();
if (!requestContext) return false; if (!requestContext) return false;
if (requestContext.binding === 'redirect') { if (requestContext.binding === 'redirect') {
const fetchResult = await axios.get(requestContext.context.context); const fetchResult = await axios.get(requestContext.context.context, { httpsAgent: agent });
if (fetchResult.status !== 200) { if (fetchResult.status !== 200) {
LoggerProxy.debug('SAML: Error while testing SAML connection.'); LoggerProxy.debug('SAML: Error while testing SAML connection.');
return false; return false;
@@ -319,6 +331,7 @@ export class SamlService {
// eslint-disable-next-line @typescript-eslint/naming-convention // eslint-disable-next-line @typescript-eslint/naming-convention
'Content-type': 'application/x-www-form-urlencoded', 'Content-type': 'application/x-www-form-urlencoded',
}, },
httpsAgent: agent,
}); });
if (fetchResult.status !== 200) { if (fetchResult.status !== 200) {
LoggerProxy.debug('SAML: Error while testing SAML connection.'); LoggerProxy.debug('SAML: Error while testing SAML connection.');

93
packages/cli/src/sso/saml/samlValidator.ts Normal file
View File

@@ -0,0 +1,93 @@
import { LoggerProxy } from 'n8n-workflow';
import type { XMLFileInfo } from 'xmllint-wasm';
import { validateXML } from 'xmllint-wasm';
import { xsdSamlSchemaAssertion20 } from './schema/saml-schema-assertion-2.0.xsd';
import { xsdSamlSchemaMetadata20 } from './schema/saml-schema-metadata-2.0.xsd';
import { xsdSamlSchemaProtocol20 } from './schema/saml-schema-protocol-2.0.xsd';
import { xsdXenc } from './schema/xenc-schema.xsd';
import { xsdXml } from './schema/xml.xsd';
import { xsdXmldsigCore } from './schema/xmldsig-core-schema.xsd';
const xml: XMLFileInfo = {
fileName: 'xml.xsd',
contents: xsdXml,
};
const xmldsigCore: XMLFileInfo = {
fileName: 'xmldsig-core-schema.xsd',
contents: xsdXmldsigCore,
};
const xmlXenc: XMLFileInfo = {
fileName: 'xenc-schema.xsd',
contents: xsdXenc,
};
const xmlMetadata: XMLFileInfo = {
fileName: 'saml-schema-metadata-2.0.xsd',
contents: xsdSamlSchemaMetadata20,
};
const xmlAssertion: XMLFileInfo = {
fileName: 'saml-schema-assertion-2.0.xsd',
contents: xsdSamlSchemaAssertion20,
};
const xmlProtocol: XMLFileInfo = {
fileName: 'saml-schema-protocol-2.0.xsd',
contents: xsdSamlSchemaProtocol20,
};
export async function validateMetadata(metadata: string): Promise<boolean> {
try {
const validationResult = await validateXML({
xml: [
{
fileName: 'metadata.xml',
contents: metadata,
},
],
extension: 'schema',
schema: [xmlMetadata],
preload: [xmlProtocol, xmlAssertion, xmldsigCore, xmlXenc, xml],
});
if (validationResult.valid) {
LoggerProxy.debug('SAML Metadata is valid');
return true;
} else {
LoggerProxy.warn('SAML Validate Metadata: Invalid metadata');
LoggerProxy.warn(validationResult.errors.join('\n'));
}
} catch (error) {
// eslint-disable-next-line @typescript-eslint/no-unsafe-argument
LoggerProxy.warn(error);
}
return false;
}
export async function validateResponse(response: string): Promise<boolean> {
try {
const validationResult = await validateXML({
xml: [
{
fileName: 'response.xml',
contents: response,
},
],
extension: 'schema',
schema: [xmlProtocol],
preload: [xmlMetadata, xmlAssertion, xmldsigCore, xmlXenc, xml],
});
if (validationResult.valid) {
LoggerProxy.debug('SAML Response is valid');
return true;
} else {
LoggerProxy.warn('SAML Validate Response: Failed');
LoggerProxy.warn(validationResult.errors.join('\n'));
}
} catch (error) {
// eslint-disable-next-line @typescript-eslint/no-unsafe-argument
LoggerProxy.warn(error);
}
return false;
}

283
packages/cli/src/sso/saml/schema/saml-schema-assertion-2.0.xsd.ts Normal file
View File

