[Security] Update passport yaml dependency

package.json

@@ -40,6 +40,7 @@
     "@azure/storage-blob": "12.29.1",
     "@exlinc/keycloak-passport": "1.0.2",
     "@joplin/turndown-plugin-gfm": "1.0.45",
+    "@node-saml/passport-saml": "5.1.0",
     "@root/csr": "0.8.1",
     "@root/keypairs": "0.10.3",
     "@root/pem": "1.0.4",
@@ -153,7 +154,6 @@
     "passport-oauth2": "1.8.0",
     "passport-okta-oauth": "0.0.1",
     "passport-openidconnect": "0.1.2",
-    "passport-saml": "3.2.4",
     "passport-slack-oauth2": "1.2.0",
     "passport-twitch-strategy": "2.2.0",
     "patch-package": "8.0.1",
@@ -338,8 +338,7 @@
   },
   "resolutions": {
     "apollo-server-express/**/graphql-tools": "4.0.8",
-    "graphql": "15.3.0",
-    "passport-saml/**/xml-crypto": "2.1.6"
+    "graphql": "15.3.0"
   },
   "browserslist": [
     "> 1%",

server/modules/authentication/saml/authentication.js

@@ -6,19 +6,20 @@ const _ = require('lodash')
 // SAML Account
 // ------------------------------------
 
-const SAMLStrategy = require('passport-saml').Strategy
+const SAMLStrategy = require('@node-saml/passport-saml').Strategy
 
 module.exports = {
   init (passport, conf) {
     const samlConfig = {
       callbackUrl: conf.callbackURL,
       entryPoint: conf.entryPoint,
       issuer: conf.issuer,
-      cert: (conf.cert || '').split('|'),
+      idpCert: (conf.cert || '').split('|'),
       signatureAlgorithm: conf.signatureAlgorithm,
       digestAlgorithm: conf.digestAlgorithm,
       identifierFormat: conf.identifierFormat,
       wantAssertionsSigned: conf.wantAssertionsSigned,
+      wantAuthnResponseSigned: conf.wantAuthnResponseSigned, 
       acceptedClockSkewMs: _.toSafeInteger(conf.acceptedClockSkewMs),
       disableRequestedAuthnContext: conf.disableRequestedAuthnContext,
       authnContext: (conf.authnContext || '').split('|'),

server/modules/authentication/saml/definition.yml

@@ -47,7 +47,7 @@ props:
     hint: Signature algorithm used for signing requests
     maxWidth: 400
     order: 7
-    default: sha1
+    default: sha256
     enum:
       - sha1
       - sha256
@@ -58,7 +58,7 @@ props:
     hint: Digest algorithm used to provide a digest for the signed data object
     maxWidth: 400
     order: 8
-    default: sha1
+    default: sha256
     enum:
       - sha1
       - sha256
@@ -74,30 +74,36 @@ props:
     hint: If enabled, add WantAssertionsSigned="true" to the metadata, to specify that the IdP should always sign the assertions.
     default: false
     order: 21
+  wantAuthnResponseSigned:
+    type: Boolean
+    title: Always Sign Authentication Response
+    hint: If enabled, require that all incoming authentication response messages be signed at the top level, not just at the assertions.
+    default: false
+    order: 22
   acceptedClockSkewMs:
     type: Number
     title: Accepted Clock Skew Milleseconds
     hint: Time in milliseconds of skew that is acceptable between client and server when checking OnBefore and NotOnOrAfter assertion condition validity timestamps. Setting to -1 will disable checking these conditions entirely.
     default: 0
-    order: 22
+    order: 23
   disableRequestedAuthnContext:
     type: Boolean
     title: Disable Requested Auth Context
     hint: If enabled, do not request a specific authentication context. This is known to help when authenticating against Active Directory (AD FS) servers.
     default: false
-    order: 23
+    order: 24
   authnContext:
     type: String
     title: Auth Context
     hint: Name identifier format to request auth context. For multiple values, join them together using the | pipe symbol.
     default: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
-    order: 24
+    order: 25
   racComparison:
     type: String
     title: RAC Comparison Type
     hint: Requested Authentication Context comparison type.
     maxWidth: 400
-    order: 25
+    order: 26
     default: exact
     enum:
       - exact
@@ -109,31 +115,31 @@ props:
     title: Force Initial Re-authentication
     hint: If enabled, the initial SAML request from the service provider specifies that the IdP should force re-authentication of the user, even if they possess a valid session.
     default: false
-    order: 26
+    order: 27
   passive:
     type: Boolean
     title: Passive
     hint: If enabled, the initial SAML request from the service provider specifies that the IdP should prevent visible user interaction.
     default: false
-    order: 27
+    order: 28
   providerName:
     type: String
     title: Provider Name
     hint: Optional human-readable name of the requester for use by the presenter's user agent or the identity provider.
     default: wiki.js
-    order: 28
+    order: 29
   skipRequestCompression:
     type: Boolean
     title: Skip Request Compression
     hint: If enabled, the SAML request from the service provider won't be compressed.
     default: false
-    order: 29
+    order: 30
   authnRequestBinding:
     type: String
     title: Request Binding
     hint: Binding used for request authentication from IDP.
     maxWidth: 400
-    order: 30
+    order: 31
     default: 'HTTP-POST'
     enum:
       - HTTP-Redirect