Generate SP metadata without knowing IdP cert

[nwalters512]

Is your feature request related to a problem? Please describe.

I use the MultiSamlStrategy Passport strategy. I'd like to provide metadata URLs to our IdPs, which I can build with MultiSamlStrategy#generateServiceProviderMetadata.

This works fine if I know the IdP's cert and can have getSamlOptions return an option object with cert. However, during initial setup, I may not immediately know the IdP's certificate. I should still be able to generate metadata for them, as (as far as I know) that metadata doesn't depend on their own certificate. However, if getSamlOptions returns cert: null (because I don't yet know it), the following assertion fails:

node-saml/src/saml.ts

Line 98 in e691ccf

assertRequired(ctorOptions.cert, "cert is required");

Describe the solution you'd like

Since the XML metadata doesn't depend on the IdP's cert, I'd like to be able to generate it before I do in fact know their cert.

Describe alternatives you've considered

When someone asks for our metadata URL, I can of course say "no, you give me your metadata URL first so I can get your cert". However, it would be very nice to be able to always provide it first.

[cjbarth]

Just at first glance, i believe this is supposed to be your public cert. Otherwise, I agree with you that you should be able to generate metadata without anything from the IdP.

[srd90]

Lets reiterate/refresh memory why strategy's constructor fails fast if cert is not configured: node-saml/passport-saml#523

---

What comes to this enhancement issue:

It seems that you are trying to establish IdP --> SP trust prior to establishing SP --> IdP trust. I.e. you do not have IdP's public cert prior to configure Strategy (with the help of MultiSamlStrategy) for that particular IdP in order to generate SP's metadata for that particular IdP. There is nothing wrong with that.

Because IdP is pretty much unknown at this point your "findSamlProvider" implementation is probably returning pretty much static configuration for all requests (and cert as null).
https://github.com/node-saml/passport-saml/blob/0e34bc865b83042533c72a84e34944ef7a383a2a/README.md?plain=1#L76-L83
and those provider configuration options are used to configure SamlStrategy in order to be able to call generate metadata function:
https://github.com/node-saml/passport-saml/blob/0e34bc865b83042533c72a84e34944ef7a383a2a/src/multiSamlStrategy.ts#L82-L94

Why not just set value of cert to e.g. not_available string (at your getsamloptions implementation) instead of null. Value of cert is not used for anything anyhow and that way you can get around SamlStrategy's assertion of cert value. Assertion is checking that value is not null, undefined or empty string:

node-saml/src/utility.ts

Lines 4 to 8 in e691ccf

	export function assertRequired<T>(value: T | null | undefined, error?: string): asserts value {
	if (value === undefined || value === null || (typeof value === "string" && value.length === 0)) {
	throw new TypeError(error ?? "value does not exist");
	}
	}

Another workaround/solutions could be to:

1. use this
   

   node-saml/src/metadata.ts

   Lines 11 to 25 in e691ccf

   	export const generateServiceProviderMetadata = (
   	params: GenerateServiceProviderMetadataParams,
   	): string => {
   	const {
   	issuer,
   	callbackUrl,
   	logoutCallbackUrl,
   	identifierFormat,
   	wantAssertionsSigned,
   	decryptionPvk,
   	privateKey,
   	metadataContactPerson,
   	metadataOrganization,
   	generateUniqueId,
   	} = params;

   
   directly (if it is available directly for client SW). Maybe first resolving SAML provider parameters with same function that is used at multisamlstrategy.
2. Implement separated SP metadata generator function (see example of such function from above)

[nwalters512]

@cjbarth The node-saml docs state that this should be the IdP's public cert:

cert: the IDP's public signing certificate used to validate the signatures of the incoming SAML Responses

@srd90 thank you for the link to that discussion, I'm very much in agreement that having a certificate configured is critical for security and I'm not trying to question that.

It didn't occur to me that I could provide any string for the cert, but yes, given that the constructor currently only validates that it's a string and not that it's a well-formed and valid certification, that should be safe. I'd be a little worried about future changes that move such validation to the constructor. If such a change is ever considered, this is a use case that should be considered with it.

Using generateServiceProviderMetadata is also a good idea, since it seems like that takes an object that basically matches what getSamlOptions will return. However, that doesn't appear to be a public API (it's not exported from src/index.ts. @cjbarth, do you think you or another maintainer would accept a PR that officially makes generateServiceProviderMetadata part of the API?

[cjbarth]

I have no objection to a PR that makes metadata/generateServiceProviderMetadata() part of the API as long as there is a test for it.

[nwalters512]

@cjbarth I opened #337 with that change!