@@ -0,0 +1,283 @@
export const xsdSamlSchemaAssertion20 = `<?xml version="1.0" encoding="US-ASCII"?>
<schema
targetNamespace="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns="http://www.w3.org/2001/XMLSchema"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
elementFormDefault="unqualified"
attributeFormDefault="unqualified"
blockDefault="substitution"
version="2.0">
<import namespace="http://www.w3.org/2000/09/xmldsig#"
schemaLocation="xmldsig-core-schema.xsd"/>
<import namespace="http://www.w3.org/2001/04/xmlenc#"
schemaLocation="xenc-schema.xsd"/>
<annotation>
<documentation>
Document identifier: saml-schema-assertion-2.0
Location: http://docs.oasis-open.org/security/saml/v2.0/
Revision history:
V1.0 (November, 2002):
Initial Standard Schema.
V1.1 (September, 2003):
Updates within the same V1.0 namespace.
V2.0 (March, 2005):
New assertion schema for SAML V2.0 namespace.
</documentation>
</annotation>
<attributeGroup name="IDNameQualifiers">
<attribute name="NameQualifier" type="string" use="optional"/>
<attribute name="SPNameQualifier" type="string" use="optional"/>
</attributeGroup>
<element name="BaseID" type="saml:BaseIDAbstractType"/>
<complexType name="BaseIDAbstractType" abstract="true">
<attributeGroup ref="saml:IDNameQualifiers"/>
</complexType>
<element name="NameID" type="saml:NameIDType"/>
<complexType name="NameIDType">
<simpleContent>
<extension base="string">
<attributeGroup ref="saml:IDNameQualifiers"/>
<attribute name="Format" type="anyURI" use="optional"/>
<attribute name="SPProvidedID" type="string" use="optional"/>
</extension>
</simpleContent>
</complexType>
<complexType name="EncryptedElementType">
<sequence>
<element ref="xenc:EncryptedData"/>
<element ref="xenc:EncryptedKey" minOccurs="0" maxOccurs="unbounded"/>
</sequence>
</complexType>
<element name="EncryptedID" type="saml:EncryptedElementType"/>
<element name="Issuer" type="saml:NameIDType"/>
<element name="AssertionIDRef" type="NCName"/>
<element name="AssertionURIRef" type="anyURI"/>
<element name="Assertion" type="saml:AssertionType"/>
<complexType name="AssertionType">
<sequence>
<element ref="saml:Issuer"/>
<element ref="ds:Signature" minOccurs="0"/>
<element ref="saml:Subject" minOccurs="0"/>
<element ref="saml:Conditions" minOccurs="0"/>
<element ref="saml:Advice" minOccurs="0"/>
<choice minOccurs="0" maxOccurs="unbounded">
<element ref="saml:Statement"/>
<element ref="saml:AuthnStatement"/>
<element ref="saml:AuthzDecisionStatement"/>
<element ref="saml:AttributeStatement"/>
</choice>
</sequence>
<attribute name="Version" type="string" use="required"/>
<attribute name="ID" type="ID" use="required"/>
<attribute name="IssueInstant" type="dateTime" use="required"/>
</complexType>
<element name="Subject" type="saml:SubjectType"/>
<complexType name="SubjectType">
<choice>
<sequence>
<choice>
<element ref="saml:BaseID"/>
<element ref="saml:NameID"/>
<element ref="saml:EncryptedID"/>
</choice>
<element ref="saml:SubjectConfirmation" minOccurs="0" maxOccurs="unbounded"/>
</sequence>
<element ref="saml:SubjectConfirmation" maxOccurs="unbounded"/>
</choice>
</complexType>
<element name="SubjectConfirmation" type="saml:SubjectConfirmationType"/>
<complexType name="SubjectConfirmationType">
<sequence>
<choice minOccurs="0">
<element ref="saml:BaseID"/>
<element ref="saml:NameID"/>
<element ref="saml:EncryptedID"/>
</choice>
<element ref="saml:SubjectConfirmationData" minOccurs="0"/>
</sequence>
<attribute name="Method" type="anyURI" use="required"/>
</complexType>
<element name="SubjectConfirmationData" type="saml:SubjectConfirmationDataType"/>
<complexType name="SubjectConfirmationDataType" mixed="true">
<complexContent>
<restriction base="anyType">
<sequence>
<any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
</sequence>
<attribute name="NotBefore" type="dateTime" use="optional"/>
<attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
<attribute name="Recipient" type="anyURI" use="optional"/>
<attribute name="InResponseTo" type="NCName" use="optional"/>
<attribute name="Address" type="string" use="optional"/>
<anyAttribute namespace="##other" processContents="lax"/>
</restriction>
</complexContent>
</complexType>
<complexType name="KeyInfoConfirmationDataType" mixed="false">
<complexContent>
<restriction base="saml:SubjectConfirmationDataType">
<sequence>
<element ref="ds:KeyInfo" maxOccurs="unbounded"/>
</sequence>
</restriction>
</complexContent>
</complexType>
<element name="Conditions" type="saml:ConditionsType"/>
<complexType name="ConditionsType">
<choice minOccurs="0" maxOccurs="unbounded">
<element ref="saml:Condition"/>
<element ref="saml:AudienceRestriction"/>
<element ref="saml:OneTimeUse"/>
<element ref="saml:ProxyRestriction"/>
</choice>
<attribute name="NotBefore" type="dateTime" use="optional"/>
<attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
</complexType>
<element name="Condition" type="saml:ConditionAbstractType"/>
<complexType name="ConditionAbstractType" abstract="true"/>
<element name="AudienceRestriction" type="saml:AudienceRestrictionType"/>
<complexType name="AudienceRestrictionType">
<complexContent>
<extension base="saml:ConditionAbstractType">
<sequence>
<element ref="saml:Audience" maxOccurs="unbounded"/>
</sequence>
</extension>
</complexContent>
</complexType>
<element name="Audience" type="anyURI"/>
<element name="OneTimeUse" type="saml:OneTimeUseType" />
<complexType name="OneTimeUseType">
<complexContent>
<extension base="saml:ConditionAbstractType"/>
</complexContent>
</complexType>
<element name="ProxyRestriction" type="saml:ProxyRestrictionType"/>
<complexType name="ProxyRestrictionType">
<complexContent>
<extension base="saml:ConditionAbstractType">
<sequence>
<element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/>
</sequence>
<attribute name="Count" type="nonNegativeInteger" use="optional"/>
</extension>
</complexContent>
</complexType>
<element name="Advice" type="saml:AdviceType"/>
<complexType name="AdviceType">
<choice minOccurs="0" maxOccurs="unbounded">
<element ref="saml:AssertionIDRef"/>
<element ref="saml:AssertionURIRef"/>
<element ref="saml:Assertion"/>
<element ref="saml:EncryptedAssertion"/>
<any namespace="##other" processContents="lax"/>
</choice>
</complexType>
<element name="EncryptedAssertion" type="saml:EncryptedElementType"/>
<element name="Statement" type="saml:StatementAbstractType"/>
<complexType name="StatementAbstractType" abstract="true"/>
<element name="AuthnStatement" type="saml:AuthnStatementType"/>
<complexType name="AuthnStatementType">
<complexContent>
<extension base="saml:StatementAbstractType">
<sequence>
<element ref="saml:SubjectLocality" minOccurs="0"/>
<element ref="saml:AuthnContext"/>
</sequence>
<attribute name="AuthnInstant" type="dateTime" use="required"/>
<attribute name="SessionIndex" type="string" use="optional"/>
<attribute name="SessionNotOnOrAfter" type="dateTime" use="optional"/>
</extension>
</complexContent>
</complexType>
<element name="SubjectLocality" type="saml:SubjectLocalityType"/>
<complexType name="SubjectLocalityType">
<attribute name="Address" type="string" use="optional"/>
<attribute name="DNSName" type="string" use="optional"/>
</complexType>
<element name="AuthnContext" type="saml:AuthnContextType"/>
<complexType name="AuthnContextType">
<sequence>
<choice>
<sequence>
<element ref="saml:AuthnContextClassRef"/>
<choice minOccurs="0">
<element ref="saml:AuthnContextDecl"/>
<element ref="saml:AuthnContextDeclRef"/>
</choice>
</sequence>
<choice>
<element ref="saml:AuthnContextDecl"/>
<element ref="saml:AuthnContextDeclRef"/>
</choice>
</choice>
<element ref="saml:AuthenticatingAuthority" minOccurs="0" maxOccurs="unbounded"/>
</sequence>
</complexType>
<element name="AuthnContextClassRef" type="anyURI"/>
<element name="AuthnContextDeclRef" type="anyURI"/>
<element name="AuthnContextDecl" type="anyType"/>
<element name="AuthenticatingAuthority" type="anyURI"/>
<element name="AuthzDecisionStatement" type="saml:AuthzDecisionStatementType"/>
<complexType name="AuthzDecisionStatementType">
<complexContent>
<extension base="saml:StatementAbstractType">
<sequence>
<element ref="saml:Action" maxOccurs="unbounded"/>
<element ref="saml:Evidence" minOccurs="0"/>
</sequence>
<attribute name="Resource" type="anyURI" use="required"/>
<attribute name="Decision" type="saml:DecisionType" use="required"/>
</extension>
</complexContent>
</complexType>
<simpleType name="DecisionType">
<restriction base="string">
<enumeration value="Permit"/>
<enumeration value="Deny"/>
<enumeration value="Indeterminate"/>
</restriction>
</simpleType>
<element name="Action" type="saml:ActionType"/>
<complexType name="ActionType">
<simpleContent>
<extension base="string">
<attribute name="Namespace" type="anyURI" use="required"/>
</extension>
</simpleContent>
</complexType>
<element name="Evidence" type="saml:EvidenceType"/>
<complexType name="EvidenceType">
<choice maxOccurs="unbounded">
<element ref="saml:AssertionIDRef"/>
<element ref="saml:AssertionURIRef"/>
<element ref="saml:Assertion"/>
<element ref="saml:EncryptedAssertion"/>
</choice>
</complexType>
<element name="AttributeStatement" type="saml:AttributeStatementType"/>
<complexType name="AttributeStatementType">
<complexContent>
<extension base="saml:StatementAbstractType">
<choice maxOccurs="unbounded">
<element ref="saml:Attribute"/>
<element ref="saml:EncryptedAttribute"/>
</choice>
</extension>
</complexContent>
</complexType>
<element name="Attribute" type="saml:AttributeType"/>
<complexType name="AttributeType">
<sequence>
<element ref="saml:AttributeValue" minOccurs="0" maxOccurs="unbounded"/>
</sequence>
<attribute name="Name" type="string" use="required"/>
<attribute name="NameFormat" type="anyURI" use="optional"/>
<attribute name="FriendlyName" type="string" use="optional"/>
<anyAttribute namespace="##other" processContents="lax"/>
</complexType>
<element name="AttributeValue" type="anyType" nillable="true"/>
<element name="EncryptedAttribute" type="saml:EncryptedElementType"/>
</schema>`;

336
packages/cli/src/sso/saml/schema/saml-schema-metadata-2.0.xsd.ts Normal file
View File

