ArtifactResolve: change order of elements to satisfy ADFS

crewjam · crewjam · commit e9852265c3f4 · 2025-04-12T12:12:07.000-04:00
fixes #535
diff --git a/schema.go b/schema.go
@@ -353,12 +353,15 @@ func (r *ArtifactResolve) Element() *etree.Element {
 	if r.Issuer != nil {
 		el.AddChild(r.Issuer.Element())
 	}
-	artifact := etree.NewElement("samlp:Artifact")
-	artifact.SetText(r.Artifact)
-	el.AddChild(artifact)
 	if r.Signature != nil {
+		// ADFS requires that <Signature> come before <Artifact>.
+		// ref: https://github.com/crewjam/saml/issues/535
+		// ref: https://www.wiktorzychla.com/2017/09/adfs-and-saml2-artifact-binding-woes.html
 		el.AddChild(r.Signature)
 	}
+	artifact := etree.NewElement("samlp:Artifact")
+	artifact.SetText(r.Artifact)
+	el.AddChild(artifact)
 	return el
 }
 

Original file line number	Diff line number	Diff line change
`@@ -353,12 +353,15 @@ func (r ArtifactResolve) Element() etree.Element {`
`353`	`353`	`if r.Issuer != nil {`
`354`	`354`	`el.AddChild(r.Issuer.Element())`
`355`	`355`	`}`
`356`		`- artifact := etree.NewElement("samlp:Artifact")`
`357`		`- artifact.SetText(r.Artifact)`
`358`		`- el.AddChild(artifact)`
`359`	`356`	`if r.Signature != nil {`
	`357`	`+ // ADFS requires that <Signature> come before <Artifact>.`
	`358`	`+ // ref: https://github.com/crewjam/saml/issues/535`
	`359`	`+ // ref: https://www.wiktorzychla.com/2017/09/adfs-and-saml2-artifact-binding-woes.html`
`360`	`360`	`el.AddChild(r.Signature)`
`361`	`361`	`}`
	`362`	`+ artifact := etree.NewElement("samlp:Artifact")`
	`363`	`+ artifact.SetText(r.Artifact)`
	`364`	`+ el.AddChild(artifact)`
`362`	`365`	`return el`
`363`	`366`	`}`
`364`	`367`