boxyhq · deepakprabhakara · Nov 10, 2023 · Nov 8, 2023 · Nov 8, 2023 · Nov 9, 2023
diff --git a/npm/package-lock.json b/npm/package-lock.json
diff --git a/npm/package.json b/npm/package.json
@@ -44,7 +44,7 @@
     "@aws-sdk/util-dynamodb": "3.445.0",
     "@boxyhq/error-code-mnemonic": "0.1.1",
     "@boxyhq/metrics": "0.2.5",
-    "@boxyhq/saml20": "1.3.0",
+    "@boxyhq/saml20": "1.3.1",
     "@googleapis/admin": "13.0.0",
     "axios": "1.6.0",
     "encoding": "0.1.13",

diff --git a/npm/src/controller/oauth.ts b/npm/src/controller/oauth.ts
@@ -40,7 +40,7 @@ import * as codeVerifier from './oauth/code-verifier';
 import * as redirect from './oauth/redirect';
 import { getDefaultCertificate } from '../saml/x509';
 import { SAMLHandler } from './saml-handler';
-import { extractSAMLResponseAttributes } from '../saml/lib';
+import { ValidateOption, extractSAMLResponseAttributes } from '../saml/lib';
 import { oidcIssuerInstance } from './oauth/oidc-issuer';
 
 const deflateRawAsync = promisify(deflateRaw);
@@ -494,7 +494,7 @@ export class OAuthController implements IOAuthController {
     let issuer: string | undefined;
     let isIdPFlow: boolean | undefined;
     let isSAMLFederated: boolean | undefined;
-    let validateOpts: { thumbprint: string; audience: string; privateKey: string };
+    let validateOpts: ValidateOption;
     let redirect_uri: string | undefined;
     const { SAMLResponse, idp_hint, RelayState = '' } = body;
 
@@ -587,11 +587,16 @@ export class OAuthController implements IOAuthController {
       const { privateKey } = await getDefaultCertificate();
 
       validateOpts = {
-        thumbprint: `${connection?.idpMetadata.thumbprint}`,
         audience: `${this.opts.samlAudience}`,
         privateKey,
       };
 
+      if (connection.idpMetadata.publicKey) {
+        validateOpts.publicKey = connection.idpMetadata.publicKey;
+      } else if (connection.idpMetadata.thumbprint) {
+        validateOpts.thumbprint = connection.idpMetadata.thumbprint;
+      }
+
       if (session && session.id) {
         validateOpts['inResponseTo'] = session.id;
       }

diff --git a/npm/src/controller/utils.ts b/npm/src/controller/utils.ts
@@ -1,6 +1,7 @@
 import crypto from 'crypto';
 import * as jose from 'jose';
 import { Client, TokenSet } from 'openid-client';
+import saml from '@boxyhq/saml20';
 
 import * as dbutils from '../db/utils';
 import type {
@@ -68,6 +69,9 @@ export const OAuthErrorResponse = ({
 
 // https://kentcdodds.com/blog/get-a-catch-block-error-message-with-typescript
 export function getErrorMessage(error: unknown) {
+  if (error instanceof saml.WrapError) {
+    return error.message + ' ' + error.inner.message;
+  }
   if (error instanceof Error) {
     return error.message;
   }

diff --git a/npm/src/saml/lib.ts b/npm/src/saml/lib.ts
@@ -258,8 +258,9 @@ export const createSAMLResponse = async ({
   );
 };
 
-type ValidateOption = {
-  thumbprint: string;
+export type ValidateOption = {
+  thumbprint?: string;
+  publicKey?: string;
   audience: string;
   privateKey: string;
   inResponseTo?: string;

diff --git a/npm/src/typings.ts b/npm/src/typings.ts
@@ -65,6 +65,7 @@ export interface SAMLSSORecord extends SAMLSSOConnection {
       redirectUrl?: string;
     };
     thumbprint?: string;
+    publicKey?: string;
     validTo?: string;
   };
   deactivated?: boolean;