@@ -0,0 +1,336 @@
export const xsdSamlSchemaMetadata20 = `<?xml version="1.0" encoding="UTF-8"?>
<schema
targetNamespace="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns="http://www.w3.org/2001/XMLSchema"
elementFormDefault="unqualified"
attributeFormDefault="unqualified"
blockDefault="substitution"
version="2.0">
<import namespace="http://www.w3.org/2000/09/xmldsig#"
schemaLocation="xmldsig-core-schema.xsd"/>
<import namespace="http://www.w3.org/2001/04/xmlenc#"
schemaLocation="xenc-schema.xsd"/>
<import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
schemaLocation="saml-schema-assertion-2.0.xsd"/>
<import namespace="http://www.w3.org/XML/1998/namespace"
schemaLocation="xml.xsd"/>
<annotation>
<documentation>
Document identifier: saml-schema-metadata-2.0
Location: http://docs.oasis-open.org/security/saml/v2.0/
Revision history:
V2.0 (March, 2005):
Schema for SAML metadata, first published in SAML 2.0.
</documentation>
</annotation>
<simpleType name="entityIDType">
<restriction base="anyURI">
<maxLength value="1024"/>
</restriction>
</simpleType>
<complexType name="localizedNameType">
<simpleContent>
<extension base="string">
<attribute ref="xml:lang" use="required"/>
</extension>
</simpleContent>
</complexType>
<complexType name="localizedURIType">
<simpleContent>
<extension base="anyURI">
<attribute ref="xml:lang" use="required"/>
</extension>
</simpleContent>
</complexType>
<element name="Extensions" type="md:ExtensionsType"/>
<complexType final="#all" name="ExtensionsType">
<sequence>
<any namespace="##other" processContents="lax" maxOccurs="unbounded"/>
</sequence>
</complexType>
<complexType name="EndpointType">
<sequence>
<any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
</sequence>
<attribute name="Binding" type="anyURI" use="required"/>
<attribute name="Location" type="anyURI" use="required"/>
<attribute name="ResponseLocation" type="anyURI" use="optional"/>
<anyAttribute namespace="##other" processContents="lax"/>
</complexType>
<complexType name="IndexedEndpointType">
<complexContent>
<extension base="md:EndpointType">
<attribute name="index" type="unsignedShort" use="required"/>
<attribute name="isDefault" type="boolean" use="optional"/>
</extension>
</complexContent>
</complexType>
<element name="EntitiesDescriptor" type="md:EntitiesDescriptorType"/>
<complexType name="EntitiesDescriptorType">
<sequence>
<element ref="ds:Signature" minOccurs="0"/>
<element ref="md:Extensions" minOccurs="0"/>
<choice minOccurs="1" maxOccurs="unbounded">
<element ref="md:EntityDescriptor"/>
<element ref="md:EntitiesDescriptor"/>
</choice>
</sequence>
<attribute name="validUntil" type="dateTime" use="optional"/>
<attribute name="cacheDuration" type="duration" use="optional"/>
<attribute name="ID" type="ID" use="optional"/>
<attribute name="Name" type="string" use="optional"/>
</complexType>
<element name="EntityDescriptor" type="md:EntityDescriptorType"/>
<complexType name="EntityDescriptorType">
<sequence>
<element ref="ds:Signature" minOccurs="0"/>
<element ref="md:Extensions" minOccurs="0"/>
<choice>
<choice maxOccurs="unbounded">
<element ref="md:RoleDescriptor"/>
<element ref="md:IDPSSODescriptor"/>
<element ref="md:SPSSODescriptor"/>
<element ref="md:AuthnAuthorityDescriptor"/>
<element ref="md:AttributeAuthorityDescriptor"/>
<element ref="md:PDPDescriptor"/>
</choice>
<element ref="md:AffiliationDescriptor"/>
</choice>
<element ref="md:Organization" minOccurs="0"/>
<element ref="md:ContactPerson" minOccurs="0" maxOccurs="unbounded"/>
<element ref="md:AdditionalMetadataLocation" minOccurs="0" maxOccurs="unbounded"/>
</sequence>
<attribute name="entityID" type="md:entityIDType" use="required"/>
<attribute name="validUntil" type="dateTime" use="optional"/>
<attribute name="cacheDuration" type="duration" use="optional"/>
<attribute name="ID" type="ID" use="optional"/>
<anyAttribute namespace="##other" processContents="lax"/>
</complexType>
<element name="Organization" type="md:OrganizationType"/>
<complexType name="OrganizationType">
<sequence>
<element ref="md:Extensions" minOccurs="0"/>
<element ref="md:OrganizationName" maxOccurs="unbounded"/>
<element ref="md:OrganizationDisplayName" maxOccurs="unbounded"/>
<element ref="md:OrganizationURL" maxOccurs="unbounded"/>
</sequence>
<anyAttribute namespace="##other" processContents="lax"/>
</complexType>
<element name="OrganizationName" type="md:localizedNameType"/>
<element name="OrganizationDisplayName" type="md:localizedNameType"/>
<element name="OrganizationURL" type="md:localizedURIType"/>
<element name="ContactPerson" type="md:ContactType"/>
<complexType name="ContactType">
<sequence>
<element ref="md:Extensions" minOccurs="0"/>
<element ref="md:Company" minOccurs="0"/>
<element ref="md:GivenName" minOccurs="0"/>
<element ref="md:SurName" minOccurs="0"/>
<element ref="md:EmailAddress" minOccurs="0" maxOccurs="unbounded"/>
<element ref="md:TelephoneNumber" minOccurs="0" maxOccurs="unbounded"/>
</sequence>
<attribute name="contactType" type="md:ContactTypeType" use="required"/>
<anyAttribute namespace="##other" processContents="lax"/>
</complexType>
<element name="Company" type="string"/>
<element name="GivenName" type="string"/>
<element name="SurName" type="string"/>
<element name="EmailAddress" type="anyURI"/>
<element name="TelephoneNumber" type="string"/>
<simpleType name="ContactTypeType">
<restriction base="string">
<enumeration value="technical"/>
<enumeration value="support"/>
<enumeration value="administrative"/>
<enumeration value="billing"/>
<enumeration value="other"/>
</restriction>
</simpleType>
<element name="AdditionalMetadataLocation" type="md:AdditionalMetadataLocationType"/>
<complexType name="AdditionalMetadataLocationType">
<simpleContent>
<extension base="anyURI">
<attribute name="namespace" type="anyURI" use="required"/>
</extension>
</simpleContent>
</complexType>
<element name="RoleDescriptor" type="md:RoleDescriptorType"/>
<complexType name="RoleDescriptorType" abstract="true">
<sequence>
<element ref="ds:Signature" minOccurs="0"/>
<element ref="md:Extensions" minOccurs="0"/>
<element ref="md:KeyDescriptor" minOccurs="0" maxOccurs="unbounded"/>
<element ref="md:Organization" minOccurs="0"/>
<element ref="md:ContactPerson" minOccurs="0" maxOccurs="unbounded"/>
</sequence>
<attribute name="ID" type="ID" use="optional"/>
<attribute name="validUntil" type="dateTime" use="optional"/>
