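/**
 * SAML 2.0 Handler
 *
 * P1 - Enterprise SSO support
 *
 * Supports:
 * - SP-initiated SSO (Service Provider initiates)
 * - IdP-initiated SSO (Identity Provider initiates)
 * - SAML Response parsing and validation
 * - Assertion extraction and attribute reading
 * - Signature verification (basic)
 *
 * This is a declaration file only: the method bodies are not visible here, so
 * notes marked NOTE(review) describe what a relying party should confirm in the
 * implementation rather than what this file proves.
 *
 * @see https://www.oasis-open.org/committees/download.php/6058/sstc-saml-core-2.0.pdf
 */

/** Configuration for a SAML Service Provider (SP). */
export interface SAMLConfig {
  /** Entity ID of the Service Provider (your app) */
  spEntityId: string;
  /**
   * Assertion Consumer Service (ACS) URL.
   * Responses carry a `Destination`; it should be compared against this value.
   */
  acsUrl: string;
  /** Identity Provider Single Sign-On URL */
  idpSsoUrl?: string;
  /** Identity Provider Entity ID */
  idpEntityId?: string;
  /**
   * X.509 certificate for signature verification.
   * When omitted, response/assertion signatures cannot be verified.
   * NOTE(review): confirm the implementation reports an unverifiable signature
   * as a validation error instead of silently accepting the assertion.
   */
  idpCert?: string;
  /** Private key for signing requests (optional) */
  spPrivateKey?: string;
  /** SAML Request protocol binding */
  protocolBinding?: 'HTTP-POST' | 'HTTP-Redirect';
}

/** Result of parsing a SAML Response: the raw XML plus parsed fields or errors. */
export interface SAMLResponse {
  /** Raw SAML response XML */
  raw: string;
  /** Parsed response (absent when parsing failed) */
  response?: ParsedSAMLResponse;
  /** Validation errors collected while parsing */
  errors?: string[];
}

/** Top-level fields of a `<samlp:Response>`. */
export interface ParsedSAMLResponse {
  /** Response ID */
  id: string;
  /** Response issue instant */
  issueInstant: string;
  /** Destination URL (should match `SAMLConfig.acsUrl`; reject the response if it does not) */
  destination?: string;
  /** Issuer (IdP Entity ID) */
  issuer?: string;
  /** SAML version */
  version: string;
  /** Assertion containing user info */
  assertion?: SAMLAssertion;
  /** Status code */
  statusCode?: string;
  /** Status message */
  statusMessage?: string;
}

/**
 * Attribute values extracted from an `<saml:AttributeStatement>`.
 * NOTE(review): the type arguments of `Record` were missing in the original
 * declaration; a string or multi-valued string attribute is assumed here —
 * confirm against the implementation.
 */
export type SAMLAttributes = Record<string, string | string[]>;

/** Fields of a `<saml:Assertion>`. */
export interface SAMLAssertion {
  /** Assertion ID */
  id: string;
  /** Issue instant */
  issueInstant: string;
  /** Issuer */
  issuer: string;
  /** Subject (user identifier) */
  subject?: SAMLSubject;
  /** Conditions (validity window) */
  conditions?: SAMLConditions;
  /** Attribute statements */
  attributes?: SAMLAttributes;
  /** Authn statement */
  authnStatement?: {
    authnInstant: string;
    sessionIndex?: string;
    sessionNotOnOrAfter?: string;
  };
}

/** The `<saml:Subject>` of an assertion. */
export interface SAMLSubject {
  /** Name ID (username/email) */
  nameId: string;
  /** Name ID format */
  format?: string;
}

/**
 * The `<saml:Conditions>` of an assertion.
 * A relying party should reject assertions evaluated outside
 * [`notBefore`, `notOnOrAfter`) (allowing for a small clock skew) or whose
 * `audience` does not include its own `spEntityId`.
 */
export interface SAMLConditions {
  /** Not valid before */
  notBefore?: string;
  /** Not valid after */
  notOnOrAfter?: string;
  /** Allowed audiences */
  audience?: string[];
}

/**
 * SAML 2.0 Handler class
 */
export declare class SAMLHandler {
  private config;

  /**
   * @param config SP configuration; see {@link SAMLConfig}.
   */
  constructor(config: SAMLConfig);

  /**
   * Generate SAML AuthnRequest for SP-initiated SSO
   * Creates a base64-encoded SAML request to send to IdP
   *
   * @param options.forceAuthn Ask the IdP to re-authenticate the user.
   * @param options.passive Ask the IdP not to interact with the user.
   * @param options.assertionConsumerServiceUrl Overrides `SAMLConfig.acsUrl` for this request.
   * @param options.protocolBinding Accepts any string for compatibility;
   *   `SAMLConfig.protocolBinding` narrows this to the two supported bindings.
   * @returns The base64-encoded AuthnRequest.
   */
  generateAuthnRequest(options?: {
    forceAuthn?: boolean;
    passive?: boolean;
    assertionConsumerServiceUrl?: string;
    protocolBinding?: string;
  }): string;

  /**
   * Get IdP SSO URL with SAML request for SP-initiated flow
   *
   * @param options.relayState Opaque value the IdP echoes back with the
   *   response. Treat it as untrusted input on return (e.g. check it against
   *   an allow-list before using it as a redirect target).
   * @returns The IdP SSO URL carrying the encoded request.
   */
  getSSOUrl(options?: {
    forceAuthn?: boolean;
    passive?: boolean;
    relayState?: string;
  }): string;

  /**
   * Parse SAML Response from IdP
   * Extracts assertion and attributes from base64-encoded SAML response
   *
   * @param samlResponse Base64-encoded `SAMLResponse` form value from the IdP.
   * @returns The raw XML plus either the parsed response or the errors found.
   */
  parseResponse(samlResponse: string): SAMLResponse;

  /**
   * Parse SAML XML and extract relevant fields
   * NOTE(review): implementation not visible here — confirm the XML parser is
   * configured without external-entity resolution and that the signature check
   * covers the assertion that is actually consumed.
   */
  private parseSAMLXML;

  /**
   * Parse SAML Assertion
   */
  private parseAssertion;

  /**
   * Parse SAML Subject
   */
  private parseSubject;

  /**
   * Parse SAML Conditions
   */
  private parseConditions;

  /**
   * Parse SAML Attributes
   */
  private parseAttributes;

  /**
   * Validate SAML Response conditions
   * Checks time validity and audience
   *
   * @param parsed A response previously returned by `parseResponse`.
   * @returns `valid` is false when any check fails; `errors` lists the failures.
   */
  validateConditions(parsed: ParsedSAMLResponse): {
    valid: boolean;
    errors: string[];
  };

  /**
   * Extract user attributes from SAML response
   * NOTE(review): it is not visible here whether this and the `get*` helpers
   * below run `validateConditions` first — callers should validate the response
   * before trusting the returned values.
   *
   * @returns The attribute map, or null when no assertion/attributes were found.
   */
  getUserAttributes(samlResponse: string): SAMLAttributes | null;

  /**
   * Get NameID (user identifier) from SAML response
   *
   * @returns The subject NameID, or null when absent.
   */
  getNameId(samlResponse: string): string | null;

  /**
   * Get email from SAML response attributes
   *
   * @returns The email attribute value, or null when absent.
   */
  getEmail(samlResponse: string): string | null;

  /**
   * Get display name from SAML response attributes
   *
   * @returns The display-name attribute value, or null when absent.
   */
  getDisplayName(samlResponse: string): string | null;

  /**
   * Generate unique ID for SAML requests
   */
  private generateId;
}

/**
 * Factory function to create SAML handler
 *
 * @param config SP configuration passed through to the constructor.
 */
export declare function createSAMLHandler(config: SAMLConfig): SAMLHandler;

export default SAMLHandler;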