From a0b334ce4f0da169a9245481ed72baa05ee9a604 Mon Sep 17 00:00:00 2001 From: Bertrand Fan Date: Thu, 20 Oct 2016 16:49:16 -0700 Subject: [PATCH 1/5] If signed, set the prefix to ds for the Signature and place it after the Issuer, according to spec --- lib/samlp.js | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/lib/samlp.js b/lib/samlp.js index 63795aa..167a8c1 100644 --- a/lib/samlp.js +++ b/lib/samlp.js @@ -74,11 +74,20 @@ function buildSamlResponse(options) { var pem = encoders.removeHeaders(options.cert); sig.keyInfoProvider = { getKeyInfo: function () { - return "" + pem + ""; + return "" + pem + ""; } }; - sig.computeSignature(cannonicalized); + console.log(cannonicalized); + + sig.computeSignature(cannonicalized, { + prefix: 'ds', + location: { + reference: "//*[local-name(.)='Issuer']", + action: 'after' + } + }); + SAMLResponse = sig.getSignedXml(); } From e242e0d6f34537c3240e114d27fab84b6a311c81 Mon Sep 17 00:00:00 2001 From: Bertrand Fan Date: Thu, 20 Oct 2016 16:55:42 -0700 Subject: [PATCH 2/5] Remove console.log --- lib/samlp.js | 2 -- 1 file changed, 2 deletions(-) diff --git a/lib/samlp.js b/lib/samlp.js index 167a8c1..7b50a17 100644 --- a/lib/samlp.js +++ b/lib/samlp.js @@ -78,8 +78,6 @@ function buildSamlResponse(options) { } }; - console.log(cannonicalized); - sig.computeSignature(cannonicalized, { prefix: 'ds', location: { From 10575de45e4db83216a6e33a31782c5034bba523 Mon Sep 17 00:00:00 2001 From: Bertrand Fan Date: Fri, 21 Oct 2016 10:12:33 -0700 Subject: [PATCH 3/5] Don't envelop the signature, let both the assertion and the message be signed --- lib/samlp.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/samlp.js b/lib/samlp.js index 7b50a17..b75200b 100644 --- a/lib/samlp.js +++ b/lib/samlp.js 
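Review bot: The signature location added to the computeSignature call, `reference: "//*[local-name(.)='Issuer']"`, selects the first Issuer anywhere in the document rather than the Response's own; a Response that carries no Issuer of its own (it is optional at that level) would match the Assertion's Issuer first, so the Response signature would be inserted inside the Assertion, or the call would fail if xml-crypto rejects an unmatched location. Scoping the XPath to the element the reference covers avoids both outcomes, e.g. `reference: "//*[local-name(.)='Response' and namespace-uri(.)='urn:oasis:names:tc:SAML:2.0:protocol']/*[local-name(.)='Issuer']"`, which also mirrors the XPath already used in addReference. buildSamlResponse starts before and continues past this hunk.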
@@ -66,7 +66,7 @@ function buildSamlResponse(options) { sig.addReference( "//*[local-name(.)='Response' and namespace-uri(.)='urn:oasis:names:tc:SAML:2.0:protocol']", - ["http://www.w3.org/2000/09/xmldsig#enveloped-signature", "http://www.w3.org/2001/10/xml-exc-c14n#"], + ["http://www.w3.org/2001/10/xml-exc-c14n#"], algorithms.digest[options.digestAlgorithm]); sig.signingKey = options.key; From 750dbbe879eca3d6e803858446ab9f0b3938d5ae Mon Sep 17 00:00:00 2001 From: Bertrand Fan Date: Fri, 21 Oct 2016 10:41:23 -0700 Subject: [PATCH 4/5] Add options addDsPrefix and signAssertion --- lib/samlp.js | 34 +++++++++++++++++++++++++++------- 1 file changed, 27 insertions(+), 7 deletions(-) diff --git a/lib/samlp.js b/lib/samlp.js index b75200b..8beb324 100644 --- a/lib/samlp.js +++ b/lib/samlp.js 
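Review bot: Dropping `http://www.w3.org/2000/09/xmldsig#enveloped-signature` from the Response reference while the Signature is still placed inside the Response (after Issuer, per the first patch) looks like it yields a digest a standard verifier cannot reproduce: at signing time the reference is computed over a Response that does not yet contain its Signature, but a verifier canonicalizing the signed Response with only exc-c14n will include the Signature element, so I would expect the digest check to fail. The enveloped-signature transform exists precisely to exclude the signature from its own digest, independently of whether the Assertion is signed as well. If the motivation is that the library's enveloped transform strips the already-present Assertion signature during signing, that is worth confirming against an independent verifier and stating in a comment next to the transform list before relying on it; the `if (!options.signAssertion)` branch in patch 4's first hunk carries the same concern. buildSamlResponse starts before and continues past this hunk.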
@@ -64,27 +64,46 @@ function buildSamlResponse(options) { idAttribute: 'ID' }); + var transforms = []; + + if (!options.signAssertion) { + transforms.push("http://www.w3.org/2000/09/xmldsig#enveloped-signature"); + } + + transforms.push("http://www.w3.org/2001/10/xml-exc-c14n#"); + sig.addReference( "//*[local-name(.)='Response' and namespace-uri(.)='urn:oasis:names:tc:SAML:2.0:protocol']", - ["http://www.w3.org/2001/10/xml-exc-c14n#"], + transforms, algorithms.digest[options.digestAlgorithm]); sig.signingKey = options.key; var pem = encoders.removeHeaders(options.cert); + + var dsPrefix = ''; + if (options.addDsPrefix) { + dsPrefix = 'ds:'; + } + sig.keyInfoProvider = { getKeyInfo: function () { - return "" + pem + ""; + return "<" + dsPrefix + "X509Data><" + dsPrefix + "X509Certificate>" + cert + ""; } }; - sig.computeSignature(cannonicalized, { - prefix: 'ds', + var sigOpts = { location: { - reference: "//*[local-name(.)='Issuer']", + reference: options.xpathToNodeBeforeSignature || "//*[local-name(.)='Issuer']", action: 'after' } - }); + } + + if (options.addDsPrefix) { + sigOpts.prefix = 'ds'; + } + + sig.computeSignature(cannonicalized, sigOpts); SAMLResponse = sig.getSignedXml(); } @@ -121,7 +140,8 @@ function getSamlResponse(options, user, callback) { authnContextClassRef: options.authnContextClassRef, encryptionPublicKey: options.encryptionPublicKey, encryptionCert: options.encryptionCert, - sessionIndex: options.sessionIndex + sessionIndex: options.sessionIndex, + addDsPrefix: options.addDsPrefix }, function (err, signedAssertion) { if (err) return callback(err); From eb94c274c43e2763e0739b21208985bdcade9cd9 Mon Sep 17 00:00:00 2001 From: Bertrand Fan Date: Fri, 21 Oct 2016 10:44:13 -0700 Subject: [PATCH 5/5] typo --- lib/samlp.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/samlp.js b/lib/samlp.js index 8beb324..1895448 100644 --- a/lib/samlp.js +++ b/lib/samlp.js 
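Review bot: The new `var sigOpts = { … }` literal is left unterminated (the replaced line ended with `});`, the new closing line is a bare `}`), and `dsPrefix` and `sigOpts.prefix` are derived from `options.addDsPrefix` in two separate if-blocks; `var dsPrefix = options.addDsPrefix ? 'ds:' : '';` and a `};` after the literal would keep the two in one place and satisfy the linter. The three options this hunk introduces or reads (`addDsPrefix`, `signAssertion`, `xpathToNodeBeforeSignature`) are not documented anywhere in the change; a short comment on buildSamlResponse stating that `signAssertion` alters the transforms applied to the Response reference and that `xpathToNodeBeforeSignature` is an XPath evaluated against the unsigned response to position the Signature would save the next reader from reverse-engineering them. The second hunk only forwards `addDsPrefix` to the assertion builder. buildSamlResponse and getSamlResponse both start before and continue past their hunks.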
@@ -88,7 +88,7 @@ function buildSamlResponse(options) { sig.keyInfoProvider = { getKeyInfo: function () { - return "<" + dsPrefix + "X509Data><" + dsPrefix + "X509Certificate>" + cert + ""; + return "<" + dsPrefix + "X509Data><" + dsPrefix + "X509Certificate>" + pem + ""; } };