<attribute name="cacheDuration" type="duration" use="optional"/>
<attribute name="protocolSupportEnumeration" type="md:anyURIListType" use="required"/>
<attribute name="errorURL" type="anyURI" use="optional"/>
<anyAttribute namespace="##other" processContents="lax"/>
</complexType>
<simpleType name="anyURIListType">
<list itemType="anyURI"/>
</simpleType>
<element name="KeyDescriptor" type="md:KeyDescriptorType"/>
<complexType name="KeyDescriptorType">
<sequence>
<element ref="ds:KeyInfo"/>
<element ref="md:EncryptionMethod" minOccurs="0" maxOccurs="unbounded"/>
</sequence>
<attribute name="use" type="md:KeyTypes" use="optional"/>
</complexType>
<simpleType name="KeyTypes">
<restriction base="string">
<enumeration value="encryption"/>
<enumeration value="signing"/>
</restriction>
</simpleType>
<element name="EncryptionMethod" type="xenc:EncryptionMethodType"/>
<complexType name="SSODescriptorType" abstract="true">
<complexContent>
<extension base="md:RoleDescriptorType">
<sequence>
<element ref="md:ArtifactResolutionService" minOccurs="0" maxOccurs="unbounded"/>
<element ref="md:SingleLogoutService" minOccurs="0" maxOccurs="unbounded"/>
<element ref="md:ManageNameIDService" minOccurs="0" maxOccurs="unbounded"/>
<element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/>
</sequence>
</extension>
</complexContent>
</complexType>
<element name="ArtifactResolutionService" type="md:IndexedEndpointType"/>
<element name="SingleLogoutService" type="md:EndpointType"/>
<element name="ManageNameIDService" type="md:EndpointType"/>
<element name="NameIDFormat" type="anyURI"/>
<element name="IDPSSODescriptor" type="md:IDPSSODescriptorType"/>
<complexType name="IDPSSODescriptorType">
<complexContent>
<extension base="md:SSODescriptorType">
<sequence>
<element ref="md:SingleSignOnService" maxOccurs="unbounded"/>
<element ref="md:NameIDMappingService" minOccurs="0" maxOccurs="unbounded"/>
<element ref="md:AssertionIDRequestService" minOccurs="0" maxOccurs="unbounded"/>
<element ref="md:AttributeProfile" minOccurs="0" maxOccurs="unbounded"/>
<element ref="saml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
</sequence>
<attribute name="WantAuthnRequestsSigned" type="boolean" use="optional"/>
</extension>
</complexContent>
</complexType>
<element name="SingleSignOnService" type="md:EndpointType"/>
<element name="NameIDMappingService" type="md:EndpointType"/>
<element name="AssertionIDRequestService" type="md:EndpointType"/>
<element name="AttributeProfile" type="anyURI"/>
<element name="SPSSODescriptor" type="md:SPSSODescriptorType"/>
<complexType name="SPSSODescriptorType">
<complexContent>
<extension base="md:SSODescriptorType">
<sequence>
<element ref="md:AssertionConsumerService" maxOccurs="unbounded"/>
<element ref="md:AttributeConsumingService" minOccurs="0" maxOccurs="unbounded"/>
</sequence>
<attribute name="AuthnRequestsSigned" type="boolean" use="optional"/>
<attribute name="WantAssertionsSigned" type="boolean" use="optional"/>
</extension>
</complexContent>
</complexType>
<element name="AssertionConsumerService" type="md:IndexedEndpointType"/>
<element name="AttributeConsumingService" type="md:AttributeConsumingServiceType"/>
<complexType name="AttributeConsumingServiceType">
<sequence>
<element ref="md:ServiceName" maxOccurs="unbounded"/>
<element ref="md:ServiceDescription" minOccurs="0" maxOccurs="unbounded"/>
<element ref="md:RequestedAttribute" maxOccurs="unbounded"/>
</sequence>
<attribute name="index" type="unsignedShort" use="required"/>
<attribute name="isDefault" type="boolean" use="optional"/>
</complexType>
<element name="ServiceName" type="md:localizedNameType"/>
<element name="ServiceDescription" type="md:localizedNameType"/>
<element name="RequestedAttribute" type="md:RequestedAttributeType"/>
<complexType name="RequestedAttributeType">
<complexContent>
<extension base="saml:AttributeType">
<attribute name="isRequired" type="boolean" use="optional"/>
</extension>
</complexContent>
</complexType>
<element name="AuthnAuthorityDescriptor" type="md:AuthnAuthorityDescriptorType"/>
<complexType name="AuthnAuthorityDescriptorType">
<complexContent>
<extension base="md:RoleDescriptorType">
<sequence>
<element ref="md:AuthnQueryService" maxOccurs="unbounded"/>
<element ref="md:AssertionIDRequestService" minOccurs="0" maxOccurs="unbounded"/>
<element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/>
</sequence>
</extension>
</complexContent>
</complexType>
<element name="AuthnQueryService" type="md:EndpointType"/>
<element name="PDPDescriptor" type="md:PDPDescriptorType"/>
<complexType name="PDPDescriptorType">
<complexContent>
<extension base="md:RoleDescriptorType">
<sequence>
<element ref="md:AuthzService" maxOccurs="unbounded"/>
<element ref="md:AssertionIDRequestService" minOccurs="0" maxOccurs="unbounded"/>
<element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/>
</sequence>
</extension>
</complexContent>
</complexType>
<element name="AuthzService" type="md:EndpointType"/>
<element name="AttributeAuthorityDescriptor" type="md:AttributeAuthorityDescriptorType"/>
<complexType name="AttributeAuthorityDescriptorType">
<complexContent>
<extension base="md:RoleDescriptorType">
<sequence>
<element ref="md:AttributeService" maxOccurs="unbounded"/>
<element ref="md:AssertionIDRequestService" minOccurs="0" maxOccurs="unbounded"/>
<element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/>
<element ref="md:AttributeProfile" minOccurs="0" maxOccurs="unbounded"/>
<element ref="saml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
</sequence>
</extension>
</complexContent>
</complexType>
<element name="AttributeService" type="md:EndpointType"/>
<element name="AffiliationDescriptor" type="md:AffiliationDescriptorType"/>
<complexType name="AffiliationDescriptorType">
<sequence>
<element ref="ds:Signature" minOccurs="0"/>
<element ref="md:Extensions" minOccurs="0"/>
<element ref="md:AffiliateMember" maxOccurs="unbounded"/>
</sequence>
<attribute name="affiliationOwnerID" type="md:entityIDType" use="required"/>
<attribute name="validUntil" type="dateTime" use="optional"/>
<attribute name="cacheDuration" type="duration" use="optional"/>
<attribute name="ID" type="ID" use="optional"/>
<anyAttribute namespace="##other" processContents="lax"/>
</complexType>
<element name="AffiliateMember" type="md:entityIDType"/>
</schema>`;

