From 5a7a97f63ba105ba5dec02dae3cba1a2275e2f81 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Germ=C3=A1n=20Lena?= Date: Mon, 31 Aug 2020 10:22:30 -0300 Subject: [PATCH] [ULP-2576] Add support for subject in AuthNRequests (#103) * [ULP-2576] Add support for subject in AuthNRequests * add the namespace validation to the path --- lib/samlp.js | 108 ++++++++++++++++-------------- test/samlp.parse_request.tests.js | 106 +++++++++++++++++------------ 2 files changed, 118 insertions(+), 96 deletions(-) diff --git a/lib/samlp.js b/lib/samlp.js index 9108c58..e2aa2af 100644 --- a/lib/samlp.js +++ b/lib/samlp.js 
@@ -1,31 +1,31 @@ -var saml20 = require('saml').Saml20; -var SignedXml = require('xml-crypto').SignedXml; -var xpath = require('xpath'); -var xtend = require('xtend'); -var utils = require('./utils'); -var templates = require('./templates'); -var encoders = require('./encoders'); +var saml20 = require('saml').Saml20; +var SignedXml = require('xml-crypto').SignedXml; +var xpath = require('xpath'); +var xtend = require('xtend'); +var utils = require('./utils'); +var templates = require('./templates'); +var encoders = require('./encoders'); var PassportProfileMapper = require('./claims/PassportProfileMapper'); -var constants = require('./constants'); +var constants = require('./constants'); function buildSamlResponse(options) { var SAMLResponse = templates.samlresponse({ - id: '_' + utils.generateUniqueID(), - instant: utils.generateInstant(), - destination: options.destination || options.audience, - inResponseTo: options.inResponseTo, - issuer: options.issuer, + id: '_' + utils.generateUniqueID(), + instant: utils.generateInstant(), + destination: options.destination || options.audience, + inResponseTo: options.inResponseTo, + issuer: options.issuer, samlStatusCode: options.samlStatusCode, samlStatusMessage: options.samlStatusMessage, - assertion: options.signedAssertion || '' + assertion: options.signedAssertion || '' }); if (options.signResponse) { - options.signatureNamespacePrefix = typeof options.signatureNamespacePrefix === 'string' ? options.signatureNamespacePrefix : '' ; + options.signatureNamespacePrefix = typeof options.signatureNamespacePrefix === 'string' ? options.signatureNamespacePrefix : ''; var cannonicalized = SAMLResponse .replace(/\r\n/g, '') - .replace(/\n/g,'') + .replace(/\n/g, '') .replace(/>(\s*)<') //unindent .trim(); 
@@ -48,7 +48,7 @@ function buildSamlResponse(options) { } }; - sig.computeSignature(cannonicalized, { prefix: options.signatureNamespacePrefix, location: { action: 'after', reference: "//*[local-name(.)='Issuer']" }}); + sig.computeSignature(cannonicalized, { prefix: options.signatureNamespacePrefix, location: { action: 'after', reference: "//*[local-name(.)='Issuer']" } }); SAMLResponse = sig.getSignedXml(); } @@ -63,7 +63,7 @@ function nameIdentiferNotFoundErrorMessage(options) { function getSamlResponse(options, user, callback) { options.profileMapper = options.profileMapper || PassportProfileMapper; - options.signatureNamespacePrefix = typeof options.signatureNamespacePrefix === 'string' ? options.signatureNamespacePrefix : '' ; + options.signatureNamespacePrefix = typeof options.signatureNamespacePrefix === 'string' ? options.signatureNamespacePrefix : ''; var profileMap = options.profileMapper(user); var claims = profileMap.getClaims(options); 
@@ -76,25 +76,25 @@ function getSamlResponse(options, user, callback) { } saml20.create({ - signatureAlgorithm: options.signatureAlgorithm, - digestAlgorithm: options.digestAlgorithm, - cert: options.cert, - key: options.key, - issuer: options.issuer, - lifetimeInSeconds: options.lifetimeInSeconds || 3600, - audiences: options.audience, - attributes: claims, - nameIdentifier: ni.nameIdentifier, + signatureAlgorithm: options.signatureAlgorithm, + digestAlgorithm: options.digestAlgorithm, + cert: options.cert, + key: options.key, + issuer: options.issuer, + lifetimeInSeconds: options.lifetimeInSeconds || 3600, + audiences: options.audience, + attributes: claims, + nameIdentifier: ni.nameIdentifier, nameIdentifierFormat: ni.nameIdentifierFormat || options.nameIdentifierFormat, - recipient: options.recipient, - inResponseTo: options.inResponseTo, + recipient: options.recipient, + inResponseTo: options.inResponseTo, authnContextClassRef: options.authnContextClassRef, - encryptionPublicKey: options.encryptionPublicKey, - encryptionCert: options.encryptionCert, - sessionIndex: options.sessionIndex, - typedAttributes: options.typedAttributes, - includeAttributeNameFormat: options.includeAttributeNameFormat, - signatureNamespacePrefix: options.signatureNamespacePrefix + encryptionPublicKey: options.encryptionPublicKey, + encryptionCert: options.encryptionCert, + sessionIndex: options.sessionIndex, + typedAttributes: options.typedAttributes, + includeAttributeNameFormat: options.includeAttributeNameFormat, + signatureNamespacePrefix: options.signatureNamespacePrefix }, function (err, signedAssertion) { if (err) return callback(err); 
@@ -122,8 +122,8 @@ function getSamlResponse(options, user, callback) { * @param {[type]} options [description] * @return {[type]} [description] */ -module.exports.auth = function(options) { - options.getUserFromRequest = options.getUserFromRequest || function(req){ return req.user; }; +module.exports.auth = function (options) { + options.getUserFromRequest = options.getUserFromRequest || function (req) { return req.user; }; options.signatureAlgorithm = options.signatureAlgorithm || 'rsa-sha256'; options.digestAlgorithm = options.digestAlgorithm || 'sha256'; @@ -134,13 +134,13 @@ module.exports.auth = function(options) { return function (req, res, next) { var opts = xtend({}, options || {}); // clone options - if(req.method === 'GET' && req.query.Signature){ + if (req.method === 'GET' && req.query.Signature) { opts.signature = req.query.Signature; opts.sigAlg = req.query.SigAlg; opts.relayState = opts.RelayState || req.query.RelayState; } - function execute (postUrl, audience, req, res, next) { + function execute(postUrl, audience, req, res, next) { var user = opts.getUserFromRequest(req); if (!user) return res.send(401); 
@@ -157,21 +157,21 @@ module.exports.auth = function(options) { } else { res.set('Content-Type', 'text/html'); res.send(templates.form({ - type: 'SAMLResponse', - callback: postUrl, - RelayState: opts.RelayState || (req.query || {}).RelayState || (req.body || {}).RelayState || '', - token: response.toString('base64') + type: 'SAMLResponse', + callback: postUrl, + RelayState: opts.RelayState || (req.query || {}).RelayState || (req.body || {}).RelayState || '', + token: response.toString('base64') })); } }); } - utils.parseSamlRequest(req, (req.query || {}).SAMLRequest || (req.body || {}).SAMLRequest, "AUTHN_REQUEST", opts, function(err, samlRequestDom) { + utils.parseSamlRequest(req, (req.query || {}).SAMLRequest || (req.body || {}).SAMLRequest, "AUTHN_REQUEST", opts, function (err, samlRequestDom) { if (err) return next(err); var audience = opts.audience; if (samlRequestDom) { - if (!audience){ + if (!audience) { var issuer = xpath.select("//*[local-name(.)='Issuer' and namespace-uri(.)='urn:oasis:names:tc:SAML:2.0:assertion']/text()", samlRequestDom); if (issuer && issuer.length > 0) audience = issuer[0].textContent; @@ -191,8 +191,8 @@ module.exports.auth = function(options) { }; }; -module.exports.parseRequest = function(req, options, callback) { - if (typeof options === 'function'){ +module.exports.parseRequest = function (req, options, callback) { + if (typeof options === 'function') { callback = options; options = {}; } @@ -201,7 +201,7 @@ module.exports.parseRequest = function(req, options, callback) { if (!samlRequest) return callback(); - utils.parseSamlRequest(req, samlRequest, "AUTHN_REQUEST", options, function(err, samlRequestDom) { + utils.parseSamlRequest(req, samlRequest, "AUTHN_REQUEST", options, function (err, samlRequestDom) { if (err) { return callback(err); } 
@@ -210,6 +210,10 @@ module.exports.parseRequest = function(req, options, callback) { var issuer = xpath.select("//*[local-name(.)='Issuer' and namespace-uri(.)='urn:oasis:names:tc:SAML:2.0:assertion']/text()", samlRequestDom); if (issuer && issuer.length > 0) data.issuer = issuer[0].textContent; + + var subject = xpath.select("//*[local-name(.)='Subject' and namespace-uri(.)='urn:oasis:names:tc:SAML:2.0:assertion']/*[local-name(.)='NameID']", samlRequestDom); + if (subject && subject.length > 0) data.subject = subject[0].textContent; + var assertionConsumerUrl = samlRequestDom.documentElement.getAttribute('AssertionConsumerServiceURL'); if (assertionConsumerUrl) data.assertionConsumerServiceURL = assertionConsumerUrl; @@ -248,10 +252,10 @@ module.exports.sendError = function (options) { res.set('Content-Type', 'text/html'); res.send(templates.form({ - type: 'SAMLResponse', - callback: postUrl, - RelayState: options.RelayState, - token: response.toString('base64') + type: 'SAMLResponse', + callback: postUrl, + RelayState: options.RelayState, + token: response.toString('base64') })); } diff --git a/test/samlp.parse_request.tests.js b/test/samlp.parse_request.tests.js index 07d5334..9ffbe40 100644 --- a/test/samlp.parse_request.tests.js +++ b/test/samlp.parse_request.tests.js 
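Review bot: The new `data.subject` in parseRequest keeps only the NameID text and drops the element's `Format` (and `NameQualifier`/`SPNameQualifier`) attributes, so a caller cannot tell whether the SP meant an email address, a persistent identifier or an unspecified string, nor compare it with the `nameIdentifierFormat` the IdP will put in its assertion. Under SAML Core the Subject of an AuthnRequest is an unauthenticated hint from the SP about who should log in, and the responder must only issue an assertion for that principal after authenticating them, so the field needs a comment to that effect, e.g. `// Subject/NameID is the SP's unauthenticated hint; verify it against the logged-in user, never assert it as-is.` Whether parseSamlRequest enforces a signature on this path is not visible in the hunk, and `options` may be `{}` when the callback is passed second, so the hint may originate from an unsigned request. I would also return the format alongside the value, as below; the exact `eql` expectations in the test file would then need the extra key wherever the fixture's NameID carries a Format. parseRequest starts and ends outside this hunk.
```javascript
var subject = xpath.select("//*[local-name(.)='Subject' and namespace-uri(.)='urn:oasis:names:tc:SAML:2.0:assertion']/*[local-name(.)='NameID']", samlRequestDom);
if (subject && subject.length > 0) {
  // Subject/NameID is the SP's unauthenticated hint about who should log in;
  // callers must verify it against the authenticated user, never assert it as-is.
  data.subject = subject[0].textContent;
  var subjectFormat = subject[0].getAttribute('Format');
  if (subjectFormat) data.subjectFormat = subjectFormat;
}
// … unchanged: AssertionConsumerServiceURL extraction …
```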
@@ -7,11 +7,27 @@ var fs = require('fs') var path = require('path') var zlib = require('zlib'); -var requestWithAuthnContextClassRef = '\nhttp://sp\n \n \n 1GJyc/S+0PTuqU1hp6grJy3u4Dk=MKsGyFxVQgCSLwkajqGZBKHskLVo/G1aj1V8PptruBwLBZ9nhMXgX8T+rmDuyTqbHUDfITRMXcREmIqbLyqvK4ICqU24TB4agHtRe9302BeNXCqVbtwQOuQGdjqAKHAIev+4Nd+74PblL5EBUMxnHcS0LavTisXvqab+70vnTn/Bhxqj+upBNyTGscqGpPxrZMqZzlwPpaCMCnDyBj3tyYdh+4iUrzmom3UBQuazpriezEYFa+6HNl0qi6umh9gEkaPjqC7z4HspvA5+R5ipS2zqk54Aq0bH9iFLstzc4BPENB2LrNEtC11xXo6opbk2p9sCeEMH0A/Dlc+LxbR5tg==\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http://schemas.openid.net/pape/policies/2007/06/multi-factor'; - -var requestWithoutAuthnContextClassRef = '\nhttp://sp\n \n \n HB+gsJjEBYtMgMwznLms7tXAmmo=mt6/9/JW8wsk72FaATq5Xp+TIartEZlDCo+Y8DWCenxoE1KXP0YKP4btEoTO3yop/l9JNMEJm7rONYbLZ+WxpjObCRbuVfmFpS4NNUyEiCTMzaDvzd0ipGpD0Zd/m719cwdhlxe6GjNHBWSmgjW/ojJPtb0aeuwCa3i2rv71R28DPOfLL1324V8YuDyqukqoOMfMI7NMUW5Wklh+AqhIp/rmin4SGQRc6Ccj9judPHQsijws9PtKoWMnWC9mVLd7sRcRY5yXissnnT8v4kH2haG1usu+t3HojhZ/symC9o7cmQJauyJyNLTx5Cl+4tokqwI3amK0gDhhoR0Q2cRxTg==\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'; - -describe('samlp parse response', function() { +var requestWithAuthnContextClassRef = ` +test@samlreq.comhttp://sp + + + GhzsHhoK8QpTW5Q54Ab9zstSenc=BJheKXguoWu+UuLXMU7Lxctv2h4wZnSrX1A15USop5kndsUMOMp0Zs5qkUtMfjuJnbpIZkfboz2Rca61E805k59zOW6IzNFnXfXf38YJ1CJ7RDoFYdF/PR4QSzCIfK/X4R/K+IWi9Janhr472kJLV4eHi+FH3hIVzZFT33xt6tfAkmPmxdjaVuDBEg+ytIDY6usthAKcxOtlJiCqmiGRFM/5wvPnK1X0roHsMnUPCdW2uOhCB9XqqaWWz/4AesxCA3v3RXhT5CvI9bs/J9zyjAoiCq0KDHY6nBykGqO8GCL6gvLJuM5tN790m1MhRxvdRTwCmV6OO9cMJ2kk8Y94pg== 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http://schemas.openid.net/pape/policies/2007/06/multi-factor`; + +var requestWithoutAuthnContextClassRef = ` + + +test@samlreq.com + +http://sp + + + 
UZB6cYGRYoUa2Mt+LqU+D+7qZlI=n7Icnw3cwlZjfhNaXDTAoFycIZew8i0dHspZVKmxk9KxRapRwJ0InFkJT4wLTs+58mlPob7m0bEHT9ph1QHkA5tzDa1dja2nCtIvEgL3ajsKpW2LEzbCVFmoCEXSBZ19LePjLzmXHI2TptEbuNoIIoWWRVuWjcuz0QQGKhbukSC8KQI/6UeVGk3CQWCYxnkwl7jnGmDkawoiyTAWssTvVq90tdzGhuRBSXwat8ncfYwAxbP+Sip3Qqyh5gkqP4AnfKp1jG7LTHxY+HQ+XmntIDESHVj+VYrWfpKI2L/sZDKgSEzjOGhzwBWRIoC9yK4SYDUmru0LO1i2dO52MqfutQ== +MIIDtTCCAp2gAwIBAgIJAMKR/NsyfcazMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTIxMTEyMjM0MzQxWhcNMTYxMjIxMjM0MzQxWjBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvtH4wKLYlIXZlfYQFJtXZVC3fD8XMarzwvb/fHUyJ6NvNStN+H7GHp3/QhZbSaRyqK5hu5xXtFLgnI0QG8oE1NlXbczjH45LeHWhPIdc2uHSpzXic78kOugMY1vng4J10PF6+T2FNaiv0iXeIQq9xbwwPYpflViQyJnzGCIZ7VGan6GbRKzyTKcB58yx24pJq+CviLXEY52TIW1l5imcjGvLtlCp1za9qBZa4XGoVqHi1kRXkdDSHty6lZWj3KxoRvTbiaBCH+75U7rifS6fR9lqjWE57bCGoz7+BBu9YmPKtI1KkyHFqWpxaJc/AKf9xgg+UumeqVcirUmAsHJrMwIDAQABo4GnMIGkMB0GA1UdDgQWBBTs83nkLtoXFlmBUts3EIxcVvkvcjB1BgNVHSMEbjBsgBTs83nkLtoXFlmBUts3EIxcVvkvcqFJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAMKR/NsyfcazMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBABw7w/5k4d5dVDgd/OOOmXdaaCIKvt7d3ntlv1SSvAoKT8d8lt97Dm5RrmefBI13I2yivZg5bfTge4+vAV6VdLFdWeFp1b/FOZkYUv6A8o5HW0OWQYVX26zIqBcG2Qrm3reiSl5BLvpj1WSpCsYvs5kaO4vFpMak/ICgdZD+rxwxf8Vb/6fntKywWSLgwKH3mJ+Z0kRlpq1g1oieiOm1/gpZ35s0YuorXZba9ptfLCYSggg/qc3d3d0tbHplKYkwFm7f5ORGHDSD5SJm+gI7RPE+4bO8q79RPAfbG1UGuJ0b/oigagciHhJp851SQRYf3JuNSc17BnK2L5IEtzjqr+Q= + +`; + +describe('samlp parse response', function () { var cert; before(function () { 
@@ -21,8 +37,8 @@ describe('samlp parse response', function() { describe('SAMLRequest on querystring', function () { let parseResult; - describe('when request has authnContextClassRef', function() { - it('should return a valid response', function(done){ + describe('when request has authnContextClassRef', function () { + it('should return a valid response', function (done) { samlp.parseRequest({ query: { SAMLRequest: new Buffer(requestWithAuthnContextClassRef).toString('base64'), @@ -30,15 +46,16 @@ describe('samlp parse response', function() { } }, { signingCert: cert, - thumbprints: [ encoder.thumbprint(cert) ], + thumbprints: [encoder.thumbprint(cert)], relayState: '123' - }, function(err, result) { + }, function (err, result) { expect(err).not.to.exist; expect(result).to.eql({ issuer: 'http://sp', + subject: 'test@samlreq.com', assertionConsumerServiceURL: 'https://acs', destination: 'https://destination', - id: 'pfxe6c08b2b-e9a1-5d44-9016-f4c2b59add88', + id: 'pfx9702ffd6-91a0-24bd-17f6-c66a3ac24f70', requestedAuthnContext: { authnContextClassRef: 'http://schemas.openid.net/pape/policies/2007/06/multi-factor' } 
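Review bot: The expectation `subject: 'test@samlreq.com'` added here is only exercised positively, because both fixtures in this file (`requestWithAuthnContextClassRef` and `requestWithoutAuthnContextClassRef`) were rewritten to contain a Subject; nothing asserts that `subject` is absent from the parsed result when the AuthnRequest carries no Subject, which is the common case for an SP-initiated request. I would add a third signed fixture without a `saml:Subject` and a test whose `eql` object has no `subject` key, so a regression that defaults the field, or matches a NameID from somewhere other than the Subject, is caught. The `describe` block continues past this hunk.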
@@ -49,39 +66,40 @@ describe('samlp parse response', function() { }); }); - describe('when request does not have authnContextClassRef', function() { - it('should return a valid response', function(done){ + describe('when request does not have authnContextClassRef', function () { + it('should return a valid response', function (done) { samlp.parseRequest({ - query: { - SAMLRequest: new Buffer(requestWithoutAuthnContextClassRef).toString('base64'), - RelayState: '123' - } - }, { - signingCert: cert, - thumbprints: [ encoder.thumbprint(cert) ], - relayState: '123' - }, function(err, result) { - if (err) { - done(err); - return; - } - - expect(err).not.to.exist; - expect(result).to.eql({ - issuer: 'http://sp', - assertionConsumerServiceURL: 'https://acs', - destination: 'https://destination', - id: 'pfx20d87357-f8ae-db44-a7a9-39c0446a2ee2' - }); + query: { + SAMLRequest: new Buffer(requestWithoutAuthnContextClassRef).toString('base64'), + RelayState: '123' + } + }, { + signingCert: cert, + thumbprints: [encoder.thumbprint(cert)], + relayState: '123' + }, function (err, result) { + if (err) { + done(err); + return; + } - done(); + expect(err).not.to.exist; + expect(result).to.eql({ + issuer: 'http://sp', + subject: 'test@samlreq.com', + assertionConsumerServiceURL: 'https://acs', + destination: 'https://destination', + id: 'pfxa4ada2aa-21ed-2788-7f49-e708fdaebc88' }); + + done(); + }); }); }); - describe('when request is not a valid XML', function(){ + describe('when request is not a valid XML', function () { // There was a bug in xmldom causing an infinite loop in this case - it('should return an empty object', function(done){ + it('should return an empty object', function (done) { const req = '