"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.SAMLProvider = void 0;
/**
 * SAML 2.0 SSO provider.
 * Uses @node-saml/node-saml for SP-initiated SSO.
 */
const node_saml_1 = require("@node-saml/node-saml");

/**
 * Returns `value` when it is a string, otherwise `undefined`.
 * Used to pick attributes off the IdP profile without trusting their shape.
 */
const onlyString = (value) => (typeof value === 'string' ? value : undefined);

class SAMLProvider {
    /**
     * Builds the node-saml SP instance.
     *
     * @param {object} config
     * @param {string} config.entryPoint  IdP SSO URL the user is redirected to.
     * @param {string} config.issuer      This SP's entity ID.
     * @param {string} config.cert        IdP signing certificate used to verify responses.
     * @param {string} config.callbackUrl ACS URL the IdP posts the response back to.
     *
     * Security notes on the options below:
     * - `wantAuthnResponseSigned` is explicitly disabled, so the outer Response
     *   element need not carry a signature. This is only safe while assertion
     *   signatures remain required; `wantAssertionsSigned` is not set here, so
     *   the library default governs that — confirm it is `true` for the
     *   node-saml version in use.
     * - `validateInResponseTo` is not configured, so the library default decides
     *   whether unsolicited (IdP-initiated or replayed) responses are accepted.
     *   NOTE(review): if replay protection is required, set it and supply a
     *   cache provider — verify against deployment requirements.
     * - `audience` is not set; whether the assertion's AudienceRestriction is
     *   checked against `issuer` depends on the library default — confirm.
     */
    constructor(config) {
        const options = {
            entryPoint: config.entryPoint,
            issuer: config.issuer,
            idpCert: config.cert,
            callbackUrl: config.callbackUrl,
            wantAuthnResponseSigned: false,
        };
        this.saml = new node_saml_1.SAML(options);
    }

    /**
     * Produces the redirect URL that starts SP-initiated login at the IdP.
     *
     * @param {string} [relayState] Opaque value the IdP echoes back with the
     *   response. If callers use it as a post-login redirect target they must
     *   validate it on the way back — it is attacker-influenceable, not
     *   integrity-protected by this code.
     * @returns {Promise<string>} The IdP authorize URL.
     */
    async generateAuthUrl(relayState) {
        const state = relayState ?? '';
        return this.saml.getAuthorizeUrlAsync(state, undefined, {});
    }

    /**
     * Validates a POSTed SAML response and extracts the identity fields.
     *
     * @param {object} body The POST body (SAMLResponse / RelayState) from the ACS endpoint.
     * @returns {Promise<{nameID: string, email?: string, displayName?: string}>}
     * @throws {Error} When node-saml rejects the response, or when it yields no profile.
     *
     * Note: a profile whose `nameID` is missing or not a string is returned
     * with `nameID: ''` rather than rejected; callers keying users on nameID
     * should treat an empty value as unauthenticated.
     */
    async validateResponse(body) {
        const result = await this.saml.validatePostResponseAsync(body);
        const profile = result.profile;
        if (!profile) {
            throw new Error('SAML validation failed: no profile');
        }
        // Attribute values come from the IdP; only accept plain strings.
        const nameID = onlyString(profile.nameID) ?? '';
        const email = onlyString(profile['email']);
        const displayName = onlyString(profile.displayName);
        return { nameID, email, displayName };
    }
}
exports.SAMLProvider = SAMLProvider;