302
packages/cli/src/sso/saml/schema/saml-schema-protocol-2.0.xsd.ts Normal file
View File

@@ -0,0 +1,302 @@
export const xsdSamlSchemaProtocol20 = `<?xml version="1.0" encoding="UTF-8"?>
<schema
targetNamespace="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns="http://www.w3.org/2001/XMLSchema"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
elementFormDefault="unqualified"
attributeFormDefault="unqualified"
blockDefault="substitution"
version="2.0">
<import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
schemaLocation="saml-schema-assertion-2.0.xsd"/>
<import namespace="http://www.w3.org/2000/09/xmldsig#"
schemaLocation="xmldsig-core-schema.xsd"/>
<annotation>
<documentation>
Document identifier: saml-schema-protocol-2.0
Location: http://docs.oasis-open.org/security/saml/v2.0/
Revision history:
V1.0 (November, 2002):
Initial Standard Schema.
V1.1 (September, 2003):
Updates within the same V1.0 namespace.
V2.0 (March, 2005):
New protocol schema based in a SAML V2.0 namespace.
</documentation>
</annotation>
<complexType name="RequestAbstractType" abstract="true">
<sequence>
<element ref="saml:Issuer" minOccurs="0"/>
<element ref="ds:Signature" minOccurs="0"/>
<element ref="samlp:Extensions" minOccurs="0"/>
</sequence>
<attribute name="ID" type="ID" use="required"/>
<attribute name="Version" type="string" use="required"/>
<attribute name="IssueInstant" type="dateTime" use="required"/>
<attribute name="Destination" type="anyURI" use="optional"/>
<attribute name="Consent" type="anyURI" use="optional"/>
</complexType>
<element name="Extensions" type="samlp:ExtensionsType"/>
<complexType name="ExtensionsType">
<sequence>
<any namespace="##other" processContents="lax" maxOccurs="unbounded"/>
</sequence>
</complexType>
<complexType name="StatusResponseType">
<sequence>
<element ref="saml:Issuer" minOccurs="0"/>
<element ref="ds:Signature" minOccurs="0"/>
<element ref="samlp:Extensions" minOccurs="0"/>
<element ref="samlp:Status"/>
</sequence>
<attribute name="ID" type="ID" use="required"/>
<attribute name="InResponseTo" type="NCName" use="optional"/>
<attribute name="Version" type="string" use="required"/>
<attribute name="IssueInstant" type="dateTime" use="required"/>
<attribute name="Destination" type="anyURI" use="optional"/>
<attribute name="Consent" type="anyURI" use="optional"/>
</complexType>
<element name="Status" type="samlp:StatusType"/>
<complexType name="StatusType">
<sequence>
<element ref="samlp:StatusCode"/>
<element ref="samlp:StatusMessage" minOccurs="0"/>
<element ref="samlp:StatusDetail" minOccurs="0"/>
</sequence>
</complexType>
<element name="StatusCode" type="samlp:StatusCodeType"/>
<complexType name="StatusCodeType">
<sequence>
<element ref="samlp:StatusCode" minOccurs="0"/>
</sequence>
<attribute name="Value" type="anyURI" use="required"/>
</complexType>
<element name="StatusMessage" type="string"/>
<element name="StatusDetail" type="samlp:StatusDetailType"/>
<complexType name="StatusDetailType">
<sequence>
<any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
</sequence>
</complexType>
<element name="AssertionIDRequest" type="samlp:AssertionIDRequestType"/>
<complexType name="AssertionIDRequestType">
<complexContent>
<extension base="samlp:RequestAbstractType">
<sequence>
<element ref="saml:AssertionIDRef" maxOccurs="unbounded"/>
</sequence>
</extension>
</complexContent>
</complexType>
<element name="SubjectQuery" type="samlp:SubjectQueryAbstractType"/>
<complexType name="SubjectQueryAbstractType" abstract="true">
<complexContent>
<extension base="samlp:RequestAbstractType">
<sequence>
<element ref="saml:Subject"/>
</sequence>
</extension>
</complexContent>
</complexType>
<element name="AuthnQuery" type="samlp:AuthnQueryType"/>
<complexType name="AuthnQueryType">
<complexContent>
<extension base="samlp:SubjectQueryAbstractType">
<sequence>
<element ref="samlp:RequestedAuthnContext" minOccurs="0"/>
</sequence>
<attribute name="SessionIndex" type="string" use="optional"/>
</extension>
</complexContent>
</complexType>
<element name="RequestedAuthnContext" type="samlp:RequestedAuthnContextType"/>
<complexType name="RequestedAuthnContextType">
<choice>
<element ref="saml:AuthnContextClassRef" maxOccurs="unbounded"/>
<element ref="saml:AuthnContextDeclRef" maxOccurs="unbounded"/>
</choice>
<attribute name="Comparison" type="samlp:AuthnContextComparisonType" use="optional"/>
</complexType>
<simpleType name="AuthnContextComparisonType">
<restriction base="string">
<enumeration value="exact"/>
<enumeration value="minimum"/>
<enumeration value="maximum"/>
<enumeration value="better"/>
</restriction>
</simpleType>
<element name="AttributeQuery" type="samlp:AttributeQueryType"/>
<complexType name="AttributeQueryType">
<complexContent>
<extension base="samlp:SubjectQueryAbstractType">
<sequence>
<element ref="saml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
</sequence>
</extension>
</complexContent>
</complexType>
<element name="AuthzDecisionQuery" type="samlp:AuthzDecisionQueryType"/>
<complexType name="AuthzDecisionQueryType">
<complexContent>
<extension base="samlp:SubjectQueryAbstractType">
<sequence>
<element ref="saml:Action" maxOccurs="unbounded"/>
<element ref="saml:Evidence" minOccurs="0"/>
</sequence>
<attribute name="Resource" type="anyURI" use="required"/>
</extension>
</complexContent>
</complexType>
<element name="AuthnRequest" type="samlp:AuthnRequestType"/>
<complexType name="AuthnRequestType">
<complexContent>
<extension base="samlp:RequestAbstractType">
<sequence>
<element ref="saml:Subject" minOccurs="0"/>
<element ref="samlp:NameIDPolicy" minOccurs="0"/>
<element ref="saml:Conditions" minOccurs="0"/>
<element ref="samlp:RequestedAuthnContext" minOccurs="0"/>
<element ref="samlp:Scoping" minOccurs="0"/>
</sequence>
<attribute name="ForceAuthn" type="boolean" use="optional"/>
<attribute name="IsPassive" type="boolean" use="optional"/>
<attribute name="ProtocolBinding" type="anyURI" use="optional"/>
<attribute name="AssertionConsumerServiceIndex" type="unsignedShort" use="optional"/>
<attribute name="AssertionConsumerServiceURL" type="anyURI" use="optional"/>
<attribute name="AttributeConsumingServiceIndex" type="unsignedShort" use="optional"/>
<attribute name="ProviderName" type="string" use="optional"/>
</extension>
</complexContent>
</complexType>
<element name="NameIDPolicy" type="samlp:NameIDPolicyType"/>
<complexType name="NameIDPolicyType">
<attribute name="Format" type="anyURI" use="optional"/>
<attribute name="SPNameQualifier" type="string" use="optional"/>
<attribute name="AllowCreate" type="boolean" use="optional"/>
</complexType>
<element name="Scoping" type="samlp:ScopingType"/>
<complexType name="ScopingType">
<sequence>
<element ref="samlp:IDPList" minOccurs="0"/>
<element ref="samlp:RequesterID" minOccurs="0" maxOccurs="unbounded"/>
</sequence>
<attribute name="ProxyCount" type="nonNegativeInteger" use="optional"/>
</complexType>
<element name="RequesterID" type="anyURI"/>
<element name="IDPList" type="samlp:IDPListType"/>
<complexType name="IDPListType">
<sequence>
<element ref="samlp:IDPEntry" maxOccurs="unbounded"/>
<element ref="samlp:GetComplete" minOccurs="0"/>
</sequence>
</complexType>
<element name="IDPEntry" type="samlp:IDPEntryType"/>
<complexType name="IDPEntryType">
<attribute name="ProviderID" type="anyURI" use="required"/>
<attribute name="Name" type="string" use="optional"/>
<attribute name="Loc" type="anyURI" use="optional"/>
</complexType>
<element name="GetComplete" type="anyURI"/>
<element name="Response" type="samlp:ResponseType"/>
<complexType name="ResponseType">
<complexContent>
<extension base="samlp:StatusResponseType">
<choice minOccurs="0" maxOccurs="unbounded">
<element ref="saml:Assertion"/>
<element ref="saml:EncryptedAssertion"/>
</choice>
</extension>
</complexContent>
</complexType>
<element name="ArtifactResolve" type="samlp:ArtifactResolveType"/>
<complexType name="ArtifactResolveType">
<complexContent>
<extension base="samlp:RequestAbstractType">
<sequence>
<element ref="samlp:Artifact"/>
</sequence>
</extension>
</complexContent>
</complexType>
<element name="Artifact" type="string"/>
<element name="ArtifactResponse" type="samlp:ArtifactResponseType"/>
<complexType name="ArtifactResponseType">
<complexContent>
<extension base="samlp:StatusResponseType">
<sequence>
<any namespace="##any" processContents="lax" minOccurs="0"/>
</sequence>
</extension>
</complexContent>
</complexType>
<element name="ManageNameIDRequest" type="samlp:ManageNameIDRequestType"/>
<complexType name="ManageNameIDRequestType">
<complexContent>
<extension base="samlp:RequestAbstractType">
<sequence>
<choice>
<element ref="saml:NameID"/>
<element ref="saml:EncryptedID"/>
</choice>
<choice>
<element ref="samlp:NewID"/>
<element ref="samlp:NewEncryptedID"/>
<element ref="samlp:Terminate"/>
</choice>
</sequence>
</extension>
</complexContent>
</complexType>
<element name="NewID" type="string"/>
<element name="NewEncryptedID" type="saml:EncryptedElementType"/>
<element name="Terminate" type="samlp:TerminateType"/>
<complexType name="TerminateType"/>
<element name="ManageNameIDResponse" type="samlp:StatusResponseType"/>
<element name="LogoutRequest" type="samlp:LogoutRequestType"/>
<complexType name="LogoutRequestType">
<complexContent>
<extension base="samlp:RequestAbstractType">
<sequence>
<choice>
<element ref="saml:BaseID"/>
<element ref="saml:NameID"/>
<element ref="saml:EncryptedID"/>
</choice>
<element ref="samlp:SessionIndex" minOccurs="0" maxOccurs="unbounded"/>
</sequence>
<attribute name="Reason" type="string" use="optional"/>
<attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
</extension>
</complexContent>
</complexType>
<element name="SessionIndex" type="string"/>
<element name="LogoutResponse" type="samlp:StatusResponseType"/>
<element name="NameIDMappingRequest" type="samlp:NameIDMappingRequestType"/>
<complexType name="NameIDMappingRequestType">
<complexContent>
<extension base="samlp:RequestAbstractType">
<sequence>
<choice>
<element ref="saml:BaseID"/>
<element ref="saml:NameID"/>
<element ref="saml:EncryptedID"/>
</choice>
<element ref="samlp:NameIDPolicy"/>
</sequence>
</extension>
</complexContent>
</complexType>
<element name="NameIDMappingResponse" type="samlp:NameIDMappingResponseType"/>
<complexType name="NameIDMappingResponseType">
<complexContent>
<extension base="samlp:StatusResponseType">
<choice>
<element ref="saml:NameID"/>
<element ref="saml:EncryptedID"/>
</choice>
</extension>
</complexContent>
</complexType>
</schema>`;

