feat(saml): add config options to set required signings

Signed-off-by: Erik Michelson <github@erik.michelson.eu>

lib/config/default.js

@@ -162,7 +162,9 @@ module.exports = {
       id: undefined,
       username: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name',
       email: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
-    }
+    },
+    wantAssertionsSigned: true,
+    wantAuthnResponseSigned: true
   },
   email: true,
   allowEmailRegister: true,

lib/config/environment.js

@@ -146,6 +146,8 @@ module.exports = {
     issuer: process.env.CMD_SAML_ISSUER,
     identifierFormat: process.env.CMD_SAML_IDENTIFIERFORMAT,
     disableRequestedAuthnContext: toBooleanConfig(process.env.CMD_SAML_DISABLEREQUESTEDAUTHNCONTEXT),
+    wantAssertionsSigned: toBooleanConfig(process.env.CMD_SAML_WANT_ASSERTIONS_SIGNED),
+    wantAuthnResponseSigned: toBooleanConfig(process.env.CMD_SAML_WANT_AUTHN_RESPONSE_SIGNED),
     groupAttribute: process.env.CMD_SAML_GROUPATTRIBUTE,
     externalGroups: toArrayConfig(process.env.CMD_SAML_EXTERNALGROUPS, '|', []),
     requiredGroups: toArrayConfig(process.env.CMD_SAML_REQUIREDGROUPS, '|', []),

lib/web/auth/saml/index.js

@@ -36,7 +36,9 @@ passport.use(
         }
       }()),
       identifierFormat: config.saml.identifierFormat,
-      disableRequestedAuthnContext: config.saml.disableRequestedAuthnContext
+      disableRequestedAuthnContext: config.saml.disableRequestedAuthnContext,
+      wantAssertionsSigned: config.saml.wantAssertionsSigned,
+      wantAuthnResponseSigned: config.saml.wantAuthnResponseSigned
     },
     // sign-in
     function (user, done) {