fix: update libs

[kdhttps]

update libraries

Breaking changes

• need to update passport-saml script name in provider to @node-saml/passport-saml
  

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (dbe3511) 78.87% compared to head (7fc4ee2) 78.87%.
Report is 21 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #547   +/-   ##
=======================================
  Coverage   78.87%   78.87%           
=======================================
  Files          35       35           
  Lines         781      781           
=======================================
  Hits          616      616           
  Misses        165      165           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[sonarcloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

0.0% Coverage
0.0% Duplication

[srd90]

@node-saml/passport-saml and @node-saml/node-saml versions >= 4.x (currently latest published vesion) has a bug which disables inResponseTo validation if configuration value is set to true (or anything else except one of the enum values introduced at PR node-saml/node-saml#40 ). See following bug report for further information:

• [BUG] validateInResponseTo = true does not validate responses node-saml/passport-saml#874

Upcoming @node-saml/node-saml (5.x) has this fix node-saml/node-saml#314 which would throw exception if value is not one of the enum values.

At the moment this configuration and possible end user supplied configurations with value true shall not enable inResponseTo validation.

As a result of aforementioned inResponseTo issue at least this code might need some changes due to this PR:

gluu-passport/server/providers.js

Line 97 in 7fc4ee2

if (providerOptions.validateInResponseTo) {

i.e. to respect enum values instead of simple true/false.

Sidenote:
You might want to inform end users about other breaking changes which include but are not limited to e.g.:

• audience is now mandatory configuration option
• wantAuthnResponseSigned and wantAssertionsSigned are set by default to true. Most IdPs signs by default only assertion or response so users shall run into issues because @node-saml/passort-saml reports Invalid document signature or Invalid signature if one of those are missing. There has already been huge number of issues related to these configuration parameters. Root causes has been that people have not read @node-saml/passport-saml and @node-saml/node-saml change logs prior to migrate and/or just ignored change logs / documentation / not inspecting IdP configuration prior to start using SAML authentication). Here is list of example issues you can expect once this PR goes to production
  • NOTE: @node-saml/passport-saml's documentation related to core saml configuration parameters is not quite up to date. @node-saml/node-saml (which is used internally by @node-saml/passport-saml) contains most up to date description of core saml configuration parameters.
  • https://github.com/node-saml/passport-saml/blob/v4.0.4/CHANGELOG.md
  • https://github.com/node-saml/node-saml/blob/v4.0.5/CHANGELOG.md
    • see also 4.0.0-beta* changes

ping @kdhttps @moabu @ossdhaval @yurem

[srd90]

Created following issue to track whats being mentioned above:

• PR #547 introduced SAML inResponseTo validation related security issue and didn't add notes about other breaking changes to user documentation #552