145
packages/cli/src/sso/saml/schema/xenc-schema.xsd.ts Normal file
View File

@@ -0,0 +1,145 @@
export const xsdXenc = `<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE schema PUBLIC "-//W3C//DTD XMLSchema 200102//EN"
"http://www.w3.org/2001/XMLSchema.dtd"
[
<!ATTLIST schema
xmlns:xenc CDATA #FIXED 'http://www.w3.org/2001/04/xmlenc#'
xmlns:ds CDATA #FIXED 'http://www.w3.org/2000/09/xmldsig#'>
<!ENTITY xenc 'http://www.w3.org/2001/04/xmlenc#'>
<!ENTITY % p ''>
<!ENTITY % s ''>
]>
<schema xmlns='http://www.w3.org/2001/XMLSchema' version='1.0'
xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'
xmlns:ds='http://www.w3.org/2000/09/xmldsig#'
targetNamespace='http://www.w3.org/2001/04/xmlenc#'
elementFormDefault='qualified'>
<import namespace='http://www.w3.org/2000/09/xmldsig#'
schemaLocation='xmldsig-core-schema.xsd'/>
<complexType name='EncryptedType' abstract='true'>
<sequence>
<element name='EncryptionMethod' type='xenc:EncryptionMethodType'
minOccurs='0'/>
<element ref='ds:KeyInfo' minOccurs='0'/>
<element ref='xenc:CipherData'/>
<element ref='xenc:EncryptionProperties' minOccurs='0'/>
</sequence>
<attribute name='Id' type='ID' use='optional'/>
<attribute name='Type' type='anyURI' use='optional'/>
<attribute name='MimeType' type='string' use='optional'/>
<attribute name='Encoding' type='anyURI' use='optional'/>
</complexType>
<complexType name='EncryptionMethodType' mixed='true'>
<sequence>
<element name='KeySize' minOccurs='0' type='xenc:KeySizeType'/>
<element name='OAEPparams' minOccurs='0' type='base64Binary'/>
<any namespace='##other' minOccurs='0' maxOccurs='unbounded'/>
</sequence>
<attribute name='Algorithm' type='anyURI' use='required'/>
</complexType>
<simpleType name='KeySizeType'>
<restriction base="integer"/>
</simpleType>
<element name='CipherData' type='xenc:CipherDataType'/>
<complexType name='CipherDataType'>
<choice>
<element name='CipherValue' type='base64Binary'/>
<element ref='xenc:CipherReference'/>
</choice>
</complexType>
<element name='CipherReference' type='xenc:CipherReferenceType'/>
<complexType name='CipherReferenceType'>
<choice>
<element name='Transforms' type='xenc:TransformsType' minOccurs='0'/>
</choice>
<attribute name='URI' type='anyURI' use='required'/>
</complexType>
<complexType name='TransformsType'>
<sequence>
<element ref='ds:Transform' maxOccurs='unbounded'/>
</sequence>
</complexType>
<element name='EncryptedData' type='xenc:EncryptedDataType'/>
<complexType name='EncryptedDataType'>
<complexContent>
<extension base='xenc:EncryptedType'>
</extension>
</complexContent>
</complexType>
<!-- Children of ds:KeyInfo -->
<element name='EncryptedKey' type='xenc:EncryptedKeyType'/>
<complexType name='EncryptedKeyType'>
<complexContent>
<extension base='xenc:EncryptedType'>
<sequence>
<element ref='xenc:ReferenceList' minOccurs='0'/>
<element name='CarriedKeyName' type='string' minOccurs='0'/>
</sequence>
<attribute name='Recipient' type='string'
use='optional'/>
</extension>
</complexContent>
</complexType>
<element name="AgreementMethod" type="xenc:AgreementMethodType"/>
<complexType name="AgreementMethodType" mixed="true">
<sequence>
<element name="KA-Nonce" minOccurs="0" type="base64Binary"/>
<!-- <element ref="ds:DigestMethod" minOccurs="0"/> -->
<any namespace="##other" minOccurs="0" maxOccurs="unbounded"/>
<element name="OriginatorKeyInfo" minOccurs="0" type="ds:KeyInfoType"/>
<element name="RecipientKeyInfo" minOccurs="0" type="ds:KeyInfoType"/>
</sequence>
<attribute name="Algorithm" type="anyURI" use="required"/>
</complexType>
<!-- End Children of ds:KeyInfo -->
<element name='ReferenceList'>
<complexType>
<choice minOccurs='1' maxOccurs='unbounded'>
<element name='DataReference' type='xenc:ReferenceType'/>
<element name='KeyReference' type='xenc:ReferenceType'/>
</choice>
</complexType>
</element>
<complexType name='ReferenceType'>
<sequence>
<any namespace='##other' minOccurs='0' maxOccurs='unbounded'/>
</sequence>
<attribute name='URI' type='anyURI' use='required'/>
</complexType>
<element name='EncryptionProperties' type='xenc:EncryptionPropertiesType'/>
<complexType name='EncryptionPropertiesType'>
<sequence>
<element ref='xenc:EncryptionProperty' maxOccurs='unbounded'/>
</sequence>
<attribute name='Id' type='ID' use='optional'/>
</complexType>
<element name='EncryptionProperty' type='xenc:EncryptionPropertyType'/>
<complexType name='EncryptionPropertyType' mixed='true'>
<choice maxOccurs='unbounded'>
<any namespace='##other' processContents='lax'/>
</choice>
<attribute name='Target' type='anyURI' use='optional'/>
<attribute name='Id' type='ID' use='optional'/>
<anyAttribute namespace="http://www.w3.org/XML/1998/namespace"/>
</complexType>
</schema>`;

117
packages/cli/src/sso/saml/schema/xml.xsd.ts Normal file
View File

@@ -0,0 +1,117 @@
export const xsdXml = `<?xml version='1.0'?>
<!DOCTYPE xs:schema PUBLIC "-//W3C//DTD XMLSCHEMA 200102//EN" "XMLSchema.dtd" >
<xs:schema targetNamespace="http://www.w3.org/XML/1998/namespace" xmlns:xs="http://www.w3.org/2001/XMLSchema" xml:lang="en">
<xs:annotation>
<xs:documentation>
See http://www.w3.org/XML/1998/namespace.html and
http://www.w3.org/TR/REC-xml for information about this namespace.
This schema document describes the XML namespace, in a form
suitable for import by other schema documents.
Note that local names in this namespace are intended to be defined
only by the World Wide Web Consortium or its subgroups. The
following names are currently defined in this namespace and should
not be used with conflicting semantics by any Working Group,
specification, or document instance:
base (as an attribute name): denotes an attribute whose value
provides a URI to be used as the base for interpreting any
relative URIs in the scope of the element on which it
appears; its value is inherited. This name is reserved
by virtue of its definition in the XML Base specification.
lang (as an attribute name): denotes an attribute whose value
is a language code for the natural language of the content of
any element; its value is inherited. This name is reserved
by virtue of its definition in the XML specification.
space (as an attribute name): denotes an attribute whose
value is a keyword indicating what whitespace processing
discipline is intended for the content of the element; its
value is inherited. This name is reserved by virtue of its
definition in the XML specification.
Father (in any context at all): denotes Jon Bosak, the chair of
the original XML Working Group. This name is reserved by
the following decision of the W3C XML Plenary and
XML Coordination groups:
In appreciation for his vision, leadership and dedication
the W3C XML Plenary on this 10th day of February, 2000
reserves for Jon Bosak in perpetuity the XML name
xml:Father
</xs:documentation>
</xs:annotation>
<xs:annotation>
<xs:documentation>This schema defines attributes and an attribute group
suitable for use by
schemas wishing to allow xml:base, xml:lang or xml:space attributes
on elements they define.
To enable this, such a schema must import this schema
for the XML namespace, e.g. as follows:
&lt;schema . . .>
. . .
&lt;import namespace="http://www.w3.org/XML/1998/namespace"
schemaLocation="xml.xsd"/>
Subsequently, qualified reference to any of the attributes
or the group defined below will have the desired effect, e.g.
&lt;type . . .>
. . .
&lt;attributeGroup ref="xml:specialAttrs"/>
will define a type which will schema-validate an instance
element with any of those attributes</xs:documentation>
</xs:annotation>
<xs:annotation>
<xs:documentation>In keeping with the XML Schema WG's standard versioning
policy, this schema document will persist at
http://www.w3.org/2001/03/xml.xsd.
At the date of issue it can also be found at
http://www.w3.org/2001/xml.xsd.
The schema document at that URI may however change in the future,
in order to remain compatible with the latest version of XML Schema
itself. In other words, if the XML Schema namespace changes, the version
of this document at
http://www.w3.org/2001/xml.xsd will change
accordingly; the version at
http://www.w3.org/2001/03/xml.xsd will not change.
</xs:documentation>
</xs:annotation>
<xs:attribute name="lang" type="xs:language">
<xs:annotation>
<xs:documentation>In due course, we should install the relevant ISO 2- and 3-letter
codes as the enumerated possible values . . .</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="space" default="preserve">
<xs:simpleType>
<xs:restriction base="xs:NCName">
<xs:enumeration value="default"/>
<xs:enumeration value="preserve"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="base" type="xs:anyURI">
<xs:annotation>
<xs:documentation>See http://www.w3.org/TR/xmlbase/ for
information about this attribute.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attributeGroup name="specialAttrs">
<xs:attribute ref="xml:base"/>
<xs:attribute ref="xml:lang"/>
<xs:attribute ref="xml:space"/>
</xs:attributeGroup>
</xs:schema>`;

