mirror of
https://github.com/stack-auth/stack.git
synced 2026-06-13 21:01:21 +08:00
Three modules under apps/backend/src/saml/:

- saml.tsx — buildSamlClient (per-connection SAML instance), buildAuthnRequestUrl (returns URL + extracted requestId for replay protection), parseAndVerifyAssertion (signature + audience + clock-skew + InResponseTo are all enforced by node-saml), getSpMetadataXml. Defines SamlConnectionConfig locally so the wrapper doesn't depend on the project-config schema work.
- metadata-parser.tsx — pulls entityId, ssoUrl, and the signing X509 certificate out of pasted IdP metadata XML. Uses xmldom + xpath rather than regex so it handles attribute-order variations across IdPs.
- discovery.tsx — email-domain to connection lookup for the signInWithSso({ email }) flow. Iterates the project's connections and returns the first whose `domain` matches.

The clock-skew tolerance is set to 60s, matching the e2e test matrix item #16. The 'wantAssertionsSigned: true' default means an unsigned assertion is rejected even if the response itself is signed — which is the safer default per OWASP SAML guidance.
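The commit message above describes two pieces of logic that are easy to get subtly wrong: the email-domain to connection lookup in discovery.tsx, and the single-use requestId that backs InResponseTo replay protection. The following is an added TypeScript example, not code from the stack-auth repository; the `SamlConnection` shape, `findConnectionByEmail` and `RequestIdStore` are assumed names written for illustration. It goes slightly beyond the message by showing the edge cases a lookup should reject (suffix matches, multiple `@`, case differences) and a 60s skew allowance on request expiry.

```typescript
// Added example (not stack-auth's code): domain discovery and single-use
// AuthnRequest ID tracking, modelled on the design the commit message describes.

interface SamlConnection {
  id: string;
  domain: string;   // e-mail domain this IdP connection is authoritative for
  entityId: string;
  ssoUrl: string;
}

// Exact, case-insensitive comparison of the e-mail's domain part against each
// connection's `domain`. A suffix match ("evil-example.com" ends in
// "example.com") would route a user to the wrong IdP, so whole-label equality
// is required. Addresses with zero or several "@" signs are rejected outright
// rather than guessed at.
function findConnectionByEmail(
  connections: readonly SamlConnection[],
  email: string,
): SamlConnection | undefined {
  const at = email.lastIndexOf("@");
  if (at <= 0 || at === email.length - 1 || email.indexOf("@") !== at) {
    return undefined;
  }
  const domain = email.slice(at + 1).trim().toLowerCase();
  return connections.find((c) => c.domain.trim().toLowerCase() === domain);
}

// Single-use store for AuthnRequest IDs. The ID extracted when the request URL
// is built is recorded with an expiry; when an assertion arrives, its
// InResponseTo must match a live, unused entry, which is consumed on first use
// so a captured response cannot be replayed. clockSkewMs mirrors the 60s
// tolerance mentioned in the commit message.
class RequestIdStore {
  private readonly issued = new Map<string, number>(); // id -> expiry (ms since epoch)

  constructor(
    private readonly ttlMs: number,
    private readonly clockSkewMs: number = 60_000,
  ) {}

  issue(id: string, nowMs: number): void {
    this.issued.set(id, nowMs + this.ttlMs);
  }

  // Returns true exactly once per issued id, and only within ttl + skew.
  // The entry is removed whether or not it was still valid.
  consume(id: string, nowMs: number): boolean {
    const expiry = this.issued.get(id);
    if (expiry === undefined) return false;
    this.issued.delete(id);
    return nowMs <= expiry + this.clockSkewMs;
  }

  size(): number {
    return this.issued.size;
  }
}

// Constructed sample data for a stand-alone run.
const sampleConnections: SamlConnection[] = [
  { id: "conn-1", domain: "example.com", entityId: "https://idp.example.com/metadata", ssoUrl: "https://idp.example.com/sso" },
];
console.log(findConnectionByEmail(sampleConnections, "Alice@Example.COM")?.id);   // conn-1
console.log(findConnectionByEmail(sampleConnections, "bob@evil-example.com"));    // undefined
```

In a real deployment the store would live in a shared backend (node-saml accepts a cache provider for this), since an in-memory map does not survive restarts or span multiple instances.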
| Name |
|---|
| app |
| auto-migrations |
| lib |
| oauth |
| private |
| route-handlers |
| saml |
| utils |
| analytics.tsx |
| globals.d.ts |
| instrumentation.ts |
| polyfills.tsx |
| prisma-client.tsx |
| proxy.tsx |
| s3.tsx |
| smart-router.tsx |
| stack.tsx |