318
packages/cli/src/sso/saml/schema/xmldsig-core-schema.xsd.ts Normal file
View File

@@ -0,0 +1,318 @@
export const xsdXmldsigCore = `<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE schema
PUBLIC "-//W3C//DTD XMLSchema 200102//EN" "http://www.w3.org/2001/XMLSchema.dtd"
[
<!ATTLIST schema
xmlns:ds CDATA #FIXED "http://www.w3.org/2000/09/xmldsig#">
<!ENTITY dsig 'http://www.w3.org/2000/09/xmldsig#'>
<!ENTITY % p ''>
<!ENTITY % s ''>
]>
<!-- Schema for XML Signatures
http://www.w3.org/2000/09/xmldsig#
$Revision: 1.1 $ on $Date: 2002/02/08 20:32:26 $ by $Author: reagle $
Copyright 2001 The Internet Society and W3C (Massachusetts Institute
of Technology, Institut National de Recherche en Informatique et en
Automatique, Keio University). All Rights Reserved.
http://www.w3.org/Consortium/Legal/
This document is governed by the W3C Software License [1] as described
in the FAQ [2].
[1] http://www.w3.org/Consortium/Legal/copyright-software-19980720
[2] http://www.w3.org/Consortium/Legal/IPR-FAQ-20000620.html#DTD
-->
<schema xmlns="http://www.w3.org/2001/XMLSchema"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
targetNamespace="http://www.w3.org/2000/09/xmldsig#"
version="0.1" elementFormDefault="qualified">
<!-- Basic Types Defined for Signatures -->
<simpleType name="CryptoBinary">
<restriction base="base64Binary">
</restriction>
</simpleType>
<!-- Start Signature -->
<element name="Signature" type="ds:SignatureType"/>
<complexType name="SignatureType">
<sequence>
<element ref="ds:SignedInfo"/>
<element ref="ds:SignatureValue"/>
<element ref="ds:KeyInfo" minOccurs="0"/>
<element ref="ds:Object" minOccurs="0" maxOccurs="unbounded"/>
</sequence>
<attribute name="Id" type="ID" use="optional"/>
</complexType>
<element name="SignatureValue" type="ds:SignatureValueType"/>
<complexType name="SignatureValueType">
<simpleContent>
<extension base="base64Binary">
<attribute name="Id" type="ID" use="optional"/>
</extension>
</simpleContent>
</complexType>
<!-- Start SignedInfo -->
<element name="SignedInfo" type="ds:SignedInfoType"/>
<complexType name="SignedInfoType">
<sequence>
<element ref="ds:CanonicalizationMethod"/>
<element ref="ds:SignatureMethod"/>
<element ref="ds:Reference" maxOccurs="unbounded"/>
</sequence>
<attribute name="Id" type="ID" use="optional"/>
</complexType>
<element name="CanonicalizationMethod" type="ds:CanonicalizationMethodType"/>
<complexType name="CanonicalizationMethodType" mixed="true">
<sequence>
<any namespace="##any" minOccurs="0" maxOccurs="unbounded"/>
<!-- (0,unbounded) elements from (1,1) namespace -->
</sequence>
<attribute name="Algorithm" type="anyURI" use="required"/>
</complexType>
<element name="SignatureMethod" type="ds:SignatureMethodType"/>
<complexType name="SignatureMethodType" mixed="true">
<sequence>
<element name="HMACOutputLength" minOccurs="0" type="ds:HMACOutputLengthType"/>
<any namespace="##other" minOccurs="0" maxOccurs="unbounded"/>
<!-- (0,unbounded) elements from (1,1) external namespace -->
</sequence>
<attribute name="Algorithm" type="anyURI" use="required"/>
</complexType>
<!-- Start Reference -->
<element name="Reference" type="ds:ReferenceType"/>
<complexType name="ReferenceType">
<sequence>
<element ref="ds:Transforms" minOccurs="0"/>
<element ref="ds:DigestMethod"/>
<element ref="ds:DigestValue"/>
</sequence>
<attribute name="Id" type="ID" use="optional"/>
<attribute name="URI" type="anyURI" use="optional"/>
<attribute name="Type" type="anyURI" use="optional"/>
</complexType>
<element name="Transforms" type="ds:TransformsType"/>
<complexType name="TransformsType">
<sequence>
<element ref="ds:Transform" maxOccurs="unbounded"/>
</sequence>
</complexType>
<element name="Transform" type="ds:TransformType"/>
<complexType name="TransformType" mixed="true">
<choice minOccurs="0" maxOccurs="unbounded">
<any namespace="##other" processContents="lax"/>
<!-- (1,1) elements from (0,unbounded) namespaces -->
<element name="XPath" type="string"/>
</choice>
<attribute name="Algorithm" type="anyURI" use="required"/>
</complexType>
<!-- End Reference -->
<element name="DigestMethod" type="ds:DigestMethodType"/>
<complexType name="DigestMethodType" mixed="true">
<sequence>
<any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
</sequence>
<attribute name="Algorithm" type="anyURI" use="required"/>
</complexType>
<element name="DigestValue" type="ds:DigestValueType"/>
<simpleType name="DigestValueType">
<restriction base="base64Binary"/>
</simpleType>
<!-- End SignedInfo -->
<!-- Start KeyInfo -->
<element name="KeyInfo" type="ds:KeyInfoType"/>
<complexType name="KeyInfoType" mixed="true">
<choice maxOccurs="unbounded">
<element ref="ds:KeyName"/>
<element ref="ds:KeyValue"/>
<element ref="ds:RetrievalMethod"/>
<element ref="ds:X509Data"/>
<element ref="ds:PGPData"/>
<element ref="ds:SPKIData"/>
<element ref="ds:MgmtData"/>
<any processContents="lax" namespace="##other"/>
<!-- (1,1) elements from (0,unbounded) namespaces -->
</choice>
<attribute name="Id" type="ID" use="optional"/>
</complexType>
<element name="KeyName" type="string"/>
<element name="MgmtData" type="string"/>
<element name="KeyValue" type="ds:KeyValueType"/>
<complexType name="KeyValueType" mixed="true">
<choice>
<element ref="ds:DSAKeyValue"/>
<element ref="ds:RSAKeyValue"/>
<any namespace="##other" processContents="lax"/>
</choice>
</complexType>
<element name="RetrievalMethod" type="ds:RetrievalMethodType"/>
<complexType name="RetrievalMethodType">
<sequence>
<element ref="ds:Transforms" minOccurs="0"/>
</sequence>
<attribute name="URI" type="anyURI"/>
<attribute name="Type" type="anyURI" use="optional"/>
</complexType>
<!-- Start X509Data -->
<element name="X509Data" type="ds:X509DataType"/>
<complexType name="X509DataType">
<sequence maxOccurs="unbounded">
<choice>
<element name="X509IssuerSerial" type="ds:X509IssuerSerialType"/>
<element name="X509SKI" type="base64Binary"/>
<element name="X509SubjectName" type="string"/>
<element name="X509Certificate" type="base64Binary"/>
<element name="X509CRL" type="base64Binary"/>
<any namespace="##other" processContents="lax"/>
</choice>
</sequence>
</complexType>
<complexType name="X509IssuerSerialType">
<sequence>
<element name="X509IssuerName" type="string"/>
<element name="X509SerialNumber" type="integer"/>
</sequence>
</complexType>
<!-- End X509Data -->
<!-- Begin PGPData -->
<element name="PGPData" type="ds:PGPDataType"/>
<complexType name="PGPDataType">
<choice>
<sequence>
<element name="PGPKeyID" type="base64Binary"/>
<element name="PGPKeyPacket" type="base64Binary" minOccurs="0"/>
<any namespace="##other" processContents="lax" minOccurs="0"
maxOccurs="unbounded"/>
</sequence>
<sequence>
<element name="PGPKeyPacket" type="base64Binary"/>
<any namespace="##other" processContents="lax" minOccurs="0"
maxOccurs="unbounded"/>
</sequence>
</choice>
</complexType>
<!-- End PGPData -->
<!-- Begin SPKIData -->
<element name="SPKIData" type="ds:SPKIDataType"/>
<complexType name="SPKIDataType">
<sequence maxOccurs="unbounded">
<element name="SPKISexp" type="base64Binary"/>
<any namespace="##other" processContents="lax" minOccurs="0"/>
</sequence>
</complexType>
<!-- End SPKIData -->
<!-- End KeyInfo -->
<!-- Start Object (Manifest, SignatureProperty) -->
<element name="Object" type="ds:ObjectType"/>
<complexType name="ObjectType" mixed="true">
<sequence minOccurs="0" maxOccurs="unbounded">
<any namespace="##any" processContents="lax"/>
</sequence>
<attribute name="Id" type="ID" use="optional"/>
<attribute name="MimeType" type="string" use="optional"/> <!-- add a grep facet -->
<attribute name="Encoding" type="anyURI" use="optional"/>
</complexType>
<element name="Manifest" type="ds:ManifestType"/>
<complexType name="ManifestType">
<sequence>
<element ref="ds:Reference" maxOccurs="unbounded"/>
</sequence>
<attribute name="Id" type="ID" use="optional"/>
</complexType>
<element name="SignatureProperties" type="ds:SignaturePropertiesType"/>
<complexType name="SignaturePropertiesType">
<sequence>
<element ref="ds:SignatureProperty" maxOccurs="unbounded"/>
</sequence>
<attribute name="Id" type="ID" use="optional"/>
</complexType>
<element name="SignatureProperty" type="ds:SignaturePropertyType"/>
<complexType name="SignaturePropertyType" mixed="true">
<choice maxOccurs="unbounded">
<any namespace="##other" processContents="lax"/>
<!-- (1,1) elements from (1,unbounded) namespaces -->
</choice>
<attribute name="Target" type="anyURI" use="required"/>
<attribute name="Id" type="ID" use="optional"/>
</complexType>
<!-- End Object (Manifest, SignatureProperty) -->
<!-- Start Algorithm Parameters -->
<simpleType name="HMACOutputLengthType">
<restriction base="integer"/>
</simpleType>
<!-- Start KeyValue Element-types -->
<element name="DSAKeyValue" type="ds:DSAKeyValueType"/>
<complexType name="DSAKeyValueType">
<sequence>
<sequence minOccurs="0">
<element name="P" type="ds:CryptoBinary"/>
<element name="Q" type="ds:CryptoBinary"/>
</sequence>
<element name="G" type="ds:CryptoBinary" minOccurs="0"/>
<element name="Y" type="ds:CryptoBinary"/>
<element name="J" type="ds:CryptoBinary" minOccurs="0"/>
<sequence minOccurs="0">
<element name="Seed" type="ds:CryptoBinary"/>
<element name="PgenCounter" type="ds:CryptoBinary"/>
</sequence>
</sequence>
</complexType>
<element name="RSAKeyValue" type="ds:RSAKeyValueType"/>
<complexType name="RSAKeyValueType">
<sequence>
<element name="Modulus" type="ds:CryptoBinary"/>
<element name="Exponent" type="ds:CryptoBinary"/>
</sequence>
</complexType>
<!-- End KeyValue Element-types -->
<!-- End Signature -->
</schema>`;

10
packages/cli/src/sso/saml/serviceProvider.ee.ts
View File

@@ -1,18 +1,10 @@
import { getInstanceBaseUrl } from '@/UserManagement/UserManagementHelper'; import { getInstanceBaseUrl } from '@/UserManagement/UserManagementHelper';
import type { ServiceProviderInstance } from 'samlify'; import type { ServiceProviderInstance } from 'samlify';
import { ServiceProvider, setSchemaValidator } from 'samlify'; import { ServiceProvider } from 'samlify';
import { SamlUrls } from './constants'; import { SamlUrls } from './constants';
let serviceProviderInstance: ServiceProviderInstance | undefined; let serviceProviderInstance: ServiceProviderInstance | undefined;
setSchemaValidator({
// eslint-disable-next-line @typescript-eslint/no-unused-vars
validate: async (response: string) => {
// TODO:SAML: implment validation
return Promise.resolve('skipped');
},
});
const metadata = ` const metadata = `
<EntityDescriptor <EntityDescriptor
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"

4
packages/cli/src/sso/saml/types/samlPreferences.ts
View File

@@ -15,6 +15,10 @@ export class SamlPreferences {
@IsOptional() @IsOptional()
metadataUrl?: string; metadataUrl?: string;
@IsBoolean()
@IsOptional()
ignoreSSL?: boolean = false;
@IsString() @IsString()
@IsOptional() @IsOptional()
loginBinding?: SamlLoginBinding = 'redirect'; loginBinding?: SamlLoginBinding = 'redirect';

5
packages/cli/src/sso/ssoHelpers.ts
View File

@@ -1,4 +1,5 @@
import config from '@/config'; import config from '@/config';
import type { AuthProviderType } from '@/databases/entities/AuthIdentity';
export function isSamlCurrentAuthenticationMethod(): boolean { export function isSamlCurrentAuthenticationMethod(): boolean {
return config.getEnv('userManagement.authenticationMethod') === 'saml'; return config.getEnv('userManagement.authenticationMethod') === 'saml';
@@ -12,8 +13,6 @@ export function doRedirectUsersFromLoginToSsoFlow(): boolean {
return config.getEnv('sso.redirectLoginToSso'); return config.getEnv('sso.redirectLoginToSso');
} }
export function setCurrentAuthenticationMethod( export function setCurrentAuthenticationMethod(authenticationMethod: AuthProviderType): void {
authenticationMethod: 'email' | 'ldap' | 'saml',
): void {
config.set('userManagement.authenticationMethod', authenticationMethod); config.set('userManagement.authenticationMethod', authenticationMethod);
} }

2
packages/cli/tsconfig.json
View File

@@ -18,7 +18,7 @@
"noUnusedLocals": false, "noUnusedLocals": false,
"useUnknownInCatchVariables": false "useUnknownInCatchVariables": false
}, },
"include": ["src/**/*.ts", "test/**/*.ts"], "include": ["src/**/*.ts", "test/**/*.ts", "src/sso/saml/saml-schema-metadata-2.0.xsd"],
"references": [ "references": [
{ "path": "../workflow/tsconfig.build.json" }, { "path": "../workflow/tsconfig.build.json" },
{ "path": "../core/tsconfig.build.json" } { "path": "../core/tsconfig.build.json" }

7
pnpm-lock.yaml generated
View File

@@ -250,6 +250,7 @@ importers:
validator: 13.7.0 validator: 13.7.0
winston: ^3.3.3 winston: ^3.3.3
ws: ^8.12.0 ws: ^8.12.0
xmllint-wasm: ^3.0.1
yamljs: ^0.3.0 yamljs: ^0.3.0
dependencies: dependencies:
'@n8n_io/license-sdk': 1.8.0 '@n8n_io/license-sdk': 1.8.0
@@ -343,6 +344,7 @@ importers:
validator: 13.7.0 validator: 13.7.0
winston: 3.8.2 winston: 3.8.2
ws: 8.12.0 ws: 8.12.0
xmllint-wasm: 3.0.1
yamljs: 0.3.0 yamljs: 0.3.0
devDependencies: devDependencies:
'@apidevtools/swagger-cli': 4.0.0 '@apidevtools/swagger-cli': 4.0.0
@@ -21643,6 +21645,11 @@ packages:
resolution: {integrity: sha512-JZnDKK8B0RCDw84FNdDAIpZK+JuJw+s7Lz8nksI7SIuU3UXJJslUthsi+uWBUYOwPFwW7W7PRLRfUKpxjtjFCw==} resolution: {integrity: sha512-JZnDKK8B0RCDw84FNdDAIpZK+JuJw+s7Lz8nksI7SIuU3UXJJslUthsi+uWBUYOwPFwW7W7PRLRfUKpxjtjFCw==}
dev: true dev: true
/xmllint-wasm/3.0.1:
resolution: {integrity: sha512-t+aKQXJQNAt9/qLgCjhHUmCnPXAyqBKiyh8oV0ZwBMar/uB+5F40tqOJZ97JwLADcqQr5WB2bjCxLKrm+DHz1g==}
engines: {node: '>=10.5.0'}
dev: false
/xpath/0.0.32: /xpath/0.0.32:
resolution: {integrity: sha512-rxMJhSIoiO8vXcWvSifKqhvV96GjiD5wYb8/QHdoRyQvraTpp4IEv944nhGausZZ3u7dhQXteZuZbaqfpB7uYw==} resolution: {integrity: sha512-rxMJhSIoiO8vXcWvSifKqhvV96GjiD5wYb8/QHdoRyQvraTpp4IEv944nhGausZZ3u7dhQXteZuZbaqfpB7uYw==}
engines: {node: '>=0.6.0'} engines: {node: '>=0